diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml index 29768352..4d0085ec 100644 --- a/.github/workflows/deploy-prod.yml +++ b/.github/workflows/deploy-prod.yml @@ -24,7 +24,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: refs/tags/${{ github.event.inputs.git_tag}} + ref: refs/tags/${{ github.event.inputs.git_tag }} fetch-depth: "0" - name: Apply base_iam @@ -48,7 +48,7 @@ jobs: - name: Checkout Tag uses: actions/checkout@v6 with: - ref: refs/tags/${{ inputs.git_tag}} + ref: refs/tags/${{ inputs.git_tag }} fetch-depth: "0" - name: Apply Main diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 38bac416..6ddb4bf6 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -96,7 +96,7 @@ jobs: uses: ./.github/actions/tf-plan-apply with: # use newly created role - aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.sandbox_name}}-github-actions-role + aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.sandbox_name }}-github-actions-role bucket_prefix: "dev" aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} aws_region: ${{ vars.AWS_REGION }} @@ -120,7 +120,7 @@ jobs: uses: ./.github/actions/tf-plan-apply with: # use newly created role - aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.sandbox_name}}-github-actions-role + aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.sandbox_name }}-github-actions-role bucket_prefix: "dev" aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }} aws_region: ${{ vars.AWS_REGION }} diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml index ff897cd6..a62e02c8 100644 --- a/.github/workflows/deploy-test.yml +++ b/.github/workflows/deploy-test.yml 
@@ -24,7 +24,7 @@ jobs: - name: Checkout branch uses: actions/checkout@v6 with: - ref: ${{ inputs.git_ref}} + ref: ${{ inputs.git_ref }} - name: Apply base_iam uses: ./.github/actions/tf-plan-apply @@ -47,7 +47,7 @@ jobs: - name: Checkout main uses: actions/checkout@v6 with: - ref: ${{ github.event.inputs.git_ref}} + ref: ${{ github.event.inputs.git_ref }} - name: Apply Main uses: ./.github/actions/tf-plan-apply diff --git a/base_iam/iam_github_actions_role.tf b/base_iam/iam_github_actions_role.tf new file mode 100644 index 00000000..7ed356e4 --- /dev/null +++ b/base_iam/iam_github_actions_role.tf 
@@ -0,0 +1,66 @@
+resource "aws_iam_role" "github_actions" {
+ name = "${terraform.workspace}-github-actions-role"
+ description = "This role provides access for GitHub Actions to the ${terraform.workspace} environment. "
+ force_detach_policies = false
+ max_session_duration = 3600
+ name_prefix = null
+ path = "/"
+ permissions_boundary = null
+ tags = {}
+ assume_role_policy = local.is_sandbox_or_dev ? jsonencode(
+ {
+ Statement = [
+ {
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = [
+ "repo:NHSDigital/national-document-repository-infrastructure:*",
+ "repo:NHSDigital/national-document-repository:*",
+ ]
+ }
+ }
+ Effect = "Allow"
+ Principal = {
+ Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+ }
+ },
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e"
+ }
+ },
+ ]
+ Version = "2012-10-17"
+ }
+ ) : jsonencode(
+ {
+ Statement = [
+ {
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+ }
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = [
+ "repo:NHSDigital/national-document-repository-infrastructure:*",
+ "repo:NHSDigital/national-document-repository:*",
+ ]
+ }
+ }
+ Effect = "Allow"
+ Principal = {
+ Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+ }
+ },
+ ]
+ Version = "2012-10-17"
+ }
+ )
+}
diff --git a/base_iam/iam_github_common.tf b/base_iam/iam_github_common.tf
new file mode 100644
index 00000000..90ee977b
--- /dev/null
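Review bot: Both branches of `assume_role_policy` carry the same `StringLike` condition, `repo:NHSDigital/...:*`, so a workflow run from any branch, tag or pull request of either repository can assume this role in every environment, including the non-sandbox one that `deploy-prod.yml` presumably uses when it checks out `refs/tags/${{ inputs.git_tag }}`. For the non-sandbox branch the subject claim is normally narrowed to the refs or GitHub environment that are allowed to deploy, for example `repo:NHSDigital/national-document-repository-infrastructure:ref:refs/tags/*` or `repo:<org>/<repo>:environment:<environment-name>` (placeholders), so that a feature branch cannot obtain production credentials; with `permissions_boundary = null` the trust policy is the only gate. The two `jsonencode` calls also repeat the entire OIDC statement and differ only in the SSO `sts:AssumeRole` statement, so building `Statement` with `concat` and a conditional second element leaves a single copy of the condition to maintain, as sketched below. The trailing space inside the `description` string looks accidental.
```hcl
resource "aws_iam_role" "github_actions" {
  # … unchanged: name, description, session and path settings …
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = concat(
      [
        {
          Action = "sts:AssumeRoleWithWebIdentity"
          Effect = "Allow"
          Principal = {
            Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
          }
          Condition = {
            StringEquals = {
              "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
            }
            StringLike = {
              # TODO(review): narrow the subject for non-sandbox environments (tag refs or environment claim)
              "token.actions.githubusercontent.com:sub" = [
                "repo:NHSDigital/national-document-repository-infrastructure:*",
                "repo:NHSDigital/national-document-repository:*",
              ]
            }
          }
        },
      ],
      # Interactive SSO administrators may only assume the role in sandbox/dev.
      local.is_sandbox_or_dev ? [
        {
          Action = "sts:AssumeRole"
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e"
          }
        },
      ] : [],
    )
  })
}
```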
+++ b/base_iam/iam_github_common.tf 
@@ -0,0 +1,442 @@
+# Resources that are common to all environments (dev, test, pre-prod & prod)
+
+resource "aws_iam_role_policy_attachment" "ReadOnlyAccess" {
+ role = aws_iam_role.github_actions.name
+ policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+
+# The policy is split into 3 parts to avoid hitting the character limit for AWS IAM policies.
+
+resource "aws_iam_role_policy_attachment" "github_actions_common_1" {
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_common_1.arn
+}
+
+resource "aws_iam_policy" "github_actions_common_1" {
+ name = "${terraform.workspace}-github-actions-policy-common-1"
+ path = "/"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "acm:RequestCertificate",
+ "apigateway:DELETE",
+ "apigateway:PATCH",
+ "apigateway:POST",
+ "apigateway:PUT",
+ "apigateway:SetWebACL",
+ "appconfig:CreateApplication",
+ "appconfig:CreateConfigurationProfile",
+ "appconfig:CreateDeploymentStrategy",
+ "appconfig:CreateEnvironment",
+ "appconfig:CreateHostedConfigurationVersion",
+ "appconfig:DeleteDeploymentStrategy",
+ "appconfig:DeleteHostedConfigurationVersion",
+ "appconfig:StartDeployment",
+ "appconfig:TagResource",
+ "application-autoscaling:DeleteScalingPolicy",
+ "application-autoscaling:DeregisterScalableTarget",
+ "application-autoscaling:ListTagsForResource",
+ "application-autoscaling:PutScalingPolicy",
+ "application-autoscaling:RegisterScalableTarget",
+ "application-autoscaling:TagResource",
+ "application-autoscaling:UntagResource",
+ "backup-storage:MountCapsule",
+ "backup:CreateBackupPlan",
+ "backup:CreateBackupSelection",
+ "backup:CreateBackupVault",
+ "backup:DeleteBackupSelection",
+ "backup:DeleteBackupVault",
+ "backup:DeleteRecoveryPoint",
+ "backup:DescribeBackupVault",
+ "backup:ListTags",
+ "backup:UpdateBackupPlan",
+ "cloudwatch:DeleteAlarms",
+ "cloudwatch:ListTagsForResource",
+ "cloudwatch:PutMetricAlarm",
+ "cloudwatch:TagResource",
+ "cloudwatch:UntagResource",
+ "dynamodb:CreateTable",
+ "dynamodb:DeleteItem",
+ "dynamodb:DeleteTable",
+ "dynamodb:DescribeContinuousBackups",
+ "dynamodb:DescribeTable",
+ "dynamodb:DescribeTimeToLive",
+ "dynamodb:GetItem",
+ "dynamodb:ListTagsOfResource",
+ "dynamodb:PutItem",
+ "dynamodb:TagResource",
+ "dynamodb:UpdateContinuousBackups",
+ "dynamodb:UpdateTable",
+ "dynamodb:UpdateTimeToLive",
+ "ec2:AllocateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateDefaultVpc",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNatGateway",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateTags",
+ "ec2:CreateVpc",
+ "ec2:CreateVpcEndpoint",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteVpc",
+ "ec2:DeleteVpcEndpoints",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribePrefixLists",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroupRules",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeVpcs",
+ "ec2:DetachInternetGateway",
+ "ec2:DisassociateAddress",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ModifyVpcEndpoint",
+ "ec2:ReleaseAddress",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_role_policy_attachment" "github_actions_common_2" {
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_common_2.arn
+}
+
+resource "aws_iam_policy" "github_actions_common_2" {
+ name = "${terraform.workspace}-github-actions-policy-common-2"
+ path = "/"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ecr:CreateRepository",
+ "ecr:DeleteLifecyclePolicy",
+ "ecr:DeleteRepository",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:GetAuthorizationToken",
+ "ecr:GetLifecyclePolicy",
+ "ecr:GetRepositoryPolicy",
+ "ecr:ListTagsForResource",
+ "ecr:PutLifecyclePolicy",
+ "ecr:SetRepositoryPolicy",
+ "ecr:TagResource",
+ "ecs:CreateCluster",
+ "ecs:CreateService",
+ "ecs:DeleteCluster",
+ "ecs:DeleteService",
+ "ecs:DeregisterTaskDefinition",
+ "ecs:DescribeClusters",
+ "ecs:DescribeServices",
+ "ecs:DescribeTaskDefinition",
+ "ecs:PutClusterCapacityProviders",
+ "ecs:RegisterTaskDefinition",
+ "ecs:TagResource",
+ "ecs:UntagResource",
+ "ecs:UpdateService",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeTags",
+ "elasticloadbalancing:DescribeTargetGroupAttributes",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:ModifyListenerAttributes",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
+ "elasticloadbalancing:SetSecurityGroups",
+ "elasticloadbalancing:SetWebACL",
+ "events:DeleteRule",
+ "events:PutRule",
+ "events:PutTargets",
+ "events:RemoveTargets",
+ "iam:AttachRolePolicy",
+ "iam:CreatePolicy",
+ "iam:CreatePolicyVersion",
+ "iam:CreateRole",
+ "iam:CreateServiceLinkedRole",
+ "iam:DeletePolicy",
+ "iam:DeletePolicyVersion",
+ "iam:DeleteRole",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListRolePolicies",
+ "iam:PassRole",
+ "iam:PutRolePolicy",
+ "iam:UpdateAssumeRolePolicy",
+ "iam:UpdateRoleDescription",
+ "kms:CreateAlias",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:DescribeKey",
+ "kms:EnableKeyRotation",
+ "kms:GetKeyPolicy",
+ "kms:GetKeyRotationStatus",
+ "kms:ListAliases",
+ "kms:ListKeys",
+ "kms:ListResourceTags",
+ "kms:PutKeyPolicy",
+ "kms:RetireGrant",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "kms:UpdateAlias",
+ "kms:UpdateKeyDescription",
+ "lambda:AddLayerVersionPermission",
+ "lambda:AddPermission",
+ "lambda:CreateEventSourceMapping",
+ "lambda:CreateFunction",
+ "lambda:DeleteEventSourceMapping",
+ "lambda:DeleteFunction",
+ "lambda:DeleteLayerVersion",
+ "lambda:EnableReplication",
+ "lambda:GetLayerVersion",
+ "lambda:GetLayerVersionPolicy",
+ "lambda:GetPolicy",
+ "lambda:ListLayerVersions",
+ "lambda:ListLayers",
+ "lambda:PublishLayerVersion",
+ "lambda:PublishVersion",
+ "lambda:PutFunctionConcurrency",
+ "lambda:RemoveLayerVersionPermission",
+ "lambda:RemovePermission",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration",
+ "logs:CreateLogDelivery",
+ "logs:CreateLogGroup",
+ "logs:DeleteLogDelivery",
+ "logs:DeleteLogGroup",
+ "logs:DeleteMetricFilter",
+ "logs:DescribeLogGroups",
+ "logs:DescribeResourcePolicies",
+ "logs:GetLogDelivery",
+ "logs:ListLogDeliveries",
+ "logs:ListTagsLogGroup",
+ "logs:PutMetricFilter",
+ "logs:UpdateLogDelivery",
+ "resource-groups:CreateGroup",
+ "resource-groups:ListGroups",
+ "resource-groups:SearchResources",
+ "route53:AssociateVPCWithHostedZone",
+ "route53:ChangeResourceRecordSets",
+ "route53:GetChange",
+ "route53:GetHostedZone",
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets",
+ "route53:ListTagsForResource",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_role_policy_attachment" "github_actions_common_3" {
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_common_3.arn
+}
+
+resource "aws_iam_policy" "github_actions_common_3" {
+ name = "${terraform.workspace}-github-actions-policy-common-3"
+ path = "/"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "scheduler:CreateSchedule",
+ "scheduler:DeleteSchedule",
+ "scheduler:UpdateSchedule",
+ "secretsmanager:DeleteSecret",
+ "ses:CreateConfigurationSet",
+ "ses:CreateConfigurationSetEventDestination",
+ "ses:DeleteConfigurationSet",
+ "ses:DeleteConfigurationSetEventDestination",
+ "ses:DeleteIdentity",
+ "ses:DescribeConfigurationSet",
+ "ses:ListConfigurationSets",
+ "ses:SetIdentityMailFromDomain",
+ "ses:UpdateConfigurationSetEventDestination",
+ "ses:VerifyDomainDkim",
+ "ses:VerifyDomainIdentity",
+ "sns:CreateTopic",
+ "sns:DeleteTopic",
+ "sns:SetTopicAttributes",
+ "sns:Subscribe",
+ "sns:Unsubscribe",
+ "sqs:DeleteMessage",
+ "sqs:DeleteQueue",
+ "sqs:ListQueues",
+ "sqs:createqueue",
+ "sqs:setqueueattributes",
+ "ssm:AddTagsToResource",
+ "ssm:DeleteParameter",
+ "ssm:PutParameter",
+ "wafv2:AssociateWebACL",
+ "wafv2:CreateRegexPatternSet",
+ "wafv2:CreateWebACL",
+ "wafv2:DeleteRegexPatternSet",
+ "wafv2:DeleteWebACL",
+ "wafv2:TagResource",
+ "wafv2:UpdateWebACL"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ {
+ Action = [
+ "backup:TagResource",
+ "backup:UntagResource",
+ "cognito-identity:TagResource",
+ "cognito-identity:UntagResource",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags",
+ "events:TagResource",
+ "events:UntagResource",
+ "iam:TagInstanceProfile",
+ "iam:TagPolicy",
+ "iam:TagRole",
+ "iam:UntagInstanceProfile",
+ "iam:UntagPolicy",
+ "iam:UntagRole",
+ "lambda:TagResource",
+ "lambda:UntagResource",
+ "logs:TagResource",
+ "logs:UntagResource",
+ "resource-groups:DeleteGroup",
+ "resource-groups:GetGroup",
+ "resource-groups:GetGroupConfiguration",
+ "resource-groups:GetGroupQuery",
+ "resource-groups:GetTags",
+ "resource-groups:ListGroupResources",
+ "resource-groups:Tag",
+ "resource-groups:Untag",
+ "resource-groups:UpdateGroup",
+ "resource-groups:UpdateGroupQuery",
+ "sns:TagResource",
+ "sns:UntagResource"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*",
+ "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*",
+ "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*",
+ "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*",
+ "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*",
+ "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*",
+ "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*",
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",
+ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*",
+ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*",
+ "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:anomaly-detector:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-destination:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-source:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:destination:*",
+ "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*",
+ "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*",
+ "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*"
+ ]
+ },
+ {
+ Action = [
+ "cognito-identity:CreateIdentityPool",
+ "cognito-identity:DeleteIdentityPool",
+ "cognito-identity:SetIdentityPoolRoles",
+ "cognito-identity:UpdateIdentityPool"
+ ]
+ Effect = "Allow"
+ Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*"
+ },
+ {
+ Action = [
+ "logs:DeleteLogGroup",
+ "logs:DeleteResourcePolicy",
+ "logs:DescribeLogGroups"
+ ]
+ Effect = "Allow"
+ Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*"
+ },
+ {
+ Action = [
+ "iam:PassRole",
+ "rum:CreateAppMonitor",
+ "rum:DeleteAppMonitor",
+ "rum:GetAppMonitor",
+ "rum:ListTagsForResource",
+ "rum:TagResource",
+ "rum:UntagResource",
+ "rum:UpdateAppMonitor"
+ ]
+ Effect = "Allow"
+ Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*"
+ },
+ {
+ Action = [
+ "states:CreateStateMachine",
+ "states:DeleteStateMachine",
+ "states:DescribeStateMachine",
+ "states:TagResource",
+ "states:UntagResource",
+ "states:UpdateStateMachine"
+ ]
+ Effect = "Allow"
+ Resource = "arn:aws:states:eu-west-2:${data.aws_caller_identity.current.account_id}:stateMachine:*"
+ },
+ ]
+ })
+}
diff --git a/base_iam/iam_github_dev.tf b/base_iam/iam_github_dev.tf
index 8a0f5737..b6547d53 100644
--- a/base_iam/iam_github_dev.tf
+++ b/base_iam/iam_github_dev.tf
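Review bot: The first statement of `github_actions_common_2` grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy`, `iam:PassRole`, `iam:UpdateAssumeRolePolicy` and `iam:CreatePolicyVersion` on `Resource = "*"` with no condition, and the role receiving it is declared with `permissions_boundary = null` in the sibling hunk, so the role can grant itself or any newly created role arbitrary permissions and the three-way split constrains nothing. If the project's roles and policies are all workspace-prefixed, as this role and these policies are, the IAM write actions could move to their own statement scoped to `role/${terraform.workspace}-*` and `policy/${terraform.workspace}-*` in the same account-scoped ARN style the tagging statement of `github_actions_common_3` already uses, keeping `iam:CreateServiceLinkedRole` and the Get/List reads on `*`; attaching a permissions boundary to the role is the other customary backstop. Separately, the removed dev policy granted `ec2:DeleteNatGateway`, `backup:DeleteBackupPlan` and `sqs:TagQueue`, none of which appear in the three common policies or the visible part of the new dev policy, so confirm they moved elsewhere rather than being dropped, since `ec2:CreateNatGateway` is kept here. `sqs:createqueue` and `sqs:setqueueattributes` still match because IAM compares action names case-insensitively, but `sqs:CreateQueue` and `sqs:SetQueueAttributes` keep the list consistent and greppable; `iam:PassRole` in the RUM statement is redundant with the `*` grant above and does not apply to an `appmonitor` ARN.
```hcl
# … unchanged: policy header and the non-IAM actions of github_actions_common_2 …
      {
        # IAM write access is limited to the resources this workspace creates; reads stay on "*".
        Action = [
          "iam:AttachRolePolicy",
          "iam:CreatePolicy",
          "iam:CreatePolicyVersion",
          "iam:CreateRole",
          "iam:DeletePolicy",
          "iam:DeletePolicyVersion",
          "iam:DeleteRole",
          "iam:DeleteRolePolicy",
          "iam:DetachRolePolicy",
          "iam:PassRole",
          "iam:PutRolePolicy",
          "iam:UpdateAssumeRolePolicy",
          "iam:UpdateRoleDescription",
        ]
        Effect = "Allow"
        Resource = [
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${terraform.workspace}-*",
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/${terraform.workspace}-*",
        ]
      },
# … unchanged: remaining statements …
```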
@@ -1,982 +1,120 @@ -# aws_iam_role.dev_github_actions[0]: -resource "aws_iam_role" "dev_github_actions" { - count = local.is_sandbox_or_dev ? 1 : 0 - name = "${terraform.workspace}-github-actions-role" - description = "This role is to provide access for GitHub Actions to the ${terraform.workspace} environment. " - force_detach_policies = false - max_session_duration = 3600 - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - assume_role_policy = jsonencode( - { - Statement = [ - { - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - StringEquals = { - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" - } - StringLike = { - "token.actions.githubusercontent.com:sub" = [ - "repo:NHSDigital/national-document-repository-infrastructure:*", - "repo:NHSDigital/national-document-repository:*", - ] - } +# Resources that are specific to the dev environment only. + +resource "aws_iam_role_policy_attachment" "github_actions_dev" { + count = local.is_dev ? 1 : 0 + role = aws_iam_role.github_actions.name + policy_arn = aws_iam_policy.github_actions_dev[0].arn +} + +resource "aws_iam_policy" "github_actions_dev" { + count = local.is_dev ? 
1 : 0 + name = "${terraform.workspace}-github-actions-policy-dev" + path = "/" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "cloudfront:*", + "cognito-idp:*", + "config:DeleteConfigurationRecorder", + "config:DeleteDeliveryChannel", + "config:DescribeConfigurationRecorderStatus", + "config:PutConfigurationRecorder", + "config:PutDeliveryChannel", + "config:StartConfigurationRecorder", + "config:StopConfigurationRecorder", + "dynamodb:BatchWriteItem", + "ec2:DeleteTags", + "organizations:ListAWSServiceAccessForOrganization" + ] + Effect = "Allow" + Resource = "*" + }, + { + Action = "kms:GenerateDataKey" + Effect = "Allow" + Resource = "*" + Condition = { + StringLike = { + "aws:ResourceTag/Name" = "alias/mns-notification-encryption-key-kms-*" } - Effect = "Allow" - Principal = { - Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com" - } - }, - { - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DomainCGpit-Administrators_e00623801cb4b59e" - } - }, - ] - Version = "2012-10-17" - } - ) -} - - -# INLINE POLICIES - -resource "aws_iam_role_policy" "cloudtrail_dev" { - count = local.is_sandbox_or_dev ? 
1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "cloudtrail" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudtrail:AddTags", - "cloudtrail:CreateTrail", - "cloudtrail:StartLogging", - "cloudtrail:DeleteTrail", - ] - Effect = "Allow" - Resource = [ - "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:trail/*", - "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:eventdatastore/*", - "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:channel/*", - ] - Sid = "VisualEditor0" - }, - { - Action = "organizations:ListAWSServiceAccessForOrganization" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "cloudwatch_logs_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - "logs:DisassociateKmsKey", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" - Sid = "Statement1" - }, - { - Action = [ - "logs:PutDeliverySource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:delivery-source:*", - ] - Sid = "Statement2" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "ecs_policy_dev" { - count = local.is_sandbox_or_dev ? 
1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "ecs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "github_actions_waf_override_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "github_actions_waf_override" - policy = jsonencode( - { - Statement = [ - { - Action = "apigateway:SetWebACL" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "lambda_layer_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "lambda_layer_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "lambda:DeleteLayerVersion", - "lambda:ListLayerVersions", - "lambda:ListLayers", - "lambda:AddLayerVersionPermission", - "lambda:GetLayerVersionPolicy", - "lambda:RemoveLayerVersionPermission", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "rum_policy_dev" { - count = local.is_sandbox_or_dev ? 
1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" - Sid = "VisualEditor0" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" - Sid = "VisualEditor1" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" - Sid = "VisualEditor2" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "step_functions_dev" { - count = local.is_sandbox_or_dev ? 
1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "step_functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "github_terraform_tagging_policy_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "github_terraform_tagging_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "sns:TagResource", - "backup:TagResource", - "resource-groups:GetGroupQuery", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "resource-groups:DeleteGroup", - "events:TagResource", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", - "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", - 
"arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", - "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - 
"elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor2" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "service_quotas_dev" { - count = local.is_sandbox_or_dev ? 
1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "service_quotas" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "servicequotas:RequestServiceQuotaIncrease" - ] - Effect = "Allow" - Resource = [ - "arn:aws:servicequotas:us-east-1:${data.aws_caller_identity.current.account_id}:lambda/L-B99A9384", - "arn:aws:servicequotas::${data.aws_caller_identity.current.account_id}:iam/L-E95E4862", - "arn:aws:servicequotas::${data.aws_caller_identity.current.account_id}:iam/L-FE177D64" - ] - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "cert_manager_tags_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "cert_manager_tags" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:AddTagsToCertificate", - "acm:DeleteCertificate" - ] - Effect = "Allow" - Resource = "arn:aws:acm:us-east-1:${data.aws_caller_identity.current.account_id}:certificate/*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "e2e_mns_permissions_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.dev_github_actions[0].id - name = "e2e_mns_permissions" - policy = jsonencode( - { - Statement = [ - { - Action = "kms:GenerateDataKey" - Effect = "Allow" - Resource = "*" - Condition = { - StringLike = { - "aws:ResourceTag/Name" = "alias/mns-notification-encryption-key-kms-*" - } - } - Sid = "VisualEditor0" - }, - { - Action = "sqs:SendMessage" - Effect = "Allow" - Resource = "arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*-mns-notification-queue" - Sid = "VisualEditor1" } - ] - Version = "2012-10-17" - } - ) -} - -# ATTACHED POLICIES - -resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_dev" { - count = local.is_sandbox_or_dev ? 
1 : 0 - role = aws_iam_role.dev_github_actions[0].name - policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" -} - -resource "aws_iam_role_policy_attachment" "github_actions_terraform_full_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - role = aws_iam_role.dev_github_actions[0].name - policy_arn = aws_iam_policy.github_actions_terraform_full_dev[0].arn -} - -# aws_iam_policy.github_actions_terraform_full_dev[0]: -resource "aws_iam_policy" "github_actions_terraform_full_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - description = "All permissions required for Terraform to do its thing." - name = "${terraform.workspace}-github_actions_terraform_full" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteVpcEndpoints", - "ec2:AttachInternetGateway", - "iam:PutRolePolicy", - "ecr:DeleteRepository", - "scheduler:DeleteSchedule", - "ec2:CreateRoute", - "cloudwatch:ListTagsForResource", - "ecr:TagResource", - "dynamodb:DescribeContinuousBackups", - "events:RemoveTargets", - "lambda:DeleteFunction", - "iam:ListRolePolicies", - "ecs:TagResource", - "ecr:GetLifecyclePolicy", - "iam:GetRole", - "dynamodb:BatchWriteItem", - "elasticloadbalancing:CreateTargetGroup", - "ecr:GetAuthorizationToken", - "application-autoscaling:DeleteScalingPolicy", - "kms:RetireGrant", - "elasticloadbalancing:AddTags", - "ec2:DeleteNatGateway", - "lambda:PublishVersion", - "apigateway:POST", - "lambda:DeleteEventSourceMapping", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "dynamodb:UpdateTable", - "ec2:ModifyVpcEndpoint", - "logs:ListTagsLogGroup", - "kms:PutKeyPolicy", - "events:PutRule", - "ec2:CreateVpc", - "dynamodb:ListTagsOfResource", - "iam:PassRole", - "logs:DeleteMetricFilter", - "sqs:createqueue", - "iam:DeleteRolePolicy", - "application-autoscaling:TagResource", - "ec2:ReleaseAddress", - "lambda:UpdateEventSourceMapping", - "elasticloadbalancing:CreateLoadBalancer", - 
"apigateway:PUT", - "route53:ListTagsForResource", - "ec2:DescribeSecurityGroups", - "iam:CreatePolicy", - "sqs:TagQueue", - "iam:CreateServiceLinkedRole", - "kms:CreateAlias", - "elasticloadbalancing:DescribeTargetGroups", - "route53:AssociateVPCWithHostedZone", - "elasticloadbalancing:DeleteListener", - "iam:UpdateAssumeRolePolicy", - "iam:GetPolicyVersion", - "wafv2:AssociateWebACL", - "ec2:DeleteSubnet", - "elasticloadbalancing:SetWebACL", - "ecs:UpdateService", - "elasticloadbalancing:DescribeLoadBalancers", - "ssm:DeleteParameter", - "cloudfront:*", - "kms:GetKeyRotationStatus", - "dynamodb:DescribeTable", - "ssm:AddTagsToResource", - "ecs:RegisterTaskDefinition", - "route53:ListResourceRecordSets", - "ecr:CreateRepository", - "ecs:DeleteService", - "application-autoscaling:UntagResource", - "ec2:DescribePrefixLists", - "backup:CreateBackupVault", - "backup:UpdateBackupPlan", - "sqs:DeleteQueue", - "ec2:DeleteVpc", - "kms:DeleteAlias", - "sns:DeleteTopic", - "wafv2:DeleteWebACL", - "dynamodb:DeleteItem", - "iam:DeletePolicy", - "sns:SetTopicAttributes", - "ses:VerifyDomainDkim", - "lambda:PutFunctionConcurrency", - "dynamodb:UpdateContinuousBackups", - "ecs:CreateService", - "elasticloadbalancing:CreateListener", - "kms:ScheduleKeyDeletion", - "ecr:DescribeRepositories", - "ecs:DescribeServices", - "iam:CreatePolicyVersion", - "ecs:UntagResource", - "sqs:ListQueues", - "wafv2:UpdateWebACL", - "dynamodb:DescribeTimeToLive", - "kms:UpdateAlias", - "backup:GetBackupSelection", - "kms:ListKeys", - "events:PutTargets", - "lambda:AddPermission", - "ecr:SetRepositoryPolicy", - "ec2:DeleteSecurityGroup", - "application-autoscaling:DeregisterScalableTarget", - "backup:DeleteBackupPlan", - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "sqs:DeleteMessage", - "elasticloadbalancing:ModifyListener", - "cloudwatch:DeleteAlarms", - "secretsmanager:DeleteSecret", - "wafv2:CreateRegexPatternSet", - "wafv2:CreateWebACL", - "dynamodb:DeleteTable", - 
"ecs:DescribeTaskDefinition", - "ec2:DeleteRouteTable", - "ec2:CreateInternetGateway", - "ec2:RevokeSecurityGroupEgress", - "sns:Subscribe", - "ec2:DeleteInternetGateway", - "wafv2:TagResource", - "dynamodb:UpdateTimeToLive", - "iam:GetPolicy", - "ec2:CreateTags", - "sns:CreateTopic", - "ecs:DeleteCluster", - "iam:UpdateRoleDescription", - "iam:DeleteRole", - "ec2:DisassociateRouteTable", - "backup:GetBackupPlan", - "wafv2:DeleteRegexPatternSet", - "dynamodb:CreateTable", - "ec2:RevokeSecurityGroupIngress", - "lambda:UpdateFunctionCode", - "ec2:CreateDefaultVpc", - "ec2:CreateSubnet", - "ec2:DescribeSubnets", - "iam:GetRolePolicy", - "sqs:setqueueattributes", - "ec2:DisassociateAddress", - "kms:UntagResource", - "ec2:CreateNatGateway", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "apigateway:SetWebACL", - "backup:CreateBackupSelection", - "scheduler:UpdateSchedule", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "s3:*", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "backup:DeleteBackupVault", - "lambda:UpdateFunctionConfiguration", - "elasticloadbalancing:DeleteTargetGroup", - "events:DeleteRule", - "backup:DescribeBackupVault", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - "iam:AttachRolePolicy", - "lambda:EnableReplication", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - 
"ecs:CreateCluster", - "route53:ChangeResourceRecordSets", - "ec2:CreateRouteTable", - "ec2:DetachInternetGateway", - "ecr:DeleteLifecyclePolicy", - "logs:CreateLogGroup", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "ssm:PutParameter", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "route53:GetChange", - "ec2:DeleteTags", - "lambda:GetLayerVersion", - "lambda:CreateEventSourceMapping", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "kms:DescribeKey", - "application-autoscaling:ListTagsForResource", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "kms:UpdateKeyDescription", - "logs:DescribeLogGroups", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "scheduler:CreateSchedule", - "logs:PutRetentionPolicy", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "cognito-idp:*", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} -} - - - -resource "aws_iam_role_policy_attachment" "github_actions_extended_dev" { - count = local.is_sandbox_or_dev ? 
1 : 0 - role = aws_iam_role.dev_github_actions[0].name - policy_arn = aws_iam_policy.github_actions_extended_dev[0].arn -} - -# aws_iam_policy github_actions_extended -# Incorporates permissions from: -# config_policy -# ecr_github_access_policy -# github_mtls_gateway -# (github_terraform_tagging_policy - Moved to inline) -# lambda_github_access_policy -# repo_app_config -# terraform_github_dynamodb_access_policy -# terraform_github_s3_access_policy -resource "aws_iam_policy" "github_actions_extended_dev" { - count = local.is_sandbox_or_dev ? 1 : 0 - description = null - name = "${terraform.workspace}-github_actions_extended" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "config:DeleteDeliveryChannel", - "config:PutConfigurationRecorder", - "config:StopConfigurationRecorder", - "config:StartConfigurationRecorder", - "config:PutDeliveryChannel", - "config:DeleteConfigurationRecorder", - "config:DescribeConfigurationRecorderStatus", - ] - Effect = "Allow" - Resource = "*" - Sid = "ConfigPolicy1" - }, - - - { - Action = [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage", - ] - Effect = "Allow" - Resource = "arn:aws:ecr:eu-west-2:*:repository/*" - Sid = "EcrGithubAccessPolicy1" - }, - - - { - Action = [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates", - ] - Effect = "Allow" - Resource = "*" - Sid = "GithubMtlsGateway1" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "GithubMtlsGateway2" - }, - { - Action = [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - 
"apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", - ] - Sid = "GithubMtlsGateway3" - }, - { - Action = [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames", - ] - Sid = "GithubMtlsGateway4" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "GithubMtlsGateway5" - }, - - - - - { - Action = [ - "lambda:CreateFunction", - "s3:PutObject", - "lambda:UpdateFunctionCode", - "kms:TagResource", - "kms:UntagResource", - "kms:Encrypt", - "kms:Decrypt", - "lambda:InvokeFunction", - "lambda:GetFunction", - "lambda:UpdateFunctionConfiguration", - "lambda:GetFunctionConfiguration", - "lambda:DeleteFunctionConcurrency", - "kms:CreateGrant", - ] - Effect = "Allow" - Resource = [ - "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*", - ] - Sid = "LambdaGithubAccessPolicy1" - }, - { - Action = "iam:ListRoles" - Effect = "Allow" - Resource = "arn:aws:lambda:eu-west-2:*:function:*" - Sid = "LambdaGithubAccessPolicy2" - }, - - - { - Action = [ - "appconfig:ListTagsForResource", - "appconfig:StartDeployment", - "appconfig:DeleteApplication", - "appconfig:GetLatestConfiguration", - "appconfig:TagResource", - "appconfig:CreateConfigurationProfile", - "appconfig:CreateExtensionAssociation", - "appconfig:DeleteConfigurationProfile", - "appconfig:CreateDeploymentStrategy", - "appconfig:CreateApplication", - "appconfig:GetDeploymentStrategy", - "appconfig:GetHostedConfigurationVersion", - 
"appconfig:ListExtensionAssociations", - "appconfig:ListDeploymentStrategies", - "appconfig:CreateHostedConfigurationVersion", - "appconfig:DeleteEnvironment", - "appconfig:UntagResource", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListEnvironments", - "appconfig:UpdateDeploymentStrategy", - "appconfig:GetExtensionAssociation", - "appconfig:GetExtension", - "appconfig:ListDeployments", - "appconfig:GetDeployment", - "appconfig:ListExtensions", - "appconfig:DeleteHostedConfigurationVersion", - "appconfig:StopDeployment", - "appconfig:CreateEnvironment", - "appconfig:UpdateEnvironment", - "appconfig:GetEnvironment", - "appconfig:ListConfigurationProfiles", - "appconfig:DeleteDeploymentStrategy", - "appconfig:ListApplications", - "appconfig:UpdateApplication", - "appconfig:CreateExtension", - "appconfig:GetConfiguration", - "appconfig:GetApplication", - "appconfig:UpdateConfigurationProfile", - "appconfig:GetConfigurationProfile", - ] - Effect = "Allow" - Resource = "*" - Sid = "RepoAppConfig1" - }, - - - { - Action = [ - "dynamodb:DescribeTable", - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem", - "dynamodb:UpdateTimeToLive", - ] - Effect = "Allow" - Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" - Sid = "TerraformGithubDynamodbAccessPolicy1" - }, - - - { - Action = "s3:ListBucket" - Effect = "Allow" - Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}" - Sid = "TerraformGithubS3AccessPolicy1" - }, - { - Action = [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:DeleteBucketPolicy", - "s3:PutBucketPolicy", - ] - Effect = "Allow" - Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}/ndr/terraform.tfstate" - Sid = "TerraformGithubS3AccessPolicy2" - }, - { - Effect = "Allow", - Action = [ - "ses:CreateConfigurationSet", - "ses:DeleteConfigurationSet", - "ses:CreateConfigurationSetEventDestination", - 
"ses:UpdateConfigurationSetEventDestination", - "ses:DeleteConfigurationSetEventDestination", - "ses:DescribeConfigurationSet", - "ses:ListConfigurationSets" - ], - Resource = "*" - Sid = "SesConfigurationSets", - } - - - ] - Version = "2012-10-17" - } - ) - tags = {} + }, + { + Action = "apigateway:SetWebACL" + Effect = "Allow" + Resource = "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" + }, + { + Action = [ + "cloudtrail:AddTags", + "cloudtrail:CreateTrail", + "cloudtrail:DeleteTrail", + "cloudtrail:StartLogging" + ] + Effect = "Allow" + Resource = [ + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:channel/*", + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:eventdatastore/*", + "arn:aws:cloudtrail:eu-west-2:${data.aws_caller_identity.current.account_id}:trail/*" + ] + }, + { + Action = [ + "dynamodb:DeleteItem", + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:UpdateTimeToLive" + ] + Effect = "Allow" + Resource = "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" + }, + { + Action = [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:GetDownloadUrlForLayer", + "ecr:InitiateLayerUpload", + "ecr:PutImage", + "ecr:UploadLayerPart" + ] + Effect = "Allow" + Resource = "arn:aws:ecr:eu-west-2:*:repository/*" + }, + { + Action = "iam:ListRoles" + Effect = "Allow" + Resource = "arn:aws:lambda:eu-west-2:*:function:*" + }, + { + Action = "logs:PutDeliverySource" + Effect = "Allow" + Resource = "arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:delivery-source:*" + }, + { + Action = "s3:ListBucket" + Effect = "Allow" + Resource = "arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}" + }, + { + Action = [ + "s3:DeleteBucketPolicy", + "s3:DeleteObject", + "s3:GetObject", + "s3:PutBucketPolicy", + "s3:PutObject" + ] + Effect = "Allow" + Resource = 
"arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}/ndr/terraform.tfstate"
+ },
+ {
+ Action = "sqs:SendMessage"
+ Effect = "Allow"
+ Resource = "arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*-mns-notification-queue"
+ },
+ ]
+ })
 }
diff --git a/base_iam/iam_github_dev_pre-prod_prod.tf b/base_iam/iam_github_dev_pre-prod_prod.tf
new file mode 100644
index 00000000..1a55c226
--- /dev/null
+++ b/base_iam/iam_github_dev_pre-prod_prod.tf
@@ -0,0 +1,93 @@
+# Resources that are common to dev, pre-prod & prod environments.
+
+resource "aws_iam_role_policy_attachment" "github_actions_dev_pre-prod_prod" {
+ count = local.is_dev_pre-prod_prod ? 1 : 0
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_dev_pre-prod_prod[0].arn
+}
+
+resource "aws_iam_policy" "github_actions_dev_pre-prod_prod" {
+ count = local.is_dev_pre-prod_prod ? 1 : 0
+ name = "${terraform.workspace}-github-actions-policy-dev_pre-prod_prod"
+ path = "/"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "acm:ListCertificates",
+ "ecs:UpdateCluster",
+ "logs:PutRetentionPolicy"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ {
+ Action = [
+ "acm:AddTagsToCertificate",
+ "acm:DeleteCertificate",
+ "acm:DescribeCertificate",
+ "acm:GetCertificate",
+ "acm:ListTagsForCertificate",
+ "apigateway:AddCertificateToDomain",
+ "apigateway:RemoveCertificateFromDomain",
+ "route53:ChangeResourceRecordSets",
+ "route53:GetHostedZone"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*",
+ "arn:aws:apigateway:eu-west-2::/domainnames",
+ "arn:aws:apigateway:eu-west-2::/domainnames/*",
+ "arn:aws:route53:::hostedzone/*"
+ ]
+ },
+ {
+ Action = [
+ "acm:AddTagsToCertificate",
+ "acm:DeleteCertificate"
+ ]
+ Effect = "Allow"
+ Resource = "arn:aws:acm:us-east-1:${data.aws_caller_identity.current.account_id}:certificate/*"
+ },
+ {
+ Action = "apigateway:AddCertificateToDomain"
+ Effect = "Allow"
+ Resource = "arn:aws:apigateway:eu-west-2::/domainnames"
+ },
+ {
+ Action = [
+ "apigateway:AddCertificateToDomain",
+ "apigateway:RemoveCertificateFromDomain"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:apigateway:eu-west-2::/domainnames",
+ "arn:aws:apigateway:eu-west-2::/domainnames/*"
+ ]
+ },
+ {
+ Action = [
+ "kms:CreateGrant",
+ "kms:Decrypt",
+ "kms:Encrypt",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "lambda:CreateFunction",
+ "lambda:DeleteFunctionConcurrency",
+ "lambda:GetFunction",
+ "lambda:GetFunctionConfiguration",
+ "lambda:InvokeFunction",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration",
+ "s3:PutObject"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*",
+ "arn:aws:lambda:eu-west-2:*:function:*"
+ ]
+ },
+ ]
+ })
+}
diff --git a/base_iam/iam_github_dev_test.tf b/base_iam/iam_github_dev_test.tf
new file mode 100644
index 00000000..f16eb39d
--- /dev/null
+++ b/base_iam/iam_github_dev_test.tf
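Review bot: The final statement pins the KMS resource to this account but leaves the account field open in `"arn:aws:lambda:eu-west-2:*:function:*"`, so the `lambda:*` actions in that statement are not bound to the account the role lives in; `"arn:aws:lambda:eu-west-2:${data.aws_caller_identity.current.account_id}:function:*"` would match the KMS ARN on the line above (the ECR and DynamoDB ARNs in the preceding dev-file hunk carry the same `*` account). `s3:PutObject` in that same statement can never match a KMS or Lambda ARN, so it is either dead or meant for a bucket that should be listed explicitly. The fourth and fifth statements, granting `apigateway:AddCertificateToDomain` / `RemoveCertificateFromDomain` on `/domainnames` and `/domainnames/*`, are already fully covered by the second statement's action and resource lists and can be dropped. `logs:PutRetentionPolicy` sits in the `Resource = "*"` statement here, whereas the dev_test policy in the next hunk scopes the same action to a `log-group:*` ARN, and the same scoping would work here. The removed inline policies carried `Sid` values and none of the new statements do; a short `Sid` per statement (e.g. `Sid = "MtlsGatewayCertificates"`) keeps Access Analyzer and CloudTrail findings attributable to a statement.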
@@ -0,0 +1,87 @@
+# Resources that are common to the dev and test environments.
+
+resource "aws_iam_role_policy_attachment" "github_actions_dev_test" {
+ count = local.is_dev_test ? 1 : 0
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_dev_test[0].arn
+}
+
+resource "aws_iam_policy" "github_actions_dev_test" {
+ count = local.is_dev_test ? 1 : 0
+ name = "${terraform.workspace}-github-actions-policy-dev_test"
+ path = "/"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "appconfig:CreateExtension",
+ "appconfig:CreateExtensionAssociation",
+ "appconfig:DeleteApplication",
+ "appconfig:DeleteConfigurationProfile",
+ "appconfig:DeleteEnvironment",
+ "appconfig:GetApplication",
+ "appconfig:GetConfiguration",
+ "appconfig:GetConfigurationProfile",
+ "appconfig:GetDeployment",
+ "appconfig:GetDeploymentStrategy",
+ "appconfig:GetEnvironment",
+ "appconfig:GetExtension",
+ "appconfig:GetExtensionAssociation",
+ "appconfig:GetHostedConfigurationVersion",
+ "appconfig:GetLatestConfiguration",
+ "appconfig:ListApplications",
+ "appconfig:ListConfigurationProfiles",
+ "appconfig:ListDeploymentStrategies",
+ "appconfig:ListDeployments",
+ "appconfig:ListEnvironments",
+ "appconfig:ListExtensionAssociations",
+ "appconfig:ListExtensions",
+ "appconfig:ListHostedConfigurationVersions",
+ "appconfig:ListTagsForResource",
+ "appconfig:StopDeployment",
+ "appconfig:UntagResource",
+ "appconfig:UpdateApplication",
+ "appconfig:UpdateConfigurationProfile",
+ "appconfig:UpdateDeploymentStrategy",
+ "appconfig:UpdateEnvironment",
+ "backup:DeleteBackupPlan",
+ "backup:GetBackupPlan",
+ "backup:GetBackupSelection",
+ "ec2:DeleteNatGateway",
+ "s3:*",
+ "sqs:TagQueue",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ {
+ Action = [
+ "logs:AssociateKmsKey",
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:DeleteResourcePolicy",
+ "logs:DeleteRetentionPolicy",
+ "logs:DescribeLogGroups",
+ "logs:DisassociateKmsKey",
+ "logs:PutLogEvents",
+ "logs:PutResourcePolicy",
+ "logs:PutRetentionPolicy",
+ "logs:TagResource",
+ "logs:UntagResource"
+ ]
+ Effect = "Allow"
+ Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*"
+ },
+ {
+ Action = "servicequotas:RequestServiceQuotaIncrease"
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:servicequotas::${data.aws_caller_identity.current.account_id}:iam/L-E95E4862",
+ "arn:aws:servicequotas::${data.aws_caller_identity.current.account_id}:iam/L-FE177D64",
+ "arn:aws:servicequotas:us-east-1:${data.aws_caller_identity.current.account_id}:lambda/L-B99A9384"
+ ]
+ },
+ ]
+ })
+}
diff --git a/base_iam/iam_github_pre-prod.tf b/base_iam/iam_github_pre-prod.tf
index 1443faf0..efbec3b0 100644
--- a/base_iam/iam_github_pre-prod.tf
+++ b/base_iam/iam_github_pre-prod.tf
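Review bot: `"s3:*"` sits in the first statement under `Resource = "*"`, which carries the unrestricted S3 grant from the removed `github_actions_terraform_full` policy into every dev and test workspace; the removed extended policy already shows the pattern for naming the state bucket (`arn:aws:s3:::ndr-dev-terraform-state-${data.aws_caller_identity.current.account_id}`), and the buckets the pipelines touch should be listed the same way. `ec2:DeleteNatGateway` and `sqs:TagQueue` in that statement also accept resource ARNs and belong in an account-scoped statement, e.g. `"arn:aws:sqs:eu-west-2:${data.aws_caller_identity.current.account_id}:*"`. Compared with the removed `RepoAppConfig1` list, this appconfig list no longer contains `appconfig:CreateApplication`, `CreateEnvironment`, `CreateConfigurationProfile`, `CreateDeploymentStrategy`, `CreateHostedConfigurationVersion`, `StartDeployment` or `TagResource`; if those moved to a file outside this diff that is fine, otherwise dev deployments that create AppConfig resources will start failing. The `logs` statement, scoped to `log-group:*` in eu-west-2, is the model the `*` statement above should follow. The trailing comma after `"sqs:TagQueue",` is valid HCL but the other lists in this file omit it, so one form should be used throughout.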
@@ -1,982 +1,26 @@ -# aws_iam_role.pre_prod_github_actions[0]: -resource "aws_iam_role" "pre_prod_github_actions" { - count = local.is_pre_production ? 1 : 0 - name = "${terraform.workspace}-github-actions-role" - description = "This role is to provide access for GitHub Actions to the ${terraform.workspace} environment." - force_detach_policies = false - max_session_duration = 3600 - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - assume_role_policy = jsonencode( - { - Statement = [ - { - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - StringEquals = { - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" - } - StringLike = { - "token.actions.githubusercontent.com:sub" = [ - "repo:NHSDigital/national-document-repository-infrastructure:*", - "repo:NHSDigital/national-document-repository:*", - ] - } - } - Effect = "Allow" - Principal = { - Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com" - } - }, - ] - Version = "2012-10-17" - } - ) -} - - -# INLINE POLICIES - -resource "aws_iam_role_policy" "cloudfront_policy_pre_prod" { - count = local.is_pre_production ? 
1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "cloudfront_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudfront:CreateCachePolicy", - "cloudfront:DeleteCachePolicy", - "cloudfront:CreateOriginAccessControl", - "cloudfront:CreateDistribution", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:DeleteDistribution", - "lambda:EnableReplication", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:CreateInvalidation", - "cloudfront:UpdateOriginAccessControl", - "cloudfront:CreateOriginRequestPolicy", - "cloudfront:UpdateOriginRequestPolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "cloudwatch_logs_policy_pre_prod" { - count = local.is_pre_production ? 1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:ListTagsLogGroup", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "logs:DeleteMetricFilter", - "logs:DescribeLogGroups", - "logs:PutRetentionPolicy", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutResourcePolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "AllowLogGroup" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "ecr_policy_pre_prod" { - count = local.is_pre_production ? 
1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "ecr_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecr:InitiateLayerUpload", - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart", - ] - Effect = "Allow" - Resource = [ - "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/ndr-pre-prod-app", - "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/pre-prod-data-collection", - ] - Sid = "AllowAppAndOdsUpdate" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "ecs_policy_pre_prod" { - count = local.is_pre_production ? 1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "ecs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "github_extended_policy_virus_scanner_pre_prod" { - count = local.is_pre_production ? 
1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "github-extended-policy-virus-scanner" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ssm:CreateDocument", - "iam:TagRole", - "SNS:TagResource", - "SNS:SetSubscriptionAttributes", - "cognito-idp:CreateUserPool", - "cognito-idp:TagResource", - "cognito-idp:SetUserPoolMfaConfig", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:DeleteInstanceProfile", - "cloudformation:CreateResource", - "cognito-idp:DeleteUserPool", - "cognito-idp:CreateGroup", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:AdminAddUserToGroup", - ] - Effect = "Allow" - Resource = "*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "lambda_pre_prod" { - count = local.is_pre_production ? 1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "lambda" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:CreateFunction", - "lambda:DeleteFunctionConcurrency", - "lambda:GetFunction", - "lambda:GetFunctionConfiguration", - "lambda:InvokeFunction", - "lambda:UpdateFunctionCode", - "lambda:UpdateFunctionConfiguration", - "kms:CreateGrant", - "kms:Decrypt", - "kms:Encrypt", - "kms:TagResource", - "kms:UntagResource", - "s3:PutObject", - ] - Effect = "Allow" - Resource = [ - "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*", - ] - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "mtls_gateway_pre_prod" { - count = local.is_pre_production ? 
1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "mtls-gateway" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor1" - }, - { - Action = [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames", - ] - Sid = "VisualEditor3" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor4" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "resource_tagging_pre_prod" { - count = local.is_pre_production ? 
1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "resource_tagging" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile", - ] - Effect = "Allow" - Resource = [ - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", - "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", - "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", - "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-source:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:destination:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-destination:*", - 
"arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:anomaly-detector:*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "rum_policy_pre_prod" { - count = local.is_pre_production ? 1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" - Sid = "AllowIdentityPool" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" - Sid = "AllowAppMonitor" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = 
"arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" - Sid = "AllowRumServiceLogs" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "AllowRumServiceAllLogs" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "scheduler_policy_pre_prod" { - count = local.is_pre_production ? 1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "scheduler_policy" - policy = jsonencode( - { - Statement = [ - { - Action = "scheduler:DeleteSchedule" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "step_functions_pre_prod" { - count = local.is_pre_production ? 1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - name = "step_functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "arn:aws:states:eu-west-2:${data.aws_caller_identity.current.account_id}:stateMachine:*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - - -# ATTACHED POLICIES - -resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_pre_prod" { - count = local.is_pre_production ? 1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" -} - -resource "aws_iam_role_policy_attachment" "github_actions_policy_pre_prod" { - count = local.is_pre_production ? 
1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - policy_arn = aws_iam_policy.github_actions_policy_pre_prod[0].arn -} - -# aws_iam_policy.github_actions_policy_pre_prod[0]: -resource "aws_iam_policy" "github_actions_policy_pre_prod" { - count = local.is_pre_production ? 1 : 0 - description = null - name = "${terraform.workspace}-github-actions-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "apigateway:DELETE", - "apigateway:PATCH", - "apigateway:POST", - "apigateway:PUT", - "cloudwatch:DeleteAlarms", - "cloudwatch:PutMetricAlarm", - "dynamodb:CreateTable", - "dynamodb:DeleteItem", - "dynamodb:DeleteTable", - "dynamodb:DescribeContinuousBackups", - "dynamodb:DescribeTable", - "dynamodb:DescribeTimeToLive", - "dynamodb:GetItem", - "dynamodb:ListTagsOfResource", - "dynamodb:PutItem", - "dynamodb:TagResource", - "dynamodb:UpdateTimeToLive", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateDefaultVpc", - "ec2:CreateInternetGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:DeleteInternetGateway", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribePrefixLists", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:ModifyVpcAttribute", - "ec2:ModifyVpcEndpoint", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ecr:CreateRepository", - "ecr:DeleteLifecyclePolicy", - "ecr:DeleteRepository", - 
"ecr:DeleteRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:GetAuthorizationToken", - "ecr:GetLifecyclePolicy", - "ecr:GetRepositoryPolicy", - "ecr:ListTagsForResource", - "ecr:PutLifecyclePolicy", - "ecr:SetRepositoryPolicy", - "ecr:TagResource", - "ecs:CreateCluster", - "ecs:CreateService", - "ecs:DeleteCluster", - "ecs:DeleteService", - "ecs:DeregisterTaskDefinition", - "ecs:DescribeClusters", - "ecs:DescribeServices", - "ecs:DescribeTaskDefinition", - "ecs:RegisterTaskDefinition", - "ecs:UpdateService", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:SetSecurityGroups", - "events:PutRule", - "events:PutTargets", - "iam:AttachRolePolicy", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePolicy", - "iam:DetachRolePolicy", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:PutRolePolicy", - "kms:RetireGrant", - "lambda:AddPermission", - "lambda:CreateEventSourceMapping", - "lambda:DeleteEventSourceMapping", - "lambda:DeleteFunction", - "lambda:GetPolicy", - "lambda:RemovePermission", - "logs:CreateLogGroup", - "logs:DeleteLogGroup", - "logs:DescribeLogGroups", - 
"logs:ListTagsLogGroup", - "route53:AssociateVPCWithHostedZone", - "route53:ChangeResourceRecordSets", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListHostedZones", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetAccelerateConfiguration", - "s3:GetBucketAcl", - "s3:GetBucketCORS", - "s3:GetBucketLogging", - "s3:GetBucketObjectLockConfiguration", - "s3:GetBucketOwnershipControls", - "s3:GetBucketPolicy", - "s3:GetBucketRequestPayment", - "s3:GetBucketTagging", - "s3:GetBucketVersioning", - "s3:GetBucketWebsite", - "s3:GetEncryptionConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetObject", - "s3:GetReplicationConfiguration", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketOwnershipControls", - "s3:PutBucketPolicy", - "s3:PutBucketTagging", - "s3:PutLifecycleConfiguration", - "s3:PutObject", - "secretsmanager:DeleteSecret", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:Unsubscribe", - "sqs:DeleteMessage", - "sqs:DeleteQueue", - "sqs:ListQueues", - "sqs:createqueue", - "sqs:setqueueattributes", - "ssm:AddTagsToResource", - "ssm:DeleteParameter", - "ssm:PutParameter", - "events:RemoveTargets", - "wafv2:CreateRegexPatternSet", - "wafv2:TagResource", - "wafv2:CreateWebACL", - "wafv2:AssociateWebACL", - "elasticloadbalancing:SetWebACL", - "events:DeleteRule", - "wafv2:DeleteRegexPatternSet", - "wafv2:DeleteWebACL", - "s3:PutIntelligentTieringConfiguration", - "ecs:UntagResource", - "lambda:UpdateFunctionConfiguration", - "lambda:UpdateFunctionCode", - "sqs:tagqueue", - "kms:TagResource", - "wafv2:UpdateWebACL", - "dynamodb:UpdateTable", - "kms:CreateKey", - "dynamodb:UpdateContinuousBackups", - "backup:CreateBackupVault", - 
"application-autoscaling:RegisterScalableTarget", - "application-autoscaling:TagResource", - "s3:PutBucketVersioning", - "kms:CreateAlias", - "kms:DeleteAlias", - "kms:DescribeKey", - "kms:EnableKeyRotation", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListKeys", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:UntagResource", - "kms:UpdateAlias", - "kms:UpdateKeyDescription", - "kms:ScheduleKeyDeletion", - "application-autoscaling:PutScalingPolicy", - "application-autoscaling:DeleteScalingPolicy", - "application-autoscaling:DeregisterScalableTarget", - "application-autoscaling:UntagResource", - "application-autoscaling:ListTagsForResource", - "cloudwatch:TagResource", - "cloudwatch:UntagResource", - "cloudwatch:ListTagsForResource", - "backup-storage:MountCapsule", - "backup:CreateBackupPlan", - "lambda:PutFunctionConcurrency", - "backup:CreateBackupSelection", - "backup:UpdateBackupPlan", - "backup:DescribeBackupJob", - "backup:ListTags", - "backup:TagResource", - "backup:DeleteBackupVault", - "backup:DeleteBackupSelection", - "iam:UpdateRoleDescription", - "logs:PutMetricFilter", - "ec2:AllocateAddress", - "ec2:CreateNatGateway", - "scheduler:CreateSchedule", - "scheduler:UpdateSchedule", - ] - Effect = "Allow" - Resource = "*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} -} - -resource "aws_iam_role_policy_attachment" "github_extended_policy_1_pre_prod" { - count = local.is_pre_production ? 1 : 0 - role = aws_iam_role.pre_prod_github_actions[0].name - policy_arn = aws_iam_policy.github_extended_policy_1_pre_prod[0].arn -} - -# aws_iam_policy.github_extended_policy_1_pre_prod[0]: -resource "aws_iam_policy" "github_extended_policy_1_pre_prod" { - count = local.is_pre_production ? 
1 : 0 - description = "more required items for GitHub access" - name = "${terraform.workspace}-github-extended-policy-1" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "appconfig:StartDeployment", - "elasticloadbalancing:ModifyListener", - "appconfig:TagResource", - "appconfig:CreateDeploymentStrategy", - "lambda:ListLayers", - "ecs:TagResource", - "appconfig:DeleteHostedConfigurationVersion", - "lambda:PublishVersion", - "dynamodb:UpdateTable", - "ec2:DisassociateAddress", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "lambda:RemoveLayerVersionPermission", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "logs:DeleteMetricFilter", - "apigateway:SetWebACL", - "ec2:DescribeAvailabilityZones", - "backup:CreateBackupSelection", - "kms:CreateKey", - "ec2:ReleaseAddress", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "lambda:UpdateEventSourceMapping", - "backup:DeleteBackupVault", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "elasticloadbalancing:DeleteTargetGroup", - "appconfig:CreateEnvironment", - "backup:DescribeBackupVault", - "events:DeleteRule", - "iam:CreateServiceLinkedRole", - "appconfig:DeleteDeploymentStrategy", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - "iam:AttachRolePolicy", - "appconfig:CreateApplication", - "ec2:AssociateRouteTable", - "ec2:DescribeInternetGateways", - "elasticloadbalancing:DeleteLoadBalancer", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "lambda:ListLayerVersions", - "ec2:DescribeRouteTables", - "elasticloadbalancing:ModifyTargetGroupAttributes", - 
"application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "ec2:CreateRouteTable", - "route53:ChangeResourceRecordSets", - "lambda:AddLayerVersionPermission", - "ec2:DetachInternetGateway", - "logs:CreateLogGroup", - "ecr:DeleteLifecyclePolicy", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "ssm:PutParameter", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "logs:PutMetricFilter", - "ec2:DescribeSecurityGroupRules", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "s3:PutBucketLogging", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "appconfig:CreateConfigurationProfile", - "route53:GetChange", - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "ses:VerifyDomainDkim", - "lambda:CreateEventSourceMapping", - "lambda:GetLayerVersionPolicy", - "kms:TagResource", - "dynamodb:TagResource", - "elasticloadbalancing:DescribeListeners", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "appconfig:CreateHostedConfigurationVersion", - "lambda:DeleteLayerVersion", - "application-autoscaling:ListTagsForResource", - "kms:DescribeKey", - "ec2:ModifyVpcAttribute", - "ecs:UntagResource", - "ecr:DeleteRepositoryPolicy", - "s3:GetBucketPublicAccessBlock", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "s3:PutBucketPublicAccessBlock", - "logs:DescribeLogGroups", - "kms:UpdateKeyDescription", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "lambda:DeleteFunctionConcurrency", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "s3:PutBucketNotification", - "iam:UpdateAssumeRolePolicy", - "sqs:sendmessage", - "kms:GenerateDataKey", - ] - Effect = "Allow" - Resource = "*" - Sid = 
"VisualEditor0" - }, - { - Action = [ - "acm:AddTagsToCertificate", - "acm:DeleteCertificate", - ] - Effect = "Allow" - Resource = "arn:aws:acm:us-east-1:${data.aws_caller_identity.current.account_id}:certificate/*" - Sid = "VisualEditor1" - }, - { - Effect = "Allow", - Action = [ - "ses:CreateConfigurationSet", - "ses:DeleteConfigurationSet", - "ses:CreateConfigurationSetEventDestination", - "ses:UpdateConfigurationSetEventDestination", - "ses:DeleteConfigurationSetEventDestination", - "ses:DescribeConfigurationSet", - "ses:ListConfigurationSets" - ], - Resource = "*" - Sid = "SesConfigurationSets", - } - ] - Version = "2012-10-17" - } - ) - tags = {} +# Resources that are specific to the pre-prod environment only. + +resource "aws_iam_role_policy_attachment" "github_actions_pre-prod" { + count = local.is_pre-prod ? 1 : 0 + role = aws_iam_role.github_actions.name + policy_arn = aws_iam_policy.github_actions_pre-prod[0].arn +} + +resource "aws_iam_policy" "github_actions_pre-prod" { + count = local.is_pre-prod ? 1 : 0 + name = "${terraform.workspace}-github-actions-policy-pre-prod" + path = "/" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "kms:GenerateDataKey", + "sqs:sendmessage" + ] + Effect = "Allow" + Resource = "*" + } + ] + }) } diff --git a/base_iam/iam_github_pre-prod_prod.tf b/base_iam/iam_github_pre-prod_prod.tf new file mode 100644 index 00000000..f499a250 --- /dev/null +++ b/base_iam/iam_github_pre-prod_prod.tf 
@@ -0,0 +1,77 @@
+# Resources that are common to pre-prod and prod environments.
+
+resource "aws_iam_role_policy_attachment" "github_actions_pre-prod_prod" {
+ count = local.is_pre-prod_prod ? 1 : 0
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_pre-prod_prod[0].arn
+}
+
+resource "aws_iam_policy" "github_actions_pre-prod_prod" {
+ count = local.is_pre-prod_prod ? 1 : 0
+ name = "${terraform.workspace}-github-actions-policy-pre-prod_prod"
+ path = "/"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "SNS:TagResource",
+ "backup:DescribeBackupJob",
+ "backup:TagResource",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:PutResourcePolicy",
+ "s3:CreateBucket",
+ "s3:DeleteBucket",
+ "s3:DeleteBucketPolicy",
+ "s3:DeleteObjectTagging",
+ "s3:DeleteObjectVersion",
+ "s3:DeleteObjectVersionTagging",
+ "s3:GetAccelerateConfiguration",
+ "s3:GetBucketAcl",
+ "s3:GetBucketCORS",
+ "s3:GetBucketLogging",
+ "s3:GetBucketObjectLockConfiguration",
+ "s3:GetBucketOwnershipControls",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:GetBucketRequestPayment",
+ "s3:GetBucketTagging",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketWebsite",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetLifecycleConfiguration",
+ "s3:GetReplicationConfiguration",
+ "s3:PutBucketAcl",
+ "s3:PutBucketCORS",
+ "s3:PutBucketLogging",
+ "s3:PutBucketNotification",
+ "s3:PutBucketOwnershipControls",
+ "s3:PutBucketPolicy",
+ "s3:PutBucketPublicAccessBlock",
+ "s3:PutBucketTagging",
+ "s3:PutBucketVersioning",
+ "s3:PutIntelligentTieringConfiguration",
+ "s3:PutLifecycleConfiguration",
+ "sqs:tagqueue"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ {
+ Action = [
+ "ecr:BatchDeleteImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:InitiateLayerUpload",
+ "ecr:PutImage",
+ "ecr:UploadLayerPart"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/ndr-${var.environment}-app",
+ "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/${var.environment}-data-collection"
+ ]
+ },
+ ]
+ })
+}
diff --git a/base_iam/iam_github_prod.tf b/base_iam/iam_github_prod.tf
deleted file mode 100644
index ba78b229..00000000
--- a/base_iam/iam_github_prod.tf
+++ /dev/null
@@ -1,1042 +0,0 @@ -# aws_iam_role.prod_github_actions[0]: -resource "aws_iam_role" "prod_github_actions" { - count = local.is_prod ? 1 : 0 - name = "${terraform.workspace}-github-actions-role" - description = "This role is to provide access for GitHub Actions to the ${terraform.workspace} environment." - force_detach_policies = false - max_session_duration = 3600 - name_prefix = null - path = "/" - permissions_boundary = null - tags = {} - assume_role_policy = jsonencode( - { - Statement = [ - { - Action = "sts:AssumeRoleWithWebIdentity" - Condition = { - StringEquals = { - "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com" - } - StringLike = { - "token.actions.githubusercontent.com:sub" = [ - "repo:NHSDigital/national-document-repository:*", - "repo:NHSDigital/national-document-repository-infrastructure:*", - ] - } - } - Effect = "Allow" - Principal = { - Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com" - } - }, - ] - Version = "2012-10-17" - } - ) -} - -# INLINE POLICIES - -resource "aws_iam_role_policy" "CloudWatchLogsPolicy_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "CloudWatchLogsPolicy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:ListTagsLogGroup", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "logs:DeleteMetricFilter", - "logs:DescribeLogGroups", - "logs:PutRetentionPolicy", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutResourcePolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "AllowLogGroup" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "CloudWatchRumPolicy_prod" { - count = local.is_prod ? 
1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "CloudWatchRumPolicy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" - Sid = "AllowIdentityPool" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" - Sid = "AllowAppMonitor" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" - Sid = "AllowRumServiceLogs" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "AllowRumServiceAllLogs" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "GithubCloudfrontPolicy_prod" { - count = local.is_prod ? 
1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "GithubCloudfrontPolicy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudfront:CreateOriginAccessControl", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:TagResource", - "cloudfront:CreateDistribution", - "cloudfront:CreateInvalidation", - "lambda:EnableReplication", - "cloudfront:CreateCachePolicy", - "iam:CreateServiceLinkedRole", - "cloudfront:DeleteCachePolicy", - "lambda:PublishVersion", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteDistribution", - "cloudfront:UntagResource", - "cloudfront:UpdateOriginRequestPolicy", - "cloudfront:CreateOriginRequestPolicy", - "cloudfront:UpdateOriginAccessControl", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "GithubECSPolicy_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "GithubECSPolicy" - policy = jsonencode( - { - Statement = [ - { - Action = "ecs:TagResource" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "GithubSchedulerPolicy_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "GithubSchedulerPolicy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "scheduler:UpdateSchedule", - "scheduler:CreateSchedule", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "acm_prod" { - count = local.is_prod ? 
1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "acm" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:AddTagsToCertificate", - "acm:DeleteCertificate", - ] - Effect = "Allow" - Resource = "arn:aws:acm:us-east-1:${data.aws_caller_identity.current.account_id}:certificate/*" - Sid = "VisualEditor1" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "ecr_policy_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "ecr_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecr:InitiateLayerUpload", - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart", - ] - Effect = "Allow" - Resource = [ - "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/ndr-prod-app", - "arn:aws:ecr:eu-west-2:${data.aws_caller_identity.current.account_id}:repository/prod-data-collection", - ] - Sid = "ecrAllowPolicy" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "github_extended_policy_virus_scanner_prod" { - count = local.is_prod ? 
1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "github-extended-policy-virus-scanner" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ssm:CreateDocument", - "iam:TagRole", - "SNS:TagResource", - "SNS:SetSubscriptionAttributes", - "cognito-idp:CreateUserPool", - "cognito-idp:TagResource", - "cognito-idp:SetUserPoolMfaConfig", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:DeleteInstanceProfile", - "cloudformation:CreateResource", - "cognito-idp:DeleteUserPool", - "cognito-idp:CreateGroup", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:AdminAddUserToGroup", - ] - Effect = "Allow" - Resource = "*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "lambda_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "lambda" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "lambda:CreateFunction", - "lambda:DeleteFunctionConcurrency", - "lambda:GetFunction", - "lambda:GetFunctionConfiguration", - "lambda:InvokeFunction", - "lambda:UpdateFunctionCode", - "lambda:UpdateFunctionConfiguration", - "kms:CreateGrant", - "kms:Decrypt", - "kms:Encrypt", - "kms:TagResource", - "kms:UntagResource", - "s3:PutObject", - ] - Effect = "Allow" - Resource = [ - "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*", - ] - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "mtls_gateway_prod" { - count = local.is_prod ? 
1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "mtls-gateway" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor1" - }, - { - Action = [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${data.aws_caller_identity.current.account_id}:certificate/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames", - ] - Sid = "VisualEditor3" - }, - { - Action = "apigateway:AddCertificateToDomain" - Effect = "Allow" - Resource = "arn:aws:apigateway:eu-west-2::/domainnames" - Sid = "VisualEditor4" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "resource_tagging_prod" { - count = local.is_prod ? 
1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "resource_tagging" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile", - ] - Effect = "Allow" - Resource = [ - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:event-bus/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:event-source-mapping:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:code-signing-config:*", - "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:*", - "arn:aws:cognito-identity:*:${data.aws_caller_identity.current.account_id}:identitypool/*", - "arn:aws:resource-groups:*:${data.aws_caller_identity.current.account_id}:group/*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-plan:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:report-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:restore-testing-plan:*-*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:backup-vault:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:legal-hold:*", - "arn:aws:backup:*:${data.aws_caller_identity.current.account_id}:framework:*-*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:instance-profile/*", - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*", - "arn:aws:sns:*:${data.aws_caller_identity.current.account_id}:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-source:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:destination:*", - "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:delivery-destination:*", - 
"arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:anomaly-detector:*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener/net/*/*/*", - 
"arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${data.aws_caller_identity.current.account_id}:loadbalancer/app/*/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "step_functions_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].id - name = "step_functions" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource", - ] - Effect = "Allow" - Resource = "arn:aws:states:eu-west-2:${data.aws_caller_identity.current.account_id}:stateMachine:*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -############################################################### -# ATTACHED POLICIES - -resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].name - policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" -} - -resource "aws_iam_role_policy_attachment" "GitHubAllAccess_prod" { - count = local.is_prod ? 
1 : 0 - role = aws_iam_role.prod_github_actions[0].name - policy_arn = aws_iam_policy.GitHubAllAccess_prod[0].arn -} - -# aws_iam_policy.GitHubAllAccess_prod[0]: -resource "aws_iam_policy" "GitHubAllAccess_prod" { - count = local.is_prod ? 1 : 0 - description = "Access for Github Workflows" - name = "${terraform.workspace}-GitHubAllAccess" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "apigateway:DELETE", - "apigateway:PATCH", - "apigateway:POST", - "apigateway:PUT", - "cloudwatch:DeleteAlarms", - "cloudwatch:PutMetricAlarm", - "dynamodb:CreateTable", - "dynamodb:DeleteItem", - "dynamodb:DeleteTable", - "dynamodb:DescribeContinuousBackups", - "dynamodb:DescribeTable", - "dynamodb:DescribeTimeToLive", - "dynamodb:GetItem", - "dynamodb:ListTagsOfResource", - "dynamodb:PutItem", - "dynamodb:TagResource", - "dynamodb:UpdateTimeToLive", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateDefaultVpc", - "ec2:CreateInternetGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:DeleteInternetGateway", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribePrefixLists", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:ModifyVpcAttribute", - "ec2:ModifyVpcEndpoint", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ecr:CreateRepository", - "ecr:DeleteLifecyclePolicy", - "ecr:DeleteRepository", - 
"ecr:DeleteRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:GetAuthorizationToken", - "ecr:GetLifecyclePolicy", - "ecr:GetRepositoryPolicy", - "ecr:ListTagsForResource", - "ecr:PutLifecyclePolicy", - "ecr:SetRepositoryPolicy", - "ecr:TagResource", - "ecs:CreateCluster", - "ecs:CreateService", - "ecs:DeleteCluster", - "ecs:DeleteService", - "ecs:DeregisterTaskDefinition", - "ecs:DescribeClusters", - "ecs:DescribeServices", - "ecs:DescribeTaskDefinition", - "ecs:RegisterTaskDefinition", - "ecs:UpdateService", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:SetSecurityGroups", - "events:PutRule", - "events:PutTargets", - "iam:AttachRolePolicy", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePolicy", - "iam:DetachRolePolicy", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:PutRolePolicy", - "kms:RetireGrant", - "lambda:AddPermission", - "lambda:CreateEventSourceMapping", - "lambda:DeleteEventSourceMapping", - "lambda:DeleteFunction", - "lambda:GetPolicy", - "lambda:RemovePermission", - "logs:CreateLogGroup", - "logs:DeleteLogGroup", - "logs:DescribeLogGroups", - 
"logs:ListTagsLogGroup", - "route53:AssociateVPCWithHostedZone", - "route53:ChangeResourceRecordSets", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListHostedZones", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetAccelerateConfiguration", - "s3:GetBucketAcl", - "s3:GetBucketCORS", - "s3:GetBucketLogging", - "s3:GetBucketObjectLockConfiguration", - "s3:GetBucketOwnershipControls", - "s3:GetBucketPolicy", - "s3:GetBucketRequestPayment", - "s3:GetBucketTagging", - "s3:GetBucketVersioning", - "s3:GetBucketWebsite", - "s3:GetEncryptionConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetObject", - "s3:GetReplicationConfiguration", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketOwnershipControls", - "s3:PutBucketPolicy", - "s3:PutBucketTagging", - "s3:PutLifecycleConfiguration", - "s3:PutObject", - "secretsmanager:DeleteSecret", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:Unsubscribe", - "sqs:DeleteMessage", - "sqs:DeleteQueue", - "sqs:ListQueues", - "sqs:createqueue", - "sqs:setqueueattributes", - "ssm:AddTagsToResource", - "ssm:DeleteParameter", - "ssm:PutParameter", - "events:RemoveTargets", - "wafv2:CreateRegexPatternSet", - "wafv2:TagResource", - "wafv2:CreateWebACL", - "wafv2:AssociateWebACL", - "elasticloadbalancing:SetWebACL", - "events:DeleteRule", - "wafv2:DeleteRegexPatternSet", - "wafv2:DeleteWebACL", - "s3:PutIntelligentTieringConfiguration", - "ecs:UntagResource", - "lambda:UpdateFunctionConfiguration", - "lambda:UpdateFunctionCode", - "sqs:tagqueue", - "kms:TagResource", - "wafv2:UpdateWebACL", - "dynamodb:UpdateTable", - "kms:CreateKey", - "dynamodb:UpdateContinuousBackups", - "backup:CreateBackupVault", - 
"application-autoscaling:RegisterScalableTarget", - "application-autoscaling:TagResource", - "s3:PutBucketVersioning", - "kms:CreateAlias", - "kms:DeleteAlias", - "kms:DescribeKey", - "kms:EnableKeyRotation", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListKeys", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:UntagResource", - "kms:UpdateAlias", - "kms:UpdateKeyDescription", - "kms:ScheduleKeyDeletion", - "application-autoscaling:PutScalingPolicy", - "application-autoscaling:DeleteScalingPolicy", - "application-autoscaling:DeregisterScalableTarget", - "application-autoscaling:UntagResource", - "application-autoscaling:ListTagsForResource", - "cloudwatch:TagResource", - "cloudwatch:UntagResource", - "cloudwatch:ListTagsForResource", - "backup-storage:MountCapsule", - "backup:CreateBackupPlan", - "lambda:PutFunctionConcurrency", - "backup:CreateBackupSelection", - "backup:UpdateBackupPlan", - "backup:DescribeBackupJob", - "backup:ListTags", - "backup:TagResource", - "backup:DeleteBackupVault", - "backup:DeleteBackupSelection", - "iam:UpdateRoleDescription", - "logs:PutMetricFilter", - "ec2:AllocateAddress", - "ec2:CreateNatGateway", - ] - Effect = "Allow" - Resource = "*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} -} - -resource "aws_iam_role_policy_attachment" "ecs_policy_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].name - policy_arn = aws_iam_policy.ecs_policy_prod[0].arn -} - -# aws_iam_policy.ecs_policy_prod[0]: -resource "aws_iam_policy" "ecs_policy_prod" { - count = local.is_prod ? 
1 : 0 - description = null - name = "${terraform.workspace}-ecs_policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} -} - -resource "aws_iam_role_policy_attachment" "github_extension_1_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].name - policy_arn = aws_iam_policy.github_extension_1_prod[0].arn -} - -# aws_iam_policy.github_extension_1_prod[0]: -resource "aws_iam_policy" "github_extension_1_prod" { - count = local.is_prod ? 1 : 0 - description = null - name = "${terraform.workspace}-github-extension-1" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "appconfig:StartDeployment", - "elasticloadbalancing:ModifyListener", - "appconfig:TagResource", - "appconfig:CreateDeploymentStrategy", - "lambda:ListLayers", - "appconfig:DeleteHostedConfigurationVersion", - "dynamodb:UpdateTable", - "ec2:DisassociateAddress", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "lambda:RemoveLayerVersionPermission", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "logs:DeleteMetricFilter", - "apigateway:SetWebACL", - "backup:CreateBackupSelection", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "ec2:ReleaseAddress", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "lambda:UpdateEventSourceMapping", - "backup:DeleteBackupVault", - "route53:ListHostedZones", - "kms:GetKeyPolicy", - "elasticloadbalancing:DeleteTargetGroup", - "appconfig:CreateEnvironment", - "backup:DescribeBackupVault", - "events:DeleteRule", - "appconfig:DeleteDeploymentStrategy", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - 
"lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - "iam:AttachRolePolicy", - "appconfig:CreateApplication", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "lambda:ListLayerVersions", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "route53:ChangeResourceRecordSets", - "ec2:CreateRouteTable", - "lambda:AddLayerVersionPermission", - "ec2:DetachInternetGateway", - "logs:CreateLogGroup", - "ecr:DeleteLifecyclePolicy", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "ssm:PutParameter", - "logs:PutMetricFilter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "s3:PutBucketLogging", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "appconfig:CreateConfigurationProfile", - "route53:GetChange", - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "ses:VerifyDomainDkim", - "lambda:CreateEventSourceMapping", - "lambda:GetLayerVersionPolicy", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "appconfig:CreateHostedConfigurationVersion", - "apigateway:PATCH", - "lambda:DeleteLayerVersion", - "kms:DescribeKey", - "application-autoscaling:ListTagsForResource", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "s3:GetBucketPublicAccessBlock", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "s3:PutBucketPublicAccessBlock", - "kms:UpdateKeyDescription", - "logs:DescribeLogGroups", - "logs:DeleteLogGroup", 
- "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "lambda:DeleteFunctionConcurrency", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "s3:PutBucketNotification", - "iam:UpdateAssumeRolePolicy", - "ses:CreateConfigurationSet", - "ses:DeleteConfigurationSet", - "ses:CreateConfigurationSetEventDestination", - "ses:UpdateConfigurationSetEventDestination", - "ses:DeleteConfigurationSetEventDestination", - "ses:DescribeConfigurationSet", - "ses:ListConfigurationSets", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} -} - -resource "aws_iam_role_policy_attachment" "scheduler_policy_prod" { - count = local.is_prod ? 1 : 0 - role = aws_iam_role.prod_github_actions[0].name - policy_arn = aws_iam_policy.scheduler_policy_prod[0].arn -} - -# aws_iam_policy.scheduler_policy_prod[0]: -resource "aws_iam_policy" "scheduler_policy_prod" { - count = local.is_prod ? 1 : 0 - description = null - name = "${terraform.workspace}-scheduler_policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = "scheduler:DeleteSchedule" - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} -} diff --git a/base_iam/iam_github_test.tf b/base_iam/iam_github_test.tf index 13fc2bd3..55322a54 100644 --- a/base_iam/iam_github_test.tf +++ b/base_iam/iam_github_test.tf 
@@ -1,806 +1,60 @@
-# aws_iam_role.test_github_actions[0]:
-resource "aws_iam_role" "test_github_actions" {
- count = local.is_testing ? 1 : 0
- name = "${terraform.workspace}-github-actions-role"
- description = "This role is to provide access for GitHub Actions to the ${terraform.workspace} environment."
- force_detach_policies = false
- max_session_duration = 3600
- name_prefix = null
- path = "/"
- permissions_boundary = null
- tags = {}
- assume_role_policy = jsonencode(
- {
- Statement = [
- {
- Action = "sts:AssumeRoleWithWebIdentity"
- Condition = {
- StringEquals = {
- "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
- }
- StringLike = {
- "token.actions.githubusercontent.com:sub" = [
- "repo:NHSDigital/national-document-repository-infrastructure:*",
- "repo:NHSDigital/national-document-repository:*",
- ]
- }
- }
- Effect = "Allow"
- Principal = {
- Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
- }
- },
- ]
- Version = "2012-10-17"
- }
- )
-}
-
-# INLINE POLICIES
-
-resource "aws_iam_role_policy" "cloudfront_policies_test" {
- count = local.is_testing ? 
1 : 0 - role = aws_iam_role.test_github_actions[0].id - name = "cloudfront_policies" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cloudfront:CreateCachePolicy", - "cloudfront:DeleteCachePolicy", - "cloudfront:CreateOriginAccessControl", - "cloudfront:CreateDistribution", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:DeleteDistribution", - "lambda:EnableReplication", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:CreateInvalidation", - "cloudfront:CreateOriginRequestPolicy", - "cloudfront:DeleteOriginRequestPolicy", - "cloudfront:UpdateOriginRequestPolicy", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "cloudwatch_logs_policy_test" { - count = local.is_testing ? 1 : 0 - role = aws_iam_role.test_github_actions[0].id - name = "cloudwatch_logs_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - "logs:DisassociateKmsKey", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*" - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "resource_tagging_test" { - count = local.is_testing ? 
1 : 0 - role = aws_iam_role.test_github_actions[0].id - name = "resource_tagging" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile", - ] - Effect = "Allow" - Resource = [ - "arn:aws:events:*:694282683086:event-bus/*", - "arn:aws:events:*:694282683086:rule/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:lambda:*:694282683086:event-source-mapping:*", - "arn:aws:lambda:*:694282683086:code-signing-config:*", - "arn:aws:lambda:*:694282683086:function:*", - 
"arn:aws:cognito-identity:*:694282683086:identitypool/*", - "arn:aws:resource-groups:*:694282683086:group/*", - "arn:aws:backup:*:694282683086:backup-plan:*", - "arn:aws:backup:*:694282683086:report-plan:*-*", - "arn:aws:backup:*:694282683086:restore-testing-plan:*-*", - "arn:aws:backup:*:694282683086:backup-vault:*", - "arn:aws:backup:*:694282683086:legal-hold:*", - "arn:aws:backup:*:694282683086:framework:*-*", - "arn:aws:iam::694282683086:policy/*", - "arn:aws:iam::694282683086:instance-profile/*", - "arn:aws:iam::694282683086:role/*", - "arn:aws:sns:*:694282683086:*", - "arn:aws:logs:*:694282683086:log-group:*", - "arn:aws:logs:*:694282683086:delivery-source:*", - "arn:aws:logs:*:694282683086:delivery:*", - "arn:aws:logs:*:694282683086:destination:*", - "arn:aws:logs:*:694282683086:delivery-destination:*", - "arn:aws:logs:*:694282683086:anomaly-detector:*", - "*", - ] - Sid = "VisualEditor0" - }, - { - Action = [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource", - ] - Effect = "Allow" - Resource = [ - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:events:*:694282683086:rule/*", - ] - Sid = "VisualEditor1" - }, - { - Action = [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - ] - Effect = "Allow" - Resource = [ - 
"arn:aws:elasticloadbalancing:*:694282683086:truststore/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:694282683086:loadbalancer/app/*/*", - ] - Sid = "VisualEditor2" - }, - { - Action = [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "rum_policy_test" { - count = local.is_testing ? 
1 : 0 - role = aws_iam_role.test_github_actions[0].id - name = "rum_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool", - ] - Effect = "Allow" - Resource = "arn:aws:cognito-identity:eu-west-2:${data.aws_caller_identity.current.account_id}:identitypool/*" - Sid = "VisualEditor0" - }, - { - Action = [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor", - ] - Effect = "Allow" - Resource = "arn:aws:rum:eu-west-2:${data.aws_caller_identity.current.account_id}:appmonitor/*" - Sid = "VisualEditor1" - }, - { - Action = [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups", - ] - Effect = "Allow" - Resource = "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*RUMService*" - Sid = "VisualEditor2" - }, - { - Action = [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor3" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "scheduler_policy_test" { - count = local.is_testing ? 1 : 0 - role = aws_iam_role.test_github_actions[0].id - name = "scheduler_policy" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "scheduler:TagResource", - "scheduler:CreateSchedule", - "scheduler:UntagResource", - "scheduler:DeleteSchedule", - "scheduler:UpdateSchedule", - ] - Effect = "Allow" - Resource = "*" - Sid = "VisualEditor0" - }, - ] - Version = "2012-10-17" - } - ) -} - -resource "aws_iam_role_policy" "service_quotas_test" { - count = local.is_testing ? 
1 : 0
- role = aws_iam_role.test_github_actions[0].id
- name = "service_quotas"
- policy = jsonencode(
- {
- Statement = [
- {
- Action = [
- "servicequotas:RequestServiceQuotaIncrease",
- ]
- Effect = "Allow"
- Resource = [
- "arn:aws:servicequotas:us-east-1:${data.aws_caller_identity.current.account_id}:lambda/L-B99A9384",
- "arn:aws:servicequotas::${data.aws_caller_identity.current.account_id}:iam/L-E95E4862",
- "arn:aws:servicequotas::${data.aws_caller_identity.current.account_id}:iam/L-FE177D64",
- ]
- Sid = "VisualEditor0"
- },
- ]
- Version = "2012-10-17"
- }
- )
-}
-
-resource "aws_iam_role_policy" "virus-scan-cognito_test" {
- count = local.is_testing ? 1 : 0
- role = aws_iam_role.test_github_actions[0].id
- name = "virus-scan-cognito"
- policy = jsonencode(
- {
- Statement = [
- {
- Action = [
- "cognito-idp:TagResource",
- "cognito-idp:DeleteUserPool",
- "cognito-idp:AdminCreateUser",
- "cognito-idp:CreateUserPoolClient",
- "cognito-idp:CreateGroup",
- "cognito-idp:CreateUserPool",
- "cognito-idp:SetUserPoolMfaConfig",
- "cognito-idp:AdminAddUserToGroup",
- "cloudformation:CreateResource",
- "cloudformation:DeleteResource",
- "cognito-idp:DeleteGroup",
- "appconfig:DeleteEnvironment",
- "appconfig:DeleteConfigurationProfile",
- "iam:RemoveRoleFromInstanceProfile",
- "cognito-idp:DeleteUserPoolClient",
- "cognito-idp:AdminRemoveUserFromGroup",
- "cognito-idp:AdminDeleteUser",
- ]
- Effect = "Allow"
- Resource = "*"
- Sid = "VisualEditor0"
- },
- ]
- Version = "2012-10-17"
- }
- )
-}
-
-##############################################################################################################
-# ATTACHED POLICIES
-
-resource "aws_iam_role_policy_attachment" "ReadOnlyAccess_test" {
- count = local.is_testing ? 1 : 0
- role = aws_iam_role.test_github_actions[0].id
- policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
-}
-
-resource "aws_iam_role_policy_attachment" "github_action_policy_test" {
- count = local.is_testing ? 
1 : 0 - role = aws_iam_role.test_github_actions[0].id - policy_arn = aws_iam_policy.github_action_policy_test[0].arn -} - -# aws_iam_policy.github_action_policy_test[0]: -resource "aws_iam_policy" "github_action_policy_test" { - count = local.is_testing ? 1 : 0 - description = null - name = "${terraform.workspace}-github-action-policy" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteVpcEndpoints", - "ec2:AttachInternetGateway", - "iam:PutRolePolicy", - "ecr:DeleteRepository", - "ec2:CreateRoute", - "cloudwatch:ListTagsForResource", - "ecr:TagResource", - "dynamodb:DescribeContinuousBackups", - "events:RemoveTargets", - "lambda:DeleteFunction", - "iam:ListRolePolicies", - "ecs:TagResource", - "ecr:GetLifecyclePolicy", - "iam:GetRole", - "elasticloadbalancing:CreateTargetGroup", - "ecr:GetAuthorizationToken", - "application-autoscaling:DeleteScalingPolicy", - "kms:RetireGrant", - "elasticloadbalancing:AddTags", - "ec2:DeleteNatGateway", - "apigateway:POST", - "lambda:DeleteEventSourceMapping", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "ec2:ModifyVpcEndpoint", - "logs:ListTagsLogGroup", - "kms:PutKeyPolicy", - "events:PutRule", - "ec2:CreateVpc", - "dynamodb:ListTagsOfResource", - "iam:PassRole", - "sqs:createqueue", - "iam:DeleteRolePolicy", - "application-autoscaling:TagResource", - "elasticloadbalancing:CreateLoadBalancer", - "lambda:UpdateEventSourceMapping", - "apigateway:PUT", - "route53:ListTagsForResource", - "ec2:DescribeSecurityGroups", - "iam:CreatePolicy", - "sqs:TagQueue", - "kms:CreateAlias", - "elasticloadbalancing:DescribeTargetGroups", - "route53:AssociateVPCWithHostedZone", - "elasticloadbalancing:DeleteListener", - "iam:GetPolicyVersion", - "wafv2:AssociateWebACL", - "ec2:DeleteSubnet", - "elasticloadbalancing:SetWebACL", - "elasticloadbalancing:DescribeLoadBalancers", - "ecs:UpdateService", - "ssm:DeleteParameter", - 
"kms:GetKeyRotationStatus", - "dynamodb:DescribeTable", - "ssm:AddTagsToResource", - "ecs:RegisterTaskDefinition", - "route53:ListResourceRecordSets", - "ecr:CreateRepository", - "ecs:DeleteService", - "application-autoscaling:UntagResource", - "ec2:DescribePrefixLists", - "backup:CreateBackupVault", - "backup:UpdateBackupPlan", - "sqs:DeleteQueue", - "ec2:DeleteVpc", - "kms:DeleteAlias", - "sns:DeleteTopic", - "wafv2:DeleteWebACL", - "dynamodb:DeleteItem", - "iam:DeletePolicy", - "sns:SetTopicAttributes", - "lambda:PutFunctionConcurrency", - "dynamodb:UpdateContinuousBackups", - "elasticloadbalancing:CreateListener", - "ecs:CreateService", - "kms:ScheduleKeyDeletion", - "ecs:DescribeServices", - "ecr:DescribeRepositories", - "iam:CreatePolicyVersion", - "ecs:UntagResource", - "sqs:ListQueues", - "wafv2:UpdateWebACL", - "dynamodb:DescribeTimeToLive", - "kms:UpdateAlias", - "backup:GetBackupSelection", - "events:PutTargets", - "kms:ListKeys", - "lambda:AddPermission", - "ec2:DeleteSecurityGroup", - "ecr:SetRepositoryPolicy", - "application-autoscaling:DeregisterScalableTarget", - "backup:DeleteBackupPlan", - "sqs:DeleteMessage", - "cloudwatch:DeleteAlarms", - "secretsmanager:DeleteSecret", - "wafv2:CreateRegexPatternSet", - "wafv2:CreateWebACL", - "dynamodb:DeleteTable", - "ecs:DescribeTaskDefinition", - "ec2:DeleteRouteTable", - "ec2:CreateInternetGateway", - "ec2:RevokeSecurityGroupEgress", - "sns:Subscribe", - "ec2:DeleteInternetGateway", - "wafv2:TagResource", - "dynamodb:UpdateTimeToLive", - "iam:GetPolicy", - "ec2:CreateTags", - "sns:CreateTopic", - "ecs:DeleteCluster", - "iam:UpdateRoleDescription", - "iam:DeleteRole", - "ec2:DisassociateRouteTable", - "backup:GetBackupPlan", - "wafv2:DeleteRegexPatternSet", - "ec2:RevokeSecurityGroupIngress", - "dynamodb:CreateTable", - "ec2:CreateDefaultVpc", - "ec2:CreateSubnet", - "ec2:DescribeSubnets", - "iam:GetRolePolicy", - "sqs:setqueueattributes", - "kms:UntagResource", - "ec2:CreateNatGateway", - 
"kms:ListResourceTags", - "ecr:ListTagsForResource", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "backup:CreateBackupSelection", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "s3:*", - "backup:DeleteBackupVault", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "elasticloadbalancing:DeleteTargetGroup", - "events:DeleteRule", - "backup:DescribeBackupVault", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "iam:CreateRole", - "sns:Unsubscribe", - "iam:AttachRolePolicy", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "iam:DetachRolePolicy", - "backup:DeleteBackupSelection", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "ec2:CreateRouteTable", - "route53:ChangeResourceRecordSets", - "ec2:DetachInternetGateway", - "logs:CreateLogGroup", - "ecr:DeleteLifecyclePolicy", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "ssm:PutParameter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "route53:GetChange", - "lambda:CreateEventSourceMapping", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "application-autoscaling:ListTagsForResource", - "kms:DescribeKey", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "ec2:AuthorizeSecurityGroupEgress", - "logs:DescribeLogGroups", - "kms:UpdateKeyDescription", - 
"logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "iam:DeletePolicyVersion", - "lambda:GetPolicy", - "ecr:GetRepositoryPolicy", - "ec2:AllocateAddress", - "ec2:ReleaseAddress", - "ec2:DisassociateAddress", - "logs:PutMetricFilter", - "logs:DeleteMetricFilter", - "ses:VerifyDomainIdentity", - "ses:VerifyDomainDkim", - "ses:DeleteIdentity", - "ses:SetIdentityMailFromDomain", - "dynamodb:UpdateTable", - "elasticloadbalancing:ModifyListener", - "lambda:GetLayerVersion", - "iam:CreatePolicyVersion", - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "s3:PutObject", - "iam:ListRoles", - "lambda:UpdateFunctionCode", - "lambda:CreateFunction", - "lambda:GetFunction", - "lambda:UpdateFunctionConfiguration", - "lambda:GetFunctionConfiguration", - "appconfig:ListTagsForResource", - "appconfig:StartDeployment", - "appconfig:DeleteApplication", - "appconfig:GetLatestConfiguration", - "ecr:PutImage", - ] - Effect = "Allow" - Resource = [ - "*", - ] - Sid = "Statement1" - }, - ] - Version = "2012-10-17" - } - ) - tags = {} -} - -resource "aws_iam_role_policy_attachment" "github_action_policy_2_test" { - count = local.is_testing ? 1 : 0 - role = aws_iam_role.test_github_actions[0].id - policy_arn = aws_iam_policy.github_action_policy_2_test[0].arn -} - -# aws_iam_policy.github_action_policy_2_test[0]: -resource "aws_iam_policy" "github_action_policy_2_test" { - count = local.is_testing ? 
1 : 0 - description = null - name = "${terraform.workspace}-github-action-policy-2" - name_prefix = null - path = "/" - policy = jsonencode( - { - Statement = [ - { - Action = [ - "acm:RequestCertificate", - "acm:AddTagsToCertificate", - "ecs:PutClusterCapacityProviders", - "backup:ListRecoveryPointsByBackupVault", - "appconfig:TagResource", - "appconfig:CreateConfigurationProfile", - "appconfig:CreateExtensionAssociation", - "appconfig:DeleteConfigurationProfile", - "appconfig:CreateDeploymentStrategy", - "appconfig:CreateApplication", - "appconfig:GetDeploymentStrategy", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListExtensionAssociations", - "appconfig:ListDeploymentStrategies", - "appconfig:CreateHostedConfigurationVersion", - "appconfig:DeleteEnvironment", - "appconfig:UntagResource", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListEnvironments", - "appconfig:UpdateDeploymentStrategy", - "appconfig:GetExtensionAssociation", - "appconfig:GetExtension", - "appconfig:ListDeployments", - "appconfig:GetDeployment", - "appconfig:ListExtensions", - "appconfig:DeleteHostedConfigurationVersion", - "appconfig:StopDeployment", - "appconfig:CreateEnvironment", - "appconfig:UpdateEnvironment", - "appconfig:GetEnvironment", - "appconfig:ListConfigurationProfiles", - "appconfig:DeleteDeploymentStrategy", - "appconfig:ListApplications", - "appconfig:UpdateApplication", - "appconfig:CreateExtension", - "appconfig:GetConfiguration", - "appconfig:GetApplication", - "appconfig:UpdateConfigurationProfile", - "appconfig:GetConfigurationProfile", - "dynamodb:DescribeTable", - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem", - "dynamodb:UpdateTimeToLive", - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:ListBucket", - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "lambda:DeleteLayerVersion", - "lambda:ListLayerVersions", - "lambda:ListLayers", - "lambda:AddLayerVersionPermission", - 
"lambda:GetLayerVersionPolicy", - "lambda:RemoveLayerVersionPermission", - "lambda:DeleteFunctionConcurrency", - "lambda:PublishVersion", - "iam:CreateServiceLinkedRole", - "iam:UpdateAssumeRolePolicy", - "elasticloadbalancing:ModifyListenerAttributes", - "apigateway:SetWebACL", - "backup:ListRecoveryPointsByBackupVault", - "iam:UpdateAssumeRolePolicy", - "iam:TagRole", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:DeleteInstanceProfile", - "iam:TagPolicy", - "ssm:CreateDocument", - "ssm:DeleteDocument", - "sns:TagResource", - "ec2:DeleteNetworkInterface", - "resource-groups:DeleteGroup", - "events:TagResource", - "kms:Encrypt", - "kms:CreateGrant", - "kms:Decrypt", - "apigateway:AddCertificateToDomain", - "apigateway:POST", - "apigateway:GET", - "apigateway:PATCH", - "apigateway:DELETE", - "cloudfront:UpdateOriginAccessControl", - "cloudfront:GetOriginAccessControl", - "states:CreateStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:DescribeStateMachine", - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:RequestCertificate", - "acm:AddTagsToCertificate", - "states:TagResource", - "states:UntagResource", - "apigateway:RemoveCertificateFromDomain", - ] - Effect = "Allow" - Resource = [ - "*", - ] - Sid = "Statement1" - }, - { - Effect = "Allow", - Action = [ - "ses:CreateConfigurationSet", - "ses:DeleteConfigurationSet", - "ses:CreateConfigurationSetEventDestination", - "ses:UpdateConfigurationSetEventDestination", - "ses:DeleteConfigurationSetEventDestination", - "ses:DescribeConfigurationSet", - "ses:ListConfigurationSets" - ], - Resource = "*" - Sid = "SesConfigurationSets", - } - ] - Version = "2012-10-17" - } - ) - tags = {} +# Resources that are specific to the test environment only. + +resource "aws_iam_role_policy_attachment" "github_actions_test" { + count = local.is_test ? 
1 : 0 + role = aws_iam_role.github_actions.name + policy_arn = aws_iam_policy.github_actions_test[0].arn +} + +resource "aws_iam_policy" "github_actions_test" { + count = local.is_test ? 1 : 0 + name = "${terraform.workspace}-github-actions-policy-test" + path = "/" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "acm:AddTagsToCertificate", + "acm:DeleteCertificate", + "acm:DescribeCertificate", + "apigateway:AddCertificateToDomain", + "apigateway:GET", + "apigateway:RemoveCertificateFromDomain", + "backup:ListRecoveryPointsByBackupVault", + "cloudformation:DeleteResource", + "cloudfront:DeleteOriginRequestPolicy", + "cloudfront:GetOriginAccessControl", + "cognito-idp:AdminDeleteUser", + "cognito-idp:AdminRemoveUserFromGroup", + "cognito-idp:DeleteGroup", + "cognito-idp:DeleteUserPoolClient", + "ec2:DeleteNetworkInterface", + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:GetDownloadUrlForLayer", + "ecr:InitiateLayerUpload", + "ecr:PutImage", + "ecr:UploadLayerPart", + "events:TagResource", + "iam:ListRoles", + "iam:RemoveRoleFromInstanceProfile", + "iam:TagPolicy", + "kms:CreateGrant", + "kms:Decrypt", + "kms:Encrypt", + "lambda:GetFunction", + "lambda:GetFunctionConfiguration", + "resource-groups:DeleteGroup", + "scheduler:TagResource", + "scheduler:UntagResource", + "sns:TagResource", + "ssm:DeleteDocument" + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) } diff --git a/base_iam/iam_github_test_pre-prod_prod.tf b/base_iam/iam_github_test_pre-prod_prod.tf new file mode 100644 index 00000000..9935b3a4 --- /dev/null +++ b/base_iam/iam_github_test_pre-prod_prod.tf 
@@ -0,0 +1,56 @@
+# Resources that are common to test, pre-prod and prod environments.
+
+resource "aws_iam_role_policy_attachment" "github_actions_test_pre-prod_prod" {
+ count = local.is_test_pre-prod_prod ? 1 : 0
+ role = aws_iam_role.github_actions.name
+ policy_arn = aws_iam_policy.github_actions_test_pre-prod_prod[0].arn
+}
+
+resource "aws_iam_policy" "github_actions_test_pre-prod_prod" {
+ count = local.is_test_pre-prod_prod ? 1 : 0
+ name = "${terraform.workspace}-github-actions-policy-test_pre-prod_prod"
+ path = "/"
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "cloudformation:CreateResource",
+ "cloudfront:CreateCachePolicy",
+ "cloudfront:CreateDistribution",
+ "cloudfront:CreateInvalidation",
+ "cloudfront:CreateOriginAccessControl",
+ "cloudfront:CreateOriginRequestPolicy",
+ "cloudfront:DeleteCachePolicy",
+ "cloudfront:DeleteDistribution",
+ "cloudfront:DeleteOriginAccessControl",
+ "cloudfront:TagResource",
+ "cloudfront:UntagResource",
+ "cloudfront:UpdateDistribution",
+ "cloudfront:UpdateOriginAccessControl",
+ "cloudfront:UpdateOriginRequestPolicy",
+ "cognito-idp:AdminAddUserToGroup",
+ "cognito-idp:AdminCreateUser",
+ "cognito-idp:CreateGroup",
+ "cognito-idp:CreateUserPool",
+ "cognito-idp:CreateUserPoolClient",
+ "cognito-idp:DeleteUserPool",
+ "cognito-idp:SetUserPoolMfaConfig",
+ "cognito-idp:TagResource",
+ "iam:AddRoleToInstanceProfile",
+ "iam:CreateInstanceProfile",
+ "iam:DeleteInstanceProfile",
+ "iam:TagRole",
+ "lambda:DeleteFunctionConcurrency",
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject",
+ "ssm:CreateDocument"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/base_iam/variables.tf b/base_iam/variables.tf
index 43c9aca1..19df1d9f 100644
--- a/base_iam/variables.tf
+++ b/base_iam/variables.tf
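Review bot: Every action in the new `github_actions_test_pre-prod_prod` policy is granted on `Resource = "*"`, so the `s3:GetObject`/`s3:PutObject`/`s3:DeleteObject`/`s3:ListBucket` entries let the CI role read, overwrite and delete objects in any bucket of the account in test, pre-prod and prod alike — including the `shared_terraform_state_bucket` that `base_iam/variables.tf` defines in this same commit. Since the actions are already split by environment, the S3 actions belong in their own statement scoped to the buckets the workspace owns, e.g. `Resource = ["arn:aws:s3:::<bucket-prefix>-*", "arn:aws:s3:::<bucket-prefix>-*/*"]` (placeholder for the real bucket naming); the `cognito-idp:*` and `iam:*InstanceProfile` actions also accept resource ARNs and can be narrowed the same way. A one-line comment per service group naming the workload that needs it, such as `# cloudfront/cognito: <workload> (placeholder)`, would make later additions reviewable.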
@@ -29,4 +29,12 @@ locals {
 is_pre_production = terraform.workspace == "pre-prod"
 is_prod = terraform.workspace == "prod"
 shared_terraform_state_bucket = "ndr-${var.environment}-terraform-state-${data.aws_caller_identity.current.account_id}"
+
+ is_dev_pre-prod_prod = !contains(["ndr-test"], terraform.workspace)
+ is_dev_test = !contains(["pre-prod", "prod"], terraform.workspace)
+ is_dev = !contains(["ndr-test", "pre-prod", "prod"], terraform.workspace)
+ is_pre-prod_prod = contains(["pre-prod", "prod"], terraform.workspace)
+ is_pre-prod = terraform.workspace == "pre-prod"
+ is_test_pre-prod_prod = contains(["ndr-test", "pre-prod", "prod"], terraform.workspace)
+ is_test = terraform.workspace == "ndr-test"
 }
\ No newline at end of file
diff --git a/infrastructure/iam_roles/dev_github-actions-dev-role.json b/infrastructure/iam_roles/dev_github-actions-dev-role.json
deleted file mode 100644
index 2e320534..00000000
--- a/infrastructure/iam_roles/dev_github-actions-dev-role.json
+++ /dev/null
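Review bot: `is_dev_pre-prod_prod`, `is_dev_test` and `is_dev` are defined by negation (`!contains([...], terraform.workspace)`), so any workspace that is not exactly `ndr-test`, `pre-prod` or `prod` — a mistyped name as much as a real sandbox — is classified as dev and receives whatever policies are gated on those flags; defining dev positively (an explicit list of dev workspace names, or `startswith(terraform.workspace, "<dev-prefix>")` with a placeholder for the actual naming) and deriving the combined flags from it, e.g. `is_dev_test = local.is_dev || local.is_test`, fails closed instead. `is_pre-prod` duplicates the `is_pre_production` context line just above it under a second spelling, and the hyphenated names break the underscore convention of the existing locals; reusing `is_pre_production` and naming the others `is_test_preprod_prod` etc. keeps one style. If an `is_testing` local still exists above the hunk (the resources this commit removes reference `local.is_testing`), `is_test` duplicates that as well.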
@@ -1,3264 +0,0 @@ -{ - "inline": { - "cloudtrail": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "cloudtrail:AddTags", - "cloudtrail:CreateTrail", - "cloudtrail:StartLogging", - "cloudtrail:DeleteTrail" - ], - "Resource": [ - "arn:aws:cloudtrail:eu-west-2:${account}:trail/*", - "arn:aws:cloudtrail:eu-west-2:${account}:eventdatastore/*", - "arn:aws:cloudtrail:eu-west-2:${account}:channel/*" - ] - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": "organizations:ListAWSServiceAccessForOrganization", - "Resource": "*" - } - ], - "cloudwatch_logs_policy": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutRetentionPolicy", - "logs:PutResourcePolicy", - "logs:DeleteResourcePolicy", - "logs:DeleteRetentionPolicy", - "logs:TagResource", - "logs:UntagResource", - "logs:AssociateKmsKey", - "logs:DisassociateKmsKey" - ], - "Resource": "arn:aws:logs:eu-west-2:${account}:log-group:*" - }, - { - "Sid": "Statement2", - "Effect": "Allow", - "Action": [ - "logs:PutDeliverySource" - ], - "Resource": [ - "arn:aws:logs:us-east-1:${account}:delivery-source:*" - ] - } - ], - "ecs_policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders" - ], - "Resource": "*" - } - ], - "github-actions-waf-override": [ - { - "Effect": "Allow", - "Action": "apigateway:SetWebACL", - "Resource": "arn:aws:apigateway:eu-west-2::/restapis/*/stages/*" - } - ], - "lambda_layer_policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "lambda:DeleteLayerVersion", - "lambda:ListLayerVersions", - "lambda:ListLayers", - "lambda:AddLayerVersionPermission", - "lambda:GetLayerVersionPolicy", - "lambda:RemoveLayerVersionPermission" - ], - "Resource": "*" - } - ], - "rum_policy": [ - { - "Sid": 
"VisualEditor0", - "Effect": "Allow", - "Action": [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool" - ], - "Resource": "arn:aws:cognito-identity:eu-west-2:${account}:identitypool/*" - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor" - ], - "Resource": "arn:aws:rum:eu-west-2:${account}:appmonitor/*" - }, - { - "Sid": "VisualEditor2", - "Effect": "Allow", - "Action": [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups" - ], - "Resource": "arn:aws:logs:eu-west-2:${account}:log-group:*RUMService*" - }, - { - "Sid": "VisualEditor3", - "Effect": "Allow", - "Action": [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies" - ], - "Resource": "*" - } - ], - "step-functions": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource" - ], - "Resource": "*" - } - ] - }, - "attached": { - "ReadOnlyAccess": [ - { - "Sid": "ReadOnlyActionsGroup1", - "Effect": "Allow", - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAccessPreview", - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:GetFindingsStatistics", - "access-analyzer:GetGeneratedPolicy", - "access-analyzer:ListAccessPreviewFindings", - "access-analyzer:ListAccessPreviews", - "access-analyzer:ListAnalyzedResources", - 
"access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListPolicyGenerations", - "access-analyzer:ListTagsForResource", - "access-analyzer:ValidatePolicy", - "account:GetAccountInformation", - "account:GetAlternateContact", - "account:GetContactInformation", - "account:GetPrimaryEmail", - "account:GetRegionOptStatus", - "account:ListRegions", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "action-recommendations:ListRecommendedActions", - "aiops:GetEphemeralInvestigationResults", - "aiops:GetInvestigation", - "aiops:GetInvestigationEvent", - "aiops:GetInvestigationGroup", - "aiops:GetInvestigationResource", - "aiops:ListInvestigationEvents", - "aiops:ListInvestigationGroups", - "aiops:ListInvestigations", - "aiops:ValidateInvestigationGroup", - "airflow:ListEnvironments", - "airflow:ListTagsForResource", - "amplify:GetApp", - "amplify:GetBackendEnvironment", - "amplify:GetBranch", - "amplify:GetDomainAssociation", - "amplify:GetJob", - "amplify:GetWebhook", - "amplify:ListApps", - "amplify:ListArtifacts", - "amplify:ListBackendEnvironments", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "amplify:ListTagsForResource", - "amplify:ListWebhooks", - "aoss:BatchGetCollection", - "aoss:BatchGetLifecyclePolicy", - "aoss:BatchGetVpcEndpoint", - "aoss:GetAccessPolicy", - "aoss:GetAccountSettings", - "aoss:GetPoliciesStats", - "aoss:GetSecurityConfig", - "aoss:GetSecurityPolicy", - "aoss:ListAccessPolicies", - "aoss:ListCollections", - "aoss:ListLifecyclePolicies", - "aoss:ListSecurityConfigs", - "aoss:ListSecurityPolicies", - "aoss:ListTagsForResource", - "aoss:ListVpcEndpoints", - "apigateway:GET", - "appconfig:GetApplication", - "appconfig:GetConfiguration", - "appconfig:GetConfigurationProfile", - "appconfig:GetDeployment", - "appconfig:GetDeploymentStrategy", - "appconfig:GetEnvironment", - 
"appconfig:GetExtension", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListApplications", - "appconfig:ListConfigurationProfiles", - "appconfig:ListDeploymentStrategies", - "appconfig:ListDeployments", - "appconfig:ListEnvironments", - "appconfig:ListExtensions", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListTagsForResource", - "appfabric:GetAppAuthorization", - "appfabric:GetAppBundle", - "appfabric:GetIngestion", - "appfabric:GetIngestionDestination", - "appfabric:ListAppAuthorizations", - "appfabric:ListAppBundles", - "appfabric:ListIngestionDestinations", - "appfabric:ListIngestions", - "appfabric:ListTagsForResource", - "appflow:DescribeConnector", - "appflow:DescribeConnectorEntity", - "appflow:DescribeConnectorFields", - "appflow:DescribeConnectorProfiles", - "appflow:DescribeConnectors", - "appflow:DescribeFlow", - "appflow:DescribeFlowExecution", - "appflow:DescribeFlowExecutionRecords", - "appflow:DescribeFlows", - "appflow:ListConnectorEntities", - "appflow:ListConnectorFields", - "appflow:ListConnectors", - "appflow:ListFlows", - "appflow:ListTagsForResource", - "application-autoscaling:Describe*", - "application-autoscaling:GetPredictiveScalingForecast", - "application-autoscaling:ListTagsForResource", - "application-signals:BatchGetServiceLevelObjectiveBudgetReport", - "application-signals:GetService", - "application-signals:GetServiceLevelObjective", - "application-signals:ListObservedEntities", - "application-signals:ListServiceDependencies", - "application-signals:ListServiceDependents", - "application-signals:ListServiceLevelObjectives", - "application-signals:ListServiceOperations", - "application-signals:ListServices", - "application-signals:ListTagsForResource", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", - "appmesh:List*", - "apprunner:DescribeAutoScalingConfiguration", - "apprunner:DescribeCustomDomains", - "apprunner:DescribeObservabilityConfiguration", - 
"apprunner:DescribeService", - "apprunner:DescribeVpcConnector", - "apprunner:DescribeVpcIngressConnection", - "apprunner:DescribeWebAclForService", - "apprunner:ListAssociatedServicesForWebAcl", - "apprunner:ListAutoScalingConfigurations", - "apprunner:ListConnections", - "apprunner:ListObservabilityConfigurations", - "apprunner:ListOperations", - "apprunner:ListServices", - "apprunner:ListServicesForAutoScalingConfiguration", - "apprunner:ListTagsForResource", - "apprunner:ListVpcConnectors", - "apprunner:ListVpcIngressConnections", - "appstream:Describe*", - "appstream:List*", - "appstudio:GetAccountStatus", - "appstudio:GetEnablementJobStatus", - "appsync:Get*", - "appsync:List*", - "apptest:GetTestCase", - "apptest:GetTestConfiguration", - "apptest:GetTestRunStep", - "apptest:GetTestSuite", - "apptest:ListTagsForResource", - "apptest:ListTestCases", - "apptest:ListTestConfigurations", - "apptest:ListTestRunSteps", - "apptest:ListTestRunTestCases", - "apptest:ListTestRuns", - "apptest:ListTestSuites", - "aps:DescribeAlertManagerDefinition", - "aps:DescribeLoggingConfiguration", - "aps:DescribeRuleGroupsNamespace", - "aps:DescribeScraper", - "aps:DescribeWorkspace", - "aps:GetAlertManagerSilence", - "aps:GetAlertManagerStatus", - "aps:GetDefaultScraperConfiguration", - "aps:GetLabels", - "aps:GetMetricMetadata", - "aps:GetSeries", - "aps:ListAlertManagerAlertGroups", - "aps:ListAlertManagerAlerts", - "aps:ListAlertManagerReceivers", - "aps:ListAlertManagerSilences", - "aps:ListAlerts", - "aps:ListRuleGroupsNamespaces", - "aps:ListRules", - "aps:ListScrapers", - "aps:ListTagsForResource", - "aps:ListWorkspaces", - "aps:QueryMetrics", - "arc-region-switch:GetPlan", - "arc-region-switch:GetPlanEvaluationStatus", - "arc-region-switch:GetPlanExecution", - "arc-region-switch:GetPlanInRegion", - "arc-region-switch:ListPlanExecutionEvents", - "arc-region-switch:ListPlanExecutions", - "arc-region-switch:ListPlans", - "arc-region-switch:ListPlansInRegion", - 
"arc-region-switch:ListRoute53HealthChecks", - "arc-region-switch:ListTagsForResource", - "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", - "arc-zonal-shift:GetManagedResource", - "arc-zonal-shift:ListAutoshifts", - "arc-zonal-shift:ListManagedResources", - "arc-zonal-shift:ListZonalShifts", - "artifact:GetCustomerAgreement", - "artifact:GetReport", - "artifact:GetReportMetadata", - "artifact:GetTermForReport", - "artifact:ListAgreements", - "artifact:ListCustomerAgreements", - "artifact:ListReports", - "athena:Batch*", - "athena:Get*", - "athena:List*", - "auditmanager:GetAccountStatus", - "auditmanager:GetAssessment", - "auditmanager:GetAssessmentFramework", - "auditmanager:GetAssessmentReportUrl", - "auditmanager:GetChangeLogs", - "auditmanager:GetControl", - "auditmanager:GetDelegations", - "auditmanager:GetEvidence", - "auditmanager:GetEvidenceByEvidenceFolder", - "auditmanager:GetEvidenceFolder", - "auditmanager:GetEvidenceFoldersByAssessment", - "auditmanager:GetEvidenceFoldersByAssessmentControl", - "auditmanager:GetOrganizationAdminAccount", - "auditmanager:GetServicesInScope", - "auditmanager:GetSettings", - "auditmanager:ListAssessmentFrameworks", - "auditmanager:ListAssessmentReports", - "auditmanager:ListAssessments", - "auditmanager:ListControls", - "auditmanager:ListKeywordsForDataSource", - "auditmanager:ListNotifications", - "auditmanager:ListTagsForResource", - "auditmanager:ValidateAssessmentReportIntegrity", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "autoscaling:Describe*", - "autoscaling:GetPredictiveScalingForecast", - "aws-portal:View*", - "backup-gateway:GetBandwidthRateLimitSchedule", - "backup-gateway:GetGateway", - "backup-gateway:GetHypervisor", - "backup-gateway:GetHypervisorPropertyMappings", - "backup-gateway:GetVirtualMachine", - "backup-gateway:ListGateways", - "backup-gateway:ListHypervisors", - "backup-gateway:ListTagsForResource", - "backup-gateway:ListVirtualMachines", 
- "backup:Describe*", - "backup:Get*", - "backup:List*", - "batch:Describe*", - "batch:List*", - "bedrock-agentcore:GetAgentRuntime", - "bedrock-agentcore:GetAgentRuntimeEndpoint", - "bedrock-agentcore:GetApiKeyCredentialProvider", - "bedrock-agentcore:GetBrowser", - "bedrock-agentcore:GetBrowserSession", - "bedrock-agentcore:GetCodeInterpreter", - "bedrock-agentcore:GetCodeInterpreterSession", - "bedrock-agentcore:GetEvent", - "bedrock-agentcore:GetGateway", - "bedrock-agentcore:GetGatewayTarget", - "bedrock-agentcore:GetMemory", - "bedrock-agentcore:GetMemoryRecord", - "bedrock-agentcore:GetOauth2CredentialProvider", - "bedrock-agentcore:GetTokenVault", - "bedrock-agentcore:GetWorkloadIdentity", - "bedrock-agentcore:ListAgentRuntimeEndpoints", - "bedrock-agentcore:ListAgentRuntimes", - "bedrock-agentcore:ListAgentRuntimeVersions", - "bedrock-agentcore:ListApiKeyCredentialProviders", - "bedrock-agentcore:ListBrowsers", - "bedrock-agentcore:ListBrowserSessions", - "bedrock-agentcore:ListCodeInterpreters", - "bedrock-agentcore:ListCodeInterpreterSessions", - "bedrock-agentcore:ListEvents", - "bedrock-agentcore:ListGateways", - "bedrock-agentcore:ListGatewayTargets", - "bedrock-agentcore:ListMemories", - "bedrock-agentcore:ListMemoryRecords", - "bedrock-agentcore:ListOauth2CredentialProviders", - "bedrock-agentcore:ListWorkloadIdentities", - "bedrock-agentcore:RetrieveMemoryRecords", - "bedrock:GetAgent", - "bedrock:GetAgentActionGroup", - "bedrock:GetAgentAlias", - "bedrock:GetAgentCollaborator", - "bedrock:GetAgentKnowledgeBase", - "bedrock:GetAgentVersion", - "bedrock:GetCustomModel", - "bedrock:GetDataSource", - "bedrock:GetEvaluationJob", - "bedrock:GetFlow", - "bedrock:GetFlowAlias", - "bedrock:GetFlowVersion", - "bedrock:GetFoundationModel", - "bedrock:GetFoundationModelAvailability", - "bedrock:GetGuardrail", - "bedrock:GetInferenceProfile", - "bedrock:GetIngestionJob", - "bedrock:GetKnowledgeBase", - "bedrock:GetModelCustomizationJob", - 
"bedrock:GetModelInvocationJob", - "bedrock:GetModelInvocationLoggingConfiguration", - "bedrock:GetPrompt", - "bedrock:GetProvisionedModelThroughput", - "bedrock:GetUseCaseForModelAccess", - "bedrock:ListAgentActionGroups", - "bedrock:ListAgentAliases", - "bedrock:ListAgentCollaborators", - "bedrock:ListAgentKnowledgeBases", - "bedrock:ListAgentVersions", - "bedrock:ListAgents", - "bedrock:ListCustomModels", - "bedrock:ListDataSources", - "bedrock:ListEvaluationJobs", - "bedrock:ListFlowAliases", - "bedrock:ListFlowVersions", - "bedrock:ListFlows", - "bedrock:ListFoundationModelAgreementOffers", - "bedrock:ListFoundationModels", - "bedrock:ListGuardrails", - "bedrock:ListInferenceProfiles", - "bedrock:ListIngestionJobs", - "bedrock:ListKnowledgeBases", - "bedrock:ListModelCustomizationJobs", - "bedrock:ListModelInvocationJobs", - "bedrock:ListPrompts", - "bedrock:ListProvisionedModelThroughputs", - "billing:GetBillingData", - "billing:GetBillingDetails", - "billing:GetBillingNotifications", - "billing:GetBillingPreferences", - "billing:GetBillingView", - "billing:GetContractInformation", - "billing:GetCredits", - "billing:GetIAMAccessPreference", - "billing:GetResourcePolicy", - "billing:GetSellerOfRecord", - "billing:ListBillingViews", - "billing:ListSourceViewsForBillingView", - "billing:ListTagsForResource", - "billingconductor:GetBillingGroupCostReport", - "billingconductor:ListAccountAssociations", - "billingconductor:ListBillingGroupCostReports", - "billingconductor:ListBillingGroups", - "billingconductor:ListCustomLineItemVersions", - "billingconductor:ListCustomLineItems", - "billingconductor:ListPricingPlans", - "billingconductor:ListPricingPlansAssociatedWithPricingRule", - "billingconductor:ListPricingRules", - "billingconductor:ListPricingRulesAssociatedToPricingPlan", - "billingconductor:ListResourcesAssociatedToCustomLineItem", - "billingconductor:ListTagsForResource", - "braket:GetDevice", - "braket:GetJob", - "braket:GetQuantumTask", - 
"braket:SearchDevices",
- "braket:SearchJobs",
- "braket:SearchQuantumTasks",
- "budgets:Describe*",
- "budgets:ListTagsForResource",
- "budgets:View*",
- "cassandra:Select",
- "ce:DescribeCostCategoryDefinition",
- "ce:DescribeNotificationSubscription",
- "ce:DescribeReport",
- "ce:GetAnomalies",
- "ce:GetAnomalyMonitors",
- "ce:GetAnomalySubscriptions",
- "ce:GetApproximateUsageRecords",
- "ce:GetCommitmentPurchaseAnalysis",
- "ce:GetCostAndUsage",
- "ce:GetCostAndUsageComparisons",
- "ce:GetCostAndUsageWithResources",
- "ce:GetCostCategories",
- "ce:GetCostComparisonDrivers",
- "ce:GetCostForecast",
- "ce:GetDimensionValues",
- "ce:GetPreferences",
- "ce:GetReservationCoverage",
- "ce:GetReservationPurchaseRecommendation",
- "ce:GetReservationUtilization",
- "ce:GetRightsizingRecommendation",
- "ce:GetSavingsPlanPurchaseRecommendationDetails",
- "ce:GetSavingsPlansCoverage",
- "ce:GetSavingsPlansPurchaseRecommendation",
- "ce:GetSavingsPlansUtilization",
- "ce:GetSavingsPlansUtilizationDetails",
- "ce:GetTags",
- "ce:GetUsageForecast",
- "ce:ListCommitmentPurchaseAnalyses",
- "ce:ListCostAllocationTagBackfillHistory",
- "ce:ListCostAllocationTags",
- "ce:ListCostCategoryDefinitions",
- "ce:ListSavingsPlansPurchaseRecommendationGeneration",
- "ce:ListTagsForResource",
- "chatbot:Describe*",
- "chatbot:Get*",
- "chatbot:List*",
- "chime:Get*",
- "chime:List*",
- "chime:Retrieve*",
- "chime:Search*",
- "chime:Validate*",
- "cleanrooms-ml:GetAudienceGenerationJob",
- "cleanrooms-ml:GetAudienceModel",
- "cleanrooms-ml:GetConfiguredAudienceModel",
- "cleanrooms-ml:GetConfiguredAudienceModelPolicy",
- "cleanrooms-ml:GetTrainingDataset",
- "cleanrooms-ml:ListAudienceExportJobs",
- "cleanrooms-ml:ListAudienceGenerationJobs",
- "cleanrooms-ml:ListAudienceModels",
- "cleanrooms-ml:ListConfiguredAudienceModels",
- "cleanrooms-ml:ListTagsForResource",
- "cleanrooms-ml:ListTrainingDatasets",
- "cleanrooms:BatchGetCollaborationAnalysisTemplate",
- "cleanrooms:BatchGetSchema",
- "cleanrooms:BatchGetSchemaAnalysisRule",
- "cleanrooms:GetAnalysisTemplate",
- "cleanrooms:GetCollaboration",
- "cleanrooms:GetCollaborationAnalysisTemplate",
- "cleanrooms:GetCollaborationConfiguredAudienceModelAssociation",
- "cleanrooms:GetCollaborationIdNamespaceAssociation",
- "cleanrooms:GetCollaborationPrivacyBudgetTemplate",
- "cleanrooms:GetConfiguredAudienceModelAssociation",
- "cleanrooms:GetConfiguredTable",
- "cleanrooms:GetConfiguredTableAnalysisRule",
- "cleanrooms:GetConfiguredTableAssociation",
- "cleanrooms:GetConfiguredTableAssociationAnalysisRule",
- "cleanrooms:GetIdMappingTable",
- "cleanrooms:GetIdNamespaceAssociation",
- "cleanrooms:GetMembership",
- "cleanrooms:GetPrivacyBudgetTemplate",
- "cleanrooms:GetProtectedQuery",
- "cleanrooms:GetSchema",
- "cleanrooms:GetSchemaAnalysisRule",
- "cleanrooms:ListAnalysisTemplates",
- "cleanrooms:ListCollaborationAnalysisTemplates",
- "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations",
- "cleanrooms:ListCollaborationIdNamespaceAssociations",
- "cleanrooms:ListCollaborationPrivacyBudgetTemplates",
- "cleanrooms:ListCollaborationPrivacyBudgets",
- "cleanrooms:ListCollaborations",
- "cleanrooms:ListConfiguredAudienceModelAssociations",
- "cleanrooms:ListConfiguredTableAssociations",
- "cleanrooms:ListConfiguredTables",
- "cleanrooms:ListIdMappingTables",
- "cleanrooms:ListIdNamespaceAssociations",
- "cleanrooms:ListMembers",
- "cleanrooms:ListMemberships",
- "cleanrooms:ListPrivacyBudgetTemplates",
- "cleanrooms:ListPrivacyBudgets",
- "cleanrooms:ListProtectedQueries",
- "cleanrooms:ListSchemas",
- "cleanrooms:ListTagsForResource",
- "cleanrooms:PreviewPrivacyImpact",
- "cloud9:Describe*",
- "cloud9:List*",
- "clouddirectory:BatchRead",
- "clouddirectory:Get*",
- "clouddirectory:List*",
- "clouddirectory:LookupPolicy",
- "cloudformation:Describe*",
- "cloudformation:Detect*",
- "cloudformation:Estimate*",
- "cloudformation:Get*",
- "cloudformation:List*",
- "cloudformation:ValidateTemplate",
- "cloudfront-keyvaluestore:Describe*",
- "cloudfront-keyvaluestore:Get*",
- "cloudfront-keyvaluestore:List*",
- "cloudfront:Describe*",
- "cloudfront:Get*",
- "cloudfront:List*",
- "cloudhsm:Describe*",
- "cloudhsm:GetResourcePolicy",
- "cloudhsm:List*",
- "cloudsearch:Describe*",
- "cloudsearch:List*",
- "cloudtrail:Describe*",
- "cloudtrail:Get*",
- "cloudtrail:List*",
- "cloudtrail:LookupEvents",
- "cloudwatch:Describe*",
- "cloudwatch:GenerateQuery",
- "cloudwatch:GenerateQueryResultsSummary",
- "cloudwatch:Get*",
- "cloudwatch:List*",
- "codeartifact:DescribeDomain",
- "codeartifact:DescribePackage",
- "codeartifact:DescribePackageVersion",
- "codeartifact:DescribeRepository",
- "codeartifact:GetAuthorizationToken",
- "codeartifact:GetDomainPermissionsPolicy",
- "codeartifact:GetPackageVersionAsset",
- "codeartifact:GetPackageVersionReadme",
- "codeartifact:GetRepositoryEndpoint",
- "codeartifact:GetRepositoryPermissionsPolicy",
- "codeartifact:ListDomains",
- "codeartifact:ListPackageVersionAssets",
- "codeartifact:ListPackageVersionDependencies",
- "codeartifact:ListPackageVersions",
- "codeartifact:ListPackages",
- "codeartifact:ListRepositories",
- "codeartifact:ListRepositoriesInDomain",
- "codeartifact:ListTagsForResource",
- "codeartifact:ReadFromRepository",
- "codebuild:BatchGet*",
- "codebuild:DescribeCodeCoverages",
- "codebuild:DescribeTestCases",
- "codebuild:List*",
- "codecatalyst:GetBillingAuthorization",
- "codecatalyst:GetConnection",
- "codecatalyst:GetPendingConnection",
- "codecatalyst:ListConnections",
- "codecatalyst:ListIamRolesForConnection",
- "codecatalyst:ListTagsForResource",
- "codecommit:BatchGet*",
- "codecommit:Describe*",
- "codecommit:Get*",
- "codecommit:GitPull",
- "codecommit:List*",
- "codedeploy:BatchGet*",
- "codedeploy:Get*",
- "codedeploy:List*",
- "codeguru-profiler:Describe*",
- "codeguru-profiler:Get*",
- "codeguru-profiler:List*",
- "codeguru-reviewer:Describe*",
- "codeguru-reviewer:Get*",
- "codeguru-reviewer:List*",
- "codepipeline:Get*",
- "codepipeline:List*",
- "codestar-connections:GetConnection",
- "codestar-connections:GetHost",
- "codestar-connections:GetRepositoryLink",
- "codestar-connections:GetRepositorySyncStatus",
- "codestar-connections:GetResourceSyncStatus",
- "codestar-connections:GetSyncConfiguration",
- "codestar-connections:ListConnections",
- "codestar-connections:ListHosts",
- "codestar-connections:ListRepositoryLinks",
- "codestar-connections:ListRepositorySyncDefinitions",
- "codestar-connections:ListSyncConfigurations",
- "codestar-connections:ListTagsForResource",
- "codestar-notifications:ListTargets",
- "codestar-notifications:describeNotificationRule",
- "codestar-notifications:listEventTypes",
- "codestar-notifications:listNotificationRules",
- "codestar-notifications:listTagsForResource",
- "codestar:Describe*",
- "codestar:Get*",
- "codestar:List*",
- "codestar:Verify*",
- "codewhisperer:ListProfiles",
- "cognito-identity:Describe*",
- "cognito-identity:GetCredentialsForIdentity",
- "cognito-identity:GetIdentityPoolAnalytics",
- "cognito-identity:GetIdentityPoolDailyAnalytics",
- "cognito-identity:GetIdentityPoolRoles",
- "cognito-identity:GetIdentityProviderDailyAnalytics",
- "cognito-identity:GetOpenIdToken",
- "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
- "cognito-identity:List*",
- "cognito-identity:Lookup*",
- "cognito-idp:AdminGet*",
- "cognito-idp:AdminList*",
- "cognito-idp:Describe*",
- "cognito-idp:Get*",
- "cognito-idp:List*",
- "cognito-sync:Describe*",
- "cognito-sync:Get*",
- "cognito-sync:List*",
- "cognito-sync:QueryRecords",
- "comprehend:BatchDetect*",
- "comprehend:Classify*",
- "comprehend:Contains*",
- "comprehend:Describe*",
- "comprehend:Detect*",
- "comprehend:List*",
- "compute-optimizer:DescribeRecommendationExportJobs",
- "compute-optimizer:GetAutoScalingGroupRecommendations",
- "compute-optimizer:GetEBSVolumeRecommendations",
- "compute-optimizer:GetEC2InstanceRecommendations",
- "compute-optimizer:GetEC2RecommendationProjectedMetrics",
- "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
- "compute-optimizer:GetECSServiceRecommendations",
- "compute-optimizer:GetEffectiveRecommendationPreferences",
- "compute-optimizer:GetEnrollmentStatus",
- "compute-optimizer:GetEnrollmentStatusesForOrganization",
- "compute-optimizer:GetIdleRecommendations",
- "compute-optimizer:GetLambdaFunctionRecommendations",
- "compute-optimizer:GetLicenseRecommendations",
- "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics",
- "compute-optimizer:GetRDSDatabaseRecommendations",
- "compute-optimizer:GetRecommendationPreferences",
- "compute-optimizer:GetRecommendationSummaries",
- "config:BatchGetAggregateResourceConfig",
- "config:BatchGetResourceConfig",
- "config:Deliver*",
- "config:Describe*",
- "config:Get*",
- "config:List*",
- "config:SelectAggregateResourceConfig",
- "config:SelectResourceConfig",
- "connect:Describe*",
- "connect:GetContactAttributes",
- "connect:GetCurrentMetricData",
- "connect:GetCurrentUserData",
- "connect:GetFederationToken",
- "connect:GetMetricData",
- "connect:GetMetricDataV2",
- "connect:GetTaskTemplate",
- "connect:GetTrafficDistribution",
- "connect:List*",
- "consoleapp:GetDeviceIdentity",
- "consoleapp:ListDeviceIdentities",
- "consolidatedbilling:GetAccountBillingRole",
- "consolidatedbilling:ListLinkedAccounts",
- "controlcatalog:GetControl",
- "controlcatalog:ListCommonControls",
- "controlcatalog:ListControlMappings",
- "controlcatalog:ListControls",
- "controlcatalog:ListDomains",
- "controlcatalog:ListObjectives",
- "cost-optimization-hub:GetPreferences",
- "cost-optimization-hub:GetRecommendation",
- "cost-optimization-hub:ListEnrollmentStatuses",
- "cost-optimization-hub:ListRecommendationSummaries",
- "cost-optimization-hub:ListRecommendations",
- "cur:GetClassicReport",
- "cur:GetClassicReportPreferences",
- "cur:GetUsageReport",
- "customer-verification:GetCustomerVerificationDetails",
- "customer-verification:GetCustomerVerificationEligibility",
- "databrew:DescribeDataset",
- "databrew:DescribeJob",
- "databrew:DescribeJobRun",
- "databrew:DescribeProject",
- "databrew:DescribeRecipe",
- "databrew:DescribeRuleset",
- "databrew:DescribeSchedule",
- "databrew:ListDatasets",
- "databrew:ListJobRuns",
- "databrew:ListJobs",
- "databrew:ListProjects",
- "databrew:ListRecipeVersions",
- "databrew:ListRecipes",
- "databrew:ListRulesets",
- "databrew:ListSchedules",
- "databrew:ListTagsForResource",
- "dataexchange:Get*",
- "dataexchange:List*",
- "datapipeline:Describe*",
- "datapipeline:EvaluateExpression",
- "datapipeline:Get*",
- "datapipeline:List*",
- "datapipeline:QueryObjects",
- "datapipeline:Validate*",
- "datasync:Describe*",
- "datasync:List*",
- "datazone:GetAsset",
- "datazone:GetAssetType",
- "datazone:GetDataProduct",
- "datazone:GetDataSource",
- "datazone:GetDataSourceRun",
- "datazone:GetDomain",
- "datazone:GetDomainSharingPolicy",
- "datazone:GetDomainUnit",
- "datazone:GetEnvironment",
- "datazone:GetEnvironmentAction",
- "datazone:GetEnvironmentBlueprint",
- "datazone:GetEnvironmentBlueprintConfiguration",
- "datazone:GetEnvironmentProfile",
- "datazone:GetFormType",
- "datazone:GetGlossary",
- "datazone:GetGlossaryTerm",
- "datazone:GetGroupProfile",
- "datazone:GetLineageNode",
- "datazone:GetListing",
- "datazone:GetMetadataGenerationRun",
- "datazone:GetProject",
- "datazone:GetProjectProfile",
- "datazone:GetSubscription",
- "datazone:GetSubscriptionEligibility",
- "datazone:GetSubscriptionGrant",
- "datazone:GetSubscriptionRequestDetails",
- "datazone:GetSubscriptionTarget",
- "datazone:GetTimeSeriesDataPoint",
- "datazone:GetUserProfile",
- "datazone:ListAccountEnvironments",
- "datazone:ListAssetRevisions",
- "datazone:ListDataProductRevisions",
- "datazone:ListDataSourceRunActivities",
- "datazone:ListDataSourceRuns",
- "datazone:ListDataSources",
- "datazone:ListDomainUnitsForParent",
- "datazone:ListDomains",
- "datazone:ListEntityOwners",
- "datazone:ListEnvironmentActions",
- "datazone:ListEnvironmentBlueprintConfigurationSummaries",
- "datazone:ListEnvironmentBlueprintConfigurations",
- "datazone:ListEnvironmentBlueprints",
- "datazone:ListEnvironmentProfiles",
- "datazone:ListEnvironments",
- "datazone:ListGroupsForUser",
- "datazone:ListLineageNodeHistory",
- "datazone:ListNotifications",
- "datazone:ListPolicyGrants",
- "datazone:ListProjectMemberships",
- "datazone:ListProjectProfiles",
- "datazone:ListProjects",
- "datazone:ListSubscriptionGrants",
- "datazone:ListSubscriptionRequests",
- "datazone:ListSubscriptionTargets",
- "datazone:ListSubscriptions",
- "datazone:ListTagsForResource",
- "datazone:ListTimeSeriesDataPoints",
- "datazone:Search",
- "datazone:SearchGroupProfiles",
- "datazone:SearchListings",
- "datazone:SearchTypes",
- "datazone:SearchUserProfiles",
- "dax:BatchGetItem",
- "dax:Describe*",
- "dax:GetItem",
- "dax:ListTags",
- "dax:Query",
- "dax:Scan",
- "deadline:BatchGetJobEntity",
- "deadline:GetApplicationVersion",
- "deadline:GetBudget",
- "deadline:GetFarm",
- "deadline:GetFleet",
- "deadline:GetJob",
- "deadline:GetLicenseEndpoint",
- "deadline:GetMonitor",
- "deadline:GetQueue",
- "deadline:GetQueueEnvironment",
- "deadline:GetQueueFleetAssociation",
- "deadline:GetSession",
- "deadline:GetSessionAction",
- "deadline:GetSessionsStatisticsAggregation",
- "deadline:GetStep",
- "deadline:GetStorageProfile",
- "deadline:GetStorageProfileForQueue",
- "deadline:GetTask",
- "deadline:GetWorker",
- "deadline:ListAvailableMeteredProducts",
- "deadline:ListBudgets",
- "deadline:ListFarmMembers",
- "deadline:ListFarms",
- "deadline:ListFleetMembers",
- "deadline:ListFleets",
- "deadline:ListJobMembers",
- "deadline:ListJobParameterDefinitions",
- "deadline:ListJobs",
- "deadline:ListLicenseEndpoints",
- "deadline:ListMeteredProducts",
- "deadline:ListMonitors",
- "deadline:ListQueueEnvironments",
- "deadline:ListQueueFleetAssociations",
- "deadline:ListQueueMembers",
- "deadline:ListQueues",
- "deadline:ListSessionActions",
- "deadline:ListSessions",
- "deadline:ListSessionsForWorker",
- "deadline:ListStepConsumers",
- "deadline:ListStepDependencies",
- "deadline:ListSteps",
- "deadline:ListStorageProfiles",
- "deadline:ListStorageProfilesForQueue",
- "deadline:ListTagsForResource",
- "deadline:ListTasks",
- "deadline:ListWorkers",
- "deadline:SearchJobs",
- "deadline:SearchSteps",
- "deadline:SearchTasks",
- "deadline:SearchWorkers",
- "deepcomposer:GetComposition",
- "deepcomposer:GetModel",
- "deepcomposer:GetSampleModel",
- "deepcomposer:ListCompositions",
- "deepcomposer:ListModels",
- "deepcomposer:ListSampleModels",
- "deepcomposer:ListTrainingTopics",
- "detective:BatchGetGraphMemberDatasources",
- "detective:BatchGetMembershipDatasources",
- "detective:Get*",
- "detective:List*",
- "detective:SearchGraph",
- "devicefarm:Get*",
- "devicefarm:List*",
- "devops-guru:DescribeAccountHealth",
- "devops-guru:DescribeAccountOverview",
- "devops-guru:DescribeAnomaly",
- "devops-guru:DescribeEventSourcesConfig",
- "devops-guru:DescribeFeedback",
- "devops-guru:DescribeInsight",
- "devops-guru:DescribeOrganizationHealth",
- "devops-guru:DescribeOrganizationOverview",
- "devops-guru:DescribeOrganizationResourceCollectionHealth",
- "devops-guru:DescribeResourceCollectionHealth",
- "devops-guru:DescribeServiceIntegration",
- "devops-guru:GetCostEstimation",
- "devops-guru:GetResourceCollection",
- "devops-guru:ListAnomaliesForInsight",
- "devops-guru:ListAnomalousLogGroups",
- "devops-guru:ListEvents",
- "devops-guru:ListInsights",
- "devops-guru:ListMonitoredResources",
- "devops-guru:ListNotificationChannels",
- "devops-guru:ListOrganizationInsights",
- "devops-guru:ListRecommendations",
- "devops-guru:SearchInsights",
- "devops-guru:StartCostEstimation",
- "directconnect:Describe*",
- "discovery:Describe*",
- "discovery:Get*",
- "discovery:List*",
- "dlm:Get*",
- "dms:Describe*",
- "dms:List*",
- "dms:Test*",
- "docdb-elastic:ListClusters",
- "docdb-elastic:ListClusterSnapshots",
- "docdb-elastic:ListPendingMaintenanceActions",
- "docdb-elastic:ListTagsForResource",
- "drs:DescribeJobLogItems",
- "drs:DescribeJobs",
- "drs:DescribeLaunchConfigurationTemplates",
- "drs:DescribeRecoveryInstances",
- "drs:DescribeRecoverySnapshots",
- "drs:DescribeReplicationConfigurationTemplates",
- "drs:DescribeSourceNetworks",
- "drs:DescribeSourceServers",
- "drs:GetFailbackReplicationConfiguration",
- "drs:GetLaunchConfiguration",
- "drs:GetReplicationConfiguration",
- "drs:ListExtensibleSourceServers",
- "drs:ListLaunchActions",
- "drs:ListStagingAccounts",
- "drs:ListTagsForResource",
- "ds:Check*",
- "ds:Describe*",
- "ds:Get*",
- "ds:List*",
- "ds:Verify*",
- "dsql:GetCluster",
- "dsql:GetVpcEndpointServiceName",
- "dsql:ListClusters",
- "dsql:ListTagsForResource",
- "dynamodb:BatchGet*",
- "dynamodb:Describe*",
- "dynamodb:Get*",
- "dynamodb:List*",
- "dynamodb:PartiQLSelect",
- "dynamodb:Query",
- "dynamodb:Scan",
- "ec2:Describe*",
- "ec2:DescribeInstanceImageMetadata",
- "ec2:Get*",
- "ec2:ListImagesInRecycleBin",
- "ec2:ListSnapshotsInRecycleBin",
- "ec2:SearchLocalGatewayRoutes",
- "ec2:SearchTransitGatewayRoutes",
- "ec2messages:Get*",
- "ecr-public:BatchCheckLayerAvailability",
- "ecr-public:DescribeImageTags",
- "ecr-public:DescribeImages",
- "ecr-public:DescribeRegistries",
- "ecr-public:DescribeRepositories",
- "ecr-public:GetAuthorizationToken",
- "ecr-public:GetRegistryCatalogData",
- "ecr-public:GetRepositoryCatalogData",
- "ecr-public:GetRepositoryPolicy",
- "ecr-public:ListTagsForResource",
- "ecr:BatchCheck*",
- "ecr:BatchGet*",
- "ecr:Describe*",
- "ecr:Get*",
- "ecr:List*",
- "ecs:Describe*",
- "ecs:List*",
- "eks:Describe*",
- "eks:List*",
- "elasticache:Describe*",
- "elasticache:List*",
- "elasticbeanstalk:Check*",
- "elasticbeanstalk:Describe*",
- "elasticbeanstalk:List*",
- "elasticbeanstalk:Request*",
- "elasticbeanstalk:Retrieve*",
- "elasticbeanstalk:Validate*",
- "elasticfilesystem:Describe*",
- "elasticfilesystem:ListTagsForResource",
- "elasticloadbalancing:Describe*",
- "elasticmapreduce:Describe*",
- "elasticmapreduce:GetBlockPublicAccessConfiguration",
- "elasticmapreduce:List*",
- "elasticmapreduce:View*",
- "elastictranscoder:List*",
- "elastictranscoder:Read*",
- "elemental-appliances-software:Get*",
- "elemental-appliances-software:List*",
- "emr-containers:DescribeJobRun",
- "emr-containers:DescribeManagedEndpoint",
- "emr-containers:DescribeVirtualCluster",
- "emr-containers:ListJobRuns",
- "emr-containers:ListManagedEndpoints",
- "emr-containers:ListTagsForResource",
- "emr-containers:ListVirtualClusters",
- "emr-serverless:GetApplication",
- "emr-serverless:GetDashboardForJobRun",
- "emr-serverless:GetJobRun",
- "emr-serverless:ListApplications",
- "emr-serverless:ListJobRuns",
- "emr-serverless:ListTagsForResource",
- "es:Describe*",
- "es:ESHttpGet",
- "es:ESHttpHead",
- "es:Get*",
- "es:List*",
- "events:Describe*",
- "events:List*",
- "events:Test*",
- "evidently:GetExperiment",
- "evidently:GetExperimentResults",
- "evidently:GetFeature",
- "evidently:GetLaunch",
- "evidently:GetProject",
- "evidently:GetSegment",
- "evidently:ListExperiments",
- "evidently:ListFeatures",
- "evidently:ListLaunches",
- "evidently:ListProjects",
- "evidently:ListSegmentReferences",
- "evidently:ListSegments",
- "evidently:ListTagsForResource",
- "evidently:TestSegmentPattern",
- "firehose:Describe*",
- "firehose:List*",
- "fis:GetAction",
- "fis:GetExperiment",
- "fis:GetExperimentTargetAccountConfiguration",
- "fis:GetExperimentTemplate",
- "fis:GetTargetAccountConfiguration",
- "fis:GetTargetResourceType",
- "fis:ListActions",
- "fis:ListExperimentResolvedTargets",
- "fis:ListExperimentTargetAccountConfigurations",
- "fis:ListExperimentTemplates",
- "fis:ListExperiments",
- "fis:ListTagsForResource",
- "fis:ListTargetAccountConfigurations",
- "fis:ListTargetResourceTypes",
- "fms:GetAdminAccount",
- "fms:GetAdminScope",
- "fms:GetAppsList",
- "fms:GetComplianceDetail",
- "fms:GetNotificationChannel",
- "fms:GetPolicy",
- "fms:GetProtectionStatus",
- "fms:GetProtocolsList",
- "fms:GetViolationDetails",
- "fms:ListAppsLists",
- "fms:ListComplianceStatus",
- "fms:ListMemberAccounts",
- "fms:ListPolicies",
- "fms:ListProtocolsLists",
- "fms:ListTagsForResource",
- "forecast:DescribeAutoPredictor",
- "forecast:DescribeDataset",
- "forecast:DescribeDatasetGroup",
- "forecast:DescribeDatasetImportJob",
- "forecast:DescribeExplainability",
- "forecast:DescribeExplainabilityExport",
- "forecast:DescribeForecast",
- "forecast:DescribeForecastExportJob",
- "forecast:DescribeMonitor",
- "forecast:DescribePredictor",
- "forecast:DescribePredictorBacktestExportJob",
- "forecast:DescribeWhatIfAnalysis",
- "forecast:DescribeWhatIfForecast",
- "forecast:DescribeWhatIfForecastExport",
- "forecast:GetAccuracyMetrics",
- "forecast:ListDatasetGroups",
- "forecast:ListDatasetImportJobs",
- "forecast:ListDatasets",
- "forecast:ListExplainabilities",
- "forecast:ListExplainabilityExports",
- "forecast:ListForecastExportJobs",
- "forecast:ListForecasts",
- "forecast:ListMonitorEvaluations",
- "forecast:ListMonitors",
- "forecast:ListPredictorBacktestExportJobs",
- "forecast:ListPredictors",
- "forecast:ListWhatIfAnalyses",
- "forecast:ListWhatIfForecastExports",
- "forecast:ListWhatIfForecasts",
- "forecast:QueryForecast",
- "forecast:QueryWhatIfForecast",
- "frauddetector:BatchGetVariable",
- "frauddetector:DescribeDetector",
- "frauddetector:DescribeModelVersions",
- "frauddetector:GetBatchImportJobs",
- "frauddetector:GetBatchPredictionJobs",
- "frauddetector:GetDeleteEventsByEventTypeStatus",
- "frauddetector:GetDetectorVersion",
- "frauddetector:GetDetectors",
- "frauddetector:GetEntityTypes",
- "frauddetector:GetEvent",
- "frauddetector:GetEventPredictionMetadata",
- "frauddetector:GetEventTypes",
- "frauddetector:GetExternalModels",
- "frauddetector:GetKMSEncryptionKey",
- "frauddetector:GetLabels",
- "frauddetector:GetListElements",
- "frauddetector:GetListsMetadata",
- "frauddetector:GetModelVersion",
- "frauddetector:GetModels",
- "frauddetector:GetOutcomes",
- "frauddetector:GetRules",
- "frauddetector:GetVariables",
- "frauddetector:ListEventPredictions",
- "frauddetector:ListTagsForResource",
- "freertos:Describe*",
- "freertos:List*",
- "freetier:GetFreeTierAlertPreference",
- "freetier:GetFreeTierUsage",
- "freetier:GetAccountActivity",
- "freetier:GetAccountPlanState",
- "freetier:ListAccountActivities",
- "fsx:Describe*",
- "fsx:List*",
- "gamelift:Describe*",
- "gamelift:Get*",
- "gamelift:List*",
- "gamelift:ResolveAlias",
- "gamelift:Search*",
- "glacier:Describe*",
- "glacier:Get*",
- "glacier:List*",
- "globalaccelerator:Describe*",
- "globalaccelerator:List*",
- "glue:BatchGetCrawlers",
- "glue:BatchGetDevEndpoints",
- "glue:BatchGetJobs",
- "glue:BatchGetPartition",
- "glue:BatchGetTableOptimizer",
- "glue:BatchGetTriggers",
- "glue:BatchGetWorkflows",
- "glue:CheckSchemaVersionValidity",
- "glue:GetCatalogImportStatus",
- "glue:GetClassifier",
- "glue:GetClassifiers",
- "glue:GetCrawler",
- "glue:GetCrawlerMetrics",
- "glue:GetCrawlers",
- "glue:GetDataCatalogEncryptionSettings",
- "glue:GetDatabase",
- "glue:GetDatabases",
- "glue:GetDataflowGraph",
- "glue:GetDevEndpoint",
- "glue:GetDevEndpoints",
- "glue:GetJob",
- "glue:GetJobBookmark",
- "glue:GetJobRun",
- "glue:GetJobRuns",
- "glue:GetJobs",
- "glue:GetMLTaskRun",
- "glue:GetMLTaskRuns",
- "glue:GetMLTransform",
- "glue:GetMLTransforms",
- "glue:GetMapping",
- "glue:GetPartition",
- "glue:GetPartitions",
- "glue:GetPlan",
- "glue:GetRegistry",
- "glue:GetResourcePolicy",
- "glue:GetSchema",
- "glue:GetSchemaByDefinition",
- "glue:GetSchemaVersion",
- "glue:GetSchemaVersionsDiff",
- "glue:GetSecurityConfiguration",
- "glue:GetSecurityConfigurations",
- "glue:GetSession",
- "glue:GetStatement",
- "glue:GetTable",
- "glue:GetTableOptimizer",
- "glue:GetTableVersion",
- "glue:GetTableVersions",
- "glue:GetTables",
- "glue:GetTags",
- "glue:GetTrigger",
- "glue:GetTriggers",
- "glue:GetUserDefinedFunction",
- "glue:GetUserDefinedFunctions",
- "glue:GetWorkflow",
- "glue:GetWorkflowRun",
- "glue:GetWorkflowRunProperties",
- "glue:GetWorkflowRuns",
- "glue:ListCrawlers",
- "glue:ListCrawls",
- "glue:ListDevEndpoints",
- "glue:ListJobs",
- "glue:ListMLTransforms",
- "glue:ListRegistries",
- "glue:ListSchemaVersions",
- "glue:ListSchemas",
- "glue:ListSessions",
- "glue:ListStatements",
- "glue:ListTableOptimizerRuns",
- "glue:ListTriggers",
- "glue:ListWorkflows",
- "glue:QuerySchemaVersionMetadata",
- "glue:SearchTables",
- "grafana:DescribeWorkspace",
- "grafana:DescribeWorkspaceAuthentication",
- "grafana:DescribeWorkspaceConfiguration",
- "grafana:ListPermissions",
- "grafana:ListTagsForResource",
- "grafana:ListVersions",
- "grafana:ListWorkspaces",
- "greengrass:DescribeComponent",
- "greengrass:Get*",
- "greengrass:List*",
- "groundstation:DescribeContact",
- "groundstation:GetConfig",
- "groundstation:GetDataflowEndpointGroup",
- "groundstation:GetMinuteUsage",
- "groundstation:GetMissionProfile",
- "groundstation:GetSatellite",
- "groundstation:ListConfigs",
- "groundstation:ListContacts",
- "groundstation:ListDataflowEndpointGroups",
- "groundstation:ListGroundStations",
- "groundstation:ListMissionProfiles",
- "groundstation:ListSatellites",
- "groundstation:ListTagsForResource",
- "guardduty:Describe*",
- "guardduty:Get*",
- "guardduty:List*",
- "health:Describe*",
- "healthlake:DescribeFHIRDatastore",
- "healthlake:DescribeFHIRExportJob",
- "healthlake:DescribeFHIRImportJob",
- "healthlake:GetCapabilities",
- "healthlake:ListFHIRDatastores",
- "healthlake:ListFHIRExportJobs",
- "healthlake:ListFHIRImportJobs",
- "healthlake:ListTagsForResource",
- "healthlake:ReadResource",
- "healthlake:SearchWithGet",
- "healthlake:SearchWithPost",
- "iam:Generate*",
- "iam:Get*",
- "iam:List*",
- "iam:Simulate*",
- "identity-sync:GetSyncProfile",
- "identity-sync:GetSyncTarget",
- "identity-sync:ListSyncFilters",
- "identitystore-auth:BatchGetSession",
- "identitystore-auth:ListSessions",
- "identitystore:DescribeGroup",
- "identitystore:DescribeGroupMembership",
- "identitystore:DescribeUser",
- "identitystore:GetGroupId",
- "identitystore:GetGroupMembershipId",
- "identitystore:GetUserId",
- "identitystore:IsMemberInGroups",
- "identitystore:ListGroupMemberships",
- "identitystore:ListGroupMembershipsForMember",
- "identitystore:ListGroups",
- "identitystore:ListUsers",
- "imagebuilder:Get*",
- "imagebuilder:List*",
- "importexport:Get*",
- "importexport:List*",
- "inspector2:BatchGetAccountStatus",
- "inspector2:BatchGetCodeSnippet",
- "inspector2:BatchGetFreeTrialInfo",
- "inspector2:BatchGetMemberEc2DeepInspectionStatus",
- "inspector2:DescribeOrganizationConfiguration",
- "inspector2:GetCisScanReport",
- "inspector2:GetConfiguration",
- "inspector2:GetDelegatedAdminAccount",
- "inspector2:GetEc2DeepInspectionConfiguration",
- "inspector2:GetEncryptionKey",
- "inspector2:GetFindingsReportStatus",
- "inspector2:GetMember",
- "inspector2:GetSbomExport",
- "inspector2:ListAccountPermissions",
- "inspector2:ListCisScanConfigurations",
- "inspector2:ListCisScans",
- "inspector2:ListCoverage",
- "inspector2:ListCoverageStatistics",
- "inspector2:ListDelegatedAdminAccounts",
- "inspector2:ListFilters",
- "inspector2:ListFindingAggregations",
- "inspector2:ListFindings",
- "inspector2:ListMembers",
- "inspector2:ListTagsForResource",
- "inspector2:ListUsageTotals",
- "inspector2:SearchVulnerabilities",
- "inspector:Describe*",
- "inspector:Get*",
- "inspector:List*",
- "inspector:Preview*",
- "internetmonitor:GetHealthEvent",
- "internetmonitor:GetInternetEvent",
- "internetmonitor:GetMonitor",
- "internetmonitor:ListHealthEvents",
- "internetmonitor:ListInternetEvents",
- "internetmonitor:ListMonitors",
- "internetmonitor:ListTagsForResource",
- "invoicing:GetInvoiceEmailDeliveryPreferences",
- "invoicing:GetInvoicePDF",
- "invoicing:ListInvoiceSummaries",
- "iot1click:DescribeDevice",
- "iot1click:DescribePlacement",
- "iot1click:DescribeProject",
- "iot1click:GetDeviceMethods",
- "iot1click:GetDevicesInPlacement",
- "iot1click:ListDeviceEvents",
- "iot1click:ListDevices",
- "iot1click:ListPlacements",
- "iot1click:ListProjects",
- "iot1click:ListTagsForResource",
- "iot:Describe*",
- "iot:Get*",
- "iot:List*",
- "iotanalytics:Describe*",
- "iotanalytics:Get*",
- "iotanalytics:List*",
- "iotanalytics:SampleChannelData",
- "iotevents:DescribeAlarm",
- "iotevents:DescribeAlarmModel",
- "iotevents:DescribeDetector",
- "iotevents:DescribeDetectorModel",
- "iotevents:DescribeInput",
- "iotevents:DescribeLoggingOptions",
- "iotevents:ListAlarmModelVersions",
- "iotevents:ListAlarmModels",
- "iotevents:ListAlarms",
- "iotevents:ListDetectorModelVersions",
- "iotevents:ListDetectorModels",
- "iotevents:ListDetectors",
- "iotevents:ListInputs",
- "iotevents:ListTagsForResource",
- "iotfleethub:DescribeApplication",
- "iotfleethub:ListApplications",
- "iotfleetwise:GetCampaign",
- "iotfleetwise:GetDecoderManifest",
- "iotfleetwise:GetFleet",
- "iotfleetwise:GetLoggingOptions",
- "iotfleetwise:GetModelManifest",
- "iotfleetwise:GetRegisterAccountStatus",
- "iotfleetwise:GetSignalCatalog",
- "iotfleetwise:GetVehicle",
- "iotfleetwise:GetVehicleStatus",
- "iotfleetwise:ListCampaigns",
- "iotfleetwise:ListDecoderManifestNetworkInterfaces",
- "iotfleetwise:ListDecoderManifestSignals",
- "iotfleetwise:ListDecoderManifests",
- "iotfleetwise:ListFleets",
- "iotfleetwise:ListFleetsForVehicle",
- "iotfleetwise:ListModelManifestNodes",
- "iotfleetwise:ListModelManifests",
- "iotfleetwise:ListSignalCatalogNodes",
- "iotfleetwise:ListSignalCatalogs",
- "iotfleetwise:ListTagsForResource",
- "iotfleetwise:ListVehicles",
- "iotfleetwise:ListVehiclesInFleet",
- "iotsitewise:Describe*",
- "iotsitewise:Get*",
- "iotsitewise:List*",
- "iotwireless:GetDestination",
- "iotwireless:GetDeviceProfile",
- "iotwireless:GetEventConfigurationByResourceTypes",
- "iotwireless:GetFuotaTask",
- "iotwireless:GetLogLevelsByResourceTypes",
- "iotwireless:GetMetricConfiguration",
- "iotwireless:GetMetrics",
- "iotwireless:GetMulticastGroup",
- "iotwireless:GetMulticastGroupSession",
- "iotwireless:GetNetworkAnalyzerConfiguration",
- "iotwireless:GetPartnerAccount",
- "iotwireless:GetPosition",
- "iotwireless:GetPositionConfiguration",
- "iotwireless:GetPositionEstimate",
- "iotwireless:GetResourceEventConfiguration",
- "iotwireless:GetResourceLogLevel",
- "iotwireless:GetResourcePosition",
- "iotwireless:GetServiceEndpoint",
- "iotwireless:GetServiceProfile",
- "iotwireless:GetWirelessDevice",
- "iotwireless:GetWirelessDeviceImportTask",
- "iotwireless:GetWirelessDeviceStatistics",
- "iotwireless:GetWirelessGateway",
- "iotwireless:GetWirelessGatewayCertificate",
- "iotwireless:GetWirelessGatewayFirmwareInformation",
- "iotwireless:GetWirelessGatewayStatistics",
- "iotwireless:GetWirelessGatewayTask",
- "iotwireless:GetWirelessGatewayTaskDefinition",
- "iotwireless:ListDestinations",
- "iotwireless:ListDeviceProfiles",
- "iotwireless:ListDevicesForWirelessDeviceImportTask",
- "iotwireless:ListEventConfigurations",
- "iotwireless:ListFuotaTasks",
- "iotwireless:ListMulticastGroups",
- "iotwireless:ListMulticastGroupsByFuotaTask",
- "iotwireless:ListNetworkAnalyzerConfigurations",
- "iotwireless:ListPartnerAccounts",
- "iotwireless:ListPositionConfigurations",
- "iotwireless:ListQueuedMessages",
- "iotwireless:ListServiceProfiles",
- "iotwireless:ListTagsForResource",
- "iotwireless:ListWirelessDeviceImportTasks",
- "iotwireless:ListWirelessDevices",
- "iotwireless:ListWirelessGatewayTaskDefinitions",
- "iotwireless:ListWirelessGateways",
- "ivs:BatchGetChannel",
- "ivs:GetChannel",
- "ivs:GetComposition",
- "ivs:GetEncoderConfiguration",
- "ivs:GetIngestConfiguration",
- "ivs:GetParticipant",
- "ivs:GetPlaybackKeyPair",
- "ivs:GetPlaybackRestrictionPolicy",
- "ivs:GetPublicKey",
- "ivs:GetRecordingConfiguration",
- "ivs:GetStage",
- "ivs:GetStageSession",
- "ivs:GetStorageConfiguration",
- "ivs:GetStream",
- "ivs:GetStreamSession",
- "ivs:ListChannels",
- "ivs:ListCompositions",
- "ivs:ListEncoderConfigurations",
- "ivs:ListIngestConfigurations",
- "ivs:ListParticipantEvents",
- "ivs:ListParticipants",
- "ivs:ListPlaybackKeyPairs",
- "ivs:ListPlaybackRestrictionPolicies",
- "ivs:ListPublicKeys",
- "ivs:ListRecordingConfigurations",
- "ivs:ListStageSessions",
- "ivs:ListStages",
- "ivs:ListStorageConfigurations",
- "ivs:ListStreamKeys",
- "ivs:ListStreamSessions",
- "ivs:ListStreams",
- "ivs:ListTagsForResource",
- "ivschat:GetLoggingConfiguration",
- "ivschat:GetRoom",
- "ivschat:ListLoggingConfigurations",
- "ivschat:ListRooms",
- "ivschat:ListTagsForResource"
- ],
- "Resource": "*"
- },
- {
- "Sid": "ReadOnlyActionsGroup2",
- "Effect": "Allow",
- "Action": [
- "kafka:Describe*",
- "kafka:DescribeCluster",
- "kafka:DescribeClusterOperation",
- "kafka:DescribeClusterV2",
- "kafka:DescribeConfiguration",
- "kafka:DescribeConfigurationRevision",
- "kafka:Get*",
- "kafka:GetBootstrapBrokers",
- "kafka:GetCompatibleKafkaVersions",
- "kafka:List*",
- "kafka:ListClusterOperations",
- "kafka:ListClusters",
- "kafka:ListClustersV2",
- "kafka:ListConfigurationRevisions",
- "kafka:ListConfigurations",
- "kafka:ListKafkaVersions",
- "kafka:ListNodes",
- "kafka:ListTagsForResource",
- "kafkaconnect:DescribeConnector",
- "kafkaconnect:DescribeCustomPlugin",
- "kafkaconnect:DescribeWorkerConfiguration",
- "kafkaconnect:ListConnectors",
- "kafkaconnect:ListCustomPlugins",
- "kafkaconnect:ListWorkerConfigurations",
- "kendra:BatchGetDocumentStatus",
- "kendra:DescribeDataSource",
- "kendra:DescribeExperience",
- "kendra:DescribeFaq",
- "kendra:DescribeIndex",
- "kendra:DescribePrincipalMapping",
- "kendra:DescribeQuerySuggestionsBlockList",
- "kendra:DescribeQuerySuggestionsConfig",
- "kendra:DescribeThesaurus",
- "kendra:GetQuerySuggestions",
- "kendra:GetSnapshots",
- "kendra:ListDataSourceSyncJobs",
- "kendra:ListDataSources",
- "kendra:ListEntityPersonas",
- "kendra:ListExperienceEntities",
- "kendra:ListExperiences",
- "kendra:ListFaqs",
- "kendra:ListGroupsOlderThanOrderingId",
- "kendra:ListIndices",
- "kendra:ListQuerySuggestionsBlockLists",
- "kendra:ListTagsForResource",
- "kendra:ListThesauri",
- "kendra:Query",
- "kinesis:Describe*",
- "kinesis:Get*",
- "kinesis:List*",
- "kinesisanalytics:Describe*",
- "kinesisanalytics:Discover*",
- "kinesisanalytics:Get*",
- "kinesisanalytics:List*",
- "kinesisvideo:Describe*",
- "kinesisvideo:Get*",
- "kinesisvideo:List*",
- "kms:Describe*",
- "kms:Get*",
- "kms:List*",
- "lakeformation:DescribeResource",
- "lakeformation:GetDataCellsFilter",
- "lakeformation:GetDataLakeSettings",
- "lakeformation:GetEffectivePermissionsForPath",
- "lakeformation:GetLfTag",
- "lakeformation:GetResourceLfTags",
- "lakeformation:ListDataCellsFilter",
- "lakeformation:ListLfTags",
- "lakeformation:ListPermissions",
- "lakeformation:ListResources",
- "lakeformation:ListTableStorageOptimizers",
- "lakeformation:SearchDatabasesByLfTags",
- "lakeformation:SearchTablesByLfTags",
- "lambda:Get*",
- "lambda:List*",
- "launchwizard:DescribeAdditionalNode",
- "launchwizard:DescribeProvisionedApp",
- "launchwizard:DescribeProvisioningEvents",
- "launchwizard:DescribeSettingsSet",
- "launchwizard:GetDeployment",
- "launchwizard:GetInfrastructureSuggestion",
- "launchwizard:GetIpAddress",
- "launchwizard:GetResourceCostEstimate",
- "launchwizard:GetResourceRecommendation",
- "launchwizard:GetSettingsSet",
- "launchwizard:GetWorkload",
- "launchwizard:GetWorkloadAsset",
- "launchwizard:GetWorkloadAssets",
- "launchwizard:GetWorkloadDeploymentPattern",
- "launchwizard:ListAdditionalNodes",
- "launchwizard:ListAllowedResources",
- "launchwizard:ListDeploymentEvents",
- "launchwizard:ListDeployments",
- "launchwizard:ListProvisionedApps",
- "launchwizard:ListResourceCostEstimates",
- "launchwizard:ListSettingsSets",
- "launchwizard:ListTagsForResource",
- "launchwizard:ListWorkloadDeploymentOptions",
- "launchwizard:ListWorkloadDeploymentPatterns",
- "launchwizard:ListWorkloads",
- "lex:DescribeBot",
- "lex:DescribeBotAlias",
- "lex:DescribeBotChannel",
- "lex:DescribeBotLocale",
- "lex:DescribeBotReplica",
- "lex:DescribeBotVersion",
- "lex:DescribeExport",
- "lex:DescribeImport",
- "lex:DescribeIntent",
- "lex:DescribeResourcePolicy",
- "lex:DescribeSlot",
- "lex:DescribeSlotType",
- "lex:Get*",
- "lex:ListBotAliasReplicas",
- "lex:ListBotAliases",
- "lex:ListBotChannels",
- "lex:ListBotLocales",
- "lex:ListBotReplicas",
- "lex:ListBotVersionReplicas",
- "lex:ListBotVersions",
- "lex:ListBots",
- "lex:ListBuiltInIntents",
- "lex:ListBuiltInSlotTypes",
- "lex:ListExports",
- "lex:ListImports",
- "lex:ListIntents",
- "lex:ListSlotTypes",
- "lex:ListSlots",
- "lex:ListTagsForResource",
- "license-manager:Get*",
- "license-manager:List*",
- "lightsail:GetActiveNames",
- "lightsail:GetAlarms",
- "lightsail:GetAutoSnapshots",
- "lightsail:GetBlueprints",
- "lightsail:GetBucketAccessKeys",
- "lightsail:GetBucketBundles",
- "lightsail:GetBucketMetricData",
- "lightsail:GetBuckets",
- "lightsail:GetBundles",
- "lightsail:GetCertificates",
- "lightsail:GetCloudFormationStackRecords",
- "lightsail:GetContainerAPIMetadata",
- "lightsail:GetContainerImages",
- "lightsail:GetContainerServiceDeployments",
- "lightsail:GetContainerServiceMetricData",
- "lightsail:GetContainerServicePowers",
- "lightsail:GetContainerServices",
- "lightsail:GetDisk",
- "lightsail:GetDiskSnapshot",
- "lightsail:GetDiskSnapshots",
- "lightsail:GetDisks",
- "lightsail:GetDistributionBundles",
- "lightsail:GetDistributionLatestCacheReset",
- "lightsail:GetDistributionMetricData",
- "lightsail:GetDistributions",
- "lightsail:GetDomain",
- "lightsail:GetDomains",
- "lightsail:GetExportSnapshotRecords",
- "lightsail:GetInstance",
- "lightsail:GetInstanceMetricData",
- "lightsail:GetInstancePortStates",
- "lightsail:GetInstanceSnapshot",
- "lightsail:GetInstanceSnapshots",
- "lightsail:GetInstanceState",
- "lightsail:GetInstances",
- "lightsail:GetKeyPair",
- "lightsail:GetKeyPairs",
- "lightsail:GetLoadBalancer",
- "lightsail:GetLoadBalancerMetricData",
- "lightsail:GetLoadBalancerTlsCertificates",
- "lightsail:GetLoadBalancers",
- "lightsail:GetOperation",
- "lightsail:GetOperations",
- "lightsail:GetOperationsForResource",
- "lightsail:GetRegions",
- "lightsail:GetRelationalDatabase",
- "lightsail:GetRelationalDatabaseBlueprints",
- "lightsail:GetRelationalDatabaseBundles",
- "lightsail:GetRelationalDatabaseEvents",
- "lightsail:GetRelationalDatabaseLogEvents",
- "lightsail:GetRelationalDatabaseLogStreams",
- "lightsail:GetRelationalDatabaseMetricData",
- "lightsail:GetRelationalDatabaseParameters",
- "lightsail:GetRelationalDatabaseSnapshot",
- "lightsail:GetRelationalDatabaseSnapshots",
- "lightsail:GetRelationalDatabases",
- "lightsail:GetStaticIp",
- "lightsail:GetStaticIps",
- "lightsail:Is*",
- "logs:Describe*",
- "logs:FilterLogEvents",
- "logs:Get*",
- "logs:ListAnomalies",
- "logs:ListEntitiesForLogGroup",
- "logs:ListIntegrations",
- "logs:ListLogAnomalyDetectors",
- "logs:ListLogDeliveries",
- "logs:ListLogGroupsForEntity",
- "logs:ListLogGroupsForQuery",
- "logs:ListTagsForResource",
- "logs:ListTagsLogGroup",
- "logs:StartLiveTail",
- "logs:StartQuery",
- "logs:StopLiveTail",
- "logs:StopQuery",
- "logs:TestMetricFilter",
- "lookoutequipment:DescribeDataIngestionJob",
- "lookoutequipment:DescribeDataset",
- "lookoutequipment:DescribeInferenceScheduler",
- "lookoutequipment:DescribeLabel",
- "lookoutequipment:DescribeLabelGroup",
- "lookoutequipment:DescribeModel",
- "lookoutequipment:DescribeModelVersion",
- "lookoutequipment:DescribeResourcePolicy",
- "lookoutequipment:DescribeRetrainingScheduler",
- "lookoutequipment:ListDataIngestionJobs",
- "lookoutequipment:ListDatasets",
- "lookoutequipment:ListInferenceEvents",
- "lookoutequipment:ListInferenceExecutions",
- "lookoutequipment:ListInferenceSchedulers",
- "lookoutequipment:ListLabelGroups",
- "lookoutequipment:ListLabels",
- "lookoutequipment:ListModelVersions",
- "lookoutequipment:ListModels",
- "lookoutequipment:ListRetrainingSchedulers",
- "lookoutequipment:ListSensorStatistics",
- "lookoutequipment:ListTagsForResource",
- "lookoutmetrics:Describe*",
- "lookoutmetrics:Get*",
- "lookoutmetrics:List*",
- "lookoutvision:DescribeDataset",
- "lookoutvision:DescribeModel",
- "lookoutvision:DescribeModelPackagingJob",
- "lookoutvision:DescribeProject",
- "lookoutvision:ListDatasetEntries",
- "lookoutvision:ListModelPackagingJobs",
- "lookoutvision:ListModels",
- "lookoutvision:ListProjects",
- "lookoutvision:ListTagsForResource",
- "m2:GetApplication",
- "m2:GetApplicationVersion",
- "m2:GetBatchJobExecution",
- "m2:GetDataSetDetails",
- "m2:GetDataSetImportTask",
- "m2:GetDeployment",
- "m2:GetEnvironment",
- "m2:ListApplicationVersions",
- "m2:ListApplications",
- "m2:ListBatchJobDefinitions",
- "m2:ListBatchJobExecutions",
- "m2:ListDataSetImportHistory",
- "m2:ListDataSets",
- "m2:ListDeployments",
- "m2:ListEngineVersions",
- "m2:ListEnvironments",
- "m2:ListTagsForResource",
- "machinelearning:Describe*",
- "machinelearning:Get*",
- "macie2:BatchGetCustomDataIdentifiers",
- "macie2:DescribeBuckets",
- "macie2:DescribeClassificationJob",
- "macie2:DescribeOrganizationConfiguration",
- "macie2:GetAdministratorAccount",
- "macie2:GetAllowList",
- "macie2:GetAutomatedDiscoveryConfiguration",
- "macie2:GetBucketStatistics",
- "macie2:GetClassificationExportConfiguration",
- "macie2:GetClassificationScope",
- "macie2:GetCustomDataIdentifier",
- "macie2:GetFindingStatistics",
- "macie2:GetFindings",
- 
"macie2:GetFindingsFilter", - "macie2:GetFindingsPublicationConfiguration", - "macie2:GetInvitationsCount", - "macie2:GetMacieSession", - "macie2:GetMember", - "macie2:GetResourceProfile", - "macie2:GetRevealConfiguration", - "macie2:GetSensitiveDataOccurrencesAvailability", - "macie2:GetSensitivityInspectionTemplate", - "macie2:GetUsageStatistics", - "macie2:GetUsageTotals", - "macie2:ListAllowLists", - "macie2:ListAutomatedDiscoveryAccounts", - "macie2:ListClassificationJobs", - "macie2:ListClassificationScopes", - "macie2:ListCustomDataIdentifiers", - "macie2:ListFindings", - "macie2:ListFindingsFilters", - "macie2:ListInvitations", - "macie2:ListMembers", - "macie2:ListOrganizationAdminAccounts", - "macie2:ListResourceProfileArtifacts", - "macie2:ListResourceProfileDetections", - "macie2:ListSensitivityInspectionTemplates", - "macie2:ListTagsForResource", - "macie2:SearchResources", - "managedblockchain:GetMember", - "managedblockchain:GetNetwork", - "managedblockchain:GetNode", - "managedblockchain:GetProposal", - "managedblockchain:ListInvitations", - "managedblockchain:ListMembers", - "managedblockchain:ListNetworks", - "managedblockchain:ListNodes", - "managedblockchain:ListProposalVotes", - "managedblockchain:ListProposals", - "managedblockchain:ListTagsForResource", - "mediaconnect:DescribeFlow", - "mediaconnect:DescribeOffering", - "mediaconnect:DescribeReservation", - "mediaconnect:ListEntitlements", - "mediaconnect:ListFlows", - "mediaconnect:ListOfferings", - "mediaconnect:ListReservations", - "mediaconnect:ListTagsForResource", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "medialive:DescribeChannel", - "medialive:DescribeInput", - "medialive:DescribeInputDevice", - "medialive:DescribeInputDeviceThumbnail", - "medialive:DescribeInputSecurityGroup", - "medialive:DescribeMultiplex", - "medialive:DescribeMultiplexProgram", - "medialive:DescribeOffering", - "medialive:DescribeReservation", - 
"medialive:DescribeSchedule", - "medialive:GetCloudWatchAlarmTemplate", - "medialive:GetCloudWatchAlarmTemplateGroup", - "medialive:GetEventBridgeRuleTemplate", - "medialive:GetEventBridgeRuleTemplateGroup", - "medialive:GetSignalMap", - "medialive:ListChannels", - "medialive:ListCloudWatchAlarmTemplateGroups", - "medialive:ListCloudWatchAlarmTemplates", - "medialive:ListEventBridgeRuleTemplateGroups", - "medialive:ListEventBridgeRuleTemplates", - "medialive:ListInputDeviceTransfers", - "medialive:ListInputDevices", - "medialive:ListInputSecurityGroups", - "medialive:ListInputs", - "medialive:ListMultiplexPrograms", - "medialive:ListMultiplexes", - "medialive:ListOfferings", - "medialive:ListReservations", - "medialive:ListSignalMaps", - "medialive:ListTagsForResource", - "mediapackage-vod:Describe*", - "mediapackage-vod:List*", - "mediapackage:Describe*", - "mediapackage:List*", - "mediapackagev2:GetChannel", - "mediapackagev2:GetChannelGroup", - "mediapackagev2:GetChannelPolicy", - "mediapackagev2:GetHeadObject", - "mediapackagev2:GetObject", - "mediapackagev2:GetOriginEndpoint", - "mediapackagev2:GetOriginEndpointPolicy", - "mediapackagev2:ListChannelGroups", - "mediapackagev2:ListChannels", - "mediapackagev2:ListOriginEndpoints", - "mediapackagev2:ListTagsForResource", - "mediastore:DescribeContainer", - "mediastore:DescribeObject", - "mediastore:GetContainerPolicy", - "mediastore:GetCorsPolicy", - "mediastore:GetLifecyclePolicy", - "mediastore:GetMetricPolicy", - "mediastore:GetObject", - "mediastore:ListContainers", - "mediastore:ListItems", - "mediastore:ListTagsForResource", - "memorydb:DescribeAcls", - "memorydb:DescribeClusters", - "memorydb:DescribeEngineVersions", - "memorydb:DescribeEvents", - "memorydb:DescribeMultiRegionClusters", - "memorydb:DescribeMultiRegionParameterGroups", - "memorydb:DescribeMultiRegionParameters", - "memorydb:DescribeParameterGroups", - "memorydb:DescribeParameters", - "memorydb:DescribeReservedNodes", - 
"memorydb:DescribeReservedNodesOfferings", - "memorydb:DescribeServiceUpdates", - "memorydb:DescribeSnapshots", - "memorydb:DescribeSubnetGroups", - "memorydb:DescribeUsers", - "memorydb:ListAllowedMultiRegionClusterUpdates", - "memorydb:ListAllowedNodeTypeUpdates", - "memorydb:ListTags", - "mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mgn:DescribeJobLogItems", - "mgn:DescribeJobs", - "mgn:DescribeLaunchConfigurationTemplates", - "mgn:DescribeReplicationConfigurationTemplates", - "mgn:DescribeSourceServers", - "mgn:DescribeVcenterClients", - "mgn:GetLaunchConfiguration", - "mgn:GetReplicationConfiguration", - "mgn:ListApplications", - "mgn:ListSourceServerActions", - "mgn:ListTemplateActions", - "mgn:ListWaves", - "mobileanalytics:Get*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "monitron:GetProject", - "monitron:GetProjectAdminUser", - "monitron:ListProjects", - "monitron:ListTagsForResource", - "mpa:GetApprovalTeam", - "mpa:GetIdentitySource", - "mpa:GetPolicyVersion", - "mpa:GetResourcePolicy", - "mpa:GetSession", - "mpa:ListApprovalTeams", - "mpa:ListIdentitySources", - "mpa:ListPolicies", - "mpa:ListPolicyVersions", - "mpa:ListResourcePolicies", - "mpa:ListSessions", - "mpa:ListTagsForResource", - "mq:Describe*", - "mq:List*", - "network-firewall:DescribeFirewall", - "network-firewall:DescribeFirewallPolicy", - "network-firewall:DescribeLoggingConfiguration", - "network-firewall:DescribeResourcePolicy", - "network-firewall:DescribeRuleGroup", - "network-firewall:DescribeRuleGroupMetadata", - "network-firewall:DescribeTLSInspectionConfiguration", - "network-firewall:ListFirewallPolicies", - "network-firewall:ListFirewalls", - "network-firewall:ListRuleGroups", - "network-firewall:ListTLSInspectionConfigurations", - "network-firewall:ListTagsForResource", - "networkflowmonitor:GetMonitor", - "networkflowmonitor:GetScope", - "networkflowmonitor:ListMonitors", - "networkflowmonitor:ListScopes", - "networkmanager:DescribeGlobalNetworks", - 
"networkmanager:GetConnectAttachment", - "networkmanager:GetConnectPeer", - "networkmanager:GetConnectPeerAssociations", - "networkmanager:GetConnections", - "networkmanager:GetCoreNetwork", - "networkmanager:GetCoreNetworkChangeEvents", - "networkmanager:GetCoreNetworkChangeSet", - "networkmanager:GetCoreNetworkPolicy", - "networkmanager:GetCustomerGatewayAssociations", - "networkmanager:GetDevices", - "networkmanager:GetLinkAssociations", - "networkmanager:GetLinks", - "networkmanager:GetNetworkResourceCounts", - "networkmanager:GetNetworkResourceRelationships", - "networkmanager:GetNetworkResources", - "networkmanager:GetNetworkRoutes", - "networkmanager:GetNetworkTelemetry", - "networkmanager:GetResourcePolicy", - "networkmanager:GetRouteAnalysis", - "networkmanager:GetSiteToSiteVpnAttachment", - "networkmanager:GetSites", - "networkmanager:GetTransitGatewayConnectPeerAssociations", - "networkmanager:GetTransitGatewayPeering", - "networkmanager:GetTransitGatewayRegistrations", - "networkmanager:GetTransitGatewayRouteTableAttachment", - "networkmanager:GetVpcAttachment", - "networkmanager:ListAttachments", - "networkmanager:ListConnectPeers", - "networkmanager:ListCoreNetworkPolicyVersions", - "networkmanager:ListCoreNetworks", - "networkmanager:ListPeerings", - "networkmanager:ListTagsForResource", - "networkmonitor:GetMonitor", - "networkmonitor:GetProbe", - "networkmonitor:ListMonitors", - "networkmonitor:ListTagsForResource", - "nimble:GetEula", - "nimble:GetFeatureMap", - "nimble:GetLaunchProfile", - "nimble:GetLaunchProfileDetails", - "nimble:GetLaunchProfileInitialization", - "nimble:GetLaunchProfileMember", - "nimble:GetStreamingImage", - "nimble:GetStreamingSession", - "nimble:GetStudio", - "nimble:GetStudioComponent", - "nimble:GetStudioMember", - "nimble:ListEulaAcceptances", - "nimble:ListEulas", - "nimble:ListLaunchProfileMembers", - "nimble:ListLaunchProfiles", - "nimble:ListStreamingImages", - "nimble:ListStreamingSessions", - 
"nimble:ListStudioComponents", - "nimble:ListStudioMembers", - "nimble:ListStudios", - "nimble:ListTagsForResource", - "notifications-contacts:GetEmailContact", - "notifications-contacts:ListEmailContacts", - "notifications-contacts:ListTagsForResource", - "notifications:GetEventRule", - "notifications:GetFeatureOptInStatus", - "notifications:GetManagedNotificationChildEvent", - "notifications:GetManagedNotificationConfiguration", - "notifications:GetManagedNotificationEvent", - "notifications:GetNotificationConfiguration", - "notifications:GetNotificationEvent", - "notifications:GetNotificationsAccessForOrganization", - "notifications:List*", - "oam:GetLink", - "oam:GetSink", - "oam:GetSinkPolicy", - "oam:ListAttachedLinks", - "oam:ListLinks", - "oam:ListSinks", - "observabilityadmin:GetCentralizationRuleForOrganization", - "observabilityadmin:GetTelemetryEnrichmentStatus", - "observabilityadmin:GetTelemetryEvaluationStatus", - "observabilityadmin:GetTelemetryEvaluationStatusForOrganization", - "observabilityadmin:GetTelemetryRule", - "observabilityadmin:GetTelemetryRuleForOrganization", - "observabilityadmin:ListCentralizationRulesForOrganization", - "observabilityadmin:ListResourceTelemetry", - "observabilityadmin:ListResourceTelemetryForOrganization", - "observabilityadmin:ListTagsForResource", - "observabilityadmin:ListTelemetryRules", - "observabilityadmin:ListTelemetryRulesForOrganization", - "omics:Get*", - "omics:List*", - "one:GetDeviceConfigurationTemplate", - "one:GetDeviceInstance", - "one:GetDeviceInstanceConfiguration", - "one:GetSite", - "one:GetSiteAddress", - "one:ListDeviceConfigurationTemplates", - "one:ListDeviceInstances", - "one:ListSites", - "one:ListUsers", - "opsworks-cm:Describe*", - "opsworks-cm:List*", - "opsworks:Describe*", - "opsworks:Get*", - "organizations:Describe*", - "organizations:List*", - "osis:GetPipeline", - "osis:GetPipelineBlueprint", - "osis:GetPipelineChangeProgress", - "osis:ListPipelineBlueprints", - 
"osis:ListPipelines", - "osis:ListTagsForResource", - "outposts:Get*", - "outposts:List*", - "payment-cryptography:GetAlias", - "payment-cryptography:GetKey", - "payment-cryptography:GetPublicKeyCertificate", - "payment-cryptography:ListAliases", - "payment-cryptography:ListKeys", - "payment-cryptography:ListTagsForResource", - "payments:GetPaymentInstrument", - "payments:GetPaymentStatus", - "payments:ListPaymentInstruments", - "payments:ListPaymentPreferences", - "payments:ListPaymentProgramOptions", - "payments:ListPaymentProgramStatus", - "payments:ListTagsForResource", - "pca-connector-ad:GetConnector", - "pca-connector-ad:GetDirectoryRegistration", - "pca-connector-ad:GetServicePrincipalName", - "pca-connector-ad:GetTemplate", - "pca-connector-ad:GetTemplateGroupAccessControlEntry", - "pca-connector-ad:ListConnectors", - "pca-connector-ad:ListDirectoryRegistrations", - "pca-connector-ad:ListServicePrincipalNames", - "pca-connector-ad:ListTagsForResource", - "pca-connector-ad:ListTemplateGroupAccessControlEntries", - "pca-connector-ad:ListTemplates", - "pca-connector-scep:GetChallengeMetadata", - "pca-connector-scep:GetConnector", - "pca-connector-scep:ListChallengeMetadata", - "pca-connector-scep:ListConnectors", - "pca-connector-scep:ListTagsForResource", - "pcs:GetCluster", - "pcs:GetComputeNodeGroup", - "pcs:GetQueue", - "pcs:ListClusters", - "pcs:ListComputeNodeGroups", - "pcs:ListQueues", - "pcs:ListTagsForResource", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - "pi:DescribeDimensionKeys", - "pi:GetDimensionKeyDetails", - "pi:GetResourceMetadata", - "pi:GetResourceMetrics", - "pi:ListAvailableResourceDimensions", - "pi:ListAvailableResourceMetrics", - "pipes:DescribePipe", - "pipes:ListPipes", - "pipes:ListTagsForResource", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "pricing:DescribeServices", - "pricing:GetAttributeValues", - "pricing:GetPriceListFileUrl", - "pricing:GetProducts", - 
"pricing:ListPriceLists", - "proton:GetDeployment", - "proton:GetEnvironment", - "proton:GetEnvironmentTemplate", - "proton:GetEnvironmentTemplateVersion", - "proton:GetService", - "proton:GetServiceInstance", - "proton:GetServiceTemplate", - "proton:GetServiceTemplateVersion", - "proton:ListDeployments", - "proton:ListEnvironmentAccountConnections", - "proton:ListEnvironmentTemplates", - "proton:ListEnvironments", - "proton:ListServiceInstances", - "proton:ListServiceTemplates", - "proton:ListServices", - "proton:ListTagsForResource", - "purchase-orders:GetPurchaseOrder", - "purchase-orders:ListPurchaseOrderInvoices", - "purchase-orders:ListPurchaseOrders", - "purchase-orders:ViewPurchaseOrders", - "qbusiness:GetApplication", - "qbusiness:GetChatControlsConfiguration", - "qbusiness:GetDataSource", - "qbusiness:GetGroup", - "qbusiness:GetIndex", - "qbusiness:GetPlugin", - "qbusiness:GetRetriever", - "qbusiness:GetUser", - "qbusiness:GetWebExperience", - "qbusiness:ListApplications", - "qbusiness:ListDataSourceSyncJobs", - "qbusiness:ListDataSources", - "qbusiness:ListGroups", - "qbusiness:ListIndices", - "qbusiness:ListPlugins", - "qbusiness:ListRetrievers", - "qbusiness:ListSubscriptions", - "qbusiness:ListTagsForResource", - "qbusiness:ListWebExperiences", - "qldb:DescribeJournalKinesisStream", - "qldb:DescribeJournalS3Export", - "qldb:DescribeLedger", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:ListJournalKinesisStreamsForLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:ListLedgers", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rbin:GetRule", - "rbin:ListRules", - "rbin:ListTagsForResource", - "rds:Describe*", - "rds:Download*", - "rds:List*", - "redshift-serverless:GetCustomDomainAssociation", - "redshift-serverless:GetEndpointAccess", - "redshift-serverless:GetNamespace", - "redshift-serverless:GetRecoveryPoint", - "redshift-serverless:GetResourcePolicy", - 
"redshift-serverless:GetScheduledAction", - "redshift-serverless:GetSnapshot", - "redshift-serverless:GetTableRestoreStatus", - "redshift-serverless:GetUsageLimit", - "redshift-serverless:GetWorkgroup", - "redshift-serverless:ListCustomDomainAssociations", - "redshift-serverless:ListEndpointAccess", - "redshift-serverless:ListNamespaces", - "redshift-serverless:ListRecoveryPoints", - "redshift-serverless:ListScheduledActions", - "redshift-serverless:ListSnapshotCopyConfigurations", - "redshift-serverless:ListSnapshots", - "redshift-serverless:ListTableRestoreStatus", - "redshift-serverless:ListTagsForResource", - "redshift-serverless:ListUsageLimits", - "redshift-serverless:ListWorkgroups", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:ListRecommendations", - "redshift:View*", - "refactor-spaces:GetApplication", - "refactor-spaces:GetEnvironment", - "refactor-spaces:GetResourcePolicy", - "refactor-spaces:GetRoute", - "refactor-spaces:GetService", - "refactor-spaces:ListApplications", - "refactor-spaces:ListEnvironmentVpcs", - "refactor-spaces:ListEnvironments", - "refactor-spaces:ListRoutes", - "refactor-spaces:ListServices", - "refactor-spaces:ListTagsForResource", - "rekognition:CompareFaces", - "rekognition:DescribeDataset", - "rekognition:DescribeProjectVersions", - "rekognition:DescribeProjects", - "rekognition:DescribeStreamProcessor", - "rekognition:Detect*", - "rekognition:GetCelebrityInfo", - "rekognition:GetCelebrityRecognition", - "rekognition:GetContentModeration", - "rekognition:GetFaceDetection", - "rekognition:GetFaceSearch", - "rekognition:GetLabelDetection", - "rekognition:GetPersonTracking", - "rekognition:GetSegmentDetection", - "rekognition:GetTextDetection", - "rekognition:List*", - "rekognition:RecognizeCelebrities", - "rekognition:Search*", - "resiliencehub:DescribeApp", - "resiliencehub:DescribeAppAssessment", - "resiliencehub:DescribeAppVersion", - "resiliencehub:DescribeAppVersionAppComponent", - 
"resiliencehub:DescribeAppVersionResource", - "resiliencehub:DescribeAppVersionResourcesResolutionStatus", - "resiliencehub:DescribeAppVersionTemplate", - "resiliencehub:DescribeDraftAppVersionResourcesImportStatus", - "resiliencehub:DescribeMetricsExport", - "resiliencehub:DescribeResiliencyPolicy", - "resiliencehub:DescribeResourceGroupingRecommendationTask", - "resiliencehub:ListAlarmRecommendations", - "resiliencehub:ListAppAssessmentComplianceDrifts", - "resiliencehub:ListAppAssessmentResourceDrifts", - "resiliencehub:ListAppAssessments", - "resiliencehub:ListAppComponentCompliances", - "resiliencehub:ListAppComponentRecommendations", - "resiliencehub:ListAppInputSources", - "resiliencehub:ListAppVersionAppComponents", - "resiliencehub:ListAppVersionResourceMappings", - "resiliencehub:ListAppVersionResources", - "resiliencehub:ListAppVersions", - "resiliencehub:ListApps", - "resiliencehub:ListMetrics", - "resiliencehub:ListRecommendationTemplates", - "resiliencehub:ListResiliencyPolicies", - "resiliencehub:ListResourceGroupingRecommendations", - "resiliencehub:ListSopRecommendations", - "resiliencehub:ListSuggestedResiliencyPolicies", - "resiliencehub:ListTagsForResource", - "resiliencehub:ListTestRecommendations", - "resiliencehub:ListUnsupportedAppVersionResources", - "resource-explorer-2:BatchGetView", - "resource-explorer-2:GetAccountLevelServiceConfiguration", - "resource-explorer-2:GetDefaultView", - "resource-explorer-2:GetIndex", - "resource-explorer-2:GetManagedView", - "resource-explorer-2:GetView", - "resource-explorer-2:ListIndexes", - "resource-explorer-2:ListIndexesForMembers", - "resource-explorer-2:ListManagedViews", - "resource-explorer-2:ListSupportedResourceTypes", - "resource-explorer-2:ListTagsForResource", - "resource-explorer-2:ListViews", - "resource-explorer-2:Search", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:Get*", - 
"robomaker:List*", - "rolesanywhere:GetCrl", - "rolesanywhere:GetProfile", - "rolesanywhere:GetSubject", - "rolesanywhere:GetTrustAnchor", - "rolesanywhere:ListCrls", - "rolesanywhere:ListProfiles", - "rolesanywhere:ListSubjects", - "rolesanywhere:ListTagsForResource", - "rolesanywhere:ListTrustAnchors", - "route53-recovery-cluster:Get*", - "route53-recovery-cluster:ListRoutingControls", - "route53-recovery-control-config:Describe*", - "route53-recovery-control-config:GetResourcePolicy", - "route53-recovery-control-config:List*", - "route53-recovery-readiness:Get*", - "route53-recovery-readiness:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53profiles:GetProfile", - "route53profiles:GetProfileAssociation", - "route53profiles:GetProfileResourceAssociation", - "route53profiles:ListProfileAssociations", - "route53profiles:ListProfileResourceAssociations", - "route53profiles:ListProfiles", - "route53profiles:ListTagsForResource", - "route53resolver:Get*", - "route53resolver:List*", - "rum:GetAppMonitor", - "rum:GetAppMonitorData", - "rum:ListAppMonitors", - "s3-object-lambda:GetObject", - "s3-object-lambda:GetObjectAcl", - "s3-object-lambda:GetObjectLegalHold", - "s3-object-lambda:GetObjectRetention", - "s3-object-lambda:GetObjectTagging", - "s3-object-lambda:GetObjectVersion", - "s3-object-lambda:GetObjectVersionAcl", - "s3-object-lambda:GetObjectVersionTagging", - "s3-object-lambda:ListBucket", - "s3-object-lambda:ListBucketMultipartUploads", - "s3-object-lambda:ListBucketVersions", - "s3-object-lambda:ListMultipartUploadParts", - "s3-outposts:GetAccessPoint", - "s3-outposts:GetAccessPointPolicy", - "s3-outposts:GetBucket", - "s3-outposts:GetBucketPolicy", - "s3-outposts:GetBucketTagging", - "s3-outposts:GetBucketVersioning", - "s3-outposts:GetLifecycleConfiguration", - "s3-outposts:GetObject", - "s3-outposts:GetObjectTagging", - 
"s3-outposts:GetObjectVersion", - "s3-outposts:GetObjectVersionForReplication", - "s3-outposts:GetObjectVersionTagging", - "s3-outposts:GetReplicationConfiguration", - "s3-outposts:ListAccessPoints", - "s3-outposts:ListBucket", - "s3-outposts:ListBucketMultipartUploads", - "s3-outposts:ListBucketVersions", - "s3-outposts:ListEndpoints", - "s3-outposts:ListMultipartUploadParts", - "s3-outposts:ListOutpostsWithS3", - "s3-outposts:ListRegionalBuckets", - "s3-outposts:ListSharedEndpoints", - "s3:DescribeJob", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "savingsplans:DescribeSavingsPlanRates", - "savingsplans:DescribeSavingsPlans", - "savingsplans:DescribeSavingsPlansOfferingRates", - "savingsplans:DescribeSavingsPlansOfferings", - "savingsplans:ListTagsForResource", - "scheduler:GetSchedule", - "scheduler:GetScheduleGroup", - "scheduler:ListScheduleGroups", - "scheduler:ListSchedules", - "scheduler:ListTagsForResource", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "secretsmanager:List*", - "securityhub:BatchGetAutomationRules", - "securityhub:BatchGetConfigurationPolicyAssociations", - "securityhub:BatchGetControlEvaluations", - "securityhub:BatchGetSecurityControls", - "securityhub:BatchGetStandardsControlAssociations", - "securityhub:Describe*", - "securityhub:Get*", - "securityhub:List*", - "securitylake:GetDataLakeExceptionSubscription", - "securitylake:GetDataLakeOrganizationConfiguration", - "securitylake:GetDataLakeSources", - "securitylake:GetSubscriber", - "securitylake:ListDataLakeExceptions", - "securitylake:ListDataLakes", - "securitylake:ListLogSources", - "securitylake:ListSubscribers", - "securitylake:ListTagsForResource", - "serverlessrepo:Get*", - "serverlessrepo:List*", - "serverlessrepo:SearchApplications", - 
"servicecatalog:Describe*", - "servicecatalog:GetApplication", - "servicecatalog:GetAttributeGroup", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicediscovery:DiscoverInstances", - "servicediscovery:DiscoverInstancesRevision", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServices", - "ses:BatchGetMetricData", - "ses:Describe*", - "ses:Get*", - "ses:List*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "signer:DescribeSigningJob", - "signer:GetSigningPlatform", - "signer:GetSigningProfile", - "signer:ListProfilePermissions", - "signer:ListSigningJobs", - "signer:ListSigningPlatforms", - "signer:ListSigningProfiles", - "signer:ListTagsForResource", - "signin:ListTrustedIdentityPropagationApplicationsForConsole", - "sms-voice:DescribeAccountAttributes", - "sms-voice:DescribeAccountLimits", - "sms-voice:DescribeConfigurationSets", - "sms-voice:DescribeKeywords", - "sms-voice:DescribeOptOutLists", - "sms-voice:DescribeOptedOutNumbers", - "sms-voice:DescribePhoneNumbers", - "sms-voice:DescribePools", - "sms-voice:DescribeProtectConfigurations", - "sms-voice:DescribeRegistrationAttachments", - "sms-voice:DescribeRegistrationFieldDefinitions", - "sms-voice:DescribeRegistrationFieldValues", - "sms-voice:DescribeRegistrations", - "sms-voice:DescribeRegistrationSectionDefinitions", - "sms-voice:DescribeRegistrationTypeDefinitions", - "sms-voice:DescribeRegistrationVersions", - 
"sms-voice:DescribeSenderIds", - "sms-voice:DescribeSpendLimits", - "sms-voice:DescribeVerifiedDestinationNumbers", - "sms-voice:ListPoolOriginationIdentities", - "sms-voice:ListTagsForResource", - "snowball:Describe*", - "snowball:Get*", - "snowball:List*", - "sns:Check*", - "sns:Get*", - "sns:List*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm-contacts:DescribeEngagement", - "ssm-contacts:DescribePage", - "ssm-contacts:GetContact", - "ssm-contacts:GetContactChannel", - "ssm-contacts:ListContactChannels", - "ssm-contacts:ListContacts", - "ssm-contacts:ListEngagements", - "ssm-contacts:ListPageReceipts", - "ssm-contacts:ListPagesByContact", - "ssm-contacts:ListPagesByEngagement", - "ssm-incidents:GetIncidentRecord", - "ssm-incidents:GetReplicationSet", - "ssm-incidents:GetResourcePolicies", - "ssm-incidents:GetResponsePlan", - "ssm-incidents:GetTimelineEvent", - "ssm-incidents:ListIncidentRecords", - "ssm-incidents:ListRelatedItems", - "ssm-incidents:ListReplicationSets", - "ssm-incidents:ListResponsePlans", - "ssm-incidents:ListTagsForResource", - "ssm-incidents:ListTimelineEvents", - "ssm-quicksetup:GetConfiguration", - "ssm-quicksetup:GetConfigurationManager", - "ssm-quicksetup:GetServiceSettings", - "ssm-quicksetup:ListConfigurationManagers", - "ssm-quicksetup:ListConfigurations", - "ssm-quicksetup:ListQuickSetupTypes", - "ssm-quicksetup:ListTagsForResource", - "ssm-sap:GetApplication", - "ssm-sap:GetComponent", - "ssm-sap:GetConfigurationCheckOperation", - "ssm-sap:GetDatabase", - "ssm-sap:GetOperation", - "ssm-sap:GetResourcePermission", - "ssm-sap:ListApplications", - "ssm-sap:ListComponents", - "ssm-sap:ListConfigurationCheckDefinitions", - "ssm-sap:ListConfigurationCheckOperations", - "ssm-sap:ListDatabases", - "ssm-sap:ListOperationEvents", - "ssm-sap:ListOperations", - "ssm-sap:ListSubCheckResults", - "ssm-sap:ListSubCheckRuleResults", - "ssm-sap:ListTagsForResource", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "sso-directory:Describe*", 
- "sso-directory:List*", - "sso-directory:Search*", - "sso:Describe*", - "sso:Get*", - "sso:List*", - "states:Describe*", - "states:GetExecutionHistory", - "states:List*", - "states:ValidateStateMachineDefinition", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:GetAccessKeyInfo", - "sts:GetCallerIdentity", - "sts:GetSessionToken", - "support:DescribeAttachment", - "support:DescribeCaseAttributes", - "support:DescribeCases", - "support:DescribeCommunication", - "support:DescribeCommunications", - "support:DescribeCreateCaseOptions", - "support:DescribeIssueTypes", - "support:DescribeServices", - "support:DescribeSeverityLevels", - "support:DescribeSupportLevel", - "support:DescribeSupportedLanguages", - "support:DescribeTrustedAdvisorCheckRefreshStatuses", - "support:DescribeTrustedAdvisorCheckResult", - "support:DescribeTrustedAdvisorCheckSummaries", - "support:DescribeTrustedAdvisorChecks", - "support:SearchForCases", - "supportplans:GetSupportPlan", - "supportplans:GetSupportPlanUpdateStatus", - "supportplans:ListSupportPlanModifiers", - "sustainability:GetCarbonFootprintSummary", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "synthetics:List*", - "tag:DescribeReportCreation", - "tag:Get*", - "tax:GetExemptions", - "tax:GetTaxInheritance", - "tax:GetTaxInterview", - "tax:GetTaxRegistration", - "tax:GetTaxRegistrationDocument", - "tax:ListTaxRegistrations", - "timestream:DescribeBatchLoadTask", - "timestream:DescribeDatabase", - "timestream:DescribeEndpoints", - "timestream:DescribeTable", - "timestream:ListBatchLoadTasks", - "timestream:ListDatabases", - "timestream:ListMeasures", - "timestream:ListTables", - "timestream:ListTagsForResource", - "tnb:GetSolFunctionInstance", - "tnb:GetSolFunctionPackage", - "tnb:GetSolFunctionPackageContent", - "tnb:GetSolFunctionPackageDescriptor", - "tnb:GetSolNetworkInstance", - "tnb:GetSolNetworkOperation", - "tnb:GetSolNetworkPackage", - 
"tnb:GetSolNetworkPackageContent", - "tnb:GetSolNetworkPackageDescriptor", - "tnb:ListSolFunctionInstances", - "tnb:ListSolFunctionPackages", - "tnb:ListSolNetworkInstances", - "tnb:ListSolNetworkOperations", - "tnb:ListSolNetworkPackages", - "tnb:ListTagsForResource", - "transcribe:Get*", - "transcribe:List*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "translate:DescribeTextTranslationJob", - "translate:GetParallelData", - "translate:GetTerminology", - "translate:ListParallelData", - "translate:ListTerminologies", - "translate:ListTextTranslationJobs", - "trustedadvisor:Describe*", - "trustedadvisor:GetOrganizationRecommendation", - "trustedadvisor:GetRecommendation", - "trustedadvisor:ListChecks", - "trustedadvisor:ListOrganizationRecommendationAccounts", - "trustedadvisor:ListOrganizationRecommendationResources", - "trustedadvisor:ListOrganizationRecommendations", - "trustedadvisor:ListRecommendationResources", - "trustedadvisor:ListRecommendations", - "user-subscriptions:ListApplicationClaims", - "user-subscriptions:ListClaims", - "user-subscriptions:ListUserSubscriptions", - "verifiedpermissions:GetIdentitySource", - "verifiedpermissions:GetPolicy", - "verifiedpermissions:GetPolicyStore", - "verifiedpermissions:GetPolicyTemplate", - "verifiedpermissions:GetSchema", - "verifiedpermissions:IsAuthorized", - "verifiedpermissions:IsAuthorizedWithToken", - "verifiedpermissions:ListIdentitySources", - "verifiedpermissions:ListPolicies", - "verifiedpermissions:ListPolicyStores", - "verifiedpermissions:ListPolicyTemplates", - "vpc-lattice:GetAccessLogSubscription", - "vpc-lattice:GetAuthPolicy", - "vpc-lattice:GetListener", - "vpc-lattice:GetResourceConfiguration", - "vpc-lattice:GetResourceGateway", - "vpc-lattice:GetResourcePolicy", - "vpc-lattice:GetRule", - "vpc-lattice:GetService", - "vpc-lattice:GetServiceNetwork", - "vpc-lattice:GetServiceNetworkResourceAssociation", - "vpc-lattice:GetServiceNetworkServiceAssociation", - 
"vpc-lattice:GetServiceNetworkVpcAssociation", - "vpc-lattice:GetTargetGroup", - "vpc-lattice:ListAccessLogSubscriptions", - "vpc-lattice:ListListeners", - "vpc-lattice:ListResourceConfigurations", - "vpc-lattice:ListResourceEndpointAssociations", - "vpc-lattice:ListResourceGateways", - "vpc-lattice:ListRules", - "vpc-lattice:ListServiceNetworkResourceAssociations", - "vpc-lattice:ListServiceNetworkServiceAssociations", - "vpc-lattice:ListServiceNetworkVpcAssociations", - "vpc-lattice:ListServiceNetworks", - "vpc-lattice:ListServiceNetworkVpcEndpointAssociations", - "vpc-lattice:ListServices", - "vpc-lattice:ListTagsForResource", - "vpc-lattice:ListTargetGroups", - "vpc-lattice:ListTargets", - "waf-regional:Get*", - "waf-regional:List*", - "waf:Get*", - "waf:List*", - "wafv2:CheckCapacity", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "wellarchitected:ExportLens", - "wellarchitected:GetAnswer", - "wellarchitected:GetConsolidatedReport", - "wellarchitected:GetLens", - "wellarchitected:GetLensReview", - "wellarchitected:GetLensReviewReport", - "wellarchitected:GetLensVersionDifference", - "wellarchitected:GetMilestone", - "wellarchitected:GetProfile", - "wellarchitected:GetProfileTemplate", - "wellarchitected:GetReviewTemplate", - "wellarchitected:GetReviewTemplateAnswer", - "wellarchitected:GetReviewTemplateLensReview", - "wellarchitected:GetWorkload", - "wellarchitected:List*", - "workdocs:CheckAlias", - "workdocs:Describe*", - "workdocs:Get*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces-web:GetBrowserSettings", - "workspaces-web:GetIdentityProvider", - "workspaces-web:GetNetworkSettings", - "workspaces-web:GetPortal", - "workspaces-web:GetPortalServiceProviderMetadata", - "workspaces-web:GetTrustStore", - "workspaces-web:GetUserAccessLoggingSettings", - "workspaces-web:GetUserSettings", - "workspaces-web:ListBrowserSettings", - "workspaces-web:ListIdentityProviders", - 
"workspaces-web:ListNetworkSettings", - "workspaces-web:ListPortals", - "workspaces-web:ListTagsForResource", - "workspaces-web:ListTrustStores", - "workspaces-web:ListUserAccessLoggingSettings", - "workspaces-web:ListUserSettings", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Resource": "*" - } - ], - "lambda-github-access-policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "lambda:CreateFunction", - "s3:PutObject", - "lambda:UpdateFunctionCode", - "kms:TagResource", - "kms:UntagResource", - "kms:Encrypt", - "kms:Decrypt", - "lambda:InvokeFunction", - "lambda:GetFunction", - "lambda:UpdateFunctionConfiguration", - "lambda:GetFunctionConfiguration", - "lambda:DeleteFunctionConcurrency", - "kms:CreateGrant" - ], - "Resource": [ - "arn:aws:kms:*:${account}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*" - ] - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": "iam:ListRoles", - "Resource": "arn:aws:lambda:eu-west-2:*:function:*" - } - ], - "ecr-github-access-policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage" - ], - "Resource": "arn:aws:ecr:eu-west-2:*:repository/*" - } - ], - "github_terraform_tagging_policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "sns:TagResource", - "backup:TagResource", - "resource-groups:GetGroupQuery", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - 
"resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "resource-groups:DeleteGroup", - "events:TagResource", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "events:UntagResource" - ], - "Resource": [ - "arn:aws:lambda:*:${account}:event-source-mapping:*", - "arn:aws:lambda:*:${account}:function:*", - "arn:aws:lambda:*:${account}:code-signing-config:*", - "arn:aws:iam::${account}:role/*", - "arn:aws:iam::${account}:policy/*", - "arn:aws:sns:*:${account}:*", - "arn:aws:backup:*:${account}:legal-hold:*", - "arn:aws:backup:*:${account}:framework:*-*", - "arn:aws:backup:*:${account}:backup-vault:*", - "arn:aws:backup:*:${account}:report-plan:*-*", - "arn:aws:backup:*:${account}:backup-plan:*", - "arn:aws:backup:*:${account}:restore-testing-plan:*-*", - "arn:aws:cognito-identity:*:${account}:identitypool/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${account}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:targetgroup/*/*", - "arn:aws:resource-groups:*:${account}:group/*", - "arn:aws:events:*:${account}:event-bus/*", - "arn:aws:events:*:${account}:rule/*/*" - ] - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/gwy/*/*", - 
"arn:aws:elasticloadbalancing:*:${account}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/app/*/*", - "arn:aws:events:*:${account}:rule/*" - ] - }, - { - "Sid": "VisualEditor2", - "Effect": "Allow", - "Action": [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups" - ], - "Resource": "*" - } - ], - "terraform-github-dynamodb-access-policy": [ - { - "Effect": "Allow", - "Action": [ - "dynamodb:DescribeTable", - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem", - "dynamodb:UpdateTimeToLive" - ], - "Resource": "arn:aws:dynamodb:*:*:table/ndr-terraform-locks" - } - ], - "github_actions_terraform_full": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteVpcEndpoints", - "ec2:AttachInternetGateway", - "iam:PutRolePolicy", - "ecr:DeleteRepository", - "scheduler:DeleteSchedule", - "ec2:CreateRoute", - "cloudwatch:ListTagsForResource", - "ecr:TagResource", - "dynamodb:DescribeContinuousBackups", - "events:RemoveTargets", - "lambda:DeleteFunction", - "iam:ListRolePolicies", - "ecs:TagResource", - "ecr:GetLifecyclePolicy", - "iam:GetRole", - "dynamodb:BatchWriteItem", - "elasticloadbalancing:CreateTargetGroup", - "ecr:GetAuthorizationToken", - "application-autoscaling:DeleteScalingPolicy", - "kms:RetireGrant", - "elasticloadbalancing:AddTags", - "ec2:DeleteNatGateway", - "lambda:PublishVersion", - "apigateway:POST", - "lambda:DeleteEventSourceMapping", 
- "elasticloadbalancing:ModifyLoadBalancerAttributes", - "dynamodb:UpdateTable", - "ec2:ModifyVpcEndpoint", - "logs:ListTagsLogGroup", - "kms:PutKeyPolicy", - "events:PutRule", - "ec2:CreateVpc", - "dynamodb:ListTagsOfResource", - "iam:PassRole", - "logs:DeleteMetricFilter", - "sqs:createqueue", - "iam:DeleteRolePolicy", - "application-autoscaling:TagResource", - "ec2:ReleaseAddress", - "lambda:UpdateEventSourceMapping", - "elasticloadbalancing:CreateLoadBalancer", - "apigateway:PUT", - "route53:ListTagsForResource", - "ec2:DescribeSecurityGroups", - "iam:CreatePolicy", - "sqs:TagQueue", - "iam:CreateServiceLinkedRole", - "kms:CreateAlias", - "elasticloadbalancing:DescribeTargetGroups", - "route53:AssociateVPCWithHostedZone", - "elasticloadbalancing:DeleteListener", - "iam:UpdateAssumeRolePolicy", - "iam:GetPolicyVersion", - "wafv2:AssociateWebACL", - "ec2:DeleteSubnet", - "elasticloadbalancing:SetWebACL", - "ecs:UpdateService", - "elasticloadbalancing:DescribeLoadBalancers", - "ssm:DeleteParameter", - "cloudfront:*", - "kms:GetKeyRotationStatus", - "dynamodb:DescribeTable", - "ssm:AddTagsToResource", - "ecs:RegisterTaskDefinition", - "route53:ListResourceRecordSets", - "ecr:CreateRepository", - "ecs:DeleteService", - "application-autoscaling:UntagResource", - "ec2:DescribePrefixLists", - "backup:CreateBackupVault", - "backup:UpdateBackupPlan", - "sqs:DeleteQueue", - "ec2:DeleteVpc", - "kms:DeleteAlias", - "sns:DeleteTopic", - "wafv2:DeleteWebACL", - "dynamodb:DeleteItem", - "iam:DeletePolicy", - "sns:SetTopicAttributes", - "ses:VerifyDomainDkim", - "lambda:PutFunctionConcurrency", - "dynamodb:UpdateContinuousBackups", - "ecs:CreateService", - "elasticloadbalancing:CreateListener", - "kms:ScheduleKeyDeletion", - "ecr:DescribeRepositories", - "ecs:DescribeServices", - "iam:CreatePolicyVersion", - "ecs:UntagResource", - "sqs:ListQueues", - "wafv2:UpdateWebACL", - "dynamodb:DescribeTimeToLive", - "kms:UpdateAlias", - "backup:GetBackupSelection", - "kms:ListKeys", - 
"events:PutTargets", - "lambda:AddPermission", - "ecr:SetRepositoryPolicy", - "ec2:DeleteSecurityGroup", - "application-autoscaling:DeregisterScalableTarget", - "backup:DeleteBackupPlan", - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "sqs:DeleteMessage", - "elasticloadbalancing:ModifyListener", - "cloudwatch:DeleteAlarms", - "secretsmanager:DeleteSecret", - "wafv2:CreateRegexPatternSet", - "wafv2:CreateWebACL", - "dynamodb:DeleteTable", - "ecs:DescribeTaskDefinition", - "ec2:DeleteRouteTable", - "ec2:CreateInternetGateway", - "ec2:RevokeSecurityGroupEgress", - "sns:Subscribe", - "ec2:DeleteInternetGateway", - "wafv2:TagResource", - "dynamodb:UpdateTimeToLive", - "iam:GetPolicy", - "ec2:CreateTags", - "sns:CreateTopic", - "ecs:DeleteCluster", - "iam:UpdateRoleDescription", - "iam:DeleteRole", - "ec2:DisassociateRouteTable", - "backup:GetBackupPlan", - "wafv2:DeleteRegexPatternSet", - "dynamodb:CreateTable", - "ec2:RevokeSecurityGroupIngress", - "lambda:UpdateFunctionCode", - "ec2:CreateDefaultVpc", - "ec2:CreateSubnet", - "ec2:DescribeSubnets", - "iam:GetRolePolicy", - "sqs:setqueueattributes", - "ec2:DisassociateAddress", - "kms:UntagResource", - "ec2:CreateNatGateway", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "apigateway:SetWebACL", - "backup:CreateBackupSelection", - "scheduler:UpdateSchedule", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "s3:*", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "backup:DeleteBackupVault", - "lambda:UpdateFunctionConfiguration", - "elasticloadbalancing:DeleteTargetGroup", - "events:DeleteRule", - "backup:DescribeBackupVault", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - 
"iam:AttachRolePolicy", - "lambda:EnableReplication", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "route53:ChangeResourceRecordSets", - "ec2:CreateRouteTable", - "ec2:DetachInternetGateway", - "ecr:DeleteLifecyclePolicy", - "logs:CreateLogGroup", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "ssm:PutParameter", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "route53:GetChange", - "ec2:DeleteTags", - "lambda:GetLayerVersion", - "lambda:CreateEventSourceMapping", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "kms:DescribeKey", - "application-autoscaling:ListTagsForResource", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "kms:UpdateKeyDescription", - "logs:DescribeLogGroups", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "scheduler:CreateSchedule", - "logs:PutRetentionPolicy", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "cognito-idp:*" - ], - "Resource": "*" - } - ], - 
"github_mtls_gateway": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates" - ], - "Resource": "*" - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": "apigateway:AddCertificateToDomain", - "Resource": "arn:aws:apigateway:eu-west-2::/domainnames" - }, - { - "Sid": "VisualEditor2", - "Effect": "Allow", - "Action": [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate" - ], - "Resource": [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${account}:certificate/*" - ] - }, - { - "Sid": "VisualEditor3", - "Effect": "Allow", - "Action": [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain" - ], - "Resource": [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames" - ] - }, - { - "Sid": "VisualEditor4", - "Effect": "Allow", - "Action": "apigateway:AddCertificateToDomain", - "Resource": "arn:aws:apigateway:eu-west-2::/domainnames" - } - ], - "terraform-github-s3-access-policy": [ - { - "Effect": "Allow", - "Action": "s3:ListBucket", - "Resource": "arn:aws:s3:::ndr-dev-terraform-state-${account}" - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:DeleteBucketPolicy", - "s3:PutBucketPolicy" - ], - "Resource": "arn:aws:s3:::ndr-dev-terraform-state-${account}/ndr/terraform.tfstate" - } - ], - "config-policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "config:DeleteDeliveryChannel", - "config:PutConfigurationRecorder", - "config:StopConfigurationRecorder", - 
"config:StartConfigurationRecorder", - "config:PutDeliveryChannel", - "config:DeleteConfigurationRecorder", - "config:DescribeConfigurationRecorderStatus" - ], - "Resource": "*" - } - ], - "repo_app_config": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "appconfig:ListTagsForResource", - "appconfig:StartDeployment", - "appconfig:DeleteApplication", - "appconfig:GetLatestConfiguration", - "appconfig:TagResource", - "appconfig:CreateConfigurationProfile", - "appconfig:CreateExtensionAssociation", - "appconfig:DeleteConfigurationProfile", - "appconfig:CreateDeploymentStrategy", - "appconfig:CreateApplication", - "appconfig:GetDeploymentStrategy", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListExtensionAssociations", - "appconfig:ListDeploymentStrategies", - "appconfig:CreateHostedConfigurationVersion", - "appconfig:DeleteEnvironment", - "appconfig:UntagResource", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListEnvironments", - "appconfig:UpdateDeploymentStrategy", - "appconfig:GetExtensionAssociation", - "appconfig:GetExtension", - "appconfig:ListDeployments", - "appconfig:GetDeployment", - "appconfig:ListExtensions", - "appconfig:DeleteHostedConfigurationVersion", - "appconfig:StopDeployment", - "appconfig:CreateEnvironment", - "appconfig:UpdateEnvironment", - "appconfig:GetEnvironment", - "appconfig:ListConfigurationProfiles", - "appconfig:DeleteDeploymentStrategy", - "appconfig:ListApplications", - "appconfig:UpdateApplication", - "appconfig:CreateExtension", - "appconfig:GetConfiguration", - "appconfig:GetApplication", - "appconfig:UpdateConfigurationProfile", - "appconfig:GetConfigurationProfile" - ], - "Resource": "*" - } - ] - } -} \ No newline at end of file diff --git a/infrastructure/iam_roles/pre-prod_Github-Actions-pre-prod-role.json b/infrastructure/iam_roles/pre-prod_Github-Actions-pre-prod-role.json deleted file mode 100644 index 82b9b604..00000000 
--- a/infrastructure/iam_roles/pre-prod_Github-Actions-pre-prod-role.json +++ /dev/null 
@@ -1,3320 +0,0 @@ -{ - "inline": { - "cloudfront_policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "cloudfront:CreateCachePolicy", - "cloudfront:DeleteCachePolicy", - "cloudfront:CreateOriginAccessControl", - "cloudfront:CreateDistribution", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:DeleteDistribution", - "lambda:EnableReplication", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:CreateInvalidation", - "cloudfront:UpdateOriginAccessControl", - "cloudfront:CreateOriginRequestPolicy" - ], - "Resource": "*" - } - ], - "cloudwatch_logs_policy": [ - { - "Sid": "AllowLogGroup", - "Effect": "Allow", - "Action": [ - "logs:ListTagsLogGroup", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "logs:DeleteMetricFilter", - "logs:DescribeLogGroups", - "logs:PutRetentionPolicy", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutResourcePolicy" - ], - "Resource": "*" - } - ], - "ecr_policy": [ - { - "Sid": "AllowAppAndOdsUpdate", - "Effect": "Allow", - "Action": [ - "ecr:InitiateLayerUpload", - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart" - ], - "Resource": [ - "arn:aws:ecr:eu-west-2:${account}:repository/ndr-pre-prod-app", - "arn:aws:ecr:eu-west-2:${account}:repository/pre-prod-data-collection" - ] - } - ], - "ecs_policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders" - ], - "Resource": "*" - } - ], - "github-extended-policy-virus-scanner": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Action": [ - "ssm:CreateDocument", - "iam:TagRole", - "SNS:TagResource", - "SNS:SetSubscriptionAttributes", - "cognito-idp:CreateUserPool", - "cognito-idp:TagResource", - "cognito-idp:SetUserPoolMfaConfig", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - 
"iam:DeleteInstanceProfile", - "cloudformation:CreateResource", - "cognito-idp:DeleteUserPool", - "cognito-idp:CreateGroup", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:AdminAddUserToGroup" - ], - "Resource": "*" - } - ], - "lambda": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "lambda:CreateFunction", - "lambda:DeleteFunctionConcurrency", - "lambda:GetFunction", - "lambda:GetFunctionConfiguration", - "lambda:InvokeFunction", - "lambda:UpdateFunctionCode", - "lambda:UpdateFunctionConfiguration", - "kms:CreateGrant", - "kms:Decrypt", - "kms:Encrypt", - "kms:TagResource", - "kms:UntagResource", - "s3:PutObject" - ], - "Resource": [ - "arn:aws:kms:*:${account}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*" - ] - } - ], - "mtls-gateway": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates" - ], - "Resource": "*" - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": "apigateway:AddCertificateToDomain", - "Resource": "arn:aws:apigateway:eu-west-2::/domainnames" - }, - { - "Sid": "VisualEditor2", - "Effect": "Allow", - "Action": [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate" - ], - "Resource": [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${account}:certificate/*" - ] - }, - { - "Sid": "VisualEditor3", - "Effect": "Allow", - "Action": [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain" - ], - "Resource": [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames" - ] - }, - 
{ - "Sid": "VisualEditor4", - "Effect": "Allow", - "Action": "apigateway:AddCertificateToDomain", - "Resource": "arn:aws:apigateway:eu-west-2::/domainnames" - } - ], - "resource_tagging": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - "lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile" - ], - "Resource": [ - "arn:aws:events:*:${account}:event-bus/*", - "arn:aws:events:*:${account}:rule/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${account}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:targetgroup/*/*", - "arn:aws:lambda:*:${account}:event-source-mapping:*", - "arn:aws:lambda:*:${account}:code-signing-config:*", - 
"arn:aws:lambda:*:${account}:function:*", - "arn:aws:cognito-identity:*:${account}:identitypool/*", - "arn:aws:resource-groups:*:${account}:group/*", - "arn:aws:backup:*:${account}:backup-plan:*", - "arn:aws:backup:*:${account}:report-plan:*-*", - "arn:aws:backup:*:${account}:restore-testing-plan:*-*", - "arn:aws:backup:*:${account}:backup-vault:*", - "arn:aws:backup:*:${account}:legal-hold:*", - "arn:aws:backup:*:${account}:framework:*-*", - "arn:aws:iam::${account}:policy/*", - "arn:aws:iam::${account}:instance-profile/*", - "arn:aws:iam::${account}:role/*", - "arn:aws:sns:*:${account}:*", - "arn:aws:logs:*:${account}:log-group:*", - "arn:aws:logs:*:${account}:delivery-source:*", - "arn:aws:logs:*:${account}:delivery:*", - "arn:aws:logs:*:${account}:destination:*", - "arn:aws:logs:*:${account}:delivery-destination:*", - "arn:aws:logs:*:${account}:anomaly-detector:*" - ] - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${account}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${account}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/net/*/*/*/*", - "arn:aws:events:*:${account}:rule/*" - ] - }, - { - "Sid": "VisualEditor2", - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags" - ], - "Resource": [ - 
"arn:aws:elasticloadbalancing:*:${account}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/app/*/*" - ] - }, - { - "Sid": "VisualEditor3", - "Effect": "Allow", - "Action": [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups" - ], - "Resource": "*" - } - ], - "rum_policy": [ - { - "Sid": "AllowIdentityPool", - "Effect": "Allow", - "Action": [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool" - ], - "Resource": "arn:aws:cognito-identity:eu-west-2:${account}:identitypool/*" - }, - { - "Sid": "AllowAppMonitor", - "Effect": "Allow", - "Action": [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor" - ], - "Resource": "arn:aws:rum:eu-west-2:${account}:appmonitor/*" - }, - { - "Sid": "AllowRumServiceLogs", - "Effect": "Allow", - "Action": [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups" - ], - "Resource": "arn:aws:logs:eu-west-2:${account}:log-group:*RUMService*" - }, - { - "Sid": "AllowRumServiceAllLogs", - "Effect": "Allow", - "Action": [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - 
"logs:DescribeResourcePolicies" - ], - "Resource": "*" - } - ], - "scheduler_policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": "scheduler:DeleteSchedule", - "Resource": "*" - } - ], - "step_functions": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource" - ], - "Resource": "arn:aws:states:eu-west-2:${account}:stateMachine:*" - } - ] - }, - "attached": { - "github-extended-policy-1": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "appconfig:StartDeployment", - "elasticloadbalancing:ModifyListener", - "appconfig:TagResource", - "appconfig:CreateDeploymentStrategy", - "lambda:ListLayers", - "ecs:TagResource", - "appconfig:DeleteHostedConfigurationVersion", - "lambda:PublishVersion", - "dynamodb:UpdateTable", - "ec2:DisassociateAddress", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "lambda:RemoveLayerVersionPermission", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "logs:DeleteMetricFilter", - "apigateway:SetWebACL", - "ec2:DescribeAvailabilityZones", - "backup:CreateBackupSelection", - "kms:CreateKey", - "ec2:ReleaseAddress", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "lambda:UpdateEventSourceMapping", - "backup:DeleteBackupVault", - "kms:GetKeyPolicy", - "route53:ListHostedZones", - "elasticloadbalancing:DeleteTargetGroup", - "appconfig:CreateEnvironment", - "backup:DescribeBackupVault", - "events:DeleteRule", - "iam:CreateServiceLinkedRole", - "appconfig:DeleteDeploymentStrategy", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - 
"iam:AttachRolePolicy", - "appconfig:CreateApplication", - "ec2:AssociateRouteTable", - "ec2:DescribeInternetGateways", - "elasticloadbalancing:DeleteLoadBalancer", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "lambda:ListLayerVersions", - "ec2:DescribeRouteTables", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "ec2:CreateRouteTable", - "route53:ChangeResourceRecordSets", - "lambda:AddLayerVersionPermission", - "ec2:DetachInternetGateway", - "logs:CreateLogGroup", - "ecr:DeleteLifecyclePolicy", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "ssm:PutParameter", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "logs:PutMetricFilter", - "ec2:DescribeSecurityGroupRules", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "s3:PutBucketLogging", - "application-autoscaling:PutScalingPolicy", - "ec2:DescribeVpcEndpoints", - "appconfig:CreateConfigurationProfile", - "route53:GetChange", - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "ses:VerifyDomainDkim", - "lambda:CreateEventSourceMapping", - "lambda:GetLayerVersionPolicy", - "kms:TagResource", - "dynamodb:TagResource", - "elasticloadbalancing:DescribeListeners", - "ec2:CreateSecurityGroup", - "apigateway:PATCH", - "appconfig:CreateHostedConfigurationVersion", - "lambda:DeleteLayerVersion", - "application-autoscaling:ListTagsForResource", - "kms:DescribeKey", - "ec2:ModifyVpcAttribute", - "ecs:UntagResource", - "ecr:DeleteRepositoryPolicy", - "s3:GetBucketPublicAccessBlock", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "s3:PutBucketPublicAccessBlock", - "logs:DescribeLogGroups", - "kms:UpdateKeyDescription", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - 
"ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "lambda:DeleteFunctionConcurrency", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "s3:PutBucketNotification", - "iam:UpdateAssumeRolePolicy" - ], - "Resource": "*" - } - ], - "github-actions-policy": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Action": [ - "apigateway:DELETE", - "apigateway:PATCH", - "apigateway:POST", - "apigateway:PUT", - "cloudwatch:DeleteAlarms", - "cloudwatch:PutMetricAlarm", - "dynamodb:CreateTable", - "dynamodb:DeleteItem", - "dynamodb:DeleteTable", - "dynamodb:DescribeContinuousBackups", - "dynamodb:DescribeTable", - "dynamodb:DescribeTimeToLive", - "dynamodb:GetItem", - "dynamodb:ListTagsOfResource", - "dynamodb:PutItem", - "dynamodb:TagResource", - "dynamodb:UpdateTimeToLive", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateDefaultVpc", - "ec2:CreateInternetGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:DeleteInternetGateway", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribePrefixLists", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:ModifyVpcAttribute", - "ec2:ModifyVpcEndpoint", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ecr:CreateRepository", - "ecr:DeleteLifecyclePolicy", - "ecr:DeleteRepository", - 
"ecr:DeleteRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:GetAuthorizationToken", - "ecr:GetLifecyclePolicy", - "ecr:GetRepositoryPolicy", - "ecr:ListTagsForResource", - "ecr:PutLifecyclePolicy", - "ecr:SetRepositoryPolicy", - "ecr:TagResource", - "ecs:CreateCluster", - "ecs:CreateService", - "ecs:DeleteCluster", - "ecs:DeleteService", - "ecs:DeregisterTaskDefinition", - "ecs:DescribeClusters", - "ecs:DescribeServices", - "ecs:DescribeTaskDefinition", - "ecs:RegisterTaskDefinition", - "ecs:UpdateService", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:SetSecurityGroups", - "events:PutRule", - "events:PutTargets", - "iam:AttachRolePolicy", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePolicy", - "iam:DetachRolePolicy", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:PutRolePolicy", - "kms:RetireGrant", - "lambda:AddPermission", - "lambda:CreateEventSourceMapping", - "lambda:DeleteEventSourceMapping", - "lambda:DeleteFunction", - "lambda:GetPolicy", - "lambda:RemovePermission", - "logs:CreateLogGroup", - "logs:DeleteLogGroup", - "logs:DescribeLogGroups", - 
"logs:ListTagsLogGroup", - "route53:AssociateVPCWithHostedZone", - "route53:ChangeResourceRecordSets", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListHostedZones", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetAccelerateConfiguration", - "s3:GetBucketAcl", - "s3:GetBucketCORS", - "s3:GetBucketLogging", - "s3:GetBucketObjectLockConfiguration", - "s3:GetBucketOwnershipControls", - "s3:GetBucketPolicy", - "s3:GetBucketRequestPayment", - "s3:GetBucketTagging", - "s3:GetBucketVersioning", - "s3:GetBucketWebsite", - "s3:GetEncryptionConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetObject", - "s3:GetReplicationConfiguration", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketOwnershipControls", - "s3:PutBucketPolicy", - "s3:PutBucketTagging", - "s3:PutLifecycleConfiguration", - "s3:PutObject", - "secretsmanager:DeleteSecret", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:Unsubscribe", - "sqs:DeleteMessage", - "sqs:DeleteQueue", - "sqs:ListQueues", - "sqs:createqueue", - "sqs:setqueueattributes", - "ssm:AddTagsToResource", - "ssm:DeleteParameter", - "ssm:PutParameter", - "events:RemoveTargets", - "wafv2:CreateRegexPatternSet", - "wafv2:TagResource", - "wafv2:CreateWebACL", - "wafv2:AssociateWebACL", - "elasticloadbalancing:SetWebACL", - "events:DeleteRule", - "wafv2:DeleteRegexPatternSet", - "wafv2:DeleteWebACL", - "s3:PutIntelligentTieringConfiguration", - "ecs:UntagResource", - "lambda:UpdateFunctionConfiguration", - "lambda:UpdateFunctionCode", - "sqs:tagqueue", - "kms:TagResource", - "wafv2:UpdateWebACL", - "dynamodb:UpdateTable", - "kms:CreateKey", - "dynamodb:UpdateContinuousBackups", - "backup:CreateBackupVault", - 
"application-autoscaling:RegisterScalableTarget", - "application-autoscaling:TagResource", - "s3:PutBucketVersioning", - "kms:CreateAlias", - "kms:DeleteAlias", - "kms:DescribeKey", - "kms:EnableKeyRotation", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListKeys", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:UntagResource", - "kms:UpdateAlias", - "kms:UpdateKeyDescription", - "kms:ScheduleKeyDeletion", - "application-autoscaling:PutScalingPolicy", - "application-autoscaling:DeleteScalingPolicy", - "application-autoscaling:DeregisterScalableTarget", - "application-autoscaling:UntagResource", - "application-autoscaling:ListTagsForResource", - "cloudwatch:TagResource", - "cloudwatch:UntagResource", - "cloudwatch:ListTagsForResource", - "backup-storage:MountCapsule", - "backup:CreateBackupPlan", - "lambda:PutFunctionConcurrency", - "backup:CreateBackupSelection", - "backup:UpdateBackupPlan", - "backup:DescribeBackupJob", - "backup:ListTags", - "backup:TagResource", - "backup:DeleteBackupVault", - "backup:DeleteBackupSelection", - "iam:UpdateRoleDescription", - "logs:PutMetricFilter", - "ec2:AllocateAddress", - "ec2:CreateNatGateway", - "scheduler:CreateSchedule", - "scheduler:UpdateSchedule" - ], - "Resource": "*" - } - ], - "ReadOnlyAccess": [ - { - "Sid": "ReadOnlyActionsGroup1", - "Effect": "Allow", - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAccessPreview", - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:GetFindingsStatistics", - "access-analyzer:GetGeneratedPolicy", - "access-analyzer:ListAccessPreviewFindings", - "access-analyzer:ListAccessPreviews", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListPolicyGenerations", - 
"access-analyzer:ListTagsForResource", - "access-analyzer:ValidatePolicy", - "account:GetAccountInformation", - "account:GetAlternateContact", - "account:GetContactInformation", - "account:GetPrimaryEmail", - "account:GetRegionOptStatus", - "account:ListRegions", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "action-recommendations:ListRecommendedActions", - "aiops:GetEphemeralInvestigationResults", - "aiops:GetInvestigation", - "aiops:GetInvestigationEvent", - "aiops:GetInvestigationGroup", - "aiops:GetInvestigationResource", - "aiops:ListInvestigationEvents", - "aiops:ListInvestigationGroups", - "aiops:ListInvestigations", - "aiops:ValidateInvestigationGroup", - "airflow:ListEnvironments", - "airflow:ListTagsForResource", - "amplify:GetApp", - "amplify:GetBackendEnvironment", - "amplify:GetBranch", - "amplify:GetDomainAssociation", - "amplify:GetJob", - "amplify:GetWebhook", - "amplify:ListApps", - "amplify:ListArtifacts", - "amplify:ListBackendEnvironments", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "amplify:ListTagsForResource", - "amplify:ListWebhooks", - "aoss:BatchGetCollection", - "aoss:BatchGetLifecyclePolicy", - "aoss:BatchGetVpcEndpoint", - "aoss:GetAccessPolicy", - "aoss:GetAccountSettings", - "aoss:GetPoliciesStats", - "aoss:GetSecurityConfig", - "aoss:GetSecurityPolicy", - "aoss:ListAccessPolicies", - "aoss:ListCollections", - "aoss:ListLifecyclePolicies", - "aoss:ListSecurityConfigs", - "aoss:ListSecurityPolicies", - "aoss:ListTagsForResource", - "aoss:ListVpcEndpoints", - "apigateway:GET", - "appconfig:GetApplication", - "appconfig:GetConfiguration", - "appconfig:GetConfigurationProfile", - "appconfig:GetDeployment", - "appconfig:GetDeploymentStrategy", - "appconfig:GetEnvironment", - "appconfig:GetExtension", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListApplications", - "appconfig:ListConfigurationProfiles", - 
"appconfig:ListDeploymentStrategies", - "appconfig:ListDeployments", - "appconfig:ListEnvironments", - "appconfig:ListExtensions", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListTagsForResource", - "appfabric:GetAppAuthorization", - "appfabric:GetAppBundle", - "appfabric:GetIngestion", - "appfabric:GetIngestionDestination", - "appfabric:ListAppAuthorizations", - "appfabric:ListAppBundles", - "appfabric:ListIngestionDestinations", - "appfabric:ListIngestions", - "appfabric:ListTagsForResource", - "appflow:DescribeConnector", - "appflow:DescribeConnectorEntity", - "appflow:DescribeConnectorFields", - "appflow:DescribeConnectorProfiles", - "appflow:DescribeConnectors", - "appflow:DescribeFlow", - "appflow:DescribeFlowExecution", - "appflow:DescribeFlowExecutionRecords", - "appflow:DescribeFlows", - "appflow:ListConnectorEntities", - "appflow:ListConnectorFields", - "appflow:ListConnectors", - "appflow:ListFlows", - "appflow:ListTagsForResource", - "application-autoscaling:Describe*", - "application-autoscaling:GetPredictiveScalingForecast", - "application-autoscaling:ListTagsForResource", - "application-signals:BatchGetServiceLevelObjectiveBudgetReport", - "application-signals:GetService", - "application-signals:GetServiceLevelObjective", - "application-signals:ListObservedEntities", - "application-signals:ListServiceDependencies", - "application-signals:ListServiceDependents", - "application-signals:ListServiceLevelObjectives", - "application-signals:ListServiceOperations", - "application-signals:ListServices", - "application-signals:ListTagsForResource", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", - "appmesh:List*", - "apprunner:DescribeAutoScalingConfiguration", - "apprunner:DescribeCustomDomains", - "apprunner:DescribeObservabilityConfiguration", - "apprunner:DescribeService", - "apprunner:DescribeVpcConnector", - "apprunner:DescribeVpcIngressConnection", - "apprunner:DescribeWebAclForService", - 
"apprunner:ListAssociatedServicesForWebAcl", - "apprunner:ListAutoScalingConfigurations", - "apprunner:ListConnections", - "apprunner:ListObservabilityConfigurations", - "apprunner:ListOperations", - "apprunner:ListServices", - "apprunner:ListServicesForAutoScalingConfiguration", - "apprunner:ListTagsForResource", - "apprunner:ListVpcConnectors", - "apprunner:ListVpcIngressConnections", - "appstream:Describe*", - "appstream:List*", - "appstudio:GetAccountStatus", - "appstudio:GetEnablementJobStatus", - "appsync:Get*", - "appsync:List*", - "apptest:GetTestCase", - "apptest:GetTestConfiguration", - "apptest:GetTestRunStep", - "apptest:GetTestSuite", - "apptest:ListTagsForResource", - "apptest:ListTestCases", - "apptest:ListTestConfigurations", - "apptest:ListTestRunSteps", - "apptest:ListTestRunTestCases", - "apptest:ListTestRuns", - "apptest:ListTestSuites", - "aps:DescribeAlertManagerDefinition", - "aps:DescribeLoggingConfiguration", - "aps:DescribeRuleGroupsNamespace", - "aps:DescribeScraper", - "aps:DescribeWorkspace", - "aps:GetAlertManagerSilence", - "aps:GetAlertManagerStatus", - "aps:GetDefaultScraperConfiguration", - "aps:GetLabels", - "aps:GetMetricMetadata", - "aps:GetSeries", - "aps:ListAlertManagerAlertGroups", - "aps:ListAlertManagerAlerts", - "aps:ListAlertManagerReceivers", - "aps:ListAlertManagerSilences", - "aps:ListAlerts", - "aps:ListRuleGroupsNamespaces", - "aps:ListRules", - "aps:ListScrapers", - "aps:ListTagsForResource", - "aps:ListWorkspaces", - "aps:QueryMetrics", - "arc-region-switch:GetPlan", - "arc-region-switch:GetPlanEvaluationStatus", - "arc-region-switch:GetPlanExecution", - "arc-region-switch:GetPlanInRegion", - "arc-region-switch:ListPlanExecutionEvents", - "arc-region-switch:ListPlanExecutions", - "arc-region-switch:ListPlans", - "arc-region-switch:ListPlansInRegion", - "arc-region-switch:ListRoute53HealthChecks", - "arc-region-switch:ListTagsForResource", - "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", - 
"arc-zonal-shift:GetManagedResource", - "arc-zonal-shift:ListAutoshifts", - "arc-zonal-shift:ListManagedResources", - "arc-zonal-shift:ListZonalShifts", - "artifact:GetCustomerAgreement", - "artifact:GetReport", - "artifact:GetReportMetadata", - "artifact:GetTermForReport", - "artifact:ListAgreements", - "artifact:ListCustomerAgreements", - "artifact:ListReports", - "athena:Batch*", - "athena:Get*", - "athena:List*", - "auditmanager:GetAccountStatus", - "auditmanager:GetAssessment", - "auditmanager:GetAssessmentFramework", - "auditmanager:GetAssessmentReportUrl", - "auditmanager:GetChangeLogs", - "auditmanager:GetControl", - "auditmanager:GetDelegations", - "auditmanager:GetEvidence", - "auditmanager:GetEvidenceByEvidenceFolder", - "auditmanager:GetEvidenceFolder", - "auditmanager:GetEvidenceFoldersByAssessment", - "auditmanager:GetEvidenceFoldersByAssessmentControl", - "auditmanager:GetOrganizationAdminAccount", - "auditmanager:GetServicesInScope", - "auditmanager:GetSettings", - "auditmanager:ListAssessmentFrameworks", - "auditmanager:ListAssessmentReports", - "auditmanager:ListAssessments", - "auditmanager:ListControls", - "auditmanager:ListKeywordsForDataSource", - "auditmanager:ListNotifications", - "auditmanager:ListTagsForResource", - "auditmanager:ValidateAssessmentReportIntegrity", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "autoscaling:Describe*", - "autoscaling:GetPredictiveScalingForecast", - "aws-portal:View*", - "backup-gateway:GetBandwidthRateLimitSchedule", - "backup-gateway:GetGateway", - "backup-gateway:GetHypervisor", - "backup-gateway:GetHypervisorPropertyMappings", - "backup-gateway:GetVirtualMachine", - "backup-gateway:ListGateways", - "backup-gateway:ListHypervisors", - "backup-gateway:ListTagsForResource", - "backup-gateway:ListVirtualMachines", - "backup:Describe*", - "backup:Get*", - "backup:List*", - "batch:Describe*", - "batch:List*", - "bedrock-agentcore:GetAgentRuntime", - 
"bedrock-agentcore:GetAgentRuntimeEndpoint", - "bedrock-agentcore:GetApiKeyCredentialProvider", - "bedrock-agentcore:GetBrowser", - "bedrock-agentcore:GetBrowserSession", - "bedrock-agentcore:GetCodeInterpreter", - "bedrock-agentcore:GetCodeInterpreterSession", - "bedrock-agentcore:GetEvent", - "bedrock-agentcore:GetGateway", - "bedrock-agentcore:GetGatewayTarget", - "bedrock-agentcore:GetMemory", - "bedrock-agentcore:GetMemoryRecord", - "bedrock-agentcore:GetOauth2CredentialProvider", - "bedrock-agentcore:GetTokenVault", - "bedrock-agentcore:GetWorkloadIdentity", - "bedrock-agentcore:ListAgentRuntimeEndpoints", - "bedrock-agentcore:ListAgentRuntimes", - "bedrock-agentcore:ListAgentRuntimeVersions", - "bedrock-agentcore:ListApiKeyCredentialProviders", - "bedrock-agentcore:ListBrowsers", - "bedrock-agentcore:ListBrowserSessions", - "bedrock-agentcore:ListCodeInterpreters", - "bedrock-agentcore:ListCodeInterpreterSessions", - "bedrock-agentcore:ListEvents", - "bedrock-agentcore:ListGateways", - "bedrock-agentcore:ListGatewayTargets", - "bedrock-agentcore:ListMemories", - "bedrock-agentcore:ListMemoryRecords", - "bedrock-agentcore:ListOauth2CredentialProviders", - "bedrock-agentcore:ListWorkloadIdentities", - "bedrock-agentcore:RetrieveMemoryRecords", - "bedrock:GetAgent", - "bedrock:GetAgentActionGroup", - "bedrock:GetAgentAlias", - "bedrock:GetAgentCollaborator", - "bedrock:GetAgentKnowledgeBase", - "bedrock:GetAgentVersion", - "bedrock:GetCustomModel", - "bedrock:GetDataSource", - "bedrock:GetEvaluationJob", - "bedrock:GetFlow", - "bedrock:GetFlowAlias", - "bedrock:GetFlowVersion", - "bedrock:GetFoundationModel", - "bedrock:GetFoundationModelAvailability", - "bedrock:GetGuardrail", - "bedrock:GetInferenceProfile", - "bedrock:GetIngestionJob", - "bedrock:GetKnowledgeBase", - "bedrock:GetModelCustomizationJob", - "bedrock:GetModelInvocationJob", - "bedrock:GetModelInvocationLoggingConfiguration", - "bedrock:GetPrompt", - "bedrock:GetProvisionedModelThroughput", - 
"bedrock:GetUseCaseForModelAccess", - "bedrock:ListAgentActionGroups", - "bedrock:ListAgentAliases", - "bedrock:ListAgentCollaborators", - "bedrock:ListAgentKnowledgeBases", - "bedrock:ListAgentVersions", - "bedrock:ListAgents", - "bedrock:ListCustomModels", - "bedrock:ListDataSources", - "bedrock:ListEvaluationJobs", - "bedrock:ListFlowAliases", - "bedrock:ListFlowVersions", - "bedrock:ListFlows", - "bedrock:ListFoundationModelAgreementOffers", - "bedrock:ListFoundationModels", - "bedrock:ListGuardrails", - "bedrock:ListInferenceProfiles", - "bedrock:ListIngestionJobs", - "bedrock:ListKnowledgeBases", - "bedrock:ListModelCustomizationJobs", - "bedrock:ListModelInvocationJobs", - "bedrock:ListPrompts", - "bedrock:ListProvisionedModelThroughputs", - "billing:GetBillingData", - "billing:GetBillingDetails", - "billing:GetBillingNotifications", - "billing:GetBillingPreferences", - "billing:GetBillingView", - "billing:GetContractInformation", - "billing:GetCredits", - "billing:GetIAMAccessPreference", - "billing:GetResourcePolicy", - "billing:GetSellerOfRecord", - "billing:ListBillingViews", - "billing:ListSourceViewsForBillingView", - "billing:ListTagsForResource", - "billingconductor:GetBillingGroupCostReport", - "billingconductor:ListAccountAssociations", - "billingconductor:ListBillingGroupCostReports", - "billingconductor:ListBillingGroups", - "billingconductor:ListCustomLineItemVersions", - "billingconductor:ListCustomLineItems", - "billingconductor:ListPricingPlans", - "billingconductor:ListPricingPlansAssociatedWithPricingRule", - "billingconductor:ListPricingRules", - "billingconductor:ListPricingRulesAssociatedToPricingPlan", - "billingconductor:ListResourcesAssociatedToCustomLineItem", - "billingconductor:ListTagsForResource", - "braket:GetDevice", - "braket:GetJob", - "braket:GetQuantumTask", - "braket:SearchDevices", - "braket:SearchJobs", - "braket:SearchQuantumTasks", - "budgets:Describe*", - "budgets:ListTagsForResource", - "budgets:View*", - 
"cassandra:Select", - "ce:DescribeCostCategoryDefinition", - "ce:DescribeNotificationSubscription", - "ce:DescribeReport", - "ce:GetAnomalies", - "ce:GetAnomalyMonitors", - "ce:GetAnomalySubscriptions", - "ce:GetApproximateUsageRecords", - "ce:GetCommitmentPurchaseAnalysis", - "ce:GetCostAndUsage", - "ce:GetCostAndUsageComparisons", - "ce:GetCostAndUsageWithResources", - "ce:GetCostCategories", - "ce:GetCostComparisonDrivers", - "ce:GetCostForecast", - "ce:GetDimensionValues", - "ce:GetPreferences", - "ce:GetReservationCoverage", - "ce:GetReservationPurchaseRecommendation", - "ce:GetReservationUtilization", - "ce:GetRightsizingRecommendation", - "ce:GetSavingsPlanPurchaseRecommendationDetails", - "ce:GetSavingsPlansCoverage", - "ce:GetSavingsPlansPurchaseRecommendation", - "ce:GetSavingsPlansUtilization", - "ce:GetSavingsPlansUtilizationDetails", - "ce:GetTags", - "ce:GetUsageForecast", - "ce:ListCommitmentPurchaseAnalyses", - "ce:ListCostAllocationTagBackfillHistory", - "ce:ListCostAllocationTags", - "ce:ListCostCategoryDefinitions", - "ce:ListSavingsPlansPurchaseRecommendationGeneration", - "ce:ListTagsForResource", - "chatbot:Describe*", - "chatbot:Get*", - "chatbot:List*", - "chime:Get*", - "chime:List*", - "chime:Retrieve*", - "chime:Search*", - "chime:Validate*", - "cleanrooms-ml:GetAudienceGenerationJob", - "cleanrooms-ml:GetAudienceModel", - "cleanrooms-ml:GetConfiguredAudienceModel", - "cleanrooms-ml:GetConfiguredAudienceModelPolicy", - "cleanrooms-ml:GetTrainingDataset", - "cleanrooms-ml:ListAudienceExportJobs", - "cleanrooms-ml:ListAudienceGenerationJobs", - "cleanrooms-ml:ListAudienceModels", - "cleanrooms-ml:ListConfiguredAudienceModels", - "cleanrooms-ml:ListTagsForResource", - "cleanrooms-ml:ListTrainingDatasets", - "cleanrooms:BatchGetCollaborationAnalysisTemplate", - "cleanrooms:BatchGetSchema", - "cleanrooms:BatchGetSchemaAnalysisRule", - "cleanrooms:GetAnalysisTemplate", - "cleanrooms:GetCollaboration", - 
"cleanrooms:GetCollaborationAnalysisTemplate", - "cleanrooms:GetCollaborationConfiguredAudienceModelAssociation", - "cleanrooms:GetCollaborationIdNamespaceAssociation", - "cleanrooms:GetCollaborationPrivacyBudgetTemplate", - "cleanrooms:GetConfiguredAudienceModelAssociation", - "cleanrooms:GetConfiguredTable", - "cleanrooms:GetConfiguredTableAnalysisRule", - "cleanrooms:GetConfiguredTableAssociation", - "cleanrooms:GetConfiguredTableAssociationAnalysisRule", - "cleanrooms:GetIdMappingTable", - "cleanrooms:GetIdNamespaceAssociation", - "cleanrooms:GetMembership", - "cleanrooms:GetPrivacyBudgetTemplate", - "cleanrooms:GetProtectedQuery", - "cleanrooms:GetSchema", - "cleanrooms:GetSchemaAnalysisRule", - "cleanrooms:ListAnalysisTemplates", - "cleanrooms:ListCollaborationAnalysisTemplates", - "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations", - "cleanrooms:ListCollaborationIdNamespaceAssociations", - "cleanrooms:ListCollaborationPrivacyBudgetTemplates", - "cleanrooms:ListCollaborationPrivacyBudgets", - "cleanrooms:ListCollaborations", - "cleanrooms:ListConfiguredAudienceModelAssociations", - "cleanrooms:ListConfiguredTableAssociations", - "cleanrooms:ListConfiguredTables", - "cleanrooms:ListIdMappingTables", - "cleanrooms:ListIdNamespaceAssociations", - "cleanrooms:ListMembers", - "cleanrooms:ListMemberships", - "cleanrooms:ListPrivacyBudgetTemplates", - "cleanrooms:ListPrivacyBudgets", - "cleanrooms:ListProtectedQueries", - "cleanrooms:ListSchemas", - "cleanrooms:ListTagsForResource", - "cleanrooms:PreviewPrivacyImpact", - "cloud9:Describe*", - "cloud9:List*", - "clouddirectory:BatchRead", - "clouddirectory:Get*", - "clouddirectory:List*", - "clouddirectory:LookupPolicy", - "cloudformation:Describe*", - "cloudformation:Detect*", - "cloudformation:Estimate*", - "cloudformation:Get*", - "cloudformation:List*", - "cloudformation:ValidateTemplate", - "cloudfront-keyvaluestore:Describe*", - "cloudfront-keyvaluestore:Get*", - "cloudfront-keyvaluestore:List*", 
- "cloudfront:Describe*", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:Describe*", - "cloudhsm:GetResourcePolicy", - "cloudhsm:List*", - "cloudsearch:Describe*", - "cloudsearch:List*", - "cloudtrail:Describe*", - "cloudtrail:Get*", - "cloudtrail:List*", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "cloudwatch:GenerateQuery", - "cloudwatch:GenerateQueryResultsSummary", - "cloudwatch:Get*", - "cloudwatch:List*", - "codeartifact:DescribeDomain", - "codeartifact:DescribePackage", - "codeartifact:DescribePackageVersion", - "codeartifact:DescribeRepository", - "codeartifact:GetAuthorizationToken", - "codeartifact:GetDomainPermissionsPolicy", - "codeartifact:GetPackageVersionAsset", - "codeartifact:GetPackageVersionReadme", - "codeartifact:GetRepositoryEndpoint", - "codeartifact:GetRepositoryPermissionsPolicy", - "codeartifact:ListDomains", - "codeartifact:ListPackageVersionAssets", - "codeartifact:ListPackageVersionDependencies", - "codeartifact:ListPackageVersions", - "codeartifact:ListPackages", - "codeartifact:ListRepositories", - "codeartifact:ListRepositoriesInDomain", - "codeartifact:ListTagsForResource", - "codeartifact:ReadFromRepository", - "codebuild:BatchGet*", - "codebuild:DescribeCodeCoverages", - "codebuild:DescribeTestCases", - "codebuild:List*", - "codecatalyst:GetBillingAuthorization", - "codecatalyst:GetConnection", - "codecatalyst:GetPendingConnection", - "codecatalyst:ListConnections", - "codecatalyst:ListIamRolesForConnection", - "codecatalyst:ListTagsForResource", - "codecommit:BatchGet*", - "codecommit:Describe*", - "codecommit:Get*", - "codecommit:GitPull", - "codecommit:List*", - "codedeploy:BatchGet*", - "codedeploy:Get*", - "codedeploy:List*", - "codeguru-profiler:Describe*", - "codeguru-profiler:Get*", - "codeguru-profiler:List*", - "codeguru-reviewer:Describe*", - "codeguru-reviewer:Get*", - "codeguru-reviewer:List*", - "codepipeline:Get*", - "codepipeline:List*", - "codestar-connections:GetConnection", - 
"codestar-connections:GetHost", - "codestar-connections:GetRepositoryLink", - "codestar-connections:GetRepositorySyncStatus", - "codestar-connections:GetResourceSyncStatus", - "codestar-connections:GetSyncConfiguration", - "codestar-connections:ListConnections", - "codestar-connections:ListHosts", - "codestar-connections:ListRepositoryLinks", - "codestar-connections:ListRepositorySyncDefinitions", - "codestar-connections:ListSyncConfigurations", - "codestar-connections:ListTagsForResource", - "codestar-notifications:ListTargets", - "codestar-notifications:describeNotificationRule", - "codestar-notifications:listEventTypes", - "codestar-notifications:listNotificationRules", - "codestar-notifications:listTagsForResource", - "codestar:Describe*", - "codestar:Get*", - "codestar:List*", - "codestar:Verify*", - "codewhisperer:ListProfiles", - "cognito-identity:Describe*", - "cognito-identity:GetCredentialsForIdentity", - "cognito-identity:GetIdentityPoolAnalytics", - "cognito-identity:GetIdentityPoolDailyAnalytics", - "cognito-identity:GetIdentityPoolRoles", - "cognito-identity:GetIdentityProviderDailyAnalytics", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:List*", - "cognito-identity:Lookup*", - "cognito-idp:AdminGet*", - "cognito-idp:AdminList*", - "cognito-idp:Describe*", - "cognito-idp:Get*", - "cognito-idp:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:List*", - "cognito-sync:QueryRecords", - "comprehend:BatchDetect*", - "comprehend:Classify*", - "comprehend:Contains*", - "comprehend:Describe*", - "comprehend:Detect*", - "comprehend:List*", - "compute-optimizer:DescribeRecommendationExportJobs", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEBSVolumeRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - 
"compute-optimizer:GetECSServiceRecommendationProjectedMetrics", - "compute-optimizer:GetECSServiceRecommendations", - "compute-optimizer:GetEffectiveRecommendationPreferences", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetEnrollmentStatusesForOrganization", - "compute-optimizer:GetIdleRecommendations", - "compute-optimizer:GetLambdaFunctionRecommendations", - "compute-optimizer:GetLicenseRecommendations", - "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics", - "compute-optimizer:GetRDSDatabaseRecommendations", - "compute-optimizer:GetRecommendationPreferences", - "compute-optimizer:GetRecommendationSummaries", - "config:BatchGetAggregateResourceConfig", - "config:BatchGetResourceConfig", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectAggregateResourceConfig", - "config:SelectResourceConfig", - "connect:Describe*", - "connect:GetContactAttributes", - "connect:GetCurrentMetricData", - "connect:GetCurrentUserData", - "connect:GetFederationToken", - "connect:GetMetricData", - "connect:GetMetricDataV2", - "connect:GetTaskTemplate", - "connect:GetTrafficDistribution", - "connect:List*", - "consoleapp:GetDeviceIdentity", - "consoleapp:ListDeviceIdentities", - "consolidatedbilling:GetAccountBillingRole", - "consolidatedbilling:ListLinkedAccounts", - "controlcatalog:GetControl", - "controlcatalog:ListCommonControls", - "controlcatalog:ListControlMappings", - "controlcatalog:ListControls", - "controlcatalog:ListDomains", - "controlcatalog:ListObjectives", - "cost-optimization-hub:GetPreferences", - "cost-optimization-hub:GetRecommendation", - "cost-optimization-hub:ListEnrollmentStatuses", - "cost-optimization-hub:ListRecommendationSummaries", - "cost-optimization-hub:ListRecommendations", - "cur:GetClassicReport", - "cur:GetClassicReportPreferences", - "cur:GetUsageReport", - "customer-verification:GetCustomerVerificationDetails", - "customer-verification:GetCustomerVerificationEligibility", 
- "databrew:DescribeDataset", - "databrew:DescribeJob", - "databrew:DescribeJobRun", - "databrew:DescribeProject", - "databrew:DescribeRecipe", - "databrew:DescribeRuleset", - "databrew:DescribeSchedule", - "databrew:ListDatasets", - "databrew:ListJobRuns", - "databrew:ListJobs", - "databrew:ListProjects", - "databrew:ListRecipeVersions", - "databrew:ListRecipes", - "databrew:ListRulesets", - "databrew:ListSchedules", - "databrew:ListTagsForResource", - "dataexchange:Get*", - "dataexchange:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "datasync:Describe*", - "datasync:List*", - "datazone:GetAsset", - "datazone:GetAssetType", - "datazone:GetDataProduct", - "datazone:GetDataSource", - "datazone:GetDataSourceRun", - "datazone:GetDomain", - "datazone:GetDomainSharingPolicy", - "datazone:GetDomainUnit", - "datazone:GetEnvironment", - "datazone:GetEnvironmentAction", - "datazone:GetEnvironmentBlueprint", - "datazone:GetEnvironmentBlueprintConfiguration", - "datazone:GetEnvironmentProfile", - "datazone:GetFormType", - "datazone:GetGlossary", - "datazone:GetGlossaryTerm", - "datazone:GetGroupProfile", - "datazone:GetLineageNode", - "datazone:GetListing", - "datazone:GetMetadataGenerationRun", - "datazone:GetProject", - "datazone:GetProjectProfile", - "datazone:GetSubscription", - "datazone:GetSubscriptionEligibility", - "datazone:GetSubscriptionGrant", - "datazone:GetSubscriptionRequestDetails", - "datazone:GetSubscriptionTarget", - "datazone:GetTimeSeriesDataPoint", - "datazone:GetUserProfile", - "datazone:ListAccountEnvironments", - "datazone:ListAssetRevisions", - "datazone:ListDataProductRevisions", - "datazone:ListDataSourceRunActivities", - "datazone:ListDataSourceRuns", - "datazone:ListDataSources", - "datazone:ListDomainUnitsForParent", - "datazone:ListDomains", - "datazone:ListEntityOwners", - "datazone:ListEnvironmentActions", - 
"datazone:ListEnvironmentBlueprintConfigurationSummaries",
- "datazone:ListEnvironmentBlueprintConfigurations",
- "datazone:ListEnvironmentBlueprints",
- "datazone:ListEnvironmentProfiles",
- "datazone:ListEnvironments",
- "datazone:ListGroupsForUser",
- "datazone:ListLineageNodeHistory",
- "datazone:ListNotifications",
- "datazone:ListPolicyGrants",
- "datazone:ListProjectMemberships",
- "datazone:ListProjectProfiles",
- "datazone:ListProjects",
- "datazone:ListSubscriptionGrants",
- "datazone:ListSubscriptionRequests",
- "datazone:ListSubscriptionTargets",
- "datazone:ListSubscriptions",
- "datazone:ListTagsForResource",
- "datazone:ListTimeSeriesDataPoints",
- "datazone:Search",
- "datazone:SearchGroupProfiles",
- "datazone:SearchListings",
- "datazone:SearchTypes",
- "datazone:SearchUserProfiles",
- "dax:BatchGetItem",
- "dax:Describe*",
- "dax:GetItem",
- "dax:ListTags",
- "dax:Query",
- "dax:Scan",
- "deadline:BatchGetJobEntity",
- "deadline:GetApplicationVersion",
- "deadline:GetBudget",
- "deadline:GetFarm",
- "deadline:GetFleet",
- "deadline:GetJob",
- "deadline:GetLicenseEndpoint",
- "deadline:GetMonitor",
- "deadline:GetQueue",
- "deadline:GetQueueEnvironment",
- "deadline:GetQueueFleetAssociation",
- "deadline:GetSession",
- "deadline:GetSessionAction",
- "deadline:GetSessionsStatisticsAggregation",
- "deadline:GetStep",
- "deadline:GetStorageProfile",
- "deadline:GetStorageProfileForQueue",
- "deadline:GetTask",
- "deadline:GetWorker",
- "deadline:ListAvailableMeteredProducts",
- "deadline:ListBudgets",
- "deadline:ListFarmMembers",
- "deadline:ListFarms",
- "deadline:ListFleetMembers",
- "deadline:ListFleets",
- "deadline:ListJobMembers",
- "deadline:ListJobParameterDefinitions",
- "deadline:ListJobs",
- "deadline:ListLicenseEndpoints",
- "deadline:ListMeteredProducts",
- "deadline:ListMonitors",
- "deadline:ListQueueEnvironments",
- "deadline:ListQueueFleetAssociations",
- "deadline:ListQueueMembers",
- "deadline:ListQueues",
- "deadline:ListSessionActions",
- "deadline:ListSessions",
- "deadline:ListSessionsForWorker",
- "deadline:ListStepConsumers",
- "deadline:ListStepDependencies",
- "deadline:ListSteps",
- "deadline:ListStorageProfiles",
- "deadline:ListStorageProfilesForQueue",
- "deadline:ListTagsForResource",
- "deadline:ListTasks",
- "deadline:ListWorkers",
- "deadline:SearchJobs",
- "deadline:SearchSteps",
- "deadline:SearchTasks",
- "deadline:SearchWorkers",
- "deepcomposer:GetComposition",
- "deepcomposer:GetModel",
- "deepcomposer:GetSampleModel",
- "deepcomposer:ListCompositions",
- "deepcomposer:ListModels",
- "deepcomposer:ListSampleModels",
- "deepcomposer:ListTrainingTopics",
- "detective:BatchGetGraphMemberDatasources",
- "detective:BatchGetMembershipDatasources",
- "detective:Get*",
- "detective:List*",
- "detective:SearchGraph",
- "devicefarm:Get*",
- "devicefarm:List*",
- "devops-guru:DescribeAccountHealth",
- "devops-guru:DescribeAccountOverview",
- "devops-guru:DescribeAnomaly",
- "devops-guru:DescribeEventSourcesConfig",
- "devops-guru:DescribeFeedback",
- "devops-guru:DescribeInsight",
- "devops-guru:DescribeOrganizationHealth",
- "devops-guru:DescribeOrganizationOverview",
- "devops-guru:DescribeOrganizationResourceCollectionHealth",
- "devops-guru:DescribeResourceCollectionHealth",
- "devops-guru:DescribeServiceIntegration",
- "devops-guru:GetCostEstimation",
- "devops-guru:GetResourceCollection",
- "devops-guru:ListAnomaliesForInsight",
- "devops-guru:ListAnomalousLogGroups",
- "devops-guru:ListEvents",
- "devops-guru:ListInsights",
- "devops-guru:ListMonitoredResources",
- "devops-guru:ListNotificationChannels",
- "devops-guru:ListOrganizationInsights",
- "devops-guru:ListRecommendations",
- "devops-guru:SearchInsights",
- "devops-guru:StartCostEstimation",
- "directconnect:Describe*",
- "discovery:Describe*",
- "discovery:Get*",
- "discovery:List*",
- "dlm:Get*",
- "dms:Describe*",
- "dms:List*",
- "dms:Test*",
- "docdb-elastic:ListClusters",
- "docdb-elastic:ListClusterSnapshots",
- "docdb-elastic:ListPendingMaintenanceActions",
- "docdb-elastic:ListTagsForResource",
- "drs:DescribeJobLogItems",
- "drs:DescribeJobs",
- "drs:DescribeLaunchConfigurationTemplates",
- "drs:DescribeRecoveryInstances",
- "drs:DescribeRecoverySnapshots",
- "drs:DescribeReplicationConfigurationTemplates",
- "drs:DescribeSourceNetworks",
- "drs:DescribeSourceServers",
- "drs:GetFailbackReplicationConfiguration",
- "drs:GetLaunchConfiguration",
- "drs:GetReplicationConfiguration",
- "drs:ListExtensibleSourceServers",
- "drs:ListLaunchActions",
- "drs:ListStagingAccounts",
- "drs:ListTagsForResource",
- "ds:Check*",
- "ds:Describe*",
- "ds:Get*",
- "ds:List*",
- "ds:Verify*",
- "dsql:GetCluster",
- "dsql:GetVpcEndpointServiceName",
- "dsql:ListClusters",
- "dsql:ListTagsForResource",
- "dynamodb:BatchGet*",
- "dynamodb:Describe*",
- "dynamodb:Get*",
- "dynamodb:List*",
- "dynamodb:PartiQLSelect",
- "dynamodb:Query",
- "dynamodb:Scan",
- "ec2:Describe*",
- "ec2:DescribeInstanceImageMetadata",
- "ec2:Get*",
- "ec2:ListImagesInRecycleBin",
- "ec2:ListSnapshotsInRecycleBin",
- "ec2:SearchLocalGatewayRoutes",
- "ec2:SearchTransitGatewayRoutes",
- "ec2messages:Get*",
- "ecr-public:BatchCheckLayerAvailability",
- "ecr-public:DescribeImageTags",
- "ecr-public:DescribeImages",
- "ecr-public:DescribeRegistries",
- "ecr-public:DescribeRepositories",
- "ecr-public:GetAuthorizationToken",
- "ecr-public:GetRegistryCatalogData",
- "ecr-public:GetRepositoryCatalogData",
- "ecr-public:GetRepositoryPolicy",
- "ecr-public:ListTagsForResource",
- "ecr:BatchCheck*",
- "ecr:BatchGet*",
- "ecr:Describe*",
- "ecr:Get*",
- "ecr:List*",
- "ecs:Describe*",
- "ecs:List*",
- "eks:Describe*",
- "eks:List*",
- "elasticache:Describe*",
- "elasticache:List*",
- "elasticbeanstalk:Check*",
- "elasticbeanstalk:Describe*",
- "elasticbeanstalk:List*",
- "elasticbeanstalk:Request*",
- "elasticbeanstalk:Retrieve*",
- "elasticbeanstalk:Validate*",
- "elasticfilesystem:Describe*",
- "elasticfilesystem:ListTagsForResource",
- "elasticloadbalancing:Describe*",
- "elasticmapreduce:Describe*",
- "elasticmapreduce:GetBlockPublicAccessConfiguration",
- "elasticmapreduce:List*",
- "elasticmapreduce:View*",
- "elastictranscoder:List*",
- "elastictranscoder:Read*",
- "elemental-appliances-software:Get*",
- "elemental-appliances-software:List*",
- "emr-containers:DescribeJobRun",
- "emr-containers:DescribeManagedEndpoint",
- "emr-containers:DescribeVirtualCluster",
- "emr-containers:ListJobRuns",
- "emr-containers:ListManagedEndpoints",
- "emr-containers:ListTagsForResource",
- "emr-containers:ListVirtualClusters",
- "emr-serverless:GetApplication",
- "emr-serverless:GetDashboardForJobRun",
- "emr-serverless:GetJobRun",
- "emr-serverless:ListApplications",
- "emr-serverless:ListJobRuns",
- "emr-serverless:ListTagsForResource",
- "es:Describe*",
- "es:ESHttpGet",
- "es:ESHttpHead",
- "es:Get*",
- "es:List*",
- "events:Describe*",
- "events:List*",
- "events:Test*",
- "evidently:GetExperiment",
- "evidently:GetExperimentResults",
- "evidently:GetFeature",
- "evidently:GetLaunch",
- "evidently:GetProject",
- "evidently:GetSegment",
- "evidently:ListExperiments",
- "evidently:ListFeatures",
- "evidently:ListLaunches",
- "evidently:ListProjects",
- "evidently:ListSegmentReferences",
- "evidently:ListSegments",
- "evidently:ListTagsForResource",
- "evidently:TestSegmentPattern",
- "firehose:Describe*",
- "firehose:List*",
- "fis:GetAction",
- "fis:GetExperiment",
- "fis:GetExperimentTargetAccountConfiguration",
- "fis:GetExperimentTemplate",
- "fis:GetTargetAccountConfiguration",
- "fis:GetTargetResourceType",
- "fis:ListActions",
- "fis:ListExperimentResolvedTargets",
- "fis:ListExperimentTargetAccountConfigurations",
- "fis:ListExperimentTemplates",
- "fis:ListExperiments",
- "fis:ListTagsForResource",
- "fis:ListTargetAccountConfigurations",
- "fis:ListTargetResourceTypes",
- "fms:GetAdminAccount",
- "fms:GetAdminScope",
- "fms:GetAppsList",
- "fms:GetComplianceDetail",
- "fms:GetNotificationChannel",
- "fms:GetPolicy",
- "fms:GetProtectionStatus",
- "fms:GetProtocolsList",
- "fms:GetViolationDetails",
- "fms:ListAppsLists",
- "fms:ListComplianceStatus",
- "fms:ListMemberAccounts",
- "fms:ListPolicies",
- "fms:ListProtocolsLists",
- "fms:ListTagsForResource",
- "forecast:DescribeAutoPredictor",
- "forecast:DescribeDataset",
- "forecast:DescribeDatasetGroup",
- "forecast:DescribeDatasetImportJob",
- "forecast:DescribeExplainability",
- "forecast:DescribeExplainabilityExport",
- "forecast:DescribeForecast",
- "forecast:DescribeForecastExportJob",
- "forecast:DescribeMonitor",
- "forecast:DescribePredictor",
- "forecast:DescribePredictorBacktestExportJob",
- "forecast:DescribeWhatIfAnalysis",
- "forecast:DescribeWhatIfForecast",
- "forecast:DescribeWhatIfForecastExport",
- "forecast:GetAccuracyMetrics",
- "forecast:ListDatasetGroups",
- "forecast:ListDatasetImportJobs",
- "forecast:ListDatasets",
- "forecast:ListExplainabilities",
- "forecast:ListExplainabilityExports",
- "forecast:ListForecastExportJobs",
- "forecast:ListForecasts",
- "forecast:ListMonitorEvaluations",
- "forecast:ListMonitors",
- "forecast:ListPredictorBacktestExportJobs",
- "forecast:ListPredictors",
- "forecast:ListWhatIfAnalyses",
- "forecast:ListWhatIfForecastExports",
- "forecast:ListWhatIfForecasts",
- "forecast:QueryForecast",
- "forecast:QueryWhatIfForecast",
- "frauddetector:BatchGetVariable",
- "frauddetector:DescribeDetector",
- "frauddetector:DescribeModelVersions",
- "frauddetector:GetBatchImportJobs",
- "frauddetector:GetBatchPredictionJobs",
- "frauddetector:GetDeleteEventsByEventTypeStatus",
- "frauddetector:GetDetectorVersion",
- "frauddetector:GetDetectors",
- "frauddetector:GetEntityTypes",
- "frauddetector:GetEvent",
- "frauddetector:GetEventPredictionMetadata",
- "frauddetector:GetEventTypes",
- "frauddetector:GetExternalModels",
- "frauddetector:GetKMSEncryptionKey",
- "frauddetector:GetLabels",
- "frauddetector:GetListElements",
- "frauddetector:GetListsMetadata",
- "frauddetector:GetModelVersion",
- "frauddetector:GetModels",
- "frauddetector:GetOutcomes",
- "frauddetector:GetRules",
- "frauddetector:GetVariables",
- "frauddetector:ListEventPredictions",
- "frauddetector:ListTagsForResource",
- "freertos:Describe*",
- "freertos:List*",
- "freetier:GetFreeTierAlertPreference",
- "freetier:GetFreeTierUsage",
- "freetier:GetAccountActivity",
- "freetier:GetAccountPlanState",
- "freetier:ListAccountActivities",
- "fsx:Describe*",
- "fsx:List*",
- "gamelift:Describe*",
- "gamelift:Get*",
- "gamelift:List*",
- "gamelift:ResolveAlias",
- "gamelift:Search*",
- "glacier:Describe*",
- "glacier:Get*",
- "glacier:List*",
- "globalaccelerator:Describe*",
- "globalaccelerator:List*",
- "glue:BatchGetCrawlers",
- "glue:BatchGetDevEndpoints",
- "glue:BatchGetJobs",
- "glue:BatchGetPartition",
- "glue:BatchGetTableOptimizer",
- "glue:BatchGetTriggers",
- "glue:BatchGetWorkflows",
- "glue:CheckSchemaVersionValidity",
- "glue:GetCatalogImportStatus",
- "glue:GetClassifier",
- "glue:GetClassifiers",
- "glue:GetCrawler",
- "glue:GetCrawlerMetrics",
- "glue:GetCrawlers",
- "glue:GetDataCatalogEncryptionSettings",
- "glue:GetDatabase",
- "glue:GetDatabases",
- "glue:GetDataflowGraph",
- "glue:GetDevEndpoint",
- "glue:GetDevEndpoints",
- "glue:GetJob",
- "glue:GetJobBookmark",
- "glue:GetJobRun",
- "glue:GetJobRuns",
- "glue:GetJobs",
- "glue:GetMLTaskRun",
- "glue:GetMLTaskRuns",
- "glue:GetMLTransform",
- "glue:GetMLTransforms",
- "glue:GetMapping",
- "glue:GetPartition",
- "glue:GetPartitions",
- "glue:GetPlan",
- "glue:GetRegistry",
- "glue:GetResourcePolicy",
- "glue:GetSchema",
- "glue:GetSchemaByDefinition",
- "glue:GetSchemaVersion",
- "glue:GetSchemaVersionsDiff",
- "glue:GetSecurityConfiguration",
- "glue:GetSecurityConfigurations",
- "glue:GetSession",
- "glue:GetStatement",
- "glue:GetTable",
- "glue:GetTableOptimizer",
- "glue:GetTableVersion",
- "glue:GetTableVersions",
- "glue:GetTables",
- "glue:GetTags",
- "glue:GetTrigger",
- "glue:GetTriggers",
- "glue:GetUserDefinedFunction",
- "glue:GetUserDefinedFunctions",
- "glue:GetWorkflow",
- "glue:GetWorkflowRun",
- "glue:GetWorkflowRunProperties",
- "glue:GetWorkflowRuns",
- "glue:ListCrawlers",
- "glue:ListCrawls",
- "glue:ListDevEndpoints",
- "glue:ListJobs",
- "glue:ListMLTransforms",
- "glue:ListRegistries",
- "glue:ListSchemaVersions",
- "glue:ListSchemas",
- "glue:ListSessions",
- "glue:ListStatements",
- "glue:ListTableOptimizerRuns",
- "glue:ListTriggers",
- "glue:ListWorkflows",
- "glue:QuerySchemaVersionMetadata",
- "glue:SearchTables",
- "grafana:DescribeWorkspace",
- "grafana:DescribeWorkspaceAuthentication",
- "grafana:DescribeWorkspaceConfiguration",
- "grafana:ListPermissions",
- "grafana:ListTagsForResource",
- "grafana:ListVersions",
- "grafana:ListWorkspaces",
- "greengrass:DescribeComponent",
- "greengrass:Get*",
- "greengrass:List*",
- "groundstation:DescribeContact",
- "groundstation:GetConfig",
- "groundstation:GetDataflowEndpointGroup",
- "groundstation:GetMinuteUsage",
- "groundstation:GetMissionProfile",
- "groundstation:GetSatellite",
- "groundstation:ListConfigs",
- "groundstation:ListContacts",
- "groundstation:ListDataflowEndpointGroups",
- "groundstation:ListGroundStations",
- "groundstation:ListMissionProfiles",
- "groundstation:ListSatellites",
- "groundstation:ListTagsForResource",
- "guardduty:Describe*",
- "guardduty:Get*",
- "guardduty:List*",
- "health:Describe*",
- "healthlake:DescribeFHIRDatastore",
- "healthlake:DescribeFHIRExportJob",
- "healthlake:DescribeFHIRImportJob",
- "healthlake:GetCapabilities",
- "healthlake:ListFHIRDatastores",
- "healthlake:ListFHIRExportJobs",
- "healthlake:ListFHIRImportJobs",
- "healthlake:ListTagsForResource",
- "healthlake:ReadResource",
- "healthlake:SearchWithGet",
- "healthlake:SearchWithPost",
- "iam:Generate*",
- "iam:Get*",
- "iam:List*",
- "iam:Simulate*",
- "identity-sync:GetSyncProfile",
- "identity-sync:GetSyncTarget",
- "identity-sync:ListSyncFilters",
- "identitystore-auth:BatchGetSession",
- "identitystore-auth:ListSessions",
- "identitystore:DescribeGroup",
- "identitystore:DescribeGroupMembership",
- "identitystore:DescribeUser",
- "identitystore:GetGroupId",
- "identitystore:GetGroupMembershipId",
- "identitystore:GetUserId",
- "identitystore:IsMemberInGroups",
- "identitystore:ListGroupMemberships",
- "identitystore:ListGroupMembershipsForMember",
- "identitystore:ListGroups",
- "identitystore:ListUsers",
- "imagebuilder:Get*",
- "imagebuilder:List*",
- "importexport:Get*",
- "importexport:List*",
- "inspector2:BatchGetAccountStatus",
- "inspector2:BatchGetCodeSnippet",
- "inspector2:BatchGetFreeTrialInfo",
- "inspector2:BatchGetMemberEc2DeepInspectionStatus",
- "inspector2:DescribeOrganizationConfiguration",
- "inspector2:GetCisScanReport",
- "inspector2:GetConfiguration",
- "inspector2:GetDelegatedAdminAccount",
- "inspector2:GetEc2DeepInspectionConfiguration",
- "inspector2:GetEncryptionKey",
- "inspector2:GetFindingsReportStatus",
- "inspector2:GetMember",
- "inspector2:GetSbomExport",
- "inspector2:ListAccountPermissions",
- "inspector2:ListCisScanConfigurations",
- "inspector2:ListCisScans",
- "inspector2:ListCoverage",
- "inspector2:ListCoverageStatistics",
- "inspector2:ListDelegatedAdminAccounts",
- "inspector2:ListFilters",
- "inspector2:ListFindingAggregations",
- "inspector2:ListFindings",
- "inspector2:ListMembers",
- "inspector2:ListTagsForResource",
- "inspector2:ListUsageTotals",
- "inspector2:SearchVulnerabilities",
- "inspector:Describe*",
- "inspector:Get*",
- "inspector:List*",
- "inspector:Preview*",
- "internetmonitor:GetHealthEvent",
- "internetmonitor:GetInternetEvent",
- "internetmonitor:GetMonitor",
- "internetmonitor:ListHealthEvents",
- "internetmonitor:ListInternetEvents",
- "internetmonitor:ListMonitors",
- "internetmonitor:ListTagsForResource",
- "invoicing:GetInvoiceEmailDeliveryPreferences",
- "invoicing:GetInvoicePDF",
- "invoicing:ListInvoiceSummaries",
- "iot1click:DescribeDevice",
- "iot1click:DescribePlacement",
- "iot1click:DescribeProject",
- "iot1click:GetDeviceMethods",
- "iot1click:GetDevicesInPlacement",
- "iot1click:ListDeviceEvents",
- "iot1click:ListDevices",
- "iot1click:ListPlacements",
- "iot1click:ListProjects",
- "iot1click:ListTagsForResource",
- "iot:Describe*",
- "iot:Get*",
- "iot:List*",
- "iotanalytics:Describe*",
- "iotanalytics:Get*",
- "iotanalytics:List*",
- "iotanalytics:SampleChannelData",
- "iotevents:DescribeAlarm",
- "iotevents:DescribeAlarmModel",
- "iotevents:DescribeDetector",
- "iotevents:DescribeDetectorModel",
- "iotevents:DescribeInput",
- "iotevents:DescribeLoggingOptions",
- "iotevents:ListAlarmModelVersions",
- "iotevents:ListAlarmModels",
- "iotevents:ListAlarms",
- "iotevents:ListDetectorModelVersions",
- "iotevents:ListDetectorModels",
- "iotevents:ListDetectors",
- "iotevents:ListInputs",
- "iotevents:ListTagsForResource",
- "iotfleethub:DescribeApplication",
- "iotfleethub:ListApplications",
- "iotfleetwise:GetCampaign",
- "iotfleetwise:GetDecoderManifest",
- "iotfleetwise:GetFleet",
- "iotfleetwise:GetLoggingOptions",
- "iotfleetwise:GetModelManifest",
- "iotfleetwise:GetRegisterAccountStatus",
- "iotfleetwise:GetSignalCatalog",
- "iotfleetwise:GetVehicle",
- "iotfleetwise:GetVehicleStatus",
- "iotfleetwise:ListCampaigns",
- "iotfleetwise:ListDecoderManifestNetworkInterfaces",
- "iotfleetwise:ListDecoderManifestSignals",
- "iotfleetwise:ListDecoderManifests",
- "iotfleetwise:ListFleets",
- "iotfleetwise:ListFleetsForVehicle",
- "iotfleetwise:ListModelManifestNodes",
- "iotfleetwise:ListModelManifests",
- "iotfleetwise:ListSignalCatalogNodes",
- "iotfleetwise:ListSignalCatalogs",
- "iotfleetwise:ListTagsForResource",
- "iotfleetwise:ListVehicles",
- "iotfleetwise:ListVehiclesInFleet",
- "iotsitewise:Describe*",
- "iotsitewise:Get*",
- "iotsitewise:List*",
- "iotwireless:GetDestination",
- "iotwireless:GetDeviceProfile",
- "iotwireless:GetEventConfigurationByResourceTypes",
- "iotwireless:GetFuotaTask",
- "iotwireless:GetLogLevelsByResourceTypes",
- "iotwireless:GetMetricConfiguration",
- "iotwireless:GetMetrics",
- "iotwireless:GetMulticastGroup",
- "iotwireless:GetMulticastGroupSession",
- "iotwireless:GetNetworkAnalyzerConfiguration",
- "iotwireless:GetPartnerAccount",
- "iotwireless:GetPosition",
- "iotwireless:GetPositionConfiguration",
- "iotwireless:GetPositionEstimate",
- "iotwireless:GetResourceEventConfiguration",
- "iotwireless:GetResourceLogLevel",
- "iotwireless:GetResourcePosition",
- "iotwireless:GetServiceEndpoint",
- "iotwireless:GetServiceProfile",
- "iotwireless:GetWirelessDevice",
- "iotwireless:GetWirelessDeviceImportTask",
- "iotwireless:GetWirelessDeviceStatistics",
- "iotwireless:GetWirelessGateway",
- "iotwireless:GetWirelessGatewayCertificate",
- "iotwireless:GetWirelessGatewayFirmwareInformation",
- "iotwireless:GetWirelessGatewayStatistics",
- "iotwireless:GetWirelessGatewayTask",
- "iotwireless:GetWirelessGatewayTaskDefinition",
- "iotwireless:ListDestinations",
- "iotwireless:ListDeviceProfiles",
- "iotwireless:ListDevicesForWirelessDeviceImportTask",
- "iotwireless:ListEventConfigurations",
- "iotwireless:ListFuotaTasks",
- "iotwireless:ListMulticastGroups",
- "iotwireless:ListMulticastGroupsByFuotaTask",
- "iotwireless:ListNetworkAnalyzerConfigurations",
- "iotwireless:ListPartnerAccounts",
- "iotwireless:ListPositionConfigurations",
- "iotwireless:ListQueuedMessages",
- "iotwireless:ListServiceProfiles",
- "iotwireless:ListTagsForResource",
- "iotwireless:ListWirelessDeviceImportTasks",
- "iotwireless:ListWirelessDevices",
- "iotwireless:ListWirelessGatewayTaskDefinitions",
- "iotwireless:ListWirelessGateways",
- "ivs:BatchGetChannel",
- "ivs:GetChannel",
- "ivs:GetComposition",
- "ivs:GetEncoderConfiguration",
- "ivs:GetIngestConfiguration",
- "ivs:GetParticipant",
- "ivs:GetPlaybackKeyPair",
- "ivs:GetPlaybackRestrictionPolicy",
- "ivs:GetPublicKey",
- "ivs:GetRecordingConfiguration",
- "ivs:GetStage",
- "ivs:GetStageSession",
- "ivs:GetStorageConfiguration",
- "ivs:GetStream",
- "ivs:GetStreamSession",
- "ivs:ListChannels",
- "ivs:ListCompositions",
- "ivs:ListEncoderConfigurations",
- "ivs:ListIngestConfigurations",
- "ivs:ListParticipantEvents",
- "ivs:ListParticipants",
- "ivs:ListPlaybackKeyPairs",
- "ivs:ListPlaybackRestrictionPolicies",
- "ivs:ListPublicKeys",
- "ivs:ListRecordingConfigurations",
- "ivs:ListStageSessions",
- "ivs:ListStages",
- "ivs:ListStorageConfigurations",
- "ivs:ListStreamKeys",
- "ivs:ListStreamSessions",
- "ivs:ListStreams",
- "ivs:ListTagsForResource",
- "ivschat:GetLoggingConfiguration",
- "ivschat:GetRoom",
- "ivschat:ListLoggingConfigurations",
- "ivschat:ListRooms",
- "ivschat:ListTagsForResource"
- ],
- "Resource": "*"
- },
- {
- "Sid": "ReadOnlyActionsGroup2",
- "Effect": "Allow",
- "Action": [
- "kafka:Describe*",
- "kafka:DescribeCluster",
- "kafka:DescribeClusterOperation",
- "kafka:DescribeClusterV2",
- "kafka:DescribeConfiguration",
- "kafka:DescribeConfigurationRevision",
- "kafka:Get*",
- "kafka:GetBootstrapBrokers",
- "kafka:GetCompatibleKafkaVersions",
- "kafka:List*",
- "kafka:ListClusterOperations",
- "kafka:ListClusters",
- "kafka:ListClustersV2",
- "kafka:ListConfigurationRevisions",
- "kafka:ListConfigurations",
- "kafka:ListKafkaVersions",
- "kafka:ListNodes",
- "kafka:ListTagsForResource",
- "kafkaconnect:DescribeConnector",
- "kafkaconnect:DescribeCustomPlugin",
- "kafkaconnect:DescribeWorkerConfiguration",
- "kafkaconnect:ListConnectors",
- "kafkaconnect:ListCustomPlugins",
- "kafkaconnect:ListWorkerConfigurations",
- "kendra:BatchGetDocumentStatus",
- "kendra:DescribeDataSource",
- "kendra:DescribeExperience",
- "kendra:DescribeFaq",
- "kendra:DescribeIndex",
- "kendra:DescribePrincipalMapping",
- "kendra:DescribeQuerySuggestionsBlockList",
- "kendra:DescribeQuerySuggestionsConfig",
- "kendra:DescribeThesaurus",
- "kendra:GetQuerySuggestions",
- "kendra:GetSnapshots",
- "kendra:ListDataSourceSyncJobs",
- "kendra:ListDataSources",
- "kendra:ListEntityPersonas",
- "kendra:ListExperienceEntities",
- "kendra:ListExperiences",
- "kendra:ListFaqs",
- "kendra:ListGroupsOlderThanOrderingId",
- "kendra:ListIndices",
- "kendra:ListQuerySuggestionsBlockLists",
- "kendra:ListTagsForResource",
- "kendra:ListThesauri",
- "kendra:Query",
- "kinesis:Describe*",
- "kinesis:Get*",
- "kinesis:List*",
- "kinesisanalytics:Describe*",
- "kinesisanalytics:Discover*",
- "kinesisanalytics:Get*",
- "kinesisanalytics:List*",
- "kinesisvideo:Describe*",
- "kinesisvideo:Get*",
- "kinesisvideo:List*",
- "kms:Describe*",
- "kms:Get*",
- "kms:List*",
- "lakeformation:DescribeResource",
- "lakeformation:GetDataCellsFilter",
- "lakeformation:GetDataLakeSettings",
- "lakeformation:GetEffectivePermissionsForPath",
- "lakeformation:GetLfTag",
- "lakeformation:GetResourceLfTags",
- "lakeformation:ListDataCellsFilter",
- "lakeformation:ListLfTags",
- "lakeformation:ListPermissions",
- "lakeformation:ListResources",
- "lakeformation:ListTableStorageOptimizers",
- "lakeformation:SearchDatabasesByLfTags",
- "lakeformation:SearchTablesByLfTags",
- "lambda:Get*",
- "lambda:List*",
- "launchwizard:DescribeAdditionalNode",
- "launchwizard:DescribeProvisionedApp",
- "launchwizard:DescribeProvisioningEvents",
- "launchwizard:DescribeSettingsSet",
- "launchwizard:GetDeployment",
- "launchwizard:GetInfrastructureSuggestion",
- "launchwizard:GetIpAddress",
- "launchwizard:GetResourceCostEstimate",
- "launchwizard:GetResourceRecommendation",
- "launchwizard:GetSettingsSet",
- "launchwizard:GetWorkload",
- "launchwizard:GetWorkloadAsset",
- "launchwizard:GetWorkloadAssets",
- "launchwizard:GetWorkloadDeploymentPattern",
- "launchwizard:ListAdditionalNodes",
- "launchwizard:ListAllowedResources",
- "launchwizard:ListDeploymentEvents",
- "launchwizard:ListDeployments",
- "launchwizard:ListProvisionedApps",
- "launchwizard:ListResourceCostEstimates",
- "launchwizard:ListSettingsSets",
- "launchwizard:ListTagsForResource",
- "launchwizard:ListWorkloadDeploymentOptions",
- "launchwizard:ListWorkloadDeploymentPatterns",
- "launchwizard:ListWorkloads",
- "lex:DescribeBot",
- "lex:DescribeBotAlias",
- "lex:DescribeBotChannel",
- "lex:DescribeBotLocale",
- "lex:DescribeBotReplica",
- "lex:DescribeBotVersion",
- "lex:DescribeExport",
- "lex:DescribeImport",
- "lex:DescribeIntent",
- "lex:DescribeResourcePolicy",
- "lex:DescribeSlot",
- "lex:DescribeSlotType",
- "lex:Get*",
- "lex:ListBotAliasReplicas",
- "lex:ListBotAliases",
- "lex:ListBotChannels",
- "lex:ListBotLocales",
- "lex:ListBotReplicas",
- "lex:ListBotVersionReplicas",
- "lex:ListBotVersions",
- "lex:ListBots",
- "lex:ListBuiltInIntents",
- "lex:ListBuiltInSlotTypes",
- "lex:ListExports",
- "lex:ListImports",
- "lex:ListIntents",
- "lex:ListSlotTypes",
- "lex:ListSlots",
- "lex:ListTagsForResource",
- "license-manager:Get*",
- "license-manager:List*",
- "lightsail:GetActiveNames",
- "lightsail:GetAlarms",
- "lightsail:GetAutoSnapshots",
- "lightsail:GetBlueprints",
- "lightsail:GetBucketAccessKeys",
- "lightsail:GetBucketBundles",
- "lightsail:GetBucketMetricData",
- "lightsail:GetBuckets",
- "lightsail:GetBundles",
- "lightsail:GetCertificates",
- "lightsail:GetCloudFormationStackRecords",
- "lightsail:GetContainerAPIMetadata",
- "lightsail:GetContainerImages",
- "lightsail:GetContainerServiceDeployments",
- "lightsail:GetContainerServiceMetricData",
- "lightsail:GetContainerServicePowers",
- "lightsail:GetContainerServices",
- "lightsail:GetDisk",
- "lightsail:GetDiskSnapshot",
- "lightsail:GetDiskSnapshots",
- "lightsail:GetDisks",
- "lightsail:GetDistributionBundles",
- "lightsail:GetDistributionLatestCacheReset",
- "lightsail:GetDistributionMetricData",
- "lightsail:GetDistributions",
- "lightsail:GetDomain",
- "lightsail:GetDomains",
- "lightsail:GetExportSnapshotRecords",
- "lightsail:GetInstance",
- "lightsail:GetInstanceMetricData",
- "lightsail:GetInstancePortStates",
- "lightsail:GetInstanceSnapshot",
- "lightsail:GetInstanceSnapshots",
- "lightsail:GetInstanceState",
- "lightsail:GetInstances",
- "lightsail:GetKeyPair",
- "lightsail:GetKeyPairs",
- "lightsail:GetLoadBalancer",
- "lightsail:GetLoadBalancerMetricData",
- "lightsail:GetLoadBalancerTlsCertificates",
- "lightsail:GetLoadBalancers",
- "lightsail:GetOperation",
- "lightsail:GetOperations",
- "lightsail:GetOperationsForResource",
- "lightsail:GetRegions",
- "lightsail:GetRelationalDatabase",
- "lightsail:GetRelationalDatabaseBlueprints",
- "lightsail:GetRelationalDatabaseBundles",
- "lightsail:GetRelationalDatabaseEvents",
- "lightsail:GetRelationalDatabaseLogEvents",
- "lightsail:GetRelationalDatabaseLogStreams",
- "lightsail:GetRelationalDatabaseMetricData",
- "lightsail:GetRelationalDatabaseParameters",
- "lightsail:GetRelationalDatabaseSnapshot",
- "lightsail:GetRelationalDatabaseSnapshots",
- "lightsail:GetRelationalDatabases",
- "lightsail:GetStaticIp",
- "lightsail:GetStaticIps",
- "lightsail:Is*",
- "logs:Describe*",
- "logs:FilterLogEvents",
- "logs:Get*",
- "logs:ListAnomalies",
- "logs:ListEntitiesForLogGroup",
- "logs:ListIntegrations",
- "logs:ListLogAnomalyDetectors",
- "logs:ListLogDeliveries",
- "logs:ListLogGroupsForEntity",
- "logs:ListLogGroupsForQuery",
- "logs:ListTagsForResource",
- "logs:ListTagsLogGroup",
- "logs:StartLiveTail",
- "logs:StartQuery",
- "logs:StopLiveTail",
- "logs:StopQuery",
- "logs:TestMetricFilter",
- "lookoutequipment:DescribeDataIngestionJob",
- "lookoutequipment:DescribeDataset",
- "lookoutequipment:DescribeInferenceScheduler",
- "lookoutequipment:DescribeLabel",
- "lookoutequipment:DescribeLabelGroup",
- "lookoutequipment:DescribeModel",
- "lookoutequipment:DescribeModelVersion",
- "lookoutequipment:DescribeResourcePolicy",
- "lookoutequipment:DescribeRetrainingScheduler",
- "lookoutequipment:ListDataIngestionJobs",
- "lookoutequipment:ListDatasets",
- "lookoutequipment:ListInferenceEvents",
- "lookoutequipment:ListInferenceExecutions",
- "lookoutequipment:ListInferenceSchedulers",
- "lookoutequipment:ListLabelGroups",
- "lookoutequipment:ListLabels",
- "lookoutequipment:ListModelVersions",
- "lookoutequipment:ListModels",
- "lookoutequipment:ListRetrainingSchedulers",
- "lookoutequipment:ListSensorStatistics",
- "lookoutequipment:ListTagsForResource",
- "lookoutmetrics:Describe*",
- "lookoutmetrics:Get*",
- "lookoutmetrics:List*",
- "lookoutvision:DescribeDataset",
- "lookoutvision:DescribeModel",
- "lookoutvision:DescribeModelPackagingJob",
- "lookoutvision:DescribeProject",
- "lookoutvision:ListDatasetEntries",
- "lookoutvision:ListModelPackagingJobs",
- "lookoutvision:ListModels",
- "lookoutvision:ListProjects",
- "lookoutvision:ListTagsForResource",
- "m2:GetApplication",
- "m2:GetApplicationVersion",
- "m2:GetBatchJobExecution",
- "m2:GetDataSetDetails",
- "m2:GetDataSetImportTask",
- "m2:GetDeployment",
- "m2:GetEnvironment",
- "m2:ListApplicationVersions",
- "m2:ListApplications",
- "m2:ListBatchJobDefinitions",
- "m2:ListBatchJobExecutions",
- "m2:ListDataSetImportHistory",
- "m2:ListDataSets",
- "m2:ListDeployments",
- "m2:ListEngineVersions",
- "m2:ListEnvironments",
- "m2:ListTagsForResource",
- "machinelearning:Describe*",
- "machinelearning:Get*",
- "macie2:BatchGetCustomDataIdentifiers",
- "macie2:DescribeBuckets",
- "macie2:DescribeClassificationJob",
- "macie2:DescribeOrganizationConfiguration",
- "macie2:GetAdministratorAccount",
- "macie2:GetAllowList",
- "macie2:GetAutomatedDiscoveryConfiguration",
- "macie2:GetBucketStatistics",
- "macie2:GetClassificationExportConfiguration",
- "macie2:GetClassificationScope",
- "macie2:GetCustomDataIdentifier",
- "macie2:GetFindingStatistics",
- "macie2:GetFindings",
- "macie2:GetFindingsFilter",
- "macie2:GetFindingsPublicationConfiguration",
- "macie2:GetInvitationsCount",
- "macie2:GetMacieSession",
- "macie2:GetMember",
- "macie2:GetResourceProfile",
- "macie2:GetRevealConfiguration",
- "macie2:GetSensitiveDataOccurrencesAvailability",
- "macie2:GetSensitivityInspectionTemplate",
- "macie2:GetUsageStatistics",
- "macie2:GetUsageTotals",
- "macie2:ListAllowLists",
- "macie2:ListAutomatedDiscoveryAccounts",
- "macie2:ListClassificationJobs",
- "macie2:ListClassificationScopes",
- "macie2:ListCustomDataIdentifiers",
- "macie2:ListFindings",
- "macie2:ListFindingsFilters",
- "macie2:ListInvitations",
- "macie2:ListMembers",
- "macie2:ListOrganizationAdminAccounts",
- "macie2:ListResourceProfileArtifacts",
- "macie2:ListResourceProfileDetections",
- "macie2:ListSensitivityInspectionTemplates",
- "macie2:ListTagsForResource",
- "macie2:SearchResources",
- "managedblockchain:GetMember",
- "managedblockchain:GetNetwork",
- "managedblockchain:GetNode",
- "managedblockchain:GetProposal",
- "managedblockchain:ListInvitations",
- "managedblockchain:ListMembers",
- "managedblockchain:ListNetworks",
- "managedblockchain:ListNodes",
- "managedblockchain:ListProposalVotes",
- "managedblockchain:ListProposals",
- "managedblockchain:ListTagsForResource",
- "mediaconnect:DescribeFlow",
- "mediaconnect:DescribeOffering",
- "mediaconnect:DescribeReservation",
- "mediaconnect:ListEntitlements",
- "mediaconnect:ListFlows",
- "mediaconnect:ListOfferings",
- "mediaconnect:ListReservations",
- "mediaconnect:ListTagsForResource",
- "mediaconvert:DescribeEndpoints",
- "mediaconvert:Get*",
- "mediaconvert:List*",
- "medialive:DescribeChannel",
- "medialive:DescribeInput",
- "medialive:DescribeInputDevice",
- "medialive:DescribeInputDeviceThumbnail",
- "medialive:DescribeInputSecurityGroup",
- "medialive:DescribeMultiplex",
- "medialive:DescribeMultiplexProgram",
- "medialive:DescribeOffering",
- "medialive:DescribeReservation",
- "medialive:DescribeSchedule",
- "medialive:GetCloudWatchAlarmTemplate",
- "medialive:GetCloudWatchAlarmTemplateGroup",
- "medialive:GetEventBridgeRuleTemplate",
- "medialive:GetEventBridgeRuleTemplateGroup",
- "medialive:GetSignalMap",
- "medialive:ListChannels",
- "medialive:ListCloudWatchAlarmTemplateGroups",
- "medialive:ListCloudWatchAlarmTemplates",
- "medialive:ListEventBridgeRuleTemplateGroups",
- "medialive:ListEventBridgeRuleTemplates",
- "medialive:ListInputDeviceTransfers",
- "medialive:ListInputDevices",
- "medialive:ListInputSecurityGroups",
- "medialive:ListInputs",
- "medialive:ListMultiplexPrograms",
- "medialive:ListMultiplexes",
- "medialive:ListOfferings",
- "medialive:ListReservations",
- "medialive:ListSignalMaps",
- "medialive:ListTagsForResource",
- "mediapackage-vod:Describe*",
- "mediapackage-vod:List*",
- "mediapackage:Describe*",
- "mediapackage:List*",
- "mediapackagev2:GetChannel",
- "mediapackagev2:GetChannelGroup",
- "mediapackagev2:GetChannelPolicy",
- "mediapackagev2:GetHeadObject",
- "mediapackagev2:GetObject",
- "mediapackagev2:GetOriginEndpoint",
- "mediapackagev2:GetOriginEndpointPolicy",
- "mediapackagev2:ListChannelGroups",
- "mediapackagev2:ListChannels",
- "mediapackagev2:ListOriginEndpoints",
- "mediapackagev2:ListTagsForResource",
- "mediastore:DescribeContainer",
- "mediastore:DescribeObject",
- "mediastore:GetContainerPolicy",
- "mediastore:GetCorsPolicy",
- "mediastore:GetLifecyclePolicy",
- "mediastore:GetMetricPolicy",
- "mediastore:GetObject",
- "mediastore:ListContainers",
- "mediastore:ListItems",
- "mediastore:ListTagsForResource",
- "memorydb:DescribeAcls",
- "memorydb:DescribeClusters",
- "memorydb:DescribeEngineVersions",
- "memorydb:DescribeEvents",
- "memorydb:DescribeMultiRegionClusters",
- "memorydb:DescribeMultiRegionParameterGroups",
- "memorydb:DescribeMultiRegionParameters",
- "memorydb:DescribeParameterGroups",
- "memorydb:DescribeParameters",
- "memorydb:DescribeReservedNodes",
- "memorydb:DescribeReservedNodesOfferings",
- "memorydb:DescribeServiceUpdates",
- "memorydb:DescribeSnapshots",
- "memorydb:DescribeSubnetGroups",
- "memorydb:DescribeUsers",
- "memorydb:ListAllowedMultiRegionClusterUpdates",
- "memorydb:ListAllowedNodeTypeUpdates",
- "memorydb:ListTags",
- "mgh:Describe*",
- "mgh:GetHomeRegion",
- "mgh:List*",
- "mgn:DescribeJobLogItems",
- "mgn:DescribeJobs",
- "mgn:DescribeLaunchConfigurationTemplates",
- "mgn:DescribeReplicationConfigurationTemplates",
- "mgn:DescribeSourceServers",
- "mgn:DescribeVcenterClients",
- "mgn:GetLaunchConfiguration",
- "mgn:GetReplicationConfiguration",
- "mgn:ListApplications",
- "mgn:ListSourceServerActions",
- "mgn:ListTemplateActions",
- "mgn:ListWaves",
- "mobileanalytics:Get*",
- "mobiletargeting:Get*",
- "mobiletargeting:List*",
- "monitron:GetProject",
- "monitron:GetProjectAdminUser",
- "monitron:ListProjects",
- "monitron:ListTagsForResource",
- "mpa:GetApprovalTeam",
- "mpa:GetIdentitySource",
- "mpa:GetPolicyVersion",
- "mpa:GetResourcePolicy",
- "mpa:GetSession",
- "mpa:ListApprovalTeams",
- "mpa:ListIdentitySources",
- "mpa:ListPolicies",
- "mpa:ListPolicyVersions",
- "mpa:ListResourcePolicies",
- "mpa:ListSessions",
- "mpa:ListTagsForResource",
- "mq:Describe*",
- "mq:List*",
- "network-firewall:DescribeFirewall",
- "network-firewall:DescribeFirewallPolicy",
- "network-firewall:DescribeLoggingConfiguration",
- "network-firewall:DescribeResourcePolicy",
- "network-firewall:DescribeRuleGroup",
- "network-firewall:DescribeRuleGroupMetadata",
- "network-firewall:DescribeTLSInspectionConfiguration",
- "network-firewall:ListFirewallPolicies",
- "network-firewall:ListFirewalls",
- "network-firewall:ListRuleGroups",
- "network-firewall:ListTLSInspectionConfigurations",
- "network-firewall:ListTagsForResource",
- "networkflowmonitor:GetMonitor",
- "networkflowmonitor:GetScope",
- "networkflowmonitor:ListMonitors",
- "networkflowmonitor:ListScopes",
- "networkmanager:DescribeGlobalNetworks",
- "networkmanager:GetConnectAttachment",
- "networkmanager:GetConnectPeer",
- "networkmanager:GetConnectPeerAssociations",
- "networkmanager:GetConnections",
- "networkmanager:GetCoreNetwork",
- "networkmanager:GetCoreNetworkChangeEvents",
- "networkmanager:GetCoreNetworkChangeSet",
- "networkmanager:GetCoreNetworkPolicy",
- "networkmanager:GetCustomerGatewayAssociations",
- "networkmanager:GetDevices",
- "networkmanager:GetLinkAssociations",
- "networkmanager:GetLinks",
- "networkmanager:GetNetworkResourceCounts",
- "networkmanager:GetNetworkResourceRelationships",
- "networkmanager:GetNetworkResources",
- "networkmanager:GetNetworkRoutes",
- "networkmanager:GetNetworkTelemetry",
- "networkmanager:GetResourcePolicy",
- "networkmanager:GetRouteAnalysis",
- "networkmanager:GetSiteToSiteVpnAttachment",
- "networkmanager:GetSites",
- "networkmanager:GetTransitGatewayConnectPeerAssociations",
- "networkmanager:GetTransitGatewayPeering",
- "networkmanager:GetTransitGatewayRegistrations",
- "networkmanager:GetTransitGatewayRouteTableAttachment",
- "networkmanager:GetVpcAttachment",
- "networkmanager:ListAttachments",
- "networkmanager:ListConnectPeers",
- "networkmanager:ListCoreNetworkPolicyVersions",
- "networkmanager:ListCoreNetworks",
- "networkmanager:ListPeerings",
- "networkmanager:ListTagsForResource",
- "networkmonitor:GetMonitor",
- "networkmonitor:GetProbe",
- "networkmonitor:ListMonitors",
- "networkmonitor:ListTagsForResource",
- "nimble:GetEula",
- "nimble:GetFeatureMap",
- "nimble:GetLaunchProfile",
- "nimble:GetLaunchProfileDetails",
- "nimble:GetLaunchProfileInitialization",
- "nimble:GetLaunchProfileMember",
- "nimble:GetStreamingImage",
- "nimble:GetStreamingSession",
- "nimble:GetStudio",
- "nimble:GetStudioComponent",
- "nimble:GetStudioMember",
- "nimble:ListEulaAcceptances",
- "nimble:ListEulas",
- "nimble:ListLaunchProfileMembers",
- "nimble:ListLaunchProfiles",
- "nimble:ListStreamingImages",
- "nimble:ListStreamingSessions",
- "nimble:ListStudioComponents",
- "nimble:ListStudioMembers",
- "nimble:ListStudios",
- "nimble:ListTagsForResource",
- "notifications-contacts:GetEmailContact",
- "notifications-contacts:ListEmailContacts",
- "notifications-contacts:ListTagsForResource",
- "notifications:GetEventRule",
- "notifications:GetFeatureOptInStatus",
- "notifications:GetManagedNotificationChildEvent",
- "notifications:GetManagedNotificationConfiguration",
- "notifications:GetManagedNotificationEvent",
- "notifications:GetNotificationConfiguration",
- "notifications:GetNotificationEvent",
- "notifications:GetNotificationsAccessForOrganization",
- "notifications:List*",
- "oam:GetLink",
- "oam:GetSink",
- "oam:GetSinkPolicy",
- "oam:ListAttachedLinks",
- "oam:ListLinks",
- "oam:ListSinks",
- "observabilityadmin:GetCentralizationRuleForOrganization",
- "observabilityadmin:GetTelemetryEnrichmentStatus",
- "observabilityadmin:GetTelemetryEvaluationStatus",
- "observabilityadmin:GetTelemetryEvaluationStatusForOrganization",
- "observabilityadmin:GetTelemetryRule",
- "observabilityadmin:GetTelemetryRuleForOrganization",
- "observabilityadmin:ListCentralizationRulesForOrganization",
- "observabilityadmin:ListResourceTelemetry",
- "observabilityadmin:ListResourceTelemetryForOrganization",
- "observabilityadmin:ListTagsForResource",
- "observabilityadmin:ListTelemetryRules",
- "observabilityadmin:ListTelemetryRulesForOrganization",
- "omics:Get*",
- "omics:List*",
- "one:GetDeviceConfigurationTemplate",
- "one:GetDeviceInstance",
- "one:GetDeviceInstanceConfiguration",
- "one:GetSite",
- "one:GetSiteAddress",
- "one:ListDeviceConfigurationTemplates",
- "one:ListDeviceInstances",
- "one:ListSites",
- "one:ListUsers",
- "opsworks-cm:Describe*",
- "opsworks-cm:List*",
- "opsworks:Describe*",
- "opsworks:Get*",
- "organizations:Describe*",
- "organizations:List*",
- "osis:GetPipeline",
- "osis:GetPipelineBlueprint",
- "osis:GetPipelineChangeProgress",
- "osis:ListPipelineBlueprints",
- "osis:ListPipelines",
- "osis:ListTagsForResource",
- "outposts:Get*",
- "outposts:List*",
- "payment-cryptography:GetAlias",
- "payment-cryptography:GetKey",
- "payment-cryptography:GetPublicKeyCertificate",
- "payment-cryptography:ListAliases",
- "payment-cryptography:ListKeys",
- "payment-cryptography:ListTagsForResource",
- "payments:GetPaymentInstrument",
- "payments:GetPaymentStatus",
- "payments:ListPaymentInstruments",
- "payments:ListPaymentPreferences",
- "payments:ListPaymentProgramOptions",
- "payments:ListPaymentProgramStatus",
- "payments:ListTagsForResource",
- "pca-connector-ad:GetConnector",
- "pca-connector-ad:GetDirectoryRegistration",
- "pca-connector-ad:GetServicePrincipalName",
- "pca-connector-ad:GetTemplate",
- "pca-connector-ad:GetTemplateGroupAccessControlEntry",
- "pca-connector-ad:ListConnectors",
- "pca-connector-ad:ListDirectoryRegistrations",
- "pca-connector-ad:ListServicePrincipalNames",
- "pca-connector-ad:ListTagsForResource",
- "pca-connector-ad:ListTemplateGroupAccessControlEntries",
- "pca-connector-ad:ListTemplates",
- "pca-connector-scep:GetChallengeMetadata",
- "pca-connector-scep:GetConnector",
- "pca-connector-scep:ListChallengeMetadata",
- "pca-connector-scep:ListConnectors",
- "pca-connector-scep:ListTagsForResource",
- "pcs:GetCluster",
- "pcs:GetComputeNodeGroup",
- "pcs:GetQueue",
- "pcs:ListClusters",
- "pcs:ListComputeNodeGroups",
- "pcs:ListQueues",
- "pcs:ListTagsForResource",
- "personalize:Describe*",
- "personalize:Get*",
- "personalize:List*",
- "pi:DescribeDimensionKeys",
- "pi:GetDimensionKeyDetails",
- "pi:GetResourceMetadata",
- "pi:GetResourceMetrics",
- "pi:ListAvailableResourceDimensions",
- "pi:ListAvailableResourceMetrics",
- "pipes:DescribePipe",
- "pipes:ListPipes",
- "pipes:ListTagsForResource",
- "polly:Describe*",
- "polly:Get*",
- "polly:List*",
- "polly:SynthesizeSpeech",
- "pricing:DescribeServices",
- "pricing:GetAttributeValues",
- "pricing:GetPriceListFileUrl",
- "pricing:GetProducts",
- "pricing:ListPriceLists",
- "proton:GetDeployment",
- "proton:GetEnvironment",
- 
"proton:GetEnvironmentTemplate", - "proton:GetEnvironmentTemplateVersion", - "proton:GetService", - "proton:GetServiceInstance", - "proton:GetServiceTemplate", - "proton:GetServiceTemplateVersion", - "proton:ListDeployments", - "proton:ListEnvironmentAccountConnections", - "proton:ListEnvironmentTemplates", - "proton:ListEnvironments", - "proton:ListServiceInstances", - "proton:ListServiceTemplates", - "proton:ListServices", - "proton:ListTagsForResource", - "purchase-orders:GetPurchaseOrder", - "purchase-orders:ListPurchaseOrderInvoices", - "purchase-orders:ListPurchaseOrders", - "purchase-orders:ViewPurchaseOrders", - "qbusiness:GetApplication", - "qbusiness:GetChatControlsConfiguration", - "qbusiness:GetDataSource", - "qbusiness:GetGroup", - "qbusiness:GetIndex", - "qbusiness:GetPlugin", - "qbusiness:GetRetriever", - "qbusiness:GetUser", - "qbusiness:GetWebExperience", - "qbusiness:ListApplications", - "qbusiness:ListDataSourceSyncJobs", - "qbusiness:ListDataSources", - "qbusiness:ListGroups", - "qbusiness:ListIndices", - "qbusiness:ListPlugins", - "qbusiness:ListRetrievers", - "qbusiness:ListSubscriptions", - "qbusiness:ListTagsForResource", - "qbusiness:ListWebExperiences", - "qldb:DescribeJournalKinesisStream", - "qldb:DescribeJournalS3Export", - "qldb:DescribeLedger", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:ListJournalKinesisStreamsForLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:ListLedgers", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rbin:GetRule", - "rbin:ListRules", - "rbin:ListTagsForResource", - "rds:Describe*", - "rds:Download*", - "rds:List*", - "redshift-serverless:GetCustomDomainAssociation", - "redshift-serverless:GetEndpointAccess", - "redshift-serverless:GetNamespace", - "redshift-serverless:GetRecoveryPoint", - "redshift-serverless:GetResourcePolicy", - "redshift-serverless:GetScheduledAction", - "redshift-serverless:GetSnapshot", - 
"redshift-serverless:GetTableRestoreStatus", - "redshift-serverless:GetUsageLimit", - "redshift-serverless:GetWorkgroup", - "redshift-serverless:ListCustomDomainAssociations", - "redshift-serverless:ListEndpointAccess", - "redshift-serverless:ListNamespaces", - "redshift-serverless:ListRecoveryPoints", - "redshift-serverless:ListScheduledActions", - "redshift-serverless:ListSnapshotCopyConfigurations", - "redshift-serverless:ListSnapshots", - "redshift-serverless:ListTableRestoreStatus", - "redshift-serverless:ListTagsForResource", - "redshift-serverless:ListUsageLimits", - "redshift-serverless:ListWorkgroups", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:ListRecommendations", - "redshift:View*", - "refactor-spaces:GetApplication", - "refactor-spaces:GetEnvironment", - "refactor-spaces:GetResourcePolicy", - "refactor-spaces:GetRoute", - "refactor-spaces:GetService", - "refactor-spaces:ListApplications", - "refactor-spaces:ListEnvironmentVpcs", - "refactor-spaces:ListEnvironments", - "refactor-spaces:ListRoutes", - "refactor-spaces:ListServices", - "refactor-spaces:ListTagsForResource", - "rekognition:CompareFaces", - "rekognition:DescribeDataset", - "rekognition:DescribeProjectVersions", - "rekognition:DescribeProjects", - "rekognition:DescribeStreamProcessor", - "rekognition:Detect*", - "rekognition:GetCelebrityInfo", - "rekognition:GetCelebrityRecognition", - "rekognition:GetContentModeration", - "rekognition:GetFaceDetection", - "rekognition:GetFaceSearch", - "rekognition:GetLabelDetection", - "rekognition:GetPersonTracking", - "rekognition:GetSegmentDetection", - "rekognition:GetTextDetection", - "rekognition:List*", - "rekognition:RecognizeCelebrities", - "rekognition:Search*", - "resiliencehub:DescribeApp", - "resiliencehub:DescribeAppAssessment", - "resiliencehub:DescribeAppVersion", - "resiliencehub:DescribeAppVersionAppComponent", - "resiliencehub:DescribeAppVersionResource", - 
"resiliencehub:DescribeAppVersionResourcesResolutionStatus", - "resiliencehub:DescribeAppVersionTemplate", - "resiliencehub:DescribeDraftAppVersionResourcesImportStatus", - "resiliencehub:DescribeMetricsExport", - "resiliencehub:DescribeResiliencyPolicy", - "resiliencehub:DescribeResourceGroupingRecommendationTask", - "resiliencehub:ListAlarmRecommendations", - "resiliencehub:ListAppAssessmentComplianceDrifts", - "resiliencehub:ListAppAssessmentResourceDrifts", - "resiliencehub:ListAppAssessments", - "resiliencehub:ListAppComponentCompliances", - "resiliencehub:ListAppComponentRecommendations", - "resiliencehub:ListAppInputSources", - "resiliencehub:ListAppVersionAppComponents", - "resiliencehub:ListAppVersionResourceMappings", - "resiliencehub:ListAppVersionResources", - "resiliencehub:ListAppVersions", - "resiliencehub:ListApps", - "resiliencehub:ListMetrics", - "resiliencehub:ListRecommendationTemplates", - "resiliencehub:ListResiliencyPolicies", - "resiliencehub:ListResourceGroupingRecommendations", - "resiliencehub:ListSopRecommendations", - "resiliencehub:ListSuggestedResiliencyPolicies", - "resiliencehub:ListTagsForResource", - "resiliencehub:ListTestRecommendations", - "resiliencehub:ListUnsupportedAppVersionResources", - "resource-explorer-2:BatchGetView", - "resource-explorer-2:GetAccountLevelServiceConfiguration", - "resource-explorer-2:GetDefaultView", - "resource-explorer-2:GetIndex", - "resource-explorer-2:GetManagedView", - "resource-explorer-2:GetView", - "resource-explorer-2:ListIndexes", - "resource-explorer-2:ListIndexesForMembers", - "resource-explorer-2:ListManagedViews", - "resource-explorer-2:ListSupportedResourceTypes", - "resource-explorer-2:ListTagsForResource", - "resource-explorer-2:ListViews", - "resource-explorer-2:Search", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:Get*", - "robomaker:List*", - "rolesanywhere:GetCrl", - 
"rolesanywhere:GetProfile", - "rolesanywhere:GetSubject", - "rolesanywhere:GetTrustAnchor", - "rolesanywhere:ListCrls", - "rolesanywhere:ListProfiles", - "rolesanywhere:ListSubjects", - "rolesanywhere:ListTagsForResource", - "rolesanywhere:ListTrustAnchors", - "route53-recovery-cluster:Get*", - "route53-recovery-cluster:ListRoutingControls", - "route53-recovery-control-config:Describe*", - "route53-recovery-control-config:GetResourcePolicy", - "route53-recovery-control-config:List*", - "route53-recovery-readiness:Get*", - "route53-recovery-readiness:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53profiles:GetProfile", - "route53profiles:GetProfileAssociation", - "route53profiles:GetProfileResourceAssociation", - "route53profiles:ListProfileAssociations", - "route53profiles:ListProfileResourceAssociations", - "route53profiles:ListProfiles", - "route53profiles:ListTagsForResource", - "route53resolver:Get*", - "route53resolver:List*", - "rum:GetAppMonitor", - "rum:GetAppMonitorData", - "rum:ListAppMonitors", - "s3-object-lambda:GetObject", - "s3-object-lambda:GetObjectAcl", - "s3-object-lambda:GetObjectLegalHold", - "s3-object-lambda:GetObjectRetention", - "s3-object-lambda:GetObjectTagging", - "s3-object-lambda:GetObjectVersion", - "s3-object-lambda:GetObjectVersionAcl", - "s3-object-lambda:GetObjectVersionTagging", - "s3-object-lambda:ListBucket", - "s3-object-lambda:ListBucketMultipartUploads", - "s3-object-lambda:ListBucketVersions", - "s3-object-lambda:ListMultipartUploadParts", - "s3-outposts:GetAccessPoint", - "s3-outposts:GetAccessPointPolicy", - "s3-outposts:GetBucket", - "s3-outposts:GetBucketPolicy", - "s3-outposts:GetBucketTagging", - "s3-outposts:GetBucketVersioning", - "s3-outposts:GetLifecycleConfiguration", - "s3-outposts:GetObject", - "s3-outposts:GetObjectTagging", - "s3-outposts:GetObjectVersion", - 
"s3-outposts:GetObjectVersionForReplication", - "s3-outposts:GetObjectVersionTagging", - "s3-outposts:GetReplicationConfiguration", - "s3-outposts:ListAccessPoints", - "s3-outposts:ListBucket", - "s3-outposts:ListBucketMultipartUploads", - "s3-outposts:ListBucketVersions", - "s3-outposts:ListEndpoints", - "s3-outposts:ListMultipartUploadParts", - "s3-outposts:ListOutpostsWithS3", - "s3-outposts:ListRegionalBuckets", - "s3-outposts:ListSharedEndpoints", - "s3:DescribeJob", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "savingsplans:DescribeSavingsPlanRates", - "savingsplans:DescribeSavingsPlans", - "savingsplans:DescribeSavingsPlansOfferingRates", - "savingsplans:DescribeSavingsPlansOfferings", - "savingsplans:ListTagsForResource", - "scheduler:GetSchedule", - "scheduler:GetScheduleGroup", - "scheduler:ListScheduleGroups", - "scheduler:ListSchedules", - "scheduler:ListTagsForResource", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "secretsmanager:List*", - "securityhub:BatchGetAutomationRules", - "securityhub:BatchGetConfigurationPolicyAssociations", - "securityhub:BatchGetControlEvaluations", - "securityhub:BatchGetSecurityControls", - "securityhub:BatchGetStandardsControlAssociations", - "securityhub:Describe*", - "securityhub:Get*", - "securityhub:List*", - "securitylake:GetDataLakeExceptionSubscription", - "securitylake:GetDataLakeOrganizationConfiguration", - "securitylake:GetDataLakeSources", - "securitylake:GetSubscriber", - "securitylake:ListDataLakeExceptions", - "securitylake:ListDataLakes", - "securitylake:ListLogSources", - "securitylake:ListSubscribers", - "securitylake:ListTagsForResource", - "serverlessrepo:Get*", - "serverlessrepo:List*", - "serverlessrepo:SearchApplications", - "servicecatalog:Describe*", - 
"servicecatalog:GetApplication", - "servicecatalog:GetAttributeGroup", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicediscovery:DiscoverInstances", - "servicediscovery:DiscoverInstancesRevision", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServices", - "ses:BatchGetMetricData", - "ses:Describe*", - "ses:Get*", - "ses:List*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "signer:DescribeSigningJob", - "signer:GetSigningPlatform", - "signer:GetSigningProfile", - "signer:ListProfilePermissions", - "signer:ListSigningJobs", - "signer:ListSigningPlatforms", - "signer:ListSigningProfiles", - "signer:ListTagsForResource", - "signin:ListTrustedIdentityPropagationApplicationsForConsole", - "sms-voice:DescribeAccountAttributes", - "sms-voice:DescribeAccountLimits", - "sms-voice:DescribeConfigurationSets", - "sms-voice:DescribeKeywords", - "sms-voice:DescribeOptOutLists", - "sms-voice:DescribeOptedOutNumbers", - "sms-voice:DescribePhoneNumbers", - "sms-voice:DescribePools", - "sms-voice:DescribeProtectConfigurations", - "sms-voice:DescribeRegistrationAttachments", - "sms-voice:DescribeRegistrationFieldDefinitions", - "sms-voice:DescribeRegistrationFieldValues", - "sms-voice:DescribeRegistrations", - "sms-voice:DescribeRegistrationSectionDefinitions", - "sms-voice:DescribeRegistrationTypeDefinitions", - "sms-voice:DescribeRegistrationVersions", - "sms-voice:DescribeSenderIds", - 
"sms-voice:DescribeSpendLimits", - "sms-voice:DescribeVerifiedDestinationNumbers", - "sms-voice:ListPoolOriginationIdentities", - "sms-voice:ListTagsForResource", - "snowball:Describe*", - "snowball:Get*", - "snowball:List*", - "sns:Check*", - "sns:Get*", - "sns:List*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm-contacts:DescribeEngagement", - "ssm-contacts:DescribePage", - "ssm-contacts:GetContact", - "ssm-contacts:GetContactChannel", - "ssm-contacts:ListContactChannels", - "ssm-contacts:ListContacts", - "ssm-contacts:ListEngagements", - "ssm-contacts:ListPageReceipts", - "ssm-contacts:ListPagesByContact", - "ssm-contacts:ListPagesByEngagement", - "ssm-incidents:GetIncidentRecord", - "ssm-incidents:GetReplicationSet", - "ssm-incidents:GetResourcePolicies", - "ssm-incidents:GetResponsePlan", - "ssm-incidents:GetTimelineEvent", - "ssm-incidents:ListIncidentRecords", - "ssm-incidents:ListRelatedItems", - "ssm-incidents:ListReplicationSets", - "ssm-incidents:ListResponsePlans", - "ssm-incidents:ListTagsForResource", - "ssm-incidents:ListTimelineEvents", - "ssm-quicksetup:GetConfiguration", - "ssm-quicksetup:GetConfigurationManager", - "ssm-quicksetup:GetServiceSettings", - "ssm-quicksetup:ListConfigurationManagers", - "ssm-quicksetup:ListConfigurations", - "ssm-quicksetup:ListQuickSetupTypes", - "ssm-quicksetup:ListTagsForResource", - "ssm-sap:GetApplication", - "ssm-sap:GetComponent", - "ssm-sap:GetConfigurationCheckOperation", - "ssm-sap:GetDatabase", - "ssm-sap:GetOperation", - "ssm-sap:GetResourcePermission", - "ssm-sap:ListApplications", - "ssm-sap:ListComponents", - "ssm-sap:ListConfigurationCheckDefinitions", - "ssm-sap:ListConfigurationCheckOperations", - "ssm-sap:ListDatabases", - "ssm-sap:ListOperationEvents", - "ssm-sap:ListOperations", - "ssm-sap:ListSubCheckResults", - "ssm-sap:ListSubCheckRuleResults", - "ssm-sap:ListTagsForResource", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "sso-directory:Describe*", - "sso-directory:List*", - 
"sso-directory:Search*", - "sso:Describe*", - "sso:Get*", - "sso:List*", - "states:Describe*", - "states:GetExecutionHistory", - "states:List*", - "states:ValidateStateMachineDefinition", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:GetAccessKeyInfo", - "sts:GetCallerIdentity", - "sts:GetSessionToken", - "support:DescribeAttachment", - "support:DescribeCaseAttributes", - "support:DescribeCases", - "support:DescribeCommunication", - "support:DescribeCommunications", - "support:DescribeCreateCaseOptions", - "support:DescribeIssueTypes", - "support:DescribeServices", - "support:DescribeSeverityLevels", - "support:DescribeSupportLevel", - "support:DescribeSupportedLanguages", - "support:DescribeTrustedAdvisorCheckRefreshStatuses", - "support:DescribeTrustedAdvisorCheckResult", - "support:DescribeTrustedAdvisorCheckSummaries", - "support:DescribeTrustedAdvisorChecks", - "support:SearchForCases", - "supportplans:GetSupportPlan", - "supportplans:GetSupportPlanUpdateStatus", - "supportplans:ListSupportPlanModifiers", - "sustainability:GetCarbonFootprintSummary", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "synthetics:List*", - "tag:DescribeReportCreation", - "tag:Get*", - "tax:GetExemptions", - "tax:GetTaxInheritance", - "tax:GetTaxInterview", - "tax:GetTaxRegistration", - "tax:GetTaxRegistrationDocument", - "tax:ListTaxRegistrations", - "timestream:DescribeBatchLoadTask", - "timestream:DescribeDatabase", - "timestream:DescribeEndpoints", - "timestream:DescribeTable", - "timestream:ListBatchLoadTasks", - "timestream:ListDatabases", - "timestream:ListMeasures", - "timestream:ListTables", - "timestream:ListTagsForResource", - "tnb:GetSolFunctionInstance", - "tnb:GetSolFunctionPackage", - "tnb:GetSolFunctionPackageContent", - "tnb:GetSolFunctionPackageDescriptor", - "tnb:GetSolNetworkInstance", - "tnb:GetSolNetworkOperation", - "tnb:GetSolNetworkPackage", - 
"tnb:GetSolNetworkPackageContent", - "tnb:GetSolNetworkPackageDescriptor", - "tnb:ListSolFunctionInstances", - "tnb:ListSolFunctionPackages", - "tnb:ListSolNetworkInstances", - "tnb:ListSolNetworkOperations", - "tnb:ListSolNetworkPackages", - "tnb:ListTagsForResource", - "transcribe:Get*", - "transcribe:List*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "translate:DescribeTextTranslationJob", - "translate:GetParallelData", - "translate:GetTerminology", - "translate:ListParallelData", - "translate:ListTerminologies", - "translate:ListTextTranslationJobs", - "trustedadvisor:Describe*", - "trustedadvisor:GetOrganizationRecommendation", - "trustedadvisor:GetRecommendation", - "trustedadvisor:ListChecks", - "trustedadvisor:ListOrganizationRecommendationAccounts", - "trustedadvisor:ListOrganizationRecommendationResources", - "trustedadvisor:ListOrganizationRecommendations", - "trustedadvisor:ListRecommendationResources", - "trustedadvisor:ListRecommendations", - "user-subscriptions:ListApplicationClaims", - "user-subscriptions:ListClaims", - "user-subscriptions:ListUserSubscriptions", - "verifiedpermissions:GetIdentitySource", - "verifiedpermissions:GetPolicy", - "verifiedpermissions:GetPolicyStore", - "verifiedpermissions:GetPolicyTemplate", - "verifiedpermissions:GetSchema", - "verifiedpermissions:IsAuthorized", - "verifiedpermissions:IsAuthorizedWithToken", - "verifiedpermissions:ListIdentitySources", - "verifiedpermissions:ListPolicies", - "verifiedpermissions:ListPolicyStores", - "verifiedpermissions:ListPolicyTemplates", - "vpc-lattice:GetAccessLogSubscription", - "vpc-lattice:GetAuthPolicy", - "vpc-lattice:GetListener", - "vpc-lattice:GetResourceConfiguration", - "vpc-lattice:GetResourceGateway", - "vpc-lattice:GetResourcePolicy", - "vpc-lattice:GetRule", - "vpc-lattice:GetService", - "vpc-lattice:GetServiceNetwork", - "vpc-lattice:GetServiceNetworkResourceAssociation", - "vpc-lattice:GetServiceNetworkServiceAssociation", - 
"vpc-lattice:GetServiceNetworkVpcAssociation", - "vpc-lattice:GetTargetGroup", - "vpc-lattice:ListAccessLogSubscriptions", - "vpc-lattice:ListListeners", - "vpc-lattice:ListResourceConfigurations", - "vpc-lattice:ListResourceEndpointAssociations", - "vpc-lattice:ListResourceGateways", - "vpc-lattice:ListRules", - "vpc-lattice:ListServiceNetworkResourceAssociations", - "vpc-lattice:ListServiceNetworkServiceAssociations", - "vpc-lattice:ListServiceNetworkVpcAssociations", - "vpc-lattice:ListServiceNetworks", - "vpc-lattice:ListServiceNetworkVpcEndpointAssociations", - "vpc-lattice:ListServices", - "vpc-lattice:ListTagsForResource", - "vpc-lattice:ListTargetGroups", - "vpc-lattice:ListTargets", - "waf-regional:Get*", - "waf-regional:List*", - "waf:Get*", - "waf:List*", - "wafv2:CheckCapacity", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "wellarchitected:ExportLens", - "wellarchitected:GetAnswer", - "wellarchitected:GetConsolidatedReport", - "wellarchitected:GetLens", - "wellarchitected:GetLensReview", - "wellarchitected:GetLensReviewReport", - "wellarchitected:GetLensVersionDifference", - "wellarchitected:GetMilestone", - "wellarchitected:GetProfile", - "wellarchitected:GetProfileTemplate", - "wellarchitected:GetReviewTemplate", - "wellarchitected:GetReviewTemplateAnswer", - "wellarchitected:GetReviewTemplateLensReview", - "wellarchitected:GetWorkload", - "wellarchitected:List*", - "workdocs:CheckAlias", - "workdocs:Describe*", - "workdocs:Get*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces-web:GetBrowserSettings", - "workspaces-web:GetIdentityProvider", - "workspaces-web:GetNetworkSettings", - "workspaces-web:GetPortal", - "workspaces-web:GetPortalServiceProviderMetadata", - "workspaces-web:GetTrustStore", - "workspaces-web:GetUserAccessLoggingSettings", - "workspaces-web:GetUserSettings", - "workspaces-web:ListBrowserSettings", - "workspaces-web:ListIdentityProviders", - 
"workspaces-web:ListNetworkSettings", - "workspaces-web:ListPortals", - "workspaces-web:ListTagsForResource", - "workspaces-web:ListTrustStores", - "workspaces-web:ListUserAccessLoggingSettings", - "workspaces-web:ListUserSettings", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Resource": "*" - } - ] - } -} \ No newline at end of file diff --git a/infrastructure/iam_roles/prod_github-access-role.json b/infrastructure/iam_roles/prod_github-access-role.json deleted file mode 100644 index afdde13a..00000000 --- a/infrastructure/iam_roles/prod_github-access-role.json +++ /dev/null 
@@ -1,3336 +0,0 @@ -{ - "inline": { - "CloudWatchLogsPolicy": [ - { - "Sid": "AllowLogGroup", - "Effect": "Allow", - "Action": [ - "logs:ListTagsLogGroup", - "logs:CreateLogDelivery", - "logs:PutMetricFilter", - "logs:DeleteMetricFilter", - "logs:DescribeLogGroups", - "logs:PutRetentionPolicy", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:PutResourcePolicy" - ], - "Resource": "*" - } - ], - "CloudWatchRumPolicy": [ - { - "Sid": "AllowIdentityPool", - "Effect": "Allow", - "Action": [ - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:UpdateIdentityPool" - ], - "Resource": "arn:aws:cognito-identity:eu-west-2:${account}:identitypool/*" - }, - { - "Sid": "AllowAppMonitor", - "Effect": "Allow", - "Action": [ - "rum:TagResource", - "rum:UntagResource", - "rum:ListTagsForResource", - "iam:PassRole", - "rum:UpdateAppMonitor", - "rum:GetAppMonitor", - "rum:CreateAppMonitor", - "rum:DeleteAppMonitor" - ], - "Resource": "arn:aws:rum:eu-west-2:${account}:appmonitor/*" - }, - { - "Sid": "AllowRumServiceLogs", - "Effect": "Allow", - "Action": [ - "logs:DeleteLogGroup", - "logs:DeleteResourcePolicy", - "logs:DescribeLogGroups" - ], - "Resource": "arn:aws:logs:eu-west-2:${account}:log-group:*RUMService*" - }, - { - "Sid": "AllowRumServiceAllLogs", - "Effect": "Allow", - "Action": [ - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:UpdateLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:DescribeResourcePolicies" - ], - "Resource": "*" - } - ], - "ecr_policy": [ - { - "Sid": "ecrAllowPolicy", - "Effect": "Allow", - "Action": [ - "ecr:InitiateLayerUpload", - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart" - ], - "Resource": [ - "arn:aws:ecr:eu-west-2:${account}:repository/ndr-prod-app", - 
"arn:aws:ecr:eu-west-2:${account}:repository/prod-data-collection" - ] - } - ], - "github-extended-policy-virus-scanner": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Action": [ - "ssm:CreateDocument", - "iam:TagRole", - "SNS:TagResource", - "SNS:SetSubscriptionAttributes", - "cognito-idp:CreateUserPool", - "cognito-idp:TagResource", - "cognito-idp:SetUserPoolMfaConfig", - "iam:CreateInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:DeleteInstanceProfile", - "cloudformation:CreateResource", - "cognito-idp:DeleteUserPool", - "cognito-idp:CreateGroup", - "cognito-idp:AdminCreateUser", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:AdminAddUserToGroup" - ], - "Resource": "*" - } - ], - "GithubCloudfrontPolicy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "cloudfront:CreateOriginAccessControl", - "cloudfront:DeleteOriginAccessControl", - "cloudfront:TagResource", - "cloudfront:CreateDistribution", - "cloudfront:CreateInvalidation", - "lambda:EnableReplication", - "cloudfront:CreateCachePolicy", - "iam:CreateServiceLinkedRole", - "cloudfront:DeleteCachePolicy", - "lambda:PublishVersion", - "cloudfront:UpdateDistribution", - "cloudfront:DeleteDistribution", - "cloudfront:UntagResource", - "cloudfront:UpdateOriginRequestPolicy", - "cloudfront:CreateOriginRequestPolicy", - "cloudfront:UpdateOriginAccessControl" - ], - "Resource": "*" - } - ], - "GithubECSPolicy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": "ecs:TagResource", - "Resource": "*" - } - ], - "GithubSchedulerPolicy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "scheduler:UpdateSchedule", - "scheduler:CreateSchedule" - ], - "Resource": "*" - } - ], - "lambda": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "lambda:CreateFunction", - "lambda:DeleteFunctionConcurrency", - "lambda:GetFunction", - "lambda:GetFunctionConfiguration", - "lambda:InvokeFunction", - "lambda:UpdateFunctionCode", - 
"lambda:UpdateFunctionConfiguration", - "kms:CreateGrant", - "kms:Decrypt", - "kms:Encrypt", - "kms:TagResource", - "kms:UntagResource", - "s3:PutObject" - ], - "Resource": [ - "arn:aws:kms:*:${account}:key/*", - "arn:aws:lambda:eu-west-2:*:function:*" - ] - } - ], - "mtls-gateway": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "acm:RequestCertificate", - "route53:ListHostedZones", - "acm:ListCertificates" - ], - "Resource": "*" - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": "apigateway:AddCertificateToDomain", - "Resource": "arn:aws:apigateway:eu-west-2::/domainnames" - }, - { - "Sid": "VisualEditor2", - "Effect": "Allow", - "Action": [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "route53:GetHostedZone", - "route53:ChangeResourceRecordSets", - "apigateway:AddCertificateToDomain", - "acm:AddTagsToCertificate", - "apigateway:RemoveCertificateFromDomain", - "acm:ListTagsForCertificate" - ], - "Resource": [ - "arn:aws:apigateway:eu-west-2::/domainnames", - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:route53:::hostedzone/*", - "arn:aws:acm:eu-west-2:${account}:certificate/*" - ] - }, - { - "Sid": "VisualEditor3", - "Effect": "Allow", - "Action": [ - "apigateway:AddCertificateToDomain", - "apigateway:RemoveCertificateFromDomain" - ], - "Resource": [ - "arn:aws:apigateway:eu-west-2::/domainnames/*", - "arn:aws:apigateway:eu-west-2::/domainnames" - ] - }, - { - "Sid": "VisualEditor4", - "Effect": "Allow", - "Action": "apigateway:AddCertificateToDomain", - "Resource": "arn:aws:apigateway:eu-west-2::/domainnames" - } - ], - "resource_tagging": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "resource-groups:GetGroupQuery", - "backup:TagResource", - "sns:TagResource", - "lambda:TagResource", - "resource-groups:UpdateGroup", - "iam:UntagRole", - "iam:TagRole", - "resource-groups:GetTags", - "sns:UntagResource", - "resource-groups:Untag", - 
"lambda:UntagResource", - "elasticloadbalancing:RemoveTags", - "cognito-identity:UntagResource", - "resource-groups:GetGroup", - "resource-groups:GetGroupConfiguration", - "backup:UntagResource", - "cognito-identity:TagResource", - "resource-groups:Tag", - "logs:UntagResource", - "resource-groups:UpdateGroupQuery", - "iam:TagPolicy", - "logs:TagResource", - "events:TagResource", - "resource-groups:DeleteGroup", - "elasticloadbalancing:AddTags", - "iam:UntagPolicy", - "resource-groups:ListGroupResources", - "iam:UntagInstanceProfile", - "events:UntagResource", - "iam:TagInstanceProfile" - ], - "Resource": [ - "arn:aws:events:*:${account}:event-bus/*", - "arn:aws:events:*:${account}:rule/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${account}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:targetgroup/*/*", - "arn:aws:lambda:*:${account}:event-source-mapping:*", - "arn:aws:lambda:*:${account}:code-signing-config:*", - "arn:aws:lambda:*:${account}:function:*", - "arn:aws:cognito-identity:*:${account}:identitypool/*", - "arn:aws:resource-groups:*:${account}:group/*", - "arn:aws:backup:*:${account}:backup-plan:*", - "arn:aws:backup:*:${account}:report-plan:*-*", - "arn:aws:backup:*:${account}:restore-testing-plan:*-*", - "arn:aws:backup:*:${account}:backup-vault:*", - "arn:aws:backup:*:${account}:legal-hold:*", - "arn:aws:backup:*:${account}:framework:*-*", - "arn:aws:iam::${account}:policy/*", - 
"arn:aws:iam::${account}:instance-profile/*", - "arn:aws:iam::${account}:role/*", - "arn:aws:sns:*:${account}:*", - "arn:aws:logs:*:${account}:log-group:*", - "arn:aws:logs:*:${account}:delivery-source:*", - "arn:aws:logs:*:${account}:delivery:*", - "arn:aws:logs:*:${account}:destination:*", - "arn:aws:logs:*:${account}:delivery-destination:*", - "arn:aws:logs:*:${account}:anomaly-detector:*" - ] - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": [ - "events:TagResource", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags", - "events:UntagResource" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/app/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${account}:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:${account}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/net/*/*/*/*", - "arn:aws:events:*:${account}:rule/*" - ] - }, - { - "Sid": "VisualEditor2", - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:AddTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:${account}:truststore/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/gwy/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/net/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:listener-rule/app/*/*/*/*", - "arn:aws:elasticloadbalancing:*:${account}:targetgroup/*/*", - 
"arn:aws:elasticloadbalancing:*:${account}:loadbalancer/gwy/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:${account}:loadbalancer/app/*/*" - ] - }, - { - "Sid": "VisualEditor3", - "Effect": "Allow", - "Action": [ - "resource-groups:SearchResources", - "resource-groups:CreateGroup", - "resource-groups:ListGroups" - ], - "Resource": "*" - } - ], - "step_functions": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "states:DescribeStateMachine", - "states:UpdateStateMachine", - "states:DeleteStateMachine", - "states:CreateStateMachine", - "states:TagResource", - "states:UntagResource" - ], - "Resource": "arn:aws:states:eu-west-2:${account}:stateMachine:*" - } - ] - }, - "attached": { - "GitHubAllAccess": [ - { - "Sid": "Statement1", - "Effect": "Allow", - "Action": [ - "apigateway:DELETE", - "apigateway:PATCH", - "apigateway:POST", - "apigateway:PUT", - "cloudwatch:DeleteAlarms", - "cloudwatch:PutMetricAlarm", - "dynamodb:CreateTable", - "dynamodb:DeleteItem", - "dynamodb:DeleteTable", - "dynamodb:DescribeContinuousBackups", - "dynamodb:DescribeTable", - "dynamodb:DescribeTimeToLive", - "dynamodb:GetItem", - "dynamodb:ListTagsOfResource", - "dynamodb:PutItem", - "dynamodb:TagResource", - "dynamodb:UpdateTimeToLive", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateDefaultVpc", - "ec2:CreateInternetGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:DeleteInternetGateway", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribePrefixLists", - "ec2:DescribeRouteTables", - 
"ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:ModifyVpcAttribute", - "ec2:ModifyVpcEndpoint", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ecr:CreateRepository", - "ecr:DeleteLifecyclePolicy", - "ecr:DeleteRepository", - "ecr:DeleteRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:GetAuthorizationToken", - "ecr:GetLifecyclePolicy", - "ecr:GetRepositoryPolicy", - "ecr:ListTagsForResource", - "ecr:PutLifecyclePolicy", - "ecr:SetRepositoryPolicy", - "ecr:TagResource", - "ecs:CreateCluster", - "ecs:CreateService", - "ecs:DeleteCluster", - "ecs:DeleteService", - "ecs:DeregisterTaskDefinition", - "ecs:DescribeClusters", - "ecs:DescribeServices", - "ecs:DescribeTaskDefinition", - "ecs:RegisterTaskDefinition", - "ecs:UpdateService", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:SetSecurityGroups", - "events:PutRule", - "events:PutTargets", - "iam:AttachRolePolicy", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePolicy", - "iam:DetachRolePolicy", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", 
- "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:PassRole", - "iam:PutRolePolicy", - "kms:RetireGrant", - "lambda:AddPermission", - "lambda:CreateEventSourceMapping", - "lambda:DeleteEventSourceMapping", - "lambda:DeleteFunction", - "lambda:GetPolicy", - "lambda:RemovePermission", - "logs:CreateLogGroup", - "logs:DeleteLogGroup", - "logs:DescribeLogGroups", - "logs:ListTagsLogGroup", - "route53:AssociateVPCWithHostedZone", - "route53:ChangeResourceRecordSets", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListHostedZones", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetAccelerateConfiguration", - "s3:GetBucketAcl", - "s3:GetBucketCORS", - "s3:GetBucketLogging", - "s3:GetBucketObjectLockConfiguration", - "s3:GetBucketOwnershipControls", - "s3:GetBucketPolicy", - "s3:GetBucketRequestPayment", - "s3:GetBucketTagging", - "s3:GetBucketVersioning", - "s3:GetBucketWebsite", - "s3:GetEncryptionConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetObject", - "s3:GetReplicationConfiguration", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketOwnershipControls", - "s3:PutBucketPolicy", - "s3:PutBucketTagging", - "s3:PutLifecycleConfiguration", - "s3:PutObject", - "secretsmanager:DeleteSecret", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:Unsubscribe", - "sqs:DeleteMessage", - "sqs:DeleteQueue", - "sqs:ListQueues", - "sqs:createqueue", - "sqs:setqueueattributes", - "ssm:AddTagsToResource", - "ssm:DeleteParameter", - "ssm:PutParameter", - "events:RemoveTargets", - "wafv2:CreateRegexPatternSet", - "wafv2:TagResource", - "wafv2:CreateWebACL", - "wafv2:AssociateWebACL", - "elasticloadbalancing:SetWebACL", - "events:DeleteRule", - 
"wafv2:DeleteRegexPatternSet", - "wafv2:DeleteWebACL", - "s3:PutIntelligentTieringConfiguration", - "ecs:UntagResource", - "lambda:UpdateFunctionConfiguration", - "lambda:UpdateFunctionCode", - "sqs:tagqueue", - "kms:TagResource", - "wafv2:UpdateWebACL", - "dynamodb:UpdateTable", - "kms:CreateKey", - "dynamodb:UpdateContinuousBackups", - "backup:CreateBackupVault", - "application-autoscaling:RegisterScalableTarget", - "application-autoscaling:TagResource", - "s3:PutBucketVersioning", - "kms:CreateAlias", - "kms:DeleteAlias", - "kms:DescribeKey", - "kms:EnableKeyRotation", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListKeys", - "kms:ListResourceTags", - "kms:PutKeyPolicy", - "kms:UntagResource", - "kms:UpdateAlias", - "kms:UpdateKeyDescription", - "kms:ScheduleKeyDeletion", - "application-autoscaling:PutScalingPolicy", - "application-autoscaling:DeleteScalingPolicy", - "application-autoscaling:DeregisterScalableTarget", - "application-autoscaling:UntagResource", - "application-autoscaling:ListTagsForResource", - "cloudwatch:TagResource", - "cloudwatch:UntagResource", - "cloudwatch:ListTagsForResource", - "backup-storage:MountCapsule", - "backup:CreateBackupPlan", - "lambda:PutFunctionConcurrency", - "backup:CreateBackupSelection", - "backup:UpdateBackupPlan", - "backup:DescribeBackupJob", - "backup:ListTags", - "backup:TagResource", - "backup:DeleteBackupVault", - "backup:DeleteBackupSelection", - "iam:UpdateRoleDescription", - "logs:PutMetricFilter", - "ec2:AllocateAddress", - "ec2:CreateNatGateway" - ], - "Resource": "*" - } - ], - "github-extension-1": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ses:SetIdentityMailFromDomain", - "lambda:CreateFunction", - "appconfig:StartDeployment", - "elasticloadbalancing:ModifyListener", - "appconfig:TagResource", - "appconfig:CreateDeploymentStrategy", - "lambda:ListLayers", - "appconfig:DeleteHostedConfigurationVersion", - "dynamodb:UpdateTable", - 
"ec2:DisassociateAddress", - "kms:ListResourceTags", - "ecr:ListTagsForResource", - "lambda:RemoveLayerVersionPermission", - "ses:VerifyDomainIdentity", - "ecs:DeregisterTaskDefinition", - "apigateway:DELETE", - "logs:DeleteMetricFilter", - "apigateway:SetWebACL", - "backup:CreateBackupSelection", - "ec2:DescribeAvailabilityZones", - "kms:CreateKey", - "ec2:ReleaseAddress", - "kms:EnableKeyRotation", - "ecr:PutLifecyclePolicy", - "lambda:UpdateEventSourceMapping", - "backup:DeleteBackupVault", - "route53:ListHostedZones", - "kms:GetKeyPolicy", - "elasticloadbalancing:DeleteTargetGroup", - "appconfig:CreateEnvironment", - "backup:DescribeBackupVault", - "events:DeleteRule", - "appconfig:DeleteDeploymentStrategy", - "ec2:DescribeVpcs", - "kms:ListAliases", - "backup:CreateBackupPlan", - "ses:DeleteIdentity", - "lambda:RemovePermission", - "backup:ListTags", - "route53:GetHostedZone", - "sns:Unsubscribe", - "iam:CreateRole", - "iam:AttachRolePolicy", - "appconfig:CreateApplication", - "ec2:AssociateRouteTable", - "elasticloadbalancing:DeleteLoadBalancer", - "ec2:DescribeInternetGateways", - "backup:DeleteBackupSelection", - "iam:DetachRolePolicy", - "cloudwatch:UntagResource", - "iam:ListAttachedRolePolicies", - "dynamodb:GetItem", - "lambda:ListLayerVersions", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "ec2:DescribeRouteTables", - "application-autoscaling:RegisterScalableTarget", - "dynamodb:PutItem", - "ecs:CreateCluster", - "route53:ChangeResourceRecordSets", - "ec2:CreateRouteTable", - "lambda:AddLayerVersionPermission", - "ec2:DetachInternetGateway", - "logs:CreateLogGroup", - "ecr:DeleteLifecyclePolicy", - "backup-storage:MountCapsule", - "ecs:DescribeClusters", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "ssm:PutParameter", - "logs:PutMetricFilter", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "ec2:DescribeSecurityGroupRules", - "s3:PutBucketLogging", - "application-autoscaling:PutScalingPolicy", - 
"ec2:DescribeVpcEndpoints", - "appconfig:CreateConfigurationProfile", - "route53:GetChange", - "lambda:GetLayerVersion", - "lambda:PublishLayerVersion", - "ses:VerifyDomainDkim", - "lambda:CreateEventSourceMapping", - "lambda:GetLayerVersionPolicy", - "kms:TagResource", - "elasticloadbalancing:DescribeListeners", - "dynamodb:TagResource", - "ec2:CreateSecurityGroup", - "appconfig:CreateHostedConfigurationVersion", - "apigateway:PATCH", - "lambda:DeleteLayerVersion", - "kms:DescribeKey", - "application-autoscaling:ListTagsForResource", - "ec2:ModifyVpcAttribute", - "ecr:DeleteRepositoryPolicy", - "s3:GetBucketPublicAccessBlock", - "ec2:AuthorizeSecurityGroupEgress", - "elasticloadbalancing:ModifyListenerAttributes", - "s3:PutBucketPublicAccessBlock", - "kms:UpdateKeyDescription", - "logs:DescribeLogGroups", - "logs:DeleteLogGroup", - "elasticloadbalancing:DescribeTags", - "ec2:DeleteRoute", - "backup:DeleteRecoveryPoint", - "ec2:AllocateAddress", - "cloudwatch:PutMetricAlarm", - "cloudwatch:TagResource", - "ec2:CreateVpcEndpoint", - "elasticloadbalancing:SetSecurityGroups", - "lambda:DeleteFunctionConcurrency", - "lambda:GetPolicy", - "iam:DeletePolicyVersion", - "ecr:GetRepositoryPolicy", - "s3:PutBucketNotification", - "iam:UpdateAssumeRolePolicy" - ], - "Resource": "*" - } - ], - "scheduler_policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": "scheduler:DeleteSchedule", - "Resource": "*" - } - ], - "ecs_policy": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ecs:UpdateCluster", - "ecs:PutClusterCapacityProviders" - ], - "Resource": "*" - } - ], - "ReadOnlyAccess": [ - { - "Sid": "ReadOnlyActionsGroup1", - "Effect": "Allow", - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAccessPreview", - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:GetFindingsStatistics", - 
"access-analyzer:GetGeneratedPolicy", - "access-analyzer:ListAccessPreviewFindings", - "access-analyzer:ListAccessPreviews", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListPolicyGenerations", - "access-analyzer:ListTagsForResource", - "access-analyzer:ValidatePolicy", - "account:GetAccountInformation", - "account:GetAlternateContact", - "account:GetContactInformation", - "account:GetPrimaryEmail", - "account:GetRegionOptStatus", - "account:ListRegions", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "action-recommendations:ListRecommendedActions", - "aiops:GetEphemeralInvestigationResults", - "aiops:GetInvestigation", - "aiops:GetInvestigationEvent", - "aiops:GetInvestigationGroup", - "aiops:GetInvestigationResource", - "aiops:ListInvestigationEvents", - "aiops:ListInvestigationGroups", - "aiops:ListInvestigations", - "aiops:ValidateInvestigationGroup", - "airflow:ListEnvironments", - "airflow:ListTagsForResource", - "amplify:GetApp", - "amplify:GetBackendEnvironment", - "amplify:GetBranch", - "amplify:GetDomainAssociation", - "amplify:GetJob", - "amplify:GetWebhook", - "amplify:ListApps", - "amplify:ListArtifacts", - "amplify:ListBackendEnvironments", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "amplify:ListTagsForResource", - "amplify:ListWebhooks", - "aoss:BatchGetCollection", - "aoss:BatchGetLifecyclePolicy", - "aoss:BatchGetVpcEndpoint", - "aoss:GetAccessPolicy", - "aoss:GetAccountSettings", - "aoss:GetPoliciesStats", - "aoss:GetSecurityConfig", - "aoss:GetSecurityPolicy", - "aoss:ListAccessPolicies", - "aoss:ListCollections", - "aoss:ListLifecyclePolicies", - "aoss:ListSecurityConfigs", - "aoss:ListSecurityPolicies", - "aoss:ListTagsForResource", - "aoss:ListVpcEndpoints", - "apigateway:GET", - "appconfig:GetApplication", - 
"appconfig:GetConfiguration", - "appconfig:GetConfigurationProfile", - "appconfig:GetDeployment", - "appconfig:GetDeploymentStrategy", - "appconfig:GetEnvironment", - "appconfig:GetExtension", - "appconfig:GetHostedConfigurationVersion", - "appconfig:ListApplications", - "appconfig:ListConfigurationProfiles", - "appconfig:ListDeploymentStrategies", - "appconfig:ListDeployments", - "appconfig:ListEnvironments", - "appconfig:ListExtensions", - "appconfig:ListHostedConfigurationVersions", - "appconfig:ListTagsForResource", - "appfabric:GetAppAuthorization", - "appfabric:GetAppBundle", - "appfabric:GetIngestion", - "appfabric:GetIngestionDestination", - "appfabric:ListAppAuthorizations", - "appfabric:ListAppBundles", - "appfabric:ListIngestionDestinations", - "appfabric:ListIngestions", - "appfabric:ListTagsForResource", - "appflow:DescribeConnector", - "appflow:DescribeConnectorEntity", - "appflow:DescribeConnectorFields", - "appflow:DescribeConnectorProfiles", - "appflow:DescribeConnectors", - "appflow:DescribeFlow", - "appflow:DescribeFlowExecution", - "appflow:DescribeFlowExecutionRecords", - "appflow:DescribeFlows", - "appflow:ListConnectorEntities", - "appflow:ListConnectorFields", - "appflow:ListConnectors", - "appflow:ListFlows", - "appflow:ListTagsForResource", - "application-autoscaling:Describe*", - "application-autoscaling:GetPredictiveScalingForecast", - "application-autoscaling:ListTagsForResource", - "application-signals:BatchGetServiceLevelObjectiveBudgetReport", - "application-signals:GetService", - "application-signals:GetServiceLevelObjective", - "application-signals:ListObservedEntities", - "application-signals:ListServiceDependencies", - "application-signals:ListServiceDependents", - "application-signals:ListServiceLevelObjectives", - "application-signals:ListServiceOperations", - "application-signals:ListServices", - "application-signals:ListTagsForResource", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", 
- "appmesh:List*", - "apprunner:DescribeAutoScalingConfiguration", - "apprunner:DescribeCustomDomains", - "apprunner:DescribeObservabilityConfiguration", - "apprunner:DescribeService", - "apprunner:DescribeVpcConnector", - "apprunner:DescribeVpcIngressConnection", - "apprunner:DescribeWebAclForService", - "apprunner:ListAssociatedServicesForWebAcl", - "apprunner:ListAutoScalingConfigurations", - "apprunner:ListConnections", - "apprunner:ListObservabilityConfigurations", - "apprunner:ListOperations", - "apprunner:ListServices", - "apprunner:ListServicesForAutoScalingConfiguration", - "apprunner:ListTagsForResource", - "apprunner:ListVpcConnectors", - "apprunner:ListVpcIngressConnections", - "appstream:Describe*", - "appstream:List*", - "appstudio:GetAccountStatus", - "appstudio:GetEnablementJobStatus", - "appsync:Get*", - "appsync:List*", - "apptest:GetTestCase", - "apptest:GetTestConfiguration", - "apptest:GetTestRunStep", - "apptest:GetTestSuite", - "apptest:ListTagsForResource", - "apptest:ListTestCases", - "apptest:ListTestConfigurations", - "apptest:ListTestRunSteps", - "apptest:ListTestRunTestCases", - "apptest:ListTestRuns", - "apptest:ListTestSuites", - "aps:DescribeAlertManagerDefinition", - "aps:DescribeLoggingConfiguration", - "aps:DescribeRuleGroupsNamespace", - "aps:DescribeScraper", - "aps:DescribeWorkspace", - "aps:GetAlertManagerSilence", - "aps:GetAlertManagerStatus", - "aps:GetDefaultScraperConfiguration", - "aps:GetLabels", - "aps:GetMetricMetadata", - "aps:GetSeries", - "aps:ListAlertManagerAlertGroups", - "aps:ListAlertManagerAlerts", - "aps:ListAlertManagerReceivers", - "aps:ListAlertManagerSilences", - "aps:ListAlerts", - "aps:ListRuleGroupsNamespaces", - "aps:ListRules", - "aps:ListScrapers", - "aps:ListTagsForResource", - "aps:ListWorkspaces", - "aps:QueryMetrics", - "arc-region-switch:GetPlan", - "arc-region-switch:GetPlanEvaluationStatus", - "arc-region-switch:GetPlanExecution", - "arc-region-switch:GetPlanInRegion", - 
"arc-region-switch:ListPlanExecutionEvents", - "arc-region-switch:ListPlanExecutions", - "arc-region-switch:ListPlans", - "arc-region-switch:ListPlansInRegion", - "arc-region-switch:ListRoute53HealthChecks", - "arc-region-switch:ListTagsForResource", - "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", - "arc-zonal-shift:GetManagedResource", - "arc-zonal-shift:ListAutoshifts", - "arc-zonal-shift:ListManagedResources", - "arc-zonal-shift:ListZonalShifts", - "artifact:GetCustomerAgreement", - "artifact:GetReport", - "artifact:GetReportMetadata", - "artifact:GetTermForReport", - "artifact:ListAgreements", - "artifact:ListCustomerAgreements", - "artifact:ListReports", - "athena:Batch*", - "athena:Get*", - "athena:List*", - "auditmanager:GetAccountStatus", - "auditmanager:GetAssessment", - "auditmanager:GetAssessmentFramework", - "auditmanager:GetAssessmentReportUrl", - "auditmanager:GetChangeLogs", - "auditmanager:GetControl", - "auditmanager:GetDelegations", - "auditmanager:GetEvidence", - "auditmanager:GetEvidenceByEvidenceFolder", - "auditmanager:GetEvidenceFolder", - "auditmanager:GetEvidenceFoldersByAssessment", - "auditmanager:GetEvidenceFoldersByAssessmentControl", - "auditmanager:GetOrganizationAdminAccount", - "auditmanager:GetServicesInScope", - "auditmanager:GetSettings", - "auditmanager:ListAssessmentFrameworks", - "auditmanager:ListAssessmentReports", - "auditmanager:ListAssessments", - "auditmanager:ListControls", - "auditmanager:ListKeywordsForDataSource", - "auditmanager:ListNotifications", - "auditmanager:ListTagsForResource", - "auditmanager:ValidateAssessmentReportIntegrity", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "autoscaling:Describe*", - "autoscaling:GetPredictiveScalingForecast", - "aws-portal:View*", - "backup-gateway:GetBandwidthRateLimitSchedule", - "backup-gateway:GetGateway", - "backup-gateway:GetHypervisor", - "backup-gateway:GetHypervisorPropertyMappings", - 
"backup-gateway:GetVirtualMachine", - "backup-gateway:ListGateways", - "backup-gateway:ListHypervisors", - "backup-gateway:ListTagsForResource", - "backup-gateway:ListVirtualMachines", - "backup:Describe*", - "backup:Get*", - "backup:List*", - "batch:Describe*", - "batch:List*", - "bedrock-agentcore:GetAgentRuntime", - "bedrock-agentcore:GetAgentRuntimeEndpoint", - "bedrock-agentcore:GetApiKeyCredentialProvider", - "bedrock-agentcore:GetBrowser", - "bedrock-agentcore:GetBrowserSession", - "bedrock-agentcore:GetCodeInterpreter", - "bedrock-agentcore:GetCodeInterpreterSession", - "bedrock-agentcore:GetEvent", - "bedrock-agentcore:GetGateway", - "bedrock-agentcore:GetGatewayTarget", - "bedrock-agentcore:GetMemory", - "bedrock-agentcore:GetMemoryRecord", - "bedrock-agentcore:GetOauth2CredentialProvider", - "bedrock-agentcore:GetTokenVault", - "bedrock-agentcore:GetWorkloadIdentity", - "bedrock-agentcore:ListAgentRuntimeEndpoints", - "bedrock-agentcore:ListAgentRuntimes", - "bedrock-agentcore:ListAgentRuntimeVersions", - "bedrock-agentcore:ListApiKeyCredentialProviders", - "bedrock-agentcore:ListBrowsers", - "bedrock-agentcore:ListBrowserSessions", - "bedrock-agentcore:ListCodeInterpreters", - "bedrock-agentcore:ListCodeInterpreterSessions", - "bedrock-agentcore:ListEvents", - "bedrock-agentcore:ListGateways", - "bedrock-agentcore:ListGatewayTargets", - "bedrock-agentcore:ListMemories", - "bedrock-agentcore:ListMemoryRecords", - "bedrock-agentcore:ListOauth2CredentialProviders", - "bedrock-agentcore:ListWorkloadIdentities", - "bedrock-agentcore:RetrieveMemoryRecords", - "bedrock:GetAgent", - "bedrock:GetAgentActionGroup", - "bedrock:GetAgentAlias", - "bedrock:GetAgentCollaborator", - "bedrock:GetAgentKnowledgeBase", - "bedrock:GetAgentVersion", - "bedrock:GetCustomModel", - "bedrock:GetDataSource", - "bedrock:GetEvaluationJob", - "bedrock:GetFlow", - "bedrock:GetFlowAlias", - "bedrock:GetFlowVersion", - "bedrock:GetFoundationModel", - 
"bedrock:GetFoundationModelAvailability", - "bedrock:GetGuardrail", - "bedrock:GetInferenceProfile", - "bedrock:GetIngestionJob", - "bedrock:GetKnowledgeBase", - "bedrock:GetModelCustomizationJob", - "bedrock:GetModelInvocationJob", - "bedrock:GetModelInvocationLoggingConfiguration", - "bedrock:GetPrompt", - "bedrock:GetProvisionedModelThroughput", - "bedrock:GetUseCaseForModelAccess", - "bedrock:ListAgentActionGroups", - "bedrock:ListAgentAliases", - "bedrock:ListAgentCollaborators", - "bedrock:ListAgentKnowledgeBases", - "bedrock:ListAgentVersions", - "bedrock:ListAgents", - "bedrock:ListCustomModels", - "bedrock:ListDataSources", - "bedrock:ListEvaluationJobs", - "bedrock:ListFlowAliases", - "bedrock:ListFlowVersions", - "bedrock:ListFlows", - "bedrock:ListFoundationModelAgreementOffers", - "bedrock:ListFoundationModels", - "bedrock:ListGuardrails", - "bedrock:ListInferenceProfiles", - "bedrock:ListIngestionJobs", - "bedrock:ListKnowledgeBases", - "bedrock:ListModelCustomizationJobs", - "bedrock:ListModelInvocationJobs", - "bedrock:ListPrompts", - "bedrock:ListProvisionedModelThroughputs", - "billing:GetBillingData", - "billing:GetBillingDetails", - "billing:GetBillingNotifications", - "billing:GetBillingPreferences", - "billing:GetBillingView", - "billing:GetContractInformation", - "billing:GetCredits", - "billing:GetIAMAccessPreference", - "billing:GetResourcePolicy", - "billing:GetSellerOfRecord", - "billing:ListBillingViews", - "billing:ListSourceViewsForBillingView", - "billing:ListTagsForResource", - "billingconductor:GetBillingGroupCostReport", - "billingconductor:ListAccountAssociations", - "billingconductor:ListBillingGroupCostReports", - "billingconductor:ListBillingGroups", - "billingconductor:ListCustomLineItemVersions", - "billingconductor:ListCustomLineItems", - "billingconductor:ListPricingPlans", - "billingconductor:ListPricingPlansAssociatedWithPricingRule", - "billingconductor:ListPricingRules", - 
"billingconductor:ListPricingRulesAssociatedToPricingPlan", - "billingconductor:ListResourcesAssociatedToCustomLineItem", - "billingconductor:ListTagsForResource", - "braket:GetDevice", - "braket:GetJob", - "braket:GetQuantumTask", - "braket:SearchDevices", - "braket:SearchJobs", - "braket:SearchQuantumTasks", - "budgets:Describe*", - "budgets:ListTagsForResource", - "budgets:View*", - "cassandra:Select", - "ce:DescribeCostCategoryDefinition", - "ce:DescribeNotificationSubscription", - "ce:DescribeReport", - "ce:GetAnomalies", - "ce:GetAnomalyMonitors", - "ce:GetAnomalySubscriptions", - "ce:GetApproximateUsageRecords", - "ce:GetCommitmentPurchaseAnalysis", - "ce:GetCostAndUsage", - "ce:GetCostAndUsageComparisons", - "ce:GetCostAndUsageWithResources", - "ce:GetCostCategories", - "ce:GetCostComparisonDrivers", - "ce:GetCostForecast", - "ce:GetDimensionValues", - "ce:GetPreferences", - "ce:GetReservationCoverage", - "ce:GetReservationPurchaseRecommendation", - "ce:GetReservationUtilization", - "ce:GetRightsizingRecommendation", - "ce:GetSavingsPlanPurchaseRecommendationDetails", - "ce:GetSavingsPlansCoverage", - "ce:GetSavingsPlansPurchaseRecommendation", - "ce:GetSavingsPlansUtilization", - "ce:GetSavingsPlansUtilizationDetails", - "ce:GetTags", - "ce:GetUsageForecast", - "ce:ListCommitmentPurchaseAnalyses", - "ce:ListCostAllocationTagBackfillHistory", - "ce:ListCostAllocationTags", - "ce:ListCostCategoryDefinitions", - "ce:ListSavingsPlansPurchaseRecommendationGeneration", - "ce:ListTagsForResource", - "chatbot:Describe*", - "chatbot:Get*", - "chatbot:List*", - "chime:Get*", - "chime:List*", - "chime:Retrieve*", - "chime:Search*", - "chime:Validate*", - "cleanrooms-ml:GetAudienceGenerationJob", - "cleanrooms-ml:GetAudienceModel", - "cleanrooms-ml:GetConfiguredAudienceModel", - "cleanrooms-ml:GetConfiguredAudienceModelPolicy", - "cleanrooms-ml:GetTrainingDataset", - "cleanrooms-ml:ListAudienceExportJobs", - "cleanrooms-ml:ListAudienceGenerationJobs", - 
"cleanrooms-ml:ListAudienceModels", - "cleanrooms-ml:ListConfiguredAudienceModels", - "cleanrooms-ml:ListTagsForResource", - "cleanrooms-ml:ListTrainingDatasets", - "cleanrooms:BatchGetCollaborationAnalysisTemplate", - "cleanrooms:BatchGetSchema", - "cleanrooms:BatchGetSchemaAnalysisRule", - "cleanrooms:GetAnalysisTemplate", - "cleanrooms:GetCollaboration", - "cleanrooms:GetCollaborationAnalysisTemplate", - "cleanrooms:GetCollaborationConfiguredAudienceModelAssociation", - "cleanrooms:GetCollaborationIdNamespaceAssociation", - "cleanrooms:GetCollaborationPrivacyBudgetTemplate", - "cleanrooms:GetConfiguredAudienceModelAssociation", - "cleanrooms:GetConfiguredTable", - "cleanrooms:GetConfiguredTableAnalysisRule", - "cleanrooms:GetConfiguredTableAssociation", - "cleanrooms:GetConfiguredTableAssociationAnalysisRule", - "cleanrooms:GetIdMappingTable", - "cleanrooms:GetIdNamespaceAssociation", - "cleanrooms:GetMembership", - "cleanrooms:GetPrivacyBudgetTemplate", - "cleanrooms:GetProtectedQuery", - "cleanrooms:GetSchema", - "cleanrooms:GetSchemaAnalysisRule", - "cleanrooms:ListAnalysisTemplates", - "cleanrooms:ListCollaborationAnalysisTemplates", - "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations", - "cleanrooms:ListCollaborationIdNamespaceAssociations", - "cleanrooms:ListCollaborationPrivacyBudgetTemplates", - "cleanrooms:ListCollaborationPrivacyBudgets", - "cleanrooms:ListCollaborations", - "cleanrooms:ListConfiguredAudienceModelAssociations", - "cleanrooms:ListConfiguredTableAssociations", - "cleanrooms:ListConfiguredTables", - "cleanrooms:ListIdMappingTables", - "cleanrooms:ListIdNamespaceAssociations", - "cleanrooms:ListMembers", - "cleanrooms:ListMemberships", - "cleanrooms:ListPrivacyBudgetTemplates", - "cleanrooms:ListPrivacyBudgets", - "cleanrooms:ListProtectedQueries", - "cleanrooms:ListSchemas", - "cleanrooms:ListTagsForResource", - "cleanrooms:PreviewPrivacyImpact", - "cloud9:Describe*", - "cloud9:List*", - "clouddirectory:BatchRead", - 
"clouddirectory:Get*", - "clouddirectory:List*", - "clouddirectory:LookupPolicy", - "cloudformation:Describe*", - "cloudformation:Detect*", - "cloudformation:Estimate*", - "cloudformation:Get*", - "cloudformation:List*", - "cloudformation:ValidateTemplate", - "cloudfront-keyvaluestore:Describe*", - "cloudfront-keyvaluestore:Get*", - "cloudfront-keyvaluestore:List*", - "cloudfront:Describe*", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:Describe*", - "cloudhsm:GetResourcePolicy", - "cloudhsm:List*", - "cloudsearch:Describe*", - "cloudsearch:List*", - "cloudtrail:Describe*", - "cloudtrail:Get*", - "cloudtrail:List*", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "cloudwatch:GenerateQuery", - "cloudwatch:GenerateQueryResultsSummary", - "cloudwatch:Get*", - "cloudwatch:List*", - "codeartifact:DescribeDomain", - "codeartifact:DescribePackage", - "codeartifact:DescribePackageVersion", - "codeartifact:DescribeRepository", - "codeartifact:GetAuthorizationToken", - "codeartifact:GetDomainPermissionsPolicy", - "codeartifact:GetPackageVersionAsset", - "codeartifact:GetPackageVersionReadme", - "codeartifact:GetRepositoryEndpoint", - "codeartifact:GetRepositoryPermissionsPolicy", - "codeartifact:ListDomains", - "codeartifact:ListPackageVersionAssets", - "codeartifact:ListPackageVersionDependencies", - "codeartifact:ListPackageVersions", - "codeartifact:ListPackages", - "codeartifact:ListRepositories", - "codeartifact:ListRepositoriesInDomain", - "codeartifact:ListTagsForResource", - "codeartifact:ReadFromRepository", - "codebuild:BatchGet*", - "codebuild:DescribeCodeCoverages", - "codebuild:DescribeTestCases", - "codebuild:List*", - "codecatalyst:GetBillingAuthorization", - "codecatalyst:GetConnection", - "codecatalyst:GetPendingConnection", - "codecatalyst:ListConnections", - "codecatalyst:ListIamRolesForConnection", - "codecatalyst:ListTagsForResource", - "codecommit:BatchGet*", - "codecommit:Describe*", - "codecommit:Get*", - "codecommit:GitPull", - 
"codecommit:List*", - "codedeploy:BatchGet*", - "codedeploy:Get*", - "codedeploy:List*", - "codeguru-profiler:Describe*", - "codeguru-profiler:Get*", - "codeguru-profiler:List*", - "codeguru-reviewer:Describe*", - "codeguru-reviewer:Get*", - "codeguru-reviewer:List*", - "codepipeline:Get*", - "codepipeline:List*", - "codestar-connections:GetConnection", - "codestar-connections:GetHost", - "codestar-connections:GetRepositoryLink", - "codestar-connections:GetRepositorySyncStatus", - "codestar-connections:GetResourceSyncStatus", - "codestar-connections:GetSyncConfiguration", - "codestar-connections:ListConnections", - "codestar-connections:ListHosts", - "codestar-connections:ListRepositoryLinks", - "codestar-connections:ListRepositorySyncDefinitions", - "codestar-connections:ListSyncConfigurations", - "codestar-connections:ListTagsForResource", - "codestar-notifications:ListTargets", - "codestar-notifications:describeNotificationRule", - "codestar-notifications:listEventTypes", - "codestar-notifications:listNotificationRules", - "codestar-notifications:listTagsForResource", - "codestar:Describe*", - "codestar:Get*", - "codestar:List*", - "codestar:Verify*", - "codewhisperer:ListProfiles", - "cognito-identity:Describe*", - "cognito-identity:GetCredentialsForIdentity", - "cognito-identity:GetIdentityPoolAnalytics", - "cognito-identity:GetIdentityPoolDailyAnalytics", - "cognito-identity:GetIdentityPoolRoles", - "cognito-identity:GetIdentityProviderDailyAnalytics", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:List*", - "cognito-identity:Lookup*", - "cognito-idp:AdminGet*", - "cognito-idp:AdminList*", - "cognito-idp:Describe*", - "cognito-idp:Get*", - "cognito-idp:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:List*", - "cognito-sync:QueryRecords", - "comprehend:BatchDetect*", - "comprehend:Classify*", - "comprehend:Contains*", - "comprehend:Describe*", - "comprehend:Detect*", 
- "comprehend:List*", - "compute-optimizer:DescribeRecommendationExportJobs", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEBSVolumeRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - "compute-optimizer:GetECSServiceRecommendationProjectedMetrics", - "compute-optimizer:GetECSServiceRecommendations", - "compute-optimizer:GetEffectiveRecommendationPreferences", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetEnrollmentStatusesForOrganization", - "compute-optimizer:GetIdleRecommendations", - "compute-optimizer:GetLambdaFunctionRecommendations", - "compute-optimizer:GetLicenseRecommendations", - "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics", - "compute-optimizer:GetRDSDatabaseRecommendations", - "compute-optimizer:GetRecommendationPreferences", - "compute-optimizer:GetRecommendationSummaries", - "config:BatchGetAggregateResourceConfig", - "config:BatchGetResourceConfig", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectAggregateResourceConfig", - "config:SelectResourceConfig", - "connect:Describe*", - "connect:GetContactAttributes", - "connect:GetCurrentMetricData", - "connect:GetCurrentUserData", - "connect:GetFederationToken", - "connect:GetMetricData", - "connect:GetMetricDataV2", - "connect:GetTaskTemplate", - "connect:GetTrafficDistribution", - "connect:List*", - "consoleapp:GetDeviceIdentity", - "consoleapp:ListDeviceIdentities", - "consolidatedbilling:GetAccountBillingRole", - "consolidatedbilling:ListLinkedAccounts", - "controlcatalog:GetControl", - "controlcatalog:ListCommonControls", - "controlcatalog:ListControlMappings", - "controlcatalog:ListControls", - "controlcatalog:ListDomains", - "controlcatalog:ListObjectives", - "cost-optimization-hub:GetPreferences", - "cost-optimization-hub:GetRecommendation", - "cost-optimization-hub:ListEnrollmentStatuses", - 
"cost-optimization-hub:ListRecommendationSummaries", - "cost-optimization-hub:ListRecommendations", - "cur:GetClassicReport", - "cur:GetClassicReportPreferences", - "cur:GetUsageReport", - "customer-verification:GetCustomerVerificationDetails", - "customer-verification:GetCustomerVerificationEligibility", - "databrew:DescribeDataset", - "databrew:DescribeJob", - "databrew:DescribeJobRun", - "databrew:DescribeProject", - "databrew:DescribeRecipe", - "databrew:DescribeRuleset", - "databrew:DescribeSchedule", - "databrew:ListDatasets", - "databrew:ListJobRuns", - "databrew:ListJobs", - "databrew:ListProjects", - "databrew:ListRecipeVersions", - "databrew:ListRecipes", - "databrew:ListRulesets", - "databrew:ListSchedules", - "databrew:ListTagsForResource", - "dataexchange:Get*", - "dataexchange:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "datasync:Describe*", - "datasync:List*", - "datazone:GetAsset", - "datazone:GetAssetType", - "datazone:GetDataProduct", - "datazone:GetDataSource", - "datazone:GetDataSourceRun", - "datazone:GetDomain", - "datazone:GetDomainSharingPolicy", - "datazone:GetDomainUnit", - "datazone:GetEnvironment", - "datazone:GetEnvironmentAction", - "datazone:GetEnvironmentBlueprint", - "datazone:GetEnvironmentBlueprintConfiguration", - "datazone:GetEnvironmentProfile", - "datazone:GetFormType", - "datazone:GetGlossary", - "datazone:GetGlossaryTerm", - "datazone:GetGroupProfile", - "datazone:GetLineageNode", - "datazone:GetListing", - "datazone:GetMetadataGenerationRun", - "datazone:GetProject", - "datazone:GetProjectProfile", - "datazone:GetSubscription", - "datazone:GetSubscriptionEligibility", - "datazone:GetSubscriptionGrant", - "datazone:GetSubscriptionRequestDetails", - "datazone:GetSubscriptionTarget", - "datazone:GetTimeSeriesDataPoint", - "datazone:GetUserProfile", - "datazone:ListAccountEnvironments", - 
"datazone:ListAssetRevisions", - "datazone:ListDataProductRevisions", - "datazone:ListDataSourceRunActivities", - "datazone:ListDataSourceRuns", - "datazone:ListDataSources", - "datazone:ListDomainUnitsForParent", - "datazone:ListDomains", - "datazone:ListEntityOwners", - "datazone:ListEnvironmentActions", - "datazone:ListEnvironmentBlueprintConfigurationSummaries", - "datazone:ListEnvironmentBlueprintConfigurations", - "datazone:ListEnvironmentBlueprints", - "datazone:ListEnvironmentProfiles", - "datazone:ListEnvironments", - "datazone:ListGroupsForUser", - "datazone:ListLineageNodeHistory", - "datazone:ListNotifications", - "datazone:ListPolicyGrants", - "datazone:ListProjectMemberships", - "datazone:ListProjectProfiles", - "datazone:ListProjects", - "datazone:ListSubscriptionGrants", - "datazone:ListSubscriptionRequests", - "datazone:ListSubscriptionTargets", - "datazone:ListSubscriptions", - "datazone:ListTagsForResource", - "datazone:ListTimeSeriesDataPoints", - "datazone:Search", - "datazone:SearchGroupProfiles", - "datazone:SearchListings", - "datazone:SearchTypes", - "datazone:SearchUserProfiles", - "dax:BatchGetItem", - "dax:Describe*", - "dax:GetItem", - "dax:ListTags", - "dax:Query", - "dax:Scan", - "deadline:BatchGetJobEntity", - "deadline:GetApplicationVersion", - "deadline:GetBudget", - "deadline:GetFarm", - "deadline:GetFleet", - "deadline:GetJob", - "deadline:GetLicenseEndpoint", - "deadline:GetMonitor", - "deadline:GetQueue", - "deadline:GetQueueEnvironment", - "deadline:GetQueueFleetAssociation", - "deadline:GetSession", - "deadline:GetSessionAction", - "deadline:GetSessionsStatisticsAggregation", - "deadline:GetStep", - "deadline:GetStorageProfile", - "deadline:GetStorageProfileForQueue", - "deadline:GetTask", - "deadline:GetWorker", - "deadline:ListAvailableMeteredProducts", - "deadline:ListBudgets", - "deadline:ListFarmMembers", - "deadline:ListFarms", - "deadline:ListFleetMembers", - "deadline:ListFleets", - "deadline:ListJobMembers", - 
"deadline:ListJobParameterDefinitions", - "deadline:ListJobs", - "deadline:ListLicenseEndpoints", - "deadline:ListMeteredProducts", - "deadline:ListMonitors", - "deadline:ListQueueEnvironments", - "deadline:ListQueueFleetAssociations", - "deadline:ListQueueMembers", - "deadline:ListQueues", - "deadline:ListSessionActions", - "deadline:ListSessions", - "deadline:ListSessionsForWorker", - "deadline:ListStepConsumers", - "deadline:ListStepDependencies", - "deadline:ListSteps", - "deadline:ListStorageProfiles", - "deadline:ListStorageProfilesForQueue", - "deadline:ListTagsForResource", - "deadline:ListTasks", - "deadline:ListWorkers", - "deadline:SearchJobs", - "deadline:SearchSteps", - "deadline:SearchTasks", - "deadline:SearchWorkers", - "deepcomposer:GetComposition", - "deepcomposer:GetModel", - "deepcomposer:GetSampleModel", - "deepcomposer:ListCompositions", - "deepcomposer:ListModels", - "deepcomposer:ListSampleModels", - "deepcomposer:ListTrainingTopics", - "detective:BatchGetGraphMemberDatasources", - "detective:BatchGetMembershipDatasources", - "detective:Get*", - "detective:List*", - "detective:SearchGraph", - "devicefarm:Get*", - "devicefarm:List*", - "devops-guru:DescribeAccountHealth", - "devops-guru:DescribeAccountOverview", - "devops-guru:DescribeAnomaly", - "devops-guru:DescribeEventSourcesConfig", - "devops-guru:DescribeFeedback", - "devops-guru:DescribeInsight", - "devops-guru:DescribeOrganizationHealth", - "devops-guru:DescribeOrganizationOverview", - "devops-guru:DescribeOrganizationResourceCollectionHealth", - "devops-guru:DescribeResourceCollectionHealth", - "devops-guru:DescribeServiceIntegration", - "devops-guru:GetCostEstimation", - "devops-guru:GetResourceCollection", - "devops-guru:ListAnomaliesForInsight", - "devops-guru:ListAnomalousLogGroups", - "devops-guru:ListEvents", - "devops-guru:ListInsights", - "devops-guru:ListMonitoredResources", - "devops-guru:ListNotificationChannels", - "devops-guru:ListOrganizationInsights", - 
"devops-guru:ListRecommendations", - "devops-guru:SearchInsights", - "devops-guru:StartCostEstimation", - "directconnect:Describe*", - "discovery:Describe*", - "discovery:Get*", - "discovery:List*", - "dlm:Get*", - "dms:Describe*", - "dms:List*", - "dms:Test*", - "docdb-elastic:ListClusters", - "docdb-elastic:ListClusterSnapshots", - "docdb-elastic:ListPendingMaintenanceActions", - "docdb-elastic:ListTagsForResource", - "drs:DescribeJobLogItems", - "drs:DescribeJobs", - "drs:DescribeLaunchConfigurationTemplates", - "drs:DescribeRecoveryInstances", - "drs:DescribeRecoverySnapshots", - "drs:DescribeReplicationConfigurationTemplates", - "drs:DescribeSourceNetworks", - "drs:DescribeSourceServers", - "drs:GetFailbackReplicationConfiguration", - "drs:GetLaunchConfiguration", - "drs:GetReplicationConfiguration", - "drs:ListExtensibleSourceServers", - "drs:ListLaunchActions", - "drs:ListStagingAccounts", - "drs:ListTagsForResource", - "ds:Check*", - "ds:Describe*", - "ds:Get*", - "ds:List*", - "ds:Verify*", - "dsql:GetCluster", - "dsql:GetVpcEndpointServiceName", - "dsql:ListClusters", - "dsql:ListTagsForResource", - "dynamodb:BatchGet*", - "dynamodb:Describe*", - "dynamodb:Get*", - "dynamodb:List*", - "dynamodb:PartiQLSelect", - "dynamodb:Query", - "dynamodb:Scan", - "ec2:Describe*", - "ec2:DescribeInstanceImageMetadata", - "ec2:Get*", - "ec2:ListImagesInRecycleBin", - "ec2:ListSnapshotsInRecycleBin", - "ec2:SearchLocalGatewayRoutes", - "ec2:SearchTransitGatewayRoutes", - "ec2messages:Get*", - "ecr-public:BatchCheckLayerAvailability", - "ecr-public:DescribeImageTags", - "ecr-public:DescribeImages", - "ecr-public:DescribeRegistries", - "ecr-public:DescribeRepositories", - "ecr-public:GetAuthorizationToken", - "ecr-public:GetRegistryCatalogData", - "ecr-public:GetRepositoryCatalogData", - "ecr-public:GetRepositoryPolicy", - "ecr-public:ListTagsForResource", - "ecr:BatchCheck*", - "ecr:BatchGet*", - "ecr:Describe*", - "ecr:Get*", - "ecr:List*", - "ecs:Describe*", - 
"ecs:List*", - "eks:Describe*", - "eks:List*", - "elasticache:Describe*", - "elasticache:List*", - "elasticbeanstalk:Check*", - "elasticbeanstalk:Describe*", - "elasticbeanstalk:List*", - "elasticbeanstalk:Request*", - "elasticbeanstalk:Retrieve*", - "elasticbeanstalk:Validate*", - "elasticfilesystem:Describe*", - "elasticfilesystem:ListTagsForResource", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:GetBlockPublicAccessConfiguration", - "elasticmapreduce:List*", - "elasticmapreduce:View*", - "elastictranscoder:List*", - "elastictranscoder:Read*", - "elemental-appliances-software:Get*", - "elemental-appliances-software:List*", - "emr-containers:DescribeJobRun", - "emr-containers:DescribeManagedEndpoint", - "emr-containers:DescribeVirtualCluster", - "emr-containers:ListJobRuns", - "emr-containers:ListManagedEndpoints", - "emr-containers:ListTagsForResource", - "emr-containers:ListVirtualClusters", - "emr-serverless:GetApplication", - "emr-serverless:GetDashboardForJobRun", - "emr-serverless:GetJobRun", - "emr-serverless:ListApplications", - "emr-serverless:ListJobRuns", - "emr-serverless:ListTagsForResource", - "es:Describe*", - "es:ESHttpGet", - "es:ESHttpHead", - "es:Get*", - "es:List*", - "events:Describe*", - "events:List*", - "events:Test*", - "evidently:GetExperiment", - "evidently:GetExperimentResults", - "evidently:GetFeature", - "evidently:GetLaunch", - "evidently:GetProject", - "evidently:GetSegment", - "evidently:ListExperiments", - "evidently:ListFeatures", - "evidently:ListLaunches", - "evidently:ListProjects", - "evidently:ListSegmentReferences", - "evidently:ListSegments", - "evidently:ListTagsForResource", - "evidently:TestSegmentPattern", - "firehose:Describe*", - "firehose:List*", - "fis:GetAction", - "fis:GetExperiment", - "fis:GetExperimentTargetAccountConfiguration", - "fis:GetExperimentTemplate", - "fis:GetTargetAccountConfiguration", - "fis:GetTargetResourceType", - "fis:ListActions", - 
"fis:ListExperimentResolvedTargets", - "fis:ListExperimentTargetAccountConfigurations", - "fis:ListExperimentTemplates", - "fis:ListExperiments", - "fis:ListTagsForResource", - "fis:ListTargetAccountConfigurations", - "fis:ListTargetResourceTypes", - "fms:GetAdminAccount", - "fms:GetAdminScope", - "fms:GetAppsList", - "fms:GetComplianceDetail", - "fms:GetNotificationChannel", - "fms:GetPolicy", - "fms:GetProtectionStatus", - "fms:GetProtocolsList", - "fms:GetViolationDetails", - "fms:ListAppsLists", - "fms:ListComplianceStatus", - "fms:ListMemberAccounts", - "fms:ListPolicies", - "fms:ListProtocolsLists", - "fms:ListTagsForResource", - "forecast:DescribeAutoPredictor", - "forecast:DescribeDataset", - "forecast:DescribeDatasetGroup", - "forecast:DescribeDatasetImportJob", - "forecast:DescribeExplainability", - "forecast:DescribeExplainabilityExport", - "forecast:DescribeForecast", - "forecast:DescribeForecastExportJob", - "forecast:DescribeMonitor", - "forecast:DescribePredictor", - "forecast:DescribePredictorBacktestExportJob", - "forecast:DescribeWhatIfAnalysis", - "forecast:DescribeWhatIfForecast", - "forecast:DescribeWhatIfForecastExport", - "forecast:GetAccuracyMetrics", - "forecast:ListDatasetGroups", - "forecast:ListDatasetImportJobs", - "forecast:ListDatasets", - "forecast:ListExplainabilities", - "forecast:ListExplainabilityExports", - "forecast:ListForecastExportJobs", - "forecast:ListForecasts", - "forecast:ListMonitorEvaluations", - "forecast:ListMonitors", - "forecast:ListPredictorBacktestExportJobs", - "forecast:ListPredictors", - "forecast:ListWhatIfAnalyses", - "forecast:ListWhatIfForecastExports", - "forecast:ListWhatIfForecasts", - "forecast:QueryForecast", - "forecast:QueryWhatIfForecast", - "frauddetector:BatchGetVariable", - "frauddetector:DescribeDetector", - "frauddetector:DescribeModelVersions", - "frauddetector:GetBatchImportJobs", - "frauddetector:GetBatchPredictionJobs", - "frauddetector:GetDeleteEventsByEventTypeStatus", - 
"frauddetector:GetDetectorVersion", - "frauddetector:GetDetectors", - "frauddetector:GetEntityTypes", - "frauddetector:GetEvent", - "frauddetector:GetEventPredictionMetadata", - "frauddetector:GetEventTypes", - "frauddetector:GetExternalModels", - "frauddetector:GetKMSEncryptionKey", - "frauddetector:GetLabels", - "frauddetector:GetListElements", - "frauddetector:GetListsMetadata", - "frauddetector:GetModelVersion", - "frauddetector:GetModels", - "frauddetector:GetOutcomes", - "frauddetector:GetRules", - "frauddetector:GetVariables", - "frauddetector:ListEventPredictions", - "frauddetector:ListTagsForResource", - "freertos:Describe*", - "freertos:List*", - "freetier:GetFreeTierAlertPreference", - "freetier:GetFreeTierUsage", - "freetier:GetAccountActivity", - "freetier:GetAccountPlanState", - "freetier:ListAccountActivities", - "fsx:Describe*", - "fsx:List*", - "gamelift:Describe*", - "gamelift:Get*", - "gamelift:List*", - "gamelift:ResolveAlias", - "gamelift:Search*", - "glacier:Describe*", - "glacier:Get*", - "glacier:List*", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "glue:BatchGetCrawlers", - "glue:BatchGetDevEndpoints", - "glue:BatchGetJobs", - "glue:BatchGetPartition", - "glue:BatchGetTableOptimizer", - "glue:BatchGetTriggers", - "glue:BatchGetWorkflows", - "glue:CheckSchemaVersionValidity", - "glue:GetCatalogImportStatus", - "glue:GetClassifier", - "glue:GetClassifiers", - "glue:GetCrawler", - "glue:GetCrawlerMetrics", - "glue:GetCrawlers", - "glue:GetDataCatalogEncryptionSettings", - "glue:GetDatabase", - "glue:GetDatabases", - "glue:GetDataflowGraph", - "glue:GetDevEndpoint", - "glue:GetDevEndpoints", - "glue:GetJob", - "glue:GetJobBookmark", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:GetJobs", - "glue:GetMLTaskRun", - "glue:GetMLTaskRuns", - "glue:GetMLTransform", - "glue:GetMLTransforms", - "glue:GetMapping", - "glue:GetPartition", - "glue:GetPartitions", - "glue:GetPlan", - "glue:GetRegistry", - "glue:GetResourcePolicy", - 
"glue:GetSchema", - "glue:GetSchemaByDefinition", - "glue:GetSchemaVersion", - "glue:GetSchemaVersionsDiff", - "glue:GetSecurityConfiguration", - "glue:GetSecurityConfigurations", - "glue:GetSession", - "glue:GetStatement", - "glue:GetTable", - "glue:GetTableOptimizer", - "glue:GetTableVersion", - "glue:GetTableVersions", - "glue:GetTables", - "glue:GetTags", - "glue:GetTrigger", - "glue:GetTriggers", - "glue:GetUserDefinedFunction", - "glue:GetUserDefinedFunctions", - "glue:GetWorkflow", - "glue:GetWorkflowRun", - "glue:GetWorkflowRunProperties", - "glue:GetWorkflowRuns", - "glue:ListCrawlers", - "glue:ListCrawls", - "glue:ListDevEndpoints", - "glue:ListJobs", - "glue:ListMLTransforms", - "glue:ListRegistries", - "glue:ListSchemaVersions", - "glue:ListSchemas", - "glue:ListSessions", - "glue:ListStatements", - "glue:ListTableOptimizerRuns", - "glue:ListTriggers", - "glue:ListWorkflows", - "glue:QuerySchemaVersionMetadata", - "glue:SearchTables", - "grafana:DescribeWorkspace", - "grafana:DescribeWorkspaceAuthentication", - "grafana:DescribeWorkspaceConfiguration", - "grafana:ListPermissions", - "grafana:ListTagsForResource", - "grafana:ListVersions", - "grafana:ListWorkspaces", - "greengrass:DescribeComponent", - "greengrass:Get*", - "greengrass:List*", - "groundstation:DescribeContact", - "groundstation:GetConfig", - "groundstation:GetDataflowEndpointGroup", - "groundstation:GetMinuteUsage", - "groundstation:GetMissionProfile", - "groundstation:GetSatellite", - "groundstation:ListConfigs", - "groundstation:ListContacts", - "groundstation:ListDataflowEndpointGroups", - "groundstation:ListGroundStations", - "groundstation:ListMissionProfiles", - "groundstation:ListSatellites", - "groundstation:ListTagsForResource", - "guardduty:Describe*", - "guardduty:Get*", - "guardduty:List*", - "health:Describe*", - "healthlake:DescribeFHIRDatastore", - "healthlake:DescribeFHIRExportJob", - "healthlake:DescribeFHIRImportJob", - "healthlake:GetCapabilities", - 
"healthlake:ListFHIRDatastores", - "healthlake:ListFHIRExportJobs", - "healthlake:ListFHIRImportJobs", - "healthlake:ListTagsForResource", - "healthlake:ReadResource", - "healthlake:SearchWithGet", - "healthlake:SearchWithPost", - "iam:Generate*", - "iam:Get*", - "iam:List*", - "iam:Simulate*", - "identity-sync:GetSyncProfile", - "identity-sync:GetSyncTarget", - "identity-sync:ListSyncFilters", - "identitystore-auth:BatchGetSession", - "identitystore-auth:ListSessions", - "identitystore:DescribeGroup", - "identitystore:DescribeGroupMembership", - "identitystore:DescribeUser", - "identitystore:GetGroupId", - "identitystore:GetGroupMembershipId", - "identitystore:GetUserId", - "identitystore:IsMemberInGroups", - "identitystore:ListGroupMemberships", - "identitystore:ListGroupMembershipsForMember", - "identitystore:ListGroups", - "identitystore:ListUsers", - "imagebuilder:Get*", - "imagebuilder:List*", - "importexport:Get*", - "importexport:List*", - "inspector2:BatchGetAccountStatus", - "inspector2:BatchGetCodeSnippet", - "inspector2:BatchGetFreeTrialInfo", - "inspector2:BatchGetMemberEc2DeepInspectionStatus", - "inspector2:DescribeOrganizationConfiguration", - "inspector2:GetCisScanReport", - "inspector2:GetConfiguration", - "inspector2:GetDelegatedAdminAccount", - "inspector2:GetEc2DeepInspectionConfiguration", - "inspector2:GetEncryptionKey", - "inspector2:GetFindingsReportStatus", - "inspector2:GetMember", - "inspector2:GetSbomExport", - "inspector2:ListAccountPermissions", - "inspector2:ListCisScanConfigurations", - "inspector2:ListCisScans", - "inspector2:ListCoverage", - "inspector2:ListCoverageStatistics", - "inspector2:ListDelegatedAdminAccounts", - "inspector2:ListFilters", - "inspector2:ListFindingAggregations", - "inspector2:ListFindings", - "inspector2:ListMembers", - "inspector2:ListTagsForResource", - "inspector2:ListUsageTotals", - "inspector2:SearchVulnerabilities", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - 
"inspector:Preview*", - "internetmonitor:GetHealthEvent", - "internetmonitor:GetInternetEvent", - "internetmonitor:GetMonitor", - "internetmonitor:ListHealthEvents", - "internetmonitor:ListInternetEvents", - "internetmonitor:ListMonitors", - "internetmonitor:ListTagsForResource", - "invoicing:GetInvoiceEmailDeliveryPreferences", - "invoicing:GetInvoicePDF", - "invoicing:ListInvoiceSummaries", - "iot1click:DescribeDevice", - "iot1click:DescribePlacement", - "iot1click:DescribeProject", - "iot1click:GetDeviceMethods", - "iot1click:GetDevicesInPlacement", - "iot1click:ListDeviceEvents", - "iot1click:ListDevices", - "iot1click:ListPlacements", - "iot1click:ListProjects", - "iot1click:ListTagsForResource", - "iot:Describe*", - "iot:Get*", - "iot:List*", - "iotanalytics:Describe*", - "iotanalytics:Get*", - "iotanalytics:List*", - "iotanalytics:SampleChannelData", - "iotevents:DescribeAlarm", - "iotevents:DescribeAlarmModel", - "iotevents:DescribeDetector", - "iotevents:DescribeDetectorModel", - "iotevents:DescribeInput", - "iotevents:DescribeLoggingOptions", - "iotevents:ListAlarmModelVersions", - "iotevents:ListAlarmModels", - "iotevents:ListAlarms", - "iotevents:ListDetectorModelVersions", - "iotevents:ListDetectorModels", - "iotevents:ListDetectors", - "iotevents:ListInputs", - "iotevents:ListTagsForResource", - "iotfleethub:DescribeApplication", - "iotfleethub:ListApplications", - "iotfleetwise:GetCampaign", - "iotfleetwise:GetDecoderManifest", - "iotfleetwise:GetFleet", - "iotfleetwise:GetLoggingOptions", - "iotfleetwise:GetModelManifest", - "iotfleetwise:GetRegisterAccountStatus", - "iotfleetwise:GetSignalCatalog", - "iotfleetwise:GetVehicle", - "iotfleetwise:GetVehicleStatus", - "iotfleetwise:ListCampaigns", - "iotfleetwise:ListDecoderManifestNetworkInterfaces", - "iotfleetwise:ListDecoderManifestSignals", - "iotfleetwise:ListDecoderManifests", - "iotfleetwise:ListFleets", - "iotfleetwise:ListFleetsForVehicle", - "iotfleetwise:ListModelManifestNodes", - 
"iotfleetwise:ListModelManifests", - "iotfleetwise:ListSignalCatalogNodes", - "iotfleetwise:ListSignalCatalogs", - "iotfleetwise:ListTagsForResource", - "iotfleetwise:ListVehicles", - "iotfleetwise:ListVehiclesInFleet", - "iotsitewise:Describe*", - "iotsitewise:Get*", - "iotsitewise:List*", - "iotwireless:GetDestination", - "iotwireless:GetDeviceProfile", - "iotwireless:GetEventConfigurationByResourceTypes", - "iotwireless:GetFuotaTask", - "iotwireless:GetLogLevelsByResourceTypes", - "iotwireless:GetMetricConfiguration", - "iotwireless:GetMetrics", - "iotwireless:GetMulticastGroup", - "iotwireless:GetMulticastGroupSession", - "iotwireless:GetNetworkAnalyzerConfiguration", - "iotwireless:GetPartnerAccount", - "iotwireless:GetPosition", - "iotwireless:GetPositionConfiguration", - "iotwireless:GetPositionEstimate", - "iotwireless:GetResourceEventConfiguration", - "iotwireless:GetResourceLogLevel", - "iotwireless:GetResourcePosition", - "iotwireless:GetServiceEndpoint", - "iotwireless:GetServiceProfile", - "iotwireless:GetWirelessDevice", - "iotwireless:GetWirelessDeviceImportTask", - "iotwireless:GetWirelessDeviceStatistics", - "iotwireless:GetWirelessGateway", - "iotwireless:GetWirelessGatewayCertificate", - "iotwireless:GetWirelessGatewayFirmwareInformation", - "iotwireless:GetWirelessGatewayStatistics", - "iotwireless:GetWirelessGatewayTask", - "iotwireless:GetWirelessGatewayTaskDefinition", - "iotwireless:ListDestinations", - "iotwireless:ListDeviceProfiles", - "iotwireless:ListDevicesForWirelessDeviceImportTask", - "iotwireless:ListEventConfigurations", - "iotwireless:ListFuotaTasks", - "iotwireless:ListMulticastGroups", - "iotwireless:ListMulticastGroupsByFuotaTask", - "iotwireless:ListNetworkAnalyzerConfigurations", - "iotwireless:ListPartnerAccounts", - "iotwireless:ListPositionConfigurations", - "iotwireless:ListQueuedMessages", - "iotwireless:ListServiceProfiles", - "iotwireless:ListTagsForResource", - "iotwireless:ListWirelessDeviceImportTasks", - 
"iotwireless:ListWirelessDevices", - "iotwireless:ListWirelessGatewayTaskDefinitions", - "iotwireless:ListWirelessGateways", - "ivs:BatchGetChannel", - "ivs:GetChannel", - "ivs:GetComposition", - "ivs:GetEncoderConfiguration", - "ivs:GetIngestConfiguration", - "ivs:GetParticipant", - "ivs:GetPlaybackKeyPair", - "ivs:GetPlaybackRestrictionPolicy", - "ivs:GetPublicKey", - "ivs:GetRecordingConfiguration", - "ivs:GetStage", - "ivs:GetStageSession", - "ivs:GetStorageConfiguration", - "ivs:GetStream", - "ivs:GetStreamSession", - "ivs:ListChannels", - "ivs:ListCompositions", - "ivs:ListEncoderConfigurations", - "ivs:ListIngestConfigurations", - "ivs:ListParticipantEvents", - "ivs:ListParticipants", - "ivs:ListPlaybackKeyPairs", - "ivs:ListPlaybackRestrictionPolicies", - "ivs:ListPublicKeys", - "ivs:ListRecordingConfigurations", - "ivs:ListStageSessions", - "ivs:ListStages", - "ivs:ListStorageConfigurations", - "ivs:ListStreamKeys", - "ivs:ListStreamSessions", - "ivs:ListStreams", - "ivs:ListTagsForResource", - "ivschat:GetLoggingConfiguration", - "ivschat:GetRoom", - "ivschat:ListLoggingConfigurations", - "ivschat:ListRooms", - "ivschat:ListTagsForResource" - ], - "Resource": "*" - }, - { - "Sid": "ReadOnlyActionsGroup2", - "Effect": "Allow", - "Action": [ - "kafka:Describe*", - "kafka:DescribeCluster", - "kafka:DescribeClusterOperation", - "kafka:DescribeClusterV2", - "kafka:DescribeConfiguration", - "kafka:DescribeConfigurationRevision", - "kafka:Get*", - "kafka:GetBootstrapBrokers", - "kafka:GetCompatibleKafkaVersions", - "kafka:List*", - "kafka:ListClusterOperations", - "kafka:ListClusters", - "kafka:ListClustersV2", - "kafka:ListConfigurationRevisions", - "kafka:ListConfigurations", - "kafka:ListKafkaVersions", - "kafka:ListNodes", - "kafka:ListTagsForResource", - "kafkaconnect:DescribeConnector", - "kafkaconnect:DescribeCustomPlugin", - "kafkaconnect:DescribeWorkerConfiguration", - "kafkaconnect:ListConnectors", - "kafkaconnect:ListCustomPlugins", - 
"kafkaconnect:ListWorkerConfigurations", - "kendra:BatchGetDocumentStatus", - "kendra:DescribeDataSource", - "kendra:DescribeExperience", - "kendra:DescribeFaq", - "kendra:DescribeIndex", - "kendra:DescribePrincipalMapping", - "kendra:DescribeQuerySuggestionsBlockList", - "kendra:DescribeQuerySuggestionsConfig", - "kendra:DescribeThesaurus", - "kendra:GetQuerySuggestions", - "kendra:GetSnapshots", - "kendra:ListDataSourceSyncJobs", - "kendra:ListDataSources", - "kendra:ListEntityPersonas", - "kendra:ListExperienceEntities", - "kendra:ListExperiences", - "kendra:ListFaqs", - "kendra:ListGroupsOlderThanOrderingId", - "kendra:ListIndices", - "kendra:ListQuerySuggestionsBlockLists", - "kendra:ListTagsForResource", - "kendra:ListThesauri", - "kendra:Query", - "kinesis:Describe*", - "kinesis:Get*", - "kinesis:List*", - "kinesisanalytics:Describe*", - "kinesisanalytics:Discover*", - "kinesisanalytics:Get*", - "kinesisanalytics:List*", - "kinesisvideo:Describe*", - "kinesisvideo:Get*", - "kinesisvideo:List*", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lakeformation:DescribeResource", - "lakeformation:GetDataCellsFilter", - "lakeformation:GetDataLakeSettings", - "lakeformation:GetEffectivePermissionsForPath", - "lakeformation:GetLfTag", - "lakeformation:GetResourceLfTags", - "lakeformation:ListDataCellsFilter", - "lakeformation:ListLfTags", - "lakeformation:ListPermissions", - "lakeformation:ListResources", - "lakeformation:ListTableStorageOptimizers", - "lakeformation:SearchDatabasesByLfTags", - "lakeformation:SearchTablesByLfTags", - "lambda:Get*", - "lambda:List*", - "launchwizard:DescribeAdditionalNode", - "launchwizard:DescribeProvisionedApp", - "launchwizard:DescribeProvisioningEvents", - "launchwizard:DescribeSettingsSet", - "launchwizard:GetDeployment", - "launchwizard:GetInfrastructureSuggestion", - "launchwizard:GetIpAddress", - "launchwizard:GetResourceCostEstimate", - "launchwizard:GetResourceRecommendation", - "launchwizard:GetSettingsSet", - 
"launchwizard:GetWorkload", - "launchwizard:GetWorkloadAsset", - "launchwizard:GetWorkloadAssets", - "launchwizard:GetWorkloadDeploymentPattern", - "launchwizard:ListAdditionalNodes", - "launchwizard:ListAllowedResources", - "launchwizard:ListDeploymentEvents", - "launchwizard:ListDeployments", - "launchwizard:ListProvisionedApps", - "launchwizard:ListResourceCostEstimates", - "launchwizard:ListSettingsSets", - "launchwizard:ListTagsForResource", - "launchwizard:ListWorkloadDeploymentOptions", - "launchwizard:ListWorkloadDeploymentPatterns", - "launchwizard:ListWorkloads", - "lex:DescribeBot", - "lex:DescribeBotAlias", - "lex:DescribeBotChannel", - "lex:DescribeBotLocale", - "lex:DescribeBotReplica", - "lex:DescribeBotVersion", - "lex:DescribeExport", - "lex:DescribeImport", - "lex:DescribeIntent", - "lex:DescribeResourcePolicy", - "lex:DescribeSlot", - "lex:DescribeSlotType", - "lex:Get*", - "lex:ListBotAliasReplicas", - "lex:ListBotAliases", - "lex:ListBotChannels", - "lex:ListBotLocales", - "lex:ListBotReplicas", - "lex:ListBotVersionReplicas", - "lex:ListBotVersions", - "lex:ListBots", - "lex:ListBuiltInIntents", - "lex:ListBuiltInSlotTypes", - "lex:ListExports", - "lex:ListImports", - "lex:ListIntents", - "lex:ListSlotTypes", - "lex:ListSlots", - "lex:ListTagsForResource", - "license-manager:Get*", - "license-manager:List*", - "lightsail:GetActiveNames", - "lightsail:GetAlarms", - "lightsail:GetAutoSnapshots", - "lightsail:GetBlueprints", - "lightsail:GetBucketAccessKeys", - "lightsail:GetBucketBundles", - "lightsail:GetBucketMetricData", - "lightsail:GetBuckets", - "lightsail:GetBundles", - "lightsail:GetCertificates", - "lightsail:GetCloudFormationStackRecords", - "lightsail:GetContainerAPIMetadata", - "lightsail:GetContainerImages", - "lightsail:GetContainerServiceDeployments", - "lightsail:GetContainerServiceMetricData", - "lightsail:GetContainerServicePowers", - "lightsail:GetContainerServices", - "lightsail:GetDisk", - "lightsail:GetDiskSnapshot", - 
"lightsail:GetDiskSnapshots", - "lightsail:GetDisks", - "lightsail:GetDistributionBundles", - "lightsail:GetDistributionLatestCacheReset", - "lightsail:GetDistributionMetricData", - "lightsail:GetDistributions", - "lightsail:GetDomain", - "lightsail:GetDomains", - "lightsail:GetExportSnapshotRecords", - "lightsail:GetInstance", - "lightsail:GetInstanceMetricData", - "lightsail:GetInstancePortStates", - "lightsail:GetInstanceSnapshot", - "lightsail:GetInstanceSnapshots", - "lightsail:GetInstanceState", - "lightsail:GetInstances", - "lightsail:GetKeyPair", - "lightsail:GetKeyPairs", - "lightsail:GetLoadBalancer", - "lightsail:GetLoadBalancerMetricData", - "lightsail:GetLoadBalancerTlsCertificates", - "lightsail:GetLoadBalancers", - "lightsail:GetOperation", - "lightsail:GetOperations", - "lightsail:GetOperationsForResource", - "lightsail:GetRegions", - "lightsail:GetRelationalDatabase", - "lightsail:GetRelationalDatabaseBlueprints", - "lightsail:GetRelationalDatabaseBundles", - "lightsail:GetRelationalDatabaseEvents", - "lightsail:GetRelationalDatabaseLogEvents", - "lightsail:GetRelationalDatabaseLogStreams", - "lightsail:GetRelationalDatabaseMetricData", - "lightsail:GetRelationalDatabaseParameters", - "lightsail:GetRelationalDatabaseSnapshot", - "lightsail:GetRelationalDatabaseSnapshots", - "lightsail:GetRelationalDatabases", - "lightsail:GetStaticIp", - "lightsail:GetStaticIps", - "lightsail:Is*", - "logs:Describe*", - "logs:FilterLogEvents", - "logs:Get*", - "logs:ListAnomalies", - "logs:ListEntitiesForLogGroup", - "logs:ListIntegrations", - "logs:ListLogAnomalyDetectors", - "logs:ListLogDeliveries", - "logs:ListLogGroupsForEntity", - "logs:ListLogGroupsForQuery", - "logs:ListTagsForResource", - "logs:ListTagsLogGroup", - "logs:StartLiveTail", - "logs:StartQuery", - "logs:StopLiveTail", - "logs:StopQuery", - "logs:TestMetricFilter", - "lookoutequipment:DescribeDataIngestionJob", - "lookoutequipment:DescribeDataset", - 
"lookoutequipment:DescribeInferenceScheduler", - "lookoutequipment:DescribeLabel", - "lookoutequipment:DescribeLabelGroup", - "lookoutequipment:DescribeModel", - "lookoutequipment:DescribeModelVersion", - "lookoutequipment:DescribeResourcePolicy", - "lookoutequipment:DescribeRetrainingScheduler", - "lookoutequipment:ListDataIngestionJobs", - "lookoutequipment:ListDatasets", - "lookoutequipment:ListInferenceEvents", - "lookoutequipment:ListInferenceExecutions", - "lookoutequipment:ListInferenceSchedulers", - "lookoutequipment:ListLabelGroups", - "lookoutequipment:ListLabels", - "lookoutequipment:ListModelVersions", - "lookoutequipment:ListModels", - "lookoutequipment:ListRetrainingSchedulers", - "lookoutequipment:ListSensorStatistics", - "lookoutequipment:ListTagsForResource", - "lookoutmetrics:Describe*", - "lookoutmetrics:Get*", - "lookoutmetrics:List*", - "lookoutvision:DescribeDataset", - "lookoutvision:DescribeModel", - "lookoutvision:DescribeModelPackagingJob", - "lookoutvision:DescribeProject", - "lookoutvision:ListDatasetEntries", - "lookoutvision:ListModelPackagingJobs", - "lookoutvision:ListModels", - "lookoutvision:ListProjects", - "lookoutvision:ListTagsForResource", - "m2:GetApplication", - "m2:GetApplicationVersion", - "m2:GetBatchJobExecution", - "m2:GetDataSetDetails", - "m2:GetDataSetImportTask", - "m2:GetDeployment", - "m2:GetEnvironment", - "m2:ListApplicationVersions", - "m2:ListApplications", - "m2:ListBatchJobDefinitions", - "m2:ListBatchJobExecutions", - "m2:ListDataSetImportHistory", - "m2:ListDataSets", - "m2:ListDeployments", - "m2:ListEngineVersions", - "m2:ListEnvironments", - "m2:ListTagsForResource", - "machinelearning:Describe*", - "machinelearning:Get*", - "macie2:BatchGetCustomDataIdentifiers", - "macie2:DescribeBuckets", - "macie2:DescribeClassificationJob", - "macie2:DescribeOrganizationConfiguration", - "macie2:GetAdministratorAccount", - "macie2:GetAllowList", - "macie2:GetAutomatedDiscoveryConfiguration", - 
"macie2:GetBucketStatistics", - "macie2:GetClassificationExportConfiguration", - "macie2:GetClassificationScope", - "macie2:GetCustomDataIdentifier", - "macie2:GetFindingStatistics", - "macie2:GetFindings", - "macie2:GetFindingsFilter", - "macie2:GetFindingsPublicationConfiguration", - "macie2:GetInvitationsCount", - "macie2:GetMacieSession", - "macie2:GetMember", - "macie2:GetResourceProfile", - "macie2:GetRevealConfiguration", - "macie2:GetSensitiveDataOccurrencesAvailability", - "macie2:GetSensitivityInspectionTemplate", - "macie2:GetUsageStatistics", - "macie2:GetUsageTotals", - "macie2:ListAllowLists", - "macie2:ListAutomatedDiscoveryAccounts", - "macie2:ListClassificationJobs", - "macie2:ListClassificationScopes", - "macie2:ListCustomDataIdentifiers", - "macie2:ListFindings", - "macie2:ListFindingsFilters", - "macie2:ListInvitations", - "macie2:ListMembers", - "macie2:ListOrganizationAdminAccounts", - "macie2:ListResourceProfileArtifacts", - "macie2:ListResourceProfileDetections", - "macie2:ListSensitivityInspectionTemplates", - "macie2:ListTagsForResource", - "macie2:SearchResources", - "managedblockchain:GetMember", - "managedblockchain:GetNetwork", - "managedblockchain:GetNode", - "managedblockchain:GetProposal", - "managedblockchain:ListInvitations", - "managedblockchain:ListMembers", - "managedblockchain:ListNetworks", - "managedblockchain:ListNodes", - "managedblockchain:ListProposalVotes", - "managedblockchain:ListProposals", - "managedblockchain:ListTagsForResource", - "mediaconnect:DescribeFlow", - "mediaconnect:DescribeOffering", - "mediaconnect:DescribeReservation", - "mediaconnect:ListEntitlements", - "mediaconnect:ListFlows", - "mediaconnect:ListOfferings", - "mediaconnect:ListReservations", - "mediaconnect:ListTagsForResource", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "medialive:DescribeChannel", - "medialive:DescribeInput", - "medialive:DescribeInputDevice", - "medialive:DescribeInputDeviceThumbnail", 
- "medialive:DescribeInputSecurityGroup", - "medialive:DescribeMultiplex", - "medialive:DescribeMultiplexProgram", - "medialive:DescribeOffering", - "medialive:DescribeReservation", - "medialive:DescribeSchedule", - "medialive:GetCloudWatchAlarmTemplate", - "medialive:GetCloudWatchAlarmTemplateGroup", - "medialive:GetEventBridgeRuleTemplate", - "medialive:GetEventBridgeRuleTemplateGroup", - "medialive:GetSignalMap", - "medialive:ListChannels", - "medialive:ListCloudWatchAlarmTemplateGroups", - "medialive:ListCloudWatchAlarmTemplates", - "medialive:ListEventBridgeRuleTemplateGroups", - "medialive:ListEventBridgeRuleTemplates", - "medialive:ListInputDeviceTransfers", - "medialive:ListInputDevices", - "medialive:ListInputSecurityGroups", - "medialive:ListInputs", - "medialive:ListMultiplexPrograms", - "medialive:ListMultiplexes", - "medialive:ListOfferings", - "medialive:ListReservations", - "medialive:ListSignalMaps", - "medialive:ListTagsForResource", - "mediapackage-vod:Describe*", - "mediapackage-vod:List*", - "mediapackage:Describe*", - "mediapackage:List*", - "mediapackagev2:GetChannel", - "mediapackagev2:GetChannelGroup", - "mediapackagev2:GetChannelPolicy", - "mediapackagev2:GetHeadObject", - "mediapackagev2:GetObject", - "mediapackagev2:GetOriginEndpoint", - "mediapackagev2:GetOriginEndpointPolicy", - "mediapackagev2:ListChannelGroups", - "mediapackagev2:ListChannels", - "mediapackagev2:ListOriginEndpoints", - "mediapackagev2:ListTagsForResource", - "mediastore:DescribeContainer", - "mediastore:DescribeObject", - "mediastore:GetContainerPolicy", - "mediastore:GetCorsPolicy", - "mediastore:GetLifecyclePolicy", - "mediastore:GetMetricPolicy", - "mediastore:GetObject", - "mediastore:ListContainers", - "mediastore:ListItems", - "mediastore:ListTagsForResource", - "memorydb:DescribeAcls", - "memorydb:DescribeClusters", - "memorydb:DescribeEngineVersions", - "memorydb:DescribeEvents", - "memorydb:DescribeMultiRegionClusters", - 
"memorydb:DescribeMultiRegionParameterGroups", - "memorydb:DescribeMultiRegionParameters", - "memorydb:DescribeParameterGroups", - "memorydb:DescribeParameters", - "memorydb:DescribeReservedNodes", - "memorydb:DescribeReservedNodesOfferings", - "memorydb:DescribeServiceUpdates", - "memorydb:DescribeSnapshots", - "memorydb:DescribeSubnetGroups", - "memorydb:DescribeUsers", - "memorydb:ListAllowedMultiRegionClusterUpdates", - "memorydb:ListAllowedNodeTypeUpdates", - "memorydb:ListTags", - "mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mgn:DescribeJobLogItems", - "mgn:DescribeJobs", - "mgn:DescribeLaunchConfigurationTemplates", - "mgn:DescribeReplicationConfigurationTemplates", - "mgn:DescribeSourceServers", - "mgn:DescribeVcenterClients", - "mgn:GetLaunchConfiguration", - "mgn:GetReplicationConfiguration", - "mgn:ListApplications", - "mgn:ListSourceServerActions", - "mgn:ListTemplateActions", - "mgn:ListWaves", - "mobileanalytics:Get*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "monitron:GetProject", - "monitron:GetProjectAdminUser", - "monitron:ListProjects", - "monitron:ListTagsForResource", - "mpa:GetApprovalTeam", - "mpa:GetIdentitySource", - "mpa:GetPolicyVersion", - "mpa:GetResourcePolicy", - "mpa:GetSession", - "mpa:ListApprovalTeams", - "mpa:ListIdentitySources", - "mpa:ListPolicies", - "mpa:ListPolicyVersions", - "mpa:ListResourcePolicies", - "mpa:ListSessions", - "mpa:ListTagsForResource", - "mq:Describe*", - "mq:List*", - "network-firewall:DescribeFirewall", - "network-firewall:DescribeFirewallPolicy", - "network-firewall:DescribeLoggingConfiguration", - "network-firewall:DescribeResourcePolicy", - "network-firewall:DescribeRuleGroup", - "network-firewall:DescribeRuleGroupMetadata", - "network-firewall:DescribeTLSInspectionConfiguration", - "network-firewall:ListFirewallPolicies", - "network-firewall:ListFirewalls", - "network-firewall:ListRuleGroups", - "network-firewall:ListTLSInspectionConfigurations", - 
"network-firewall:ListTagsForResource", - "networkflowmonitor:GetMonitor", - "networkflowmonitor:GetScope", - "networkflowmonitor:ListMonitors", - "networkflowmonitor:ListScopes", - "networkmanager:DescribeGlobalNetworks", - "networkmanager:GetConnectAttachment", - "networkmanager:GetConnectPeer", - "networkmanager:GetConnectPeerAssociations", - "networkmanager:GetConnections", - "networkmanager:GetCoreNetwork", - "networkmanager:GetCoreNetworkChangeEvents", - "networkmanager:GetCoreNetworkChangeSet", - "networkmanager:GetCoreNetworkPolicy", - "networkmanager:GetCustomerGatewayAssociations", - "networkmanager:GetDevices", - "networkmanager:GetLinkAssociations", - "networkmanager:GetLinks", - "networkmanager:GetNetworkResourceCounts", - "networkmanager:GetNetworkResourceRelationships", - "networkmanager:GetNetworkResources", - "networkmanager:GetNetworkRoutes", - "networkmanager:GetNetworkTelemetry", - "networkmanager:GetResourcePolicy", - "networkmanager:GetRouteAnalysis", - "networkmanager:GetSiteToSiteVpnAttachment", - "networkmanager:GetSites", - "networkmanager:GetTransitGatewayConnectPeerAssociations", - "networkmanager:GetTransitGatewayPeering", - "networkmanager:GetTransitGatewayRegistrations", - "networkmanager:GetTransitGatewayRouteTableAttachment", - "networkmanager:GetVpcAttachment", - "networkmanager:ListAttachments", - "networkmanager:ListConnectPeers", - "networkmanager:ListCoreNetworkPolicyVersions", - "networkmanager:ListCoreNetworks", - "networkmanager:ListPeerings", - "networkmanager:ListTagsForResource", - "networkmonitor:GetMonitor", - "networkmonitor:GetProbe", - "networkmonitor:ListMonitors", - "networkmonitor:ListTagsForResource", - "nimble:GetEula", - "nimble:GetFeatureMap", - "nimble:GetLaunchProfile", - "nimble:GetLaunchProfileDetails", - "nimble:GetLaunchProfileInitialization", - "nimble:GetLaunchProfileMember", - "nimble:GetStreamingImage", - "nimble:GetStreamingSession", - "nimble:GetStudio", - "nimble:GetStudioComponent", - 
"nimble:GetStudioMember", - "nimble:ListEulaAcceptances", - "nimble:ListEulas", - "nimble:ListLaunchProfileMembers", - "nimble:ListLaunchProfiles", - "nimble:ListStreamingImages", - "nimble:ListStreamingSessions", - "nimble:ListStudioComponents", - "nimble:ListStudioMembers", - "nimble:ListStudios", - "nimble:ListTagsForResource", - "notifications-contacts:GetEmailContact", - "notifications-contacts:ListEmailContacts", - "notifications-contacts:ListTagsForResource", - "notifications:GetEventRule", - "notifications:GetFeatureOptInStatus", - "notifications:GetManagedNotificationChildEvent", - "notifications:GetManagedNotificationConfiguration", - "notifications:GetManagedNotificationEvent", - "notifications:GetNotificationConfiguration", - "notifications:GetNotificationEvent", - "notifications:GetNotificationsAccessForOrganization", - "notifications:List*", - "oam:GetLink", - "oam:GetSink", - "oam:GetSinkPolicy", - "oam:ListAttachedLinks", - "oam:ListLinks", - "oam:ListSinks", - "observabilityadmin:GetCentralizationRuleForOrganization", - "observabilityadmin:GetTelemetryEnrichmentStatus", - "observabilityadmin:GetTelemetryEvaluationStatus", - "observabilityadmin:GetTelemetryEvaluationStatusForOrganization", - "observabilityadmin:GetTelemetryRule", - "observabilityadmin:GetTelemetryRuleForOrganization", - "observabilityadmin:ListCentralizationRulesForOrganization", - "observabilityadmin:ListResourceTelemetry", - "observabilityadmin:ListResourceTelemetryForOrganization", - "observabilityadmin:ListTagsForResource", - "observabilityadmin:ListTelemetryRules", - "observabilityadmin:ListTelemetryRulesForOrganization", - "omics:Get*", - "omics:List*", - "one:GetDeviceConfigurationTemplate", - "one:GetDeviceInstance", - "one:GetDeviceInstanceConfiguration", - "one:GetSite", - "one:GetSiteAddress", - "one:ListDeviceConfigurationTemplates", - "one:ListDeviceInstances", - "one:ListSites", - "one:ListUsers", - "opsworks-cm:Describe*", - "opsworks-cm:List*", - 
"opsworks:Describe*", - "opsworks:Get*", - "organizations:Describe*", - "organizations:List*", - "osis:GetPipeline", - "osis:GetPipelineBlueprint", - "osis:GetPipelineChangeProgress", - "osis:ListPipelineBlueprints", - "osis:ListPipelines", - "osis:ListTagsForResource", - "outposts:Get*", - "outposts:List*", - "payment-cryptography:GetAlias", - "payment-cryptography:GetKey", - "payment-cryptography:GetPublicKeyCertificate", - "payment-cryptography:ListAliases", - "payment-cryptography:ListKeys", - "payment-cryptography:ListTagsForResource", - "payments:GetPaymentInstrument", - "payments:GetPaymentStatus", - "payments:ListPaymentInstruments", - "payments:ListPaymentPreferences", - "payments:ListPaymentProgramOptions", - "payments:ListPaymentProgramStatus", - "payments:ListTagsForResource", - "pca-connector-ad:GetConnector", - "pca-connector-ad:GetDirectoryRegistration", - "pca-connector-ad:GetServicePrincipalName", - "pca-connector-ad:GetTemplate", - "pca-connector-ad:GetTemplateGroupAccessControlEntry", - "pca-connector-ad:ListConnectors", - "pca-connector-ad:ListDirectoryRegistrations", - "pca-connector-ad:ListServicePrincipalNames", - "pca-connector-ad:ListTagsForResource", - "pca-connector-ad:ListTemplateGroupAccessControlEntries", - "pca-connector-ad:ListTemplates", - "pca-connector-scep:GetChallengeMetadata", - "pca-connector-scep:GetConnector", - "pca-connector-scep:ListChallengeMetadata", - "pca-connector-scep:ListConnectors", - "pca-connector-scep:ListTagsForResource", - "pcs:GetCluster", - "pcs:GetComputeNodeGroup", - "pcs:GetQueue", - "pcs:ListClusters", - "pcs:ListComputeNodeGroups", - "pcs:ListQueues", - "pcs:ListTagsForResource", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - "pi:DescribeDimensionKeys", - "pi:GetDimensionKeyDetails", - "pi:GetResourceMetadata", - "pi:GetResourceMetrics", - "pi:ListAvailableResourceDimensions", - "pi:ListAvailableResourceMetrics", - "pipes:DescribePipe", - "pipes:ListPipes", - 
"pipes:ListTagsForResource", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "pricing:DescribeServices", - "pricing:GetAttributeValues", - "pricing:GetPriceListFileUrl", - "pricing:GetProducts", - "pricing:ListPriceLists", - "proton:GetDeployment", - "proton:GetEnvironment", - "proton:GetEnvironmentTemplate", - "proton:GetEnvironmentTemplateVersion", - "proton:GetService", - "proton:GetServiceInstance", - "proton:GetServiceTemplate", - "proton:GetServiceTemplateVersion", - "proton:ListDeployments", - "proton:ListEnvironmentAccountConnections", - "proton:ListEnvironmentTemplates", - "proton:ListEnvironments", - "proton:ListServiceInstances", - "proton:ListServiceTemplates", - "proton:ListServices", - "proton:ListTagsForResource", - "purchase-orders:GetPurchaseOrder", - "purchase-orders:ListPurchaseOrderInvoices", - "purchase-orders:ListPurchaseOrders", - "purchase-orders:ViewPurchaseOrders", - "qbusiness:GetApplication", - "qbusiness:GetChatControlsConfiguration", - "qbusiness:GetDataSource", - "qbusiness:GetGroup", - "qbusiness:GetIndex", - "qbusiness:GetPlugin", - "qbusiness:GetRetriever", - "qbusiness:GetUser", - "qbusiness:GetWebExperience", - "qbusiness:ListApplications", - "qbusiness:ListDataSourceSyncJobs", - "qbusiness:ListDataSources", - "qbusiness:ListGroups", - "qbusiness:ListIndices", - "qbusiness:ListPlugins", - "qbusiness:ListRetrievers", - "qbusiness:ListSubscriptions", - "qbusiness:ListTagsForResource", - "qbusiness:ListWebExperiences", - "qldb:DescribeJournalKinesisStream", - "qldb:DescribeJournalS3Export", - "qldb:DescribeLedger", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:ListJournalKinesisStreamsForLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:ListLedgers", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rbin:GetRule", - "rbin:ListRules", - "rbin:ListTagsForResource", - "rds:Describe*", - "rds:Download*", - "rds:List*", - 
"redshift-serverless:GetCustomDomainAssociation", - "redshift-serverless:GetEndpointAccess", - "redshift-serverless:GetNamespace", - "redshift-serverless:GetRecoveryPoint", - "redshift-serverless:GetResourcePolicy", - "redshift-serverless:GetScheduledAction", - "redshift-serverless:GetSnapshot", - "redshift-serverless:GetTableRestoreStatus", - "redshift-serverless:GetUsageLimit", - "redshift-serverless:GetWorkgroup", - "redshift-serverless:ListCustomDomainAssociations", - "redshift-serverless:ListEndpointAccess", - "redshift-serverless:ListNamespaces", - "redshift-serverless:ListRecoveryPoints", - "redshift-serverless:ListScheduledActions", - "redshift-serverless:ListSnapshotCopyConfigurations", - "redshift-serverless:ListSnapshots", - "redshift-serverless:ListTableRestoreStatus", - "redshift-serverless:ListTagsForResource", - "redshift-serverless:ListUsageLimits", - "redshift-serverless:ListWorkgroups", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:ListRecommendations", - "redshift:View*", - "refactor-spaces:GetApplication", - "refactor-spaces:GetEnvironment", - "refactor-spaces:GetResourcePolicy", - "refactor-spaces:GetRoute", - "refactor-spaces:GetService", - "refactor-spaces:ListApplications", - "refactor-spaces:ListEnvironmentVpcs", - "refactor-spaces:ListEnvironments", - "refactor-spaces:ListRoutes", - "refactor-spaces:ListServices", - "refactor-spaces:ListTagsForResource", - "rekognition:CompareFaces", - "rekognition:DescribeDataset", - "rekognition:DescribeProjectVersions", - "rekognition:DescribeProjects", - "rekognition:DescribeStreamProcessor", - "rekognition:Detect*", - "rekognition:GetCelebrityInfo", - "rekognition:GetCelebrityRecognition", - "rekognition:GetContentModeration", - "rekognition:GetFaceDetection", - "rekognition:GetFaceSearch", - "rekognition:GetLabelDetection", - "rekognition:GetPersonTracking", - "rekognition:GetSegmentDetection", - "rekognition:GetTextDetection", - "rekognition:List*", - 
"rekognition:RecognizeCelebrities", - "rekognition:Search*", - "resiliencehub:DescribeApp", - "resiliencehub:DescribeAppAssessment", - "resiliencehub:DescribeAppVersion", - "resiliencehub:DescribeAppVersionAppComponent", - "resiliencehub:DescribeAppVersionResource", - "resiliencehub:DescribeAppVersionResourcesResolutionStatus", - "resiliencehub:DescribeAppVersionTemplate", - "resiliencehub:DescribeDraftAppVersionResourcesImportStatus", - "resiliencehub:DescribeMetricsExport", - "resiliencehub:DescribeResiliencyPolicy", - "resiliencehub:DescribeResourceGroupingRecommendationTask", - "resiliencehub:ListAlarmRecommendations", - "resiliencehub:ListAppAssessmentComplianceDrifts", - "resiliencehub:ListAppAssessmentResourceDrifts", - "resiliencehub:ListAppAssessments", - "resiliencehub:ListAppComponentCompliances", - "resiliencehub:ListAppComponentRecommendations", - "resiliencehub:ListAppInputSources", - "resiliencehub:ListAppVersionAppComponents", - "resiliencehub:ListAppVersionResourceMappings", - "resiliencehub:ListAppVersionResources", - "resiliencehub:ListAppVersions", - "resiliencehub:ListApps", - "resiliencehub:ListMetrics", - "resiliencehub:ListRecommendationTemplates", - "resiliencehub:ListResiliencyPolicies", - "resiliencehub:ListResourceGroupingRecommendations", - "resiliencehub:ListSopRecommendations", - "resiliencehub:ListSuggestedResiliencyPolicies", - "resiliencehub:ListTagsForResource", - "resiliencehub:ListTestRecommendations", - "resiliencehub:ListUnsupportedAppVersionResources", - "resource-explorer-2:BatchGetView", - "resource-explorer-2:GetAccountLevelServiceConfiguration", - "resource-explorer-2:GetDefaultView", - "resource-explorer-2:GetIndex", - "resource-explorer-2:GetManagedView", - "resource-explorer-2:GetView", - "resource-explorer-2:ListIndexes", - "resource-explorer-2:ListIndexesForMembers", - "resource-explorer-2:ListManagedViews", - "resource-explorer-2:ListSupportedResourceTypes", - "resource-explorer-2:ListTagsForResource", - 
"resource-explorer-2:ListViews", - "resource-explorer-2:Search", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:Get*", - "robomaker:List*", - "rolesanywhere:GetCrl", - "rolesanywhere:GetProfile", - "rolesanywhere:GetSubject", - "rolesanywhere:GetTrustAnchor", - "rolesanywhere:ListCrls", - "rolesanywhere:ListProfiles", - "rolesanywhere:ListSubjects", - "rolesanywhere:ListTagsForResource", - "rolesanywhere:ListTrustAnchors", - "route53-recovery-cluster:Get*", - "route53-recovery-cluster:ListRoutingControls", - "route53-recovery-control-config:Describe*", - "route53-recovery-control-config:GetResourcePolicy", - "route53-recovery-control-config:List*", - "route53-recovery-readiness:Get*", - "route53-recovery-readiness:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53profiles:GetProfile", - "route53profiles:GetProfileAssociation", - "route53profiles:GetProfileResourceAssociation", - "route53profiles:ListProfileAssociations", - "route53profiles:ListProfileResourceAssociations", - "route53profiles:ListProfiles", - "route53profiles:ListTagsForResource", - "route53resolver:Get*", - "route53resolver:List*", - "rum:GetAppMonitor", - "rum:GetAppMonitorData", - "rum:ListAppMonitors", - "s3-object-lambda:GetObject", - "s3-object-lambda:GetObjectAcl", - "s3-object-lambda:GetObjectLegalHold", - "s3-object-lambda:GetObjectRetention", - "s3-object-lambda:GetObjectTagging", - "s3-object-lambda:GetObjectVersion", - "s3-object-lambda:GetObjectVersionAcl", - "s3-object-lambda:GetObjectVersionTagging", - "s3-object-lambda:ListBucket", - "s3-object-lambda:ListBucketMultipartUploads", - "s3-object-lambda:ListBucketVersions", - "s3-object-lambda:ListMultipartUploadParts", - "s3-outposts:GetAccessPoint", - "s3-outposts:GetAccessPointPolicy", - 
"s3-outposts:GetBucket", - "s3-outposts:GetBucketPolicy", - "s3-outposts:GetBucketTagging", - "s3-outposts:GetBucketVersioning", - "s3-outposts:GetLifecycleConfiguration", - "s3-outposts:GetObject", - "s3-outposts:GetObjectTagging", - "s3-outposts:GetObjectVersion", - "s3-outposts:GetObjectVersionForReplication", - "s3-outposts:GetObjectVersionTagging", - "s3-outposts:GetReplicationConfiguration", - "s3-outposts:ListAccessPoints", - "s3-outposts:ListBucket", - "s3-outposts:ListBucketMultipartUploads", - "s3-outposts:ListBucketVersions", - "s3-outposts:ListEndpoints", - "s3-outposts:ListMultipartUploadParts", - "s3-outposts:ListOutpostsWithS3", - "s3-outposts:ListRegionalBuckets", - "s3-outposts:ListSharedEndpoints", - "s3:DescribeJob", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "savingsplans:DescribeSavingsPlanRates", - "savingsplans:DescribeSavingsPlans", - "savingsplans:DescribeSavingsPlansOfferingRates", - "savingsplans:DescribeSavingsPlansOfferings", - "savingsplans:ListTagsForResource", - "scheduler:GetSchedule", - "scheduler:GetScheduleGroup", - "scheduler:ListScheduleGroups", - "scheduler:ListSchedules", - "scheduler:ListTagsForResource", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "secretsmanager:List*", - "securityhub:BatchGetAutomationRules", - "securityhub:BatchGetConfigurationPolicyAssociations", - "securityhub:BatchGetControlEvaluations", - "securityhub:BatchGetSecurityControls", - "securityhub:BatchGetStandardsControlAssociations", - "securityhub:Describe*", - "securityhub:Get*", - "securityhub:List*", - "securitylake:GetDataLakeExceptionSubscription", - "securitylake:GetDataLakeOrganizationConfiguration", - "securitylake:GetDataLakeSources", - "securitylake:GetSubscriber", - 
"securitylake:ListDataLakeExceptions", - "securitylake:ListDataLakes", - "securitylake:ListLogSources", - "securitylake:ListSubscribers", - "securitylake:ListTagsForResource", - "serverlessrepo:Get*", - "serverlessrepo:List*", - "serverlessrepo:SearchApplications", - "servicecatalog:Describe*", - "servicecatalog:GetApplication", - "servicecatalog:GetAttributeGroup", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicediscovery:DiscoverInstances", - "servicediscovery:DiscoverInstancesRevision", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServices", - "ses:BatchGetMetricData", - "ses:Describe*", - "ses:Get*", - "ses:List*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "signer:DescribeSigningJob", - "signer:GetSigningPlatform", - "signer:GetSigningProfile", - "signer:ListProfilePermissions", - "signer:ListSigningJobs", - "signer:ListSigningPlatforms", - "signer:ListSigningProfiles", - "signer:ListTagsForResource", - "signin:ListTrustedIdentityPropagationApplicationsForConsole", - "sms-voice:DescribeAccountAttributes", - "sms-voice:DescribeAccountLimits", - "sms-voice:DescribeConfigurationSets", - "sms-voice:DescribeKeywords", - "sms-voice:DescribeOptOutLists", - "sms-voice:DescribeOptedOutNumbers", - "sms-voice:DescribePhoneNumbers", - "sms-voice:DescribePools", - "sms-voice:DescribeProtectConfigurations", - "sms-voice:DescribeRegistrationAttachments", - 
"sms-voice:DescribeRegistrationFieldDefinitions", - "sms-voice:DescribeRegistrationFieldValues", - "sms-voice:DescribeRegistrations", - "sms-voice:DescribeRegistrationSectionDefinitions", - "sms-voice:DescribeRegistrationTypeDefinitions", - "sms-voice:DescribeRegistrationVersions", - "sms-voice:DescribeSenderIds", - "sms-voice:DescribeSpendLimits", - "sms-voice:DescribeVerifiedDestinationNumbers", - "sms-voice:ListPoolOriginationIdentities", - "sms-voice:ListTagsForResource", - "snowball:Describe*", - "snowball:Get*", - "snowball:List*", - "sns:Check*", - "sns:Get*", - "sns:List*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm-contacts:DescribeEngagement", - "ssm-contacts:DescribePage", - "ssm-contacts:GetContact", - "ssm-contacts:GetContactChannel", - "ssm-contacts:ListContactChannels", - "ssm-contacts:ListContacts", - "ssm-contacts:ListEngagements", - "ssm-contacts:ListPageReceipts", - "ssm-contacts:ListPagesByContact", - "ssm-contacts:ListPagesByEngagement", - "ssm-incidents:GetIncidentRecord", - "ssm-incidents:GetReplicationSet", - "ssm-incidents:GetResourcePolicies", - "ssm-incidents:GetResponsePlan", - "ssm-incidents:GetTimelineEvent", - "ssm-incidents:ListIncidentRecords", - "ssm-incidents:ListRelatedItems", - "ssm-incidents:ListReplicationSets", - "ssm-incidents:ListResponsePlans", - "ssm-incidents:ListTagsForResource", - "ssm-incidents:ListTimelineEvents", - "ssm-quicksetup:GetConfiguration", - "ssm-quicksetup:GetConfigurationManager", - "ssm-quicksetup:GetServiceSettings", - "ssm-quicksetup:ListConfigurationManagers", - "ssm-quicksetup:ListConfigurations", - "ssm-quicksetup:ListQuickSetupTypes", - "ssm-quicksetup:ListTagsForResource", - "ssm-sap:GetApplication", - "ssm-sap:GetComponent", - "ssm-sap:GetConfigurationCheckOperation", - "ssm-sap:GetDatabase", - "ssm-sap:GetOperation", - "ssm-sap:GetResourcePermission", - "ssm-sap:ListApplications", - "ssm-sap:ListComponents", - "ssm-sap:ListConfigurationCheckDefinitions", - 
"ssm-sap:ListConfigurationCheckOperations", - "ssm-sap:ListDatabases", - "ssm-sap:ListOperationEvents", - "ssm-sap:ListOperations", - "ssm-sap:ListSubCheckResults", - "ssm-sap:ListSubCheckRuleResults", - "ssm-sap:ListTagsForResource", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "sso-directory:Describe*", - "sso-directory:List*", - "sso-directory:Search*", - "sso:Describe*", - "sso:Get*", - "sso:List*", - "states:Describe*", - "states:GetExecutionHistory", - "states:List*", - "states:ValidateStateMachineDefinition", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:GetAccessKeyInfo", - "sts:GetCallerIdentity", - "sts:GetSessionToken", - "support:DescribeAttachment", - "support:DescribeCaseAttributes", - "support:DescribeCases", - "support:DescribeCommunication", - "support:DescribeCommunications", - "support:DescribeCreateCaseOptions", - "support:DescribeIssueTypes", - "support:DescribeServices", - "support:DescribeSeverityLevels", - "support:DescribeSupportLevel", - "support:DescribeSupportedLanguages", - "support:DescribeTrustedAdvisorCheckRefreshStatuses", - "support:DescribeTrustedAdvisorCheckResult", - "support:DescribeTrustedAdvisorCheckSummaries", - "support:DescribeTrustedAdvisorChecks", - "support:SearchForCases", - "supportplans:GetSupportPlan", - "supportplans:GetSupportPlanUpdateStatus", - "supportplans:ListSupportPlanModifiers", - "sustainability:GetCarbonFootprintSummary", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "synthetics:List*", - "tag:DescribeReportCreation", - "tag:Get*", - "tax:GetExemptions", - "tax:GetTaxInheritance", - "tax:GetTaxInterview", - "tax:GetTaxRegistration", - "tax:GetTaxRegistrationDocument", - "tax:ListTaxRegistrations", - "timestream:DescribeBatchLoadTask", - "timestream:DescribeDatabase", - "timestream:DescribeEndpoints", - "timestream:DescribeTable", - "timestream:ListBatchLoadTasks", - "timestream:ListDatabases", - 
"timestream:ListMeasures", - "timestream:ListTables", - "timestream:ListTagsForResource", - "tnb:GetSolFunctionInstance", - "tnb:GetSolFunctionPackage", - "tnb:GetSolFunctionPackageContent", - "tnb:GetSolFunctionPackageDescriptor", - "tnb:GetSolNetworkInstance", - "tnb:GetSolNetworkOperation", - "tnb:GetSolNetworkPackage", - "tnb:GetSolNetworkPackageContent", - "tnb:GetSolNetworkPackageDescriptor", - "tnb:ListSolFunctionInstances", - "tnb:ListSolFunctionPackages", - "tnb:ListSolNetworkInstances", - "tnb:ListSolNetworkOperations", - "tnb:ListSolNetworkPackages", - "tnb:ListTagsForResource", - "transcribe:Get*", - "transcribe:List*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "translate:DescribeTextTranslationJob", - "translate:GetParallelData", - "translate:GetTerminology", - "translate:ListParallelData", - "translate:ListTerminologies", - "translate:ListTextTranslationJobs", - "trustedadvisor:Describe*", - "trustedadvisor:GetOrganizationRecommendation", - "trustedadvisor:GetRecommendation", - "trustedadvisor:ListChecks", - "trustedadvisor:ListOrganizationRecommendationAccounts", - "trustedadvisor:ListOrganizationRecommendationResources", - "trustedadvisor:ListOrganizationRecommendations", - "trustedadvisor:ListRecommendationResources", - "trustedadvisor:ListRecommendations", - "user-subscriptions:ListApplicationClaims", - "user-subscriptions:ListClaims", - "user-subscriptions:ListUserSubscriptions", - "verifiedpermissions:GetIdentitySource", - "verifiedpermissions:GetPolicy", - "verifiedpermissions:GetPolicyStore", - "verifiedpermissions:GetPolicyTemplate", - "verifiedpermissions:GetSchema", - "verifiedpermissions:IsAuthorized", - "verifiedpermissions:IsAuthorizedWithToken", - "verifiedpermissions:ListIdentitySources", - "verifiedpermissions:ListPolicies", - "verifiedpermissions:ListPolicyStores", - "verifiedpermissions:ListPolicyTemplates", - "vpc-lattice:GetAccessLogSubscription", - "vpc-lattice:GetAuthPolicy", - 
"vpc-lattice:GetListener", - "vpc-lattice:GetResourceConfiguration", - "vpc-lattice:GetResourceGateway", - "vpc-lattice:GetResourcePolicy", - "vpc-lattice:GetRule", - "vpc-lattice:GetService", - "vpc-lattice:GetServiceNetwork", - "vpc-lattice:GetServiceNetworkResourceAssociation", - "vpc-lattice:GetServiceNetworkServiceAssociation", - "vpc-lattice:GetServiceNetworkVpcAssociation", - "vpc-lattice:GetTargetGroup", - "vpc-lattice:ListAccessLogSubscriptions", - "vpc-lattice:ListListeners", - "vpc-lattice:ListResourceConfigurations", - "vpc-lattice:ListResourceEndpointAssociations", - "vpc-lattice:ListResourceGateways", - "vpc-lattice:ListRules", - "vpc-lattice:ListServiceNetworkResourceAssociations", - "vpc-lattice:ListServiceNetworkServiceAssociations", - "vpc-lattice:ListServiceNetworkVpcAssociations", - "vpc-lattice:ListServiceNetworks", - "vpc-lattice:ListServiceNetworkVpcEndpointAssociations", - "vpc-lattice:ListServices", - "vpc-lattice:ListTagsForResource", - "vpc-lattice:ListTargetGroups", - "vpc-lattice:ListTargets", - "waf-regional:Get*", - "waf-regional:List*", - "waf:Get*", - "waf:List*", - "wafv2:CheckCapacity", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "wellarchitected:ExportLens", - "wellarchitected:GetAnswer", - "wellarchitected:GetConsolidatedReport", - "wellarchitected:GetLens", - "wellarchitected:GetLensReview", - "wellarchitected:GetLensReviewReport", - "wellarchitected:GetLensVersionDifference", - "wellarchitected:GetMilestone", - "wellarchitected:GetProfile", - "wellarchitected:GetProfileTemplate", - "wellarchitected:GetReviewTemplate", - "wellarchitected:GetReviewTemplateAnswer", - "wellarchitected:GetReviewTemplateLensReview", - "wellarchitected:GetWorkload", - "wellarchitected:List*", - "workdocs:CheckAlias", - "workdocs:Describe*", - "workdocs:Get*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces-web:GetBrowserSettings", - "workspaces-web:GetIdentityProvider", - 
"workspaces-web:GetNetworkSettings", - "workspaces-web:GetPortal", - "workspaces-web:GetPortalServiceProviderMetadata", - "workspaces-web:GetTrustStore", - "workspaces-web:GetUserAccessLoggingSettings", - "workspaces-web:GetUserSettings", - "workspaces-web:ListBrowserSettings", - "workspaces-web:ListIdentityProviders", - "workspaces-web:ListNetworkSettings", - "workspaces-web:ListPortals", - "workspaces-web:ListTagsForResource", - "workspaces-web:ListTrustStores", - "workspaces-web:ListUserAccessLoggingSettings", - "workspaces-web:ListUserSettings", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Resource": "*" - } - ] - } -} \ No newline at end of file diff --git a/infrastructure/iam_roles/test_github-action-role.json b/infrastructure/iam_roles/test_github-action-role.json deleted file mode 100644 index aadf47a7..00000000 --- a/infrastructure/iam_roles/test_github-action-role.json +++ /dev/null 
@@ -1,3167 +0,0 @@
-{
- "inline": {
- "cloudfront_policies": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "cloudfront:CreateCachePolicy",
- "cloudfront:DeleteCachePolicy",
- "cloudfront:CreateOriginAccessControl",
- "cloudfront:CreateDistribution",
- "cloudfront:TagResource",
- "cloudfront:UntagResource",
- "cloudfront:DeleteDistribution",
- "lambda:EnableReplication",
- "cloudfront:UpdateDistribution",
- "cloudfront:DeleteOriginAccessControl",
- "cloudfront:CreateInvalidation",
- "cloudfront:CreateOriginRequestPolicy",
- "cloudfront:DeleteOriginRequestPolicy",
- "cloudfront:UpdateOriginRequestPolicy"
- ],
- "Resource": "*"
- }
- ],
- "cloudwatch_logs_policy": [
- {
- "Sid": "Statement1",
- "Effect": "Allow",
- "Action": [
- "logs:DescribeLogGroups",
- "logs:CreateLogGroup",
- "logs:CreateLogStream",
- "logs:PutLogEvents",
- "logs:PutRetentionPolicy",
- "logs:PutResourcePolicy",
- "logs:DeleteResourcePolicy",
- "logs:DeleteRetentionPolicy",
- "logs:TagResource",
- "logs:UntagResource",
- "logs:AssociateKmsKey",
- "logs:DisassociateKmsKey"
- ],
- "Resource": "arn:aws:logs:eu-west-2:${account}:log-group:*"
- }
- ],
- "resource_tagging": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "resource-groups:GetGroupQuery",
- "backup:TagResource",
- "sns:TagResource",
- "lambda:TagResource",
- "resource-groups:UpdateGroup",
- "iam:UntagRole",
- "iam:TagRole",
- "resource-groups:GetTags",
- "sns:UntagResource",
- "resource-groups:Untag",
- "lambda:UntagResource",
- "elasticloadbalancing:RemoveTags",
- "cognito-identity:UntagResource",
- "resource-groups:GetGroup",
- "resource-groups:GetGroupConfiguration",
- "backup:UntagResource",
- "cognito-identity:TagResource",
- "resource-groups:Tag",
- "logs:UntagResource",
- "resource-groups:UpdateGroupQuery",
- "iam:TagPolicy",
- "logs:TagResource",
- "events:TagResource",
- "resource-groups:DeleteGroup",
- "elasticloadbalancing:AddTags",
- "iam:UntagPolicy",
- "resource-groups:ListGroupResources",
- "iam:UntagInstanceProfile",
- "events:UntagResource",
- "iam:TagInstanceProfile"
- ],
- "Resource": [
- "arn:aws:events:*:${pre-prod}:event-bus/*",
- "arn:aws:events:*:${pre-prod}:rule/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/gwy/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/app/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:truststore/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/gwy/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener-rule/net/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener-rule/app/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:targetgroup/*/*",
- "arn:aws:lambda:*:${pre-prod}:event-source-mapping:*",
- "arn:aws:lambda:*:${pre-prod}:code-signing-config:*",
- "arn:aws:lambda:*:${pre-prod}:function:*",
- "arn:aws:cognito-identity:*:${pre-prod}:identitypool/*",
- "arn:aws:resource-groups:*:${pre-prod}:group/*",
- "arn:aws:backup:*:${pre-prod}:backup-plan:*",
- "arn:aws:backup:*:${pre-prod}:report-plan:*-*",
- "arn:aws:backup:*:${pre-prod}:restore-testing-plan:*-*",
- "arn:aws:backup:*:${pre-prod}:backup-vault:*",
- "arn:aws:backup:*:${pre-prod}:legal-hold:*",
- "arn:aws:backup:*:${pre-prod}:framework:*-*",
- "arn:aws:iam::${pre-prod}:policy/*",
- "arn:aws:iam::${pre-prod}:instance-profile/*",
- "arn:aws:iam::${pre-prod}:role/*",
- "arn:aws:sns:*:${pre-prod}:*",
- "arn:aws:logs:*:${pre-prod}:log-group:*",
- "arn:aws:logs:*:${pre-prod}:delivery-source:*",
- "arn:aws:logs:*:${pre-prod}:delivery:*",
- "arn:aws:logs:*:${pre-prod}:destination:*",
- "arn:aws:logs:*:${pre-prod}:delivery-destination:*",
- "arn:aws:logs:*:${pre-prod}:anomaly-detector:*",
- "*"
- ]
- },
- {
- "Sid": "VisualEditor1",
- "Effect": "Allow",
- "Action": [
- "events:TagResource",
- "elasticloadbalancing:RemoveTags",
- "elasticloadbalancing:AddTags",
- "events:UntagResource"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/app/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:truststore/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/gwy/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/gwy/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener-rule/app/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener-rule/net/*/*/*/*",
- "arn:aws:events:*:${pre-prod}:rule/*"
- ]
- },
- {
- "Sid": "VisualEditor2",
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:RemoveTags",
- "elasticloadbalancing:AddTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:${pre-prod}:truststore/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/gwy/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener-rule/net/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:listener-rule/app/*/*/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/gwy/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:${pre-prod}:loadbalancer/app/*/*"
- ]
- },
- {
- "Sid": "VisualEditor3",
- "Effect": "Allow",
- "Action": [
- "resource-groups:SearchResources",
- "resource-groups:CreateGroup",
- "resource-groups:ListGroups"
- ],
- "Resource": "*"
- }
- ],
- "rum_policy": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "cognito-identity:SetIdentityPoolRoles",
- "cognito-identity:CreateIdentityPool",
- "cognito-identity:DeleteIdentityPool",
- "cognito-identity:UpdateIdentityPool"
- ],
- "Resource": "arn:aws:cognito-identity:eu-west-2:${account}:identitypool/*"
- },
- {
- "Sid": "VisualEditor1",
- "Effect": "Allow",
- "Action": [
- "rum:TagResource",
- "rum:UntagResource",
- "rum:ListTagsForResource",
- "iam:PassRole",
- "rum:UpdateAppMonitor",
- "rum:GetAppMonitor",
- "rum:CreateAppMonitor",
- "rum:DeleteAppMonitor"
- ],
- "Resource": "arn:aws:rum:eu-west-2:${account}:appmonitor/*"
- },
- {
- "Sid": "VisualEditor2",
- "Effect": "Allow",
- "Action": [
- "logs:DeleteLogGroup",
- "logs:DeleteResourcePolicy",
- "logs:DescribeLogGroups"
- ],
- "Resource": "arn:aws:logs:eu-west-2:${account}:log-group:*RUMService*"
- },
- {
- "Sid": "VisualEditor3",
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogDelivery",
- "logs:GetLogDelivery",
- "logs:UpdateLogDelivery",
- "logs:DeleteLogDelivery",
- "logs:ListLogDeliveries",
- "logs:DescribeResourcePolicies"
- ],
- "Resource": "*"
- }
- ],
- "scheduler-policy": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "scheduler:TagResource",
- "scheduler:CreateSchedule",
- "scheduler:UntagResource",
- "scheduler:DeleteSchedule",
- "scheduler:UpdateSchedule"
- ],
- "Resource": "*"
- }
- ],
- "virus-scan-cognito": [
- {
- "Sid": "VisualEditor0",
- "Effect": "Allow",
- "Action": [
- "cognito-idp:TagResource",
- "cognito-idp:DeleteUserPool",
- "cognito-idp:AdminCreateUser",
- "cognito-idp:CreateUserPoolClient",
- "cognito-idp:CreateGroup",
- "cognito-idp:CreateUserPool",
- "cognito-idp:SetUserPoolMfaConfig",
- "cognito-idp:AdminAddUserToGroup",
- "cloudformation:CreateResource",
- "cloudformation:DeleteResource",
- "cognito-idp:DeleteGroup",
- "appconfig:DeleteEnvironment",
- "appconfig:DeleteConfigurationProfile",
- "iam:RemoveRoleFromInstanceProfile",
- "cognito-idp:DeleteUserPoolClient",
- "cognito-idp:AdminRemoveUserFromGroup",
- "cognito-idp:AdminDeleteUser"
- ],
- "Resource": "*"
- }
- ]
- },
- "attached": {
- "github-action-policy-2": [
- {
- "Sid": "Statement1",
- "Effect": "Allow",
- "Action": [
- "acm:RequestCertificate",
- "acm:AddTagsToCertificate",
- "ecs:PutClusterCapacityProviders",
- "backup:ListRecoveryPointsByBackupVault",
- "appconfig:TagResource",
- "appconfig:CreateConfigurationProfile",
- "appconfig:CreateExtensionAssociation",
- "appconfig:DeleteConfigurationProfile",
- "appconfig:CreateDeploymentStrategy",
- "appconfig:CreateApplication",
- "appconfig:GetDeploymentStrategy",
- "appconfig:GetHostedConfigurationVersion",
- "appconfig:ListExtensionAssociations",
- "appconfig:ListDeploymentStrategies",
- "appconfig:CreateHostedConfigurationVersion",
- "appconfig:DeleteEnvironment",
- "appconfig:UntagResource",
- "appconfig:ListHostedConfigurationVersions",
- "appconfig:ListEnvironments",
- "appconfig:UpdateDeploymentStrategy",
- "appconfig:GetExtensionAssociation",
- "appconfig:GetExtension",
- "appconfig:ListDeployments",
- "appconfig:GetDeployment",
- "appconfig:ListExtensions",
- "appconfig:DeleteHostedConfigurationVersion",
- "appconfig:StopDeployment",
- "appconfig:CreateEnvironment",
- "appconfig:UpdateEnvironment",
- "appconfig:GetEnvironment",
- "appconfig:ListConfigurationProfiles",
- "appconfig:DeleteDeploymentStrategy",
- "appconfig:ListApplications",
- "appconfig:UpdateApplication",
- "appconfig:CreateExtension",
- "appconfig:GetConfiguration",
- "appconfig:GetApplication",
- "appconfig:UpdateConfigurationProfile",
- "appconfig:GetConfigurationProfile",
- "dynamodb:DescribeTable",
- "dynamodb:GetItem",
- "dynamodb:PutItem",
- "dynamodb:DeleteItem",
- "dynamodb:UpdateTimeToLive",
- "s3:GetObject",
- "s3:PutObject",
- "s3:DeleteObject",
- "lambda:GetLayerVersion",
- "lambda:PublishLayerVersion",
- "lambda:DeleteLayerVersion",
- "lambda:ListLayerVersions",
- "lambda:ListLayers",
- "lambda:AddLayerVersionPermission",
- "lambda:GetLayerVersionPolicy",
- "lambda:RemoveLayerVersionPermission",
- "lambda:DeleteFunctionConcurrency",
- "lambda:PublishVersion",
- "iam:CreateServiceLinkedRole",
- "iam:UpdateAssumeRolePolicy",
- "elasticloadbalancing:ModifyListenerAttributes",
- "apigateway:SetWebACL",
- "backup:ListRecoveryPointsByBackupVault",
- "iam:UpdateAssumeRolePolicy",
- "iam:TagRole",
- "iam:CreateInstanceProfile",
- "iam:AddRoleToInstanceProfile",
- "iam:DeleteInstanceProfile",
- "iam:TagPolicy",
- "ssm:CreateDocument",
- "ssm:DeleteDocument",
- "sns:TagResource",
- "ec2:DeleteNetworkInterface",
- "resource-groups:DeleteGroup",
- "events:TagResource",
- "kms:Encrypt",
- "kms:CreateGrant"
- ],
- "Resource": [
- "*"
- ]
- }
- ],
- "github-action-policy": [
- {
- "Sid": "Statement1",
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteVpcEndpoints",
- "ec2:AttachInternetGateway",
- "iam:PutRolePolicy",
- "ecr:DeleteRepository",
- "ec2:CreateRoute",
- "cloudwatch:ListTagsForResource",
- "ecr:TagResource",
- "dynamodb:DescribeContinuousBackups",
- "events:RemoveTargets",
- "lambda:DeleteFunction",
- "iam:ListRolePolicies",
- "ecs:TagResource",
- "ecr:GetLifecyclePolicy",
- "iam:GetRole",
- "elasticloadbalancing:CreateTargetGroup",
- "ecr:GetAuthorizationToken",
- "application-autoscaling:DeleteScalingPolicy",
- "kms:RetireGrant",
- "elasticloadbalancing:AddTags",
- "ec2:DeleteNatGateway",
- "apigateway:POST",
- "lambda:DeleteEventSourceMapping",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "ec2:ModifyVpcEndpoint",
- "logs:ListTagsLogGroup",
- "kms:PutKeyPolicy",
- "events:PutRule",
- "ec2:CreateVpc",
- "dynamodb:ListTagsOfResource",
- "iam:PassRole",
- "sqs:createqueue",
- "iam:DeleteRolePolicy",
- "application-autoscaling:TagResource",
- "elasticloadbalancing:CreateLoadBalancer",
- "lambda:UpdateEventSourceMapping",
- "apigateway:PUT",
- "route53:ListTagsForResource",
- "ec2:DescribeSecurityGroups",
- "iam:CreatePolicy",
- "sqs:TagQueue",
- "kms:CreateAlias",
- "elasticloadbalancing:DescribeTargetGroups",
- "route53:AssociateVPCWithHostedZone",
- "elasticloadbalancing:DeleteListener",
- "iam:GetPolicyVersion",
- "wafv2:AssociateWebACL",
- "ec2:DeleteSubnet",
- "elasticloadbalancing:SetWebACL",
- "elasticloadbalancing:DescribeLoadBalancers",
- "ecs:UpdateService",
- "ssm:DeleteParameter",
- "kms:GetKeyRotationStatus",
- "dynamodb:DescribeTable",
- "ssm:AddTagsToResource",
- "ecs:RegisterTaskDefinition",
- "route53:ListResourceRecordSets",
- "ecr:CreateRepository",
- "ecs:DeleteService",
- "application-autoscaling:UntagResource",
- "ec2:DescribePrefixLists",
- "backup:CreateBackupVault",
- "backup:UpdateBackupPlan",
- "sqs:DeleteQueue",
- "ec2:DeleteVpc",
- "kms:DeleteAlias",
- "sns:DeleteTopic",
- "wafv2:DeleteWebACL",
- "dynamodb:DeleteItem",
- "iam:DeletePolicy",
- "sns:SetTopicAttributes",
- "lambda:PutFunctionConcurrency",
- "dynamodb:UpdateContinuousBackups",
- "elasticloadbalancing:CreateListener",
- "ecs:CreateService",
- "kms:ScheduleKeyDeletion",
- "ecs:DescribeServices",
- "ecr:DescribeRepositories",
- "iam:CreatePolicyVersion",
- "ecs:UntagResource",
- "sqs:ListQueues",
- "wafv2:UpdateWebACL",
- "dynamodb:DescribeTimeToLive",
- "kms:UpdateAlias",
- "backup:GetBackupSelection",
- "events:PutTargets",
- "kms:ListKeys",
- "lambda:AddPermission",
- "ec2:DeleteSecurityGroup",
- "ecr:SetRepositoryPolicy",
- "application-autoscaling:DeregisterScalableTarget",
- "backup:DeleteBackupPlan",
- "sqs:DeleteMessage",
- "cloudwatch:DeleteAlarms",
- "secretsmanager:DeleteSecret",
- "wafv2:CreateRegexPatternSet",
- "wafv2:CreateWebACL",
- "dynamodb:DeleteTable",
- "ecs:DescribeTaskDefinition",
- "ec2:DeleteRouteTable",
- "ec2:CreateInternetGateway",
- "ec2:RevokeSecurityGroupEgress",
- "sns:Subscribe",
- "ec2:DeleteInternetGateway",
- "wafv2:TagResource",
- "dynamodb:UpdateTimeToLive",
- "iam:GetPolicy",
- "ec2:CreateTags",
- "sns:CreateTopic",
- "ecs:DeleteCluster",
- "iam:UpdateRoleDescription",
- "iam:DeleteRole",
- "ec2:DisassociateRouteTable",
- "backup:GetBackupPlan",
- "wafv2:DeleteRegexPatternSet",
- "ec2:RevokeSecurityGroupIngress",
- "dynamodb:CreateTable",
- "ec2:CreateDefaultVpc",
- "ec2:CreateSubnet",
- "ec2:DescribeSubnets",
- "iam:GetRolePolicy",
- "sqs:setqueueattributes",
- "kms:UntagResource",
- "ec2:CreateNatGateway",
- "kms:ListResourceTags",
- "ecr:ListTagsForResource",
- "ecs:DeregisterTaskDefinition",
- "apigateway:DELETE",
- "backup:CreateBackupSelection",
- "ec2:DescribeAvailabilityZones",
- "kms:CreateKey",
- "kms:EnableKeyRotation",
- "ecr:PutLifecyclePolicy",
- "s3:*",
- "backup:DeleteBackupVault",
- "kms:GetKeyPolicy",
- "route53:ListHostedZones",
- "elasticloadbalancing:DeleteTargetGroup",
- "events:DeleteRule",
- "backup:DescribeBackupVault",
- "ec2:DescribeVpcs",
- "kms:ListAliases",
- "backup:CreateBackupPlan",
- "lambda:RemovePermission",
- "backup:ListTags",
- "route53:GetHostedZone",
- "iam:CreateRole",
- "sns:Unsubscribe",
- "iam:AttachRolePolicy",
- "ec2:AssociateRouteTable",
- "elasticloadbalancing:DeleteLoadBalancer",
- "ec2:DescribeInternetGateways",
- "iam:DetachRolePolicy",
- "backup:DeleteBackupSelection",
- "cloudwatch:UntagResource",
- "iam:ListAttachedRolePolicies",
- "dynamodb:GetItem",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "ec2:DescribeRouteTables",
- "application-autoscaling:RegisterScalableTarget",
- "dynamodb:PutItem",
- "ecs:CreateCluster",
- "ec2:CreateRouteTable",
- "route53:ChangeResourceRecordSets",
- "ec2:DetachInternetGateway",
- "logs:CreateLogGroup",
- "ecr:DeleteLifecyclePolicy",
- "backup-storage:MountCapsule",
- "ecs:DescribeClusters",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "ssm:PutParameter",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "ec2:DescribeSecurityGroupRules",
- "application-autoscaling:PutScalingPolicy",
- "ec2:DescribeVpcEndpoints",
- "route53:GetChange",
- "lambda:CreateEventSourceMapping",
- "kms:TagResource",
- "elasticloadbalancing:DescribeListeners",
- "dynamodb:TagResource",
- "ec2:CreateSecurityGroup",
- "apigateway:PATCH",
- "application-autoscaling:ListTagsForResource",
- "kms:DescribeKey",
- "ec2:ModifyVpcAttribute",
- "ecr:DeleteRepositoryPolicy",
- "ec2:AuthorizeSecurityGroupEgress",
- "logs:DescribeLogGroups",
- "kms:UpdateKeyDescription",
- "logs:DeleteLogGroup",
- "elasticloadbalancing:DescribeTags",
- "ec2:DeleteRoute",
- "backup:DeleteRecoveryPoint",
- "cloudwatch:PutMetricAlarm",
- "cloudwatch:TagResource",
- "ec2:CreateVpcEndpoint",
- "elasticloadbalancing:SetSecurityGroups",
- "iam:DeletePolicyVersion",
- "lambda:GetPolicy",
- "ecr:GetRepositoryPolicy",
- "ec2:AllocateAddress",
- "ec2:ReleaseAddress",
- "ec2:DisassociateAddress",
- "logs:PutMetricFilter",
- "logs:DeleteMetricFilter",
- "ses:VerifyDomainIdentity",
- "ses:VerifyDomainDkim",
- "ses:DeleteIdentity",
- "ses:SetIdentityMailFromDomain",
- "dynamodb:UpdateTable",
- "elasticloadbalancing:ModifyListener",
- "lambda:GetLayerVersion",
- "iam:CreatePolicyVersion",
- "ecr:GetDownloadUrlForLayer",
- "ecr:BatchGetImage",
- "ecr:CompleteLayerUpload",
- "ecr:UploadLayerPart",
- "ecr:InitiateLayerUpload",
- "ecr:BatchCheckLayerAvailability",
- "s3:PutObject",
- "iam:ListRoles",
- "lambda:UpdateFunctionCode",
- "lambda:CreateFunction",
- "lambda:GetFunction",
- "lambda:UpdateFunctionConfiguration",
- "lambda:GetFunctionConfiguration",
- "appconfig:ListTagsForResource",
- "appconfig:StartDeployment",
- "appconfig:DeleteApplication",
- "appconfig:GetLatestConfiguration",
- "ecr:PutImage"
- ],
- "Resource": [
- "*"
- ]
- }
- ],
- "ReadOnlyAccess": [
- {
- "Sid": "ReadOnlyActionsGroup1",
- "Effect": "Allow",
- "Action": [
- "a4b:Get*",
- "a4b:List*",
- "a4b:Search*",
- "access-analyzer:GetAccessPreview",
- "access-analyzer:GetAnalyzedResource",
- "access-analyzer:GetAnalyzer",
- "access-analyzer:GetArchiveRule",
- "access-analyzer:GetFinding",
- "access-analyzer:GetFindingsStatistics",
- "access-analyzer:GetGeneratedPolicy",
- "access-analyzer:ListAccessPreviewFindings",
- "access-analyzer:ListAccessPreviews",
- "access-analyzer:ListAnalyzedResources",
- "access-analyzer:ListAnalyzers",
- "access-analyzer:ListArchiveRules",
- "access-analyzer:ListFindings",
- "access-analyzer:ListPolicyGenerations",
- "access-analyzer:ListTagsForResource",
- "access-analyzer:ValidatePolicy",
- "account:GetAccountInformation",
- "account:GetAlternateContact",
- "account:GetContactInformation",
- "account:GetPrimaryEmail",
- "account:GetRegionOptStatus",
- "account:ListRegions",
- "acm-pca:Describe*",
- "acm-pca:Get*",
- "acm-pca:List*",
- "acm:Describe*",
- "acm:Get*",
- "acm:List*",
- "action-recommendations:ListRecommendedActions",
- "aiops:GetEphemeralInvestigationResults",
- "aiops:GetInvestigation",
- "aiops:GetInvestigationEvent",
- "aiops:GetInvestigationGroup",
- "aiops:GetInvestigationResource",
- "aiops:ListInvestigationEvents",
- "aiops:ListInvestigationGroups",
- "aiops:ListInvestigations",
- "aiops:ValidateInvestigationGroup",
- "airflow:ListEnvironments",
- "airflow:ListTagsForResource",
- "amplify:GetApp",
- "amplify:GetBackendEnvironment",
- "amplify:GetBranch",
- "amplify:GetDomainAssociation",
- "amplify:GetJob",
- "amplify:GetWebhook",
- "amplify:ListApps",
- "amplify:ListArtifacts",
- "amplify:ListBackendEnvironments",
- "amplify:ListBranches",
- "amplify:ListDomainAssociations",
- "amplify:ListJobs",
- "amplify:ListTagsForResource",
- "amplify:ListWebhooks",
- "aoss:BatchGetCollection",
- "aoss:BatchGetLifecyclePolicy",
- "aoss:BatchGetVpcEndpoint",
- "aoss:GetAccessPolicy",
- "aoss:GetAccountSettings",
- "aoss:GetPoliciesStats",
- "aoss:GetSecurityConfig",
- "aoss:GetSecurityPolicy",
- "aoss:ListAccessPolicies",
- "aoss:ListCollections",
- "aoss:ListLifecyclePolicies",
- "aoss:ListSecurityConfigs",
- "aoss:ListSecurityPolicies",
- "aoss:ListTagsForResource",
- "aoss:ListVpcEndpoints",
- "apigateway:GET",
- "appconfig:GetApplication",
- "appconfig:GetConfiguration",
- "appconfig:GetConfigurationProfile",
- "appconfig:GetDeployment",
- "appconfig:GetDeploymentStrategy",
- "appconfig:GetEnvironment",
- "appconfig:GetExtension",
- "appconfig:GetHostedConfigurationVersion",
- "appconfig:ListApplications",
- "appconfig:ListConfigurationProfiles",
- "appconfig:ListDeploymentStrategies",
- "appconfig:ListDeployments",
- "appconfig:ListEnvironments",
- "appconfig:ListExtensions",
- "appconfig:ListHostedConfigurationVersions",
- "appconfig:ListTagsForResource",
- "appfabric:GetAppAuthorization",
- "appfabric:GetAppBundle",
- "appfabric:GetIngestion",
- "appfabric:GetIngestionDestination",
- "appfabric:ListAppAuthorizations",
- "appfabric:ListAppBundles",
- "appfabric:ListIngestionDestinations",
- "appfabric:ListIngestions",
- "appfabric:ListTagsForResource",
- "appflow:DescribeConnector",
- "appflow:DescribeConnectorEntity",
- "appflow:DescribeConnectorFields",
- "appflow:DescribeConnectorProfiles",
- "appflow:DescribeConnectors",
- "appflow:DescribeFlow",
- "appflow:DescribeFlowExecution",
- "appflow:DescribeFlowExecutionRecords",
- "appflow:DescribeFlows",
- "appflow:ListConnectorEntities",
- "appflow:ListConnectorFields",
- "appflow:ListConnectors",
- "appflow:ListFlows",
- "appflow:ListTagsForResource",
- "application-autoscaling:Describe*",
- "application-autoscaling:GetPredictiveScalingForecast",
- "application-autoscaling:ListTagsForResource",
- "application-signals:BatchGetServiceLevelObjectiveBudgetReport",
- "application-signals:GetService",
- "application-signals:GetServiceLevelObjective",
- "application-signals:ListObservedEntities",
- "application-signals:ListServiceDependencies",
- "application-signals:ListServiceDependents",
- "application-signals:ListServiceLevelObjectives",
- "application-signals:ListServiceOperations",
- "application-signals:ListServices",
- "application-signals:ListTagsForResource",
- "applicationinsights:Describe*",
- "applicationinsights:List*",
- "appmesh:Describe*",
- "appmesh:List*",
- "apprunner:DescribeAutoScalingConfiguration",
- "apprunner:DescribeCustomDomains",
- "apprunner:DescribeObservabilityConfiguration",
- "apprunner:DescribeService",
- "apprunner:DescribeVpcConnector",
- "apprunner:DescribeVpcIngressConnection",
- "apprunner:DescribeWebAclForService",
- "apprunner:ListAssociatedServicesForWebAcl",
- "apprunner:ListAutoScalingConfigurations",
- "apprunner:ListConnections",
- "apprunner:ListObservabilityConfigurations",
- "apprunner:ListOperations",
- "apprunner:ListServices",
- "apprunner:ListServicesForAutoScalingConfiguration",
- "apprunner:ListTagsForResource",
- "apprunner:ListVpcConnectors",
- "apprunner:ListVpcIngressConnections",
- "appstream:Describe*",
- "appstream:List*",
- "appstudio:GetAccountStatus",
- "appstudio:GetEnablementJobStatus",
- "appsync:Get*",
- "appsync:List*",
- "apptest:GetTestCase",
- "apptest:GetTestConfiguration",
- "apptest:GetTestRunStep",
- "apptest:GetTestSuite",
- "apptest:ListTagsForResource",
- "apptest:ListTestCases",
- "apptest:ListTestConfigurations",
- "apptest:ListTestRunSteps",
- "apptest:ListTestRunTestCases",
- "apptest:ListTestRuns",
- "apptest:ListTestSuites",
- "aps:DescribeAlertManagerDefinition",
- "aps:DescribeLoggingConfiguration",
- "aps:DescribeRuleGroupsNamespace",
- "aps:DescribeScraper",
- "aps:DescribeWorkspace",
- "aps:GetAlertManagerSilence",
- "aps:GetAlertManagerStatus",
- "aps:GetDefaultScraperConfiguration",
- "aps:GetLabels",
- "aps:GetMetricMetadata",
- "aps:GetSeries",
- "aps:ListAlertManagerAlertGroups",
- "aps:ListAlertManagerAlerts",
- "aps:ListAlertManagerReceivers",
- "aps:ListAlertManagerSilences",
- "aps:ListAlerts",
- "aps:ListRuleGroupsNamespaces",
- "aps:ListRules",
- "aps:ListScrapers",
- "aps:ListTagsForResource",
- "aps:ListWorkspaces",
- "aps:QueryMetrics",
- "arc-region-switch:GetPlan",
- "arc-region-switch:GetPlanEvaluationStatus",
- "arc-region-switch:GetPlanExecution",
- "arc-region-switch:GetPlanInRegion",
- "arc-region-switch:ListPlanExecutionEvents",
- "arc-region-switch:ListPlanExecutions",
- "arc-region-switch:ListPlans",
- "arc-region-switch:ListPlansInRegion",
- "arc-region-switch:ListRoute53HealthChecks",
- "arc-region-switch:ListTagsForResource",
- "arc-zonal-shift:GetAutoshiftObserverNotificationStatus",
- "arc-zonal-shift:GetManagedResource",
- "arc-zonal-shift:ListAutoshifts",
- "arc-zonal-shift:ListManagedResources",
- "arc-zonal-shift:ListZonalShifts",
- "artifact:GetCustomerAgreement",
- "artifact:GetReport",
- "artifact:GetReportMetadata",
- "artifact:GetTermForReport",
- "artifact:ListAgreements",
- "artifact:ListCustomerAgreements",
- "artifact:ListReports",
- "athena:Batch*",
- "athena:Get*",
- "athena:List*",
- "auditmanager:GetAccountStatus",
- "auditmanager:GetAssessment",
- "auditmanager:GetAssessmentFramework",
- "auditmanager:GetAssessmentReportUrl",
- "auditmanager:GetChangeLogs",
- "auditmanager:GetControl",
- "auditmanager:GetDelegations",
- "auditmanager:GetEvidence",
- "auditmanager:GetEvidenceByEvidenceFolder",
- "auditmanager:GetEvidenceFolder",
- "auditmanager:GetEvidenceFoldersByAssessment",
- "auditmanager:GetEvidenceFoldersByAssessmentControl",
- "auditmanager:GetOrganizationAdminAccount",
- "auditmanager:GetServicesInScope",
- "auditmanager:GetSettings",
- "auditmanager:ListAssessmentFrameworks",
- "auditmanager:ListAssessmentReports",
- "auditmanager:ListAssessments",
- "auditmanager:ListControls",
- "auditmanager:ListKeywordsForDataSource",
- "auditmanager:ListNotifications",
- "auditmanager:ListTagsForResource",
- "auditmanager:ValidateAssessmentReportIntegrity",
- "autoscaling-plans:Describe*",
- "autoscaling-plans:GetScalingPlanResourceForecastData",
- "autoscaling:Describe*",
- "autoscaling:GetPredictiveScalingForecast",
- "aws-portal:View*",
- "backup-gateway:GetBandwidthRateLimitSchedule",
- "backup-gateway:GetGateway",
- "backup-gateway:GetHypervisor",
- "backup-gateway:GetHypervisorPropertyMappings",
- "backup-gateway:GetVirtualMachine",
- "backup-gateway:ListGateways",
- "backup-gateway:ListHypervisors",
- "backup-gateway:ListTagsForResource",
- "backup-gateway:ListVirtualMachines",
- "backup:Describe*",
- "backup:Get*",
- "backup:List*",
- "batch:Describe*",
- "batch:List*",
- "bedrock-agentcore:GetAgentRuntime",
- "bedrock-agentcore:GetAgentRuntimeEndpoint",
- "bedrock-agentcore:GetApiKeyCredentialProvider",
- "bedrock-agentcore:GetBrowser",
- "bedrock-agentcore:GetBrowserSession",
- "bedrock-agentcore:GetCodeInterpreter",
- "bedrock-agentcore:GetCodeInterpreterSession",
- "bedrock-agentcore:GetEvent",
- "bedrock-agentcore:GetGateway",
- "bedrock-agentcore:GetGatewayTarget",
- "bedrock-agentcore:GetMemory",
- "bedrock-agentcore:GetMemoryRecord",
- "bedrock-agentcore:GetOauth2CredentialProvider",
- "bedrock-agentcore:GetTokenVault",
- "bedrock-agentcore:GetWorkloadIdentity",
- "bedrock-agentcore:ListAgentRuntimeEndpoints",
- "bedrock-agentcore:ListAgentRuntimes",
- "bedrock-agentcore:ListAgentRuntimeVersions",
- "bedrock-agentcore:ListApiKeyCredentialProviders",
- "bedrock-agentcore:ListBrowsers",
- "bedrock-agentcore:ListBrowserSessions",
- "bedrock-agentcore:ListCodeInterpreters",
- "bedrock-agentcore:ListCodeInterpreterSessions",
- "bedrock-agentcore:ListEvents",
- "bedrock-agentcore:ListGateways",
- "bedrock-agentcore:ListGatewayTargets",
- "bedrock-agentcore:ListMemories",
- "bedrock-agentcore:ListMemoryRecords",
- "bedrock-agentcore:ListOauth2CredentialProviders",
- "bedrock-agentcore:ListWorkloadIdentities",
- "bedrock-agentcore:RetrieveMemoryRecords",
- "bedrock:GetAgent",
- "bedrock:GetAgentActionGroup",
- "bedrock:GetAgentAlias",
- "bedrock:GetAgentCollaborator",
- "bedrock:GetAgentKnowledgeBase",
- "bedrock:GetAgentVersion",
- "bedrock:GetCustomModel",
- "bedrock:GetDataSource",
- "bedrock:GetEvaluationJob",
- "bedrock:GetFlow",
- "bedrock:GetFlowAlias",
- "bedrock:GetFlowVersion",
- "bedrock:GetFoundationModel",
- "bedrock:GetFoundationModelAvailability",
- "bedrock:GetGuardrail",
- "bedrock:GetInferenceProfile",
- "bedrock:GetIngestionJob",
- "bedrock:GetKnowledgeBase",
- "bedrock:GetModelCustomizationJob",
- "bedrock:GetModelInvocationJob",
- "bedrock:GetModelInvocationLoggingConfiguration",
- "bedrock:GetPrompt",
- "bedrock:GetProvisionedModelThroughput",
- "bedrock:GetUseCaseForModelAccess",
- "bedrock:ListAgentActionGroups",
- "bedrock:ListAgentAliases",
- "bedrock:ListAgentCollaborators",
- "bedrock:ListAgentKnowledgeBases",
- "bedrock:ListAgentVersions",
- "bedrock:ListAgents",
- "bedrock:ListCustomModels",
- "bedrock:ListDataSources",
- "bedrock:ListEvaluationJobs",
- "bedrock:ListFlowAliases",
- "bedrock:ListFlowVersions",
- "bedrock:ListFlows",
- "bedrock:ListFoundationModelAgreementOffers",
- "bedrock:ListFoundationModels",
- "bedrock:ListGuardrails",
- "bedrock:ListInferenceProfiles",
- "bedrock:ListIngestionJobs",
- "bedrock:ListKnowledgeBases",
- "bedrock:ListModelCustomizationJobs",
- "bedrock:ListModelInvocationJobs",
- "bedrock:ListPrompts",
- "bedrock:ListProvisionedModelThroughputs",
- "billing:GetBillingData",
- "billing:GetBillingDetails",
- "billing:GetBillingNotifications",
- "billing:GetBillingPreferences",
- "billing:GetBillingView",
- "billing:GetContractInformation",
- "billing:GetCredits",
- "billing:GetIAMAccessPreference",
- "billing:GetResourcePolicy",
- "billing:GetSellerOfRecord",
- "billing:ListBillingViews",
- "billing:ListSourceViewsForBillingView",
- "billing:ListTagsForResource",
- "billingconductor:GetBillingGroupCostReport",
- "billingconductor:ListAccountAssociations",
- "billingconductor:ListBillingGroupCostReports",
- "billingconductor:ListBillingGroups",
- "billingconductor:ListCustomLineItemVersions",
- "billingconductor:ListCustomLineItems",
- "billingconductor:ListPricingPlans",
- "billingconductor:ListPricingPlansAssociatedWithPricingRule",
- "billingconductor:ListPricingRules",
- "billingconductor:ListPricingRulesAssociatedToPricingPlan",
- "billingconductor:ListResourcesAssociatedToCustomLineItem",
- "billingconductor:ListTagsForResource",
- "braket:GetDevice",
- "braket:GetJob",
- "braket:GetQuantumTask",
- "braket:SearchDevices",
- "braket:SearchJobs",
- "braket:SearchQuantumTasks",
- "budgets:Describe*",
- "budgets:ListTagsForResource",
- "budgets:View*",
- "cassandra:Select",
- "ce:DescribeCostCategoryDefinition",
- "ce:DescribeNotificationSubscription",
- "ce:DescribeReport",
- "ce:GetAnomalies",
- "ce:GetAnomalyMonitors",
- "ce:GetAnomalySubscriptions",
- "ce:GetApproximateUsageRecords",
- "ce:GetCommitmentPurchaseAnalysis",
- "ce:GetCostAndUsage",
- "ce:GetCostAndUsageComparisons",
- "ce:GetCostAndUsageWithResources",
- "ce:GetCostCategories",
- "ce:GetCostComparisonDrivers",
- "ce:GetCostForecast",
- "ce:GetDimensionValues",
- "ce:GetPreferences",
- "ce:GetReservationCoverage",
- "ce:GetReservationPurchaseRecommendation",
- "ce:GetReservationUtilization",
- "ce:GetRightsizingRecommendation",
- "ce:GetSavingsPlanPurchaseRecommendationDetails",
- "ce:GetSavingsPlansCoverage",
- "ce:GetSavingsPlansPurchaseRecommendation",
- "ce:GetSavingsPlansUtilization",
- "ce:GetSavingsPlansUtilizationDetails",
- "ce:GetTags",
- "ce:GetUsageForecast",
- "ce:ListCommitmentPurchaseAnalyses",
- "ce:ListCostAllocationTagBackfillHistory",
- "ce:ListCostAllocationTags",
- "ce:ListCostCategoryDefinitions",
- "ce:ListSavingsPlansPurchaseRecommendationGeneration",
- "ce:ListTagsForResource",
- "chatbot:Describe*",
- "chatbot:Get*",
- "chatbot:List*",
- "chime:Get*",
- "chime:List*",
- "chime:Retrieve*",
- "chime:Search*",
- "chime:Validate*",
- "cleanrooms-ml:GetAudienceGenerationJob",
- "cleanrooms-ml:GetAudienceModel",
- "cleanrooms-ml:GetConfiguredAudienceModel",
- "cleanrooms-ml:GetConfiguredAudienceModelPolicy",
- "cleanrooms-ml:GetTrainingDataset",
- "cleanrooms-ml:ListAudienceExportJobs",
- "cleanrooms-ml:ListAudienceGenerationJobs",
- "cleanrooms-ml:ListAudienceModels",
- "cleanrooms-ml:ListConfiguredAudienceModels",
- "cleanrooms-ml:ListTagsForResource",
- "cleanrooms-ml:ListTrainingDatasets",
- "cleanrooms:BatchGetCollaborationAnalysisTemplate",
- "cleanrooms:BatchGetSchema",
- "cleanrooms:BatchGetSchemaAnalysisRule",
- "cleanrooms:GetAnalysisTemplate",
- "cleanrooms:GetCollaboration",
- "cleanrooms:GetCollaborationAnalysisTemplate",
- "cleanrooms:GetCollaborationConfiguredAudienceModelAssociation",
- "cleanrooms:GetCollaborationIdNamespaceAssociation",
- "cleanrooms:GetCollaborationPrivacyBudgetTemplate",
- "cleanrooms:GetConfiguredAudienceModelAssociation",
- "cleanrooms:GetConfiguredTable",
- "cleanrooms:GetConfiguredTableAnalysisRule",
- "cleanrooms:GetConfiguredTableAssociation",
- "cleanrooms:GetConfiguredTableAssociationAnalysisRule",
- "cleanrooms:GetIdMappingTable",
- "cleanrooms:GetIdNamespaceAssociation",
- "cleanrooms:GetMembership",
- "cleanrooms:GetPrivacyBudgetTemplate",
- "cleanrooms:GetProtectedQuery",
- "cleanrooms:GetSchema",
- "cleanrooms:GetSchemaAnalysisRule",
- "cleanrooms:ListAnalysisTemplates",
- "cleanrooms:ListCollaborationAnalysisTemplates",
- "cleanrooms:ListCollaborationConfiguredAudienceModelAssociations",
- "cleanrooms:ListCollaborationIdNamespaceAssociations",
- "cleanrooms:ListCollaborationPrivacyBudgetTemplates",
- "cleanrooms:ListCollaborationPrivacyBudgets",
- "cleanrooms:ListCollaborations",
- "cleanrooms:ListConfiguredAudienceModelAssociations",
- "cleanrooms:ListConfiguredTableAssociations",
- "cleanrooms:ListConfiguredTables",
- "cleanrooms:ListIdMappingTables",
- "cleanrooms:ListIdNamespaceAssociations",
- "cleanrooms:ListMembers",
- "cleanrooms:ListMemberships",
- "cleanrooms:ListPrivacyBudgetTemplates",
- "cleanrooms:ListPrivacyBudgets",
- "cleanrooms:ListProtectedQueries",
- "cleanrooms:ListSchemas",
- "cleanrooms:ListTagsForResource",
- "cleanrooms:PreviewPrivacyImpact",
- "cloud9:Describe*",
- "cloud9:List*",
- "clouddirectory:BatchRead",
- "clouddirectory:Get*",
- "clouddirectory:List*",
- "clouddirectory:LookupPolicy",
- "cloudformation:Describe*",
- "cloudformation:Detect*",
- "cloudformation:Estimate*",
- "cloudformation:Get*",
- "cloudformation:List*",
- "cloudformation:ValidateTemplate",
- "cloudfront-keyvaluestore:Describe*",
- "cloudfront-keyvaluestore:Get*",
- "cloudfront-keyvaluestore:List*",
- "cloudfront:Describe*",
- "cloudfront:Get*",
- "cloudfront:List*",
- "cloudhsm:Describe*",
- "cloudhsm:GetResourcePolicy",
- "cloudhsm:List*",
- "cloudsearch:Describe*",
- "cloudsearch:List*",
- "cloudtrail:Describe*",
- "cloudtrail:Get*",
- "cloudtrail:List*",
- "cloudtrail:LookupEvents",
- "cloudwatch:Describe*",
- "cloudwatch:GenerateQuery",
- "cloudwatch:GenerateQueryResultsSummary",
- "cloudwatch:Get*",
- "cloudwatch:List*",
- "codeartifact:DescribeDomain",
- "codeartifact:DescribePackage",
- "codeartifact:DescribePackageVersion",
- "codeartifact:DescribeRepository",
- "codeartifact:GetAuthorizationToken",
- "codeartifact:GetDomainPermissionsPolicy",
- "codeartifact:GetPackageVersionAsset",
- "codeartifact:GetPackageVersionReadme",
- "codeartifact:GetRepositoryEndpoint",
- "codeartifact:GetRepositoryPermissionsPolicy",
- "codeartifact:ListDomains",
- "codeartifact:ListPackageVersionAssets",
- "codeartifact:ListPackageVersionDependencies",
- "codeartifact:ListPackageVersions",
- "codeartifact:ListPackages",
- "codeartifact:ListRepositories",
- "codeartifact:ListRepositoriesInDomain",
- "codeartifact:ListTagsForResource",
- "codeartifact:ReadFromRepository",
- "codebuild:BatchGet*",
- "codebuild:DescribeCodeCoverages",
- "codebuild:DescribeTestCases",
- "codebuild:List*",
- "codecatalyst:GetBillingAuthorization",
- "codecatalyst:GetConnection",
- "codecatalyst:GetPendingConnection",
- "codecatalyst:ListConnections",
- "codecatalyst:ListIamRolesForConnection",
- "codecatalyst:ListTagsForResource",
- "codecommit:BatchGet*",
- "codecommit:Describe*",
- "codecommit:Get*",
- "codecommit:GitPull",
- "codecommit:List*",
- "codedeploy:BatchGet*",
- "codedeploy:Get*",
- "codedeploy:List*",
- "codeguru-profiler:Describe*",
- "codeguru-profiler:Get*",
- "codeguru-profiler:List*",
- "codeguru-reviewer:Describe*",
- "codeguru-reviewer:Get*",
- "codeguru-reviewer:List*",
- "codepipeline:Get*",
- "codepipeline:List*",
- "codestar-connections:GetConnection",
- "codestar-connections:GetHost",
- "codestar-connections:GetRepositoryLink",
- "codestar-connections:GetRepositorySyncStatus",
- "codestar-connections:GetResourceSyncStatus",
- "codestar-connections:GetSyncConfiguration",
- "codestar-connections:ListConnections",
- "codestar-connections:ListHosts",
- "codestar-connections:ListRepositoryLinks",
- "codestar-connections:ListRepositorySyncDefinitions",
- "codestar-connections:ListSyncConfigurations",
- "codestar-connections:ListTagsForResource",
- "codestar-notifications:ListTargets",
- "codestar-notifications:describeNotificationRule",
- "codestar-notifications:listEventTypes",
- "codestar-notifications:listNotificationRules",
- "codestar-notifications:listTagsForResource",
- "codestar:Describe*",
- "codestar:Get*",
- "codestar:List*",
- "codestar:Verify*",
- "codewhisperer:ListProfiles",
- "cognito-identity:Describe*",
- "cognito-identity:GetCredentialsForIdentity",
- "cognito-identity:GetIdentityPoolAnalytics",
- "cognito-identity:GetIdentityPoolDailyAnalytics",
- "cognito-identity:GetIdentityPoolRoles",
- "cognito-identity:GetIdentityProviderDailyAnalytics",
- "cognito-identity:GetOpenIdToken",
- "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
- "cognito-identity:List*",
- "cognito-identity:Lookup*",
- "cognito-idp:AdminGet*",
- "cognito-idp:AdminList*",
- "cognito-idp:Describe*",
- "cognito-idp:Get*",
- "cognito-idp:List*",
- "cognito-sync:Describe*",
- "cognito-sync:Get*",
- "cognito-sync:List*",
- "cognito-sync:QueryRecords",
- "comprehend:BatchDetect*",
- "comprehend:Classify*",
- "comprehend:Contains*",
- "comprehend:Describe*",
- "comprehend:Detect*",
- "comprehend:List*", - "compute-optimizer:DescribeRecommendationExportJobs", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEBSVolumeRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - "compute-optimizer:GetECSServiceRecommendationProjectedMetrics", - "compute-optimizer:GetECSServiceRecommendations", - "compute-optimizer:GetEffectiveRecommendationPreferences", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetEnrollmentStatusesForOrganization", - "compute-optimizer:GetIdleRecommendations", - "compute-optimizer:GetLambdaFunctionRecommendations", - "compute-optimizer:GetLicenseRecommendations", - "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics", - "compute-optimizer:GetRDSDatabaseRecommendations", - "compute-optimizer:GetRecommendationPreferences", - "compute-optimizer:GetRecommendationSummaries", - "config:BatchGetAggregateResourceConfig", - "config:BatchGetResourceConfig", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectAggregateResourceConfig", - "config:SelectResourceConfig", - "connect:Describe*", - "connect:GetContactAttributes", - "connect:GetCurrentMetricData", - "connect:GetCurrentUserData", - "connect:GetFederationToken", - "connect:GetMetricData", - "connect:GetMetricDataV2", - "connect:GetTaskTemplate", - "connect:GetTrafficDistribution", - "connect:List*", - "consoleapp:GetDeviceIdentity", - "consoleapp:ListDeviceIdentities", - "consolidatedbilling:GetAccountBillingRole", - "consolidatedbilling:ListLinkedAccounts", - "controlcatalog:GetControl", - "controlcatalog:ListCommonControls", - "controlcatalog:ListControlMappings", - "controlcatalog:ListControls", - "controlcatalog:ListDomains", - "controlcatalog:ListObjectives", - "cost-optimization-hub:GetPreferences", - "cost-optimization-hub:GetRecommendation", - "cost-optimization-hub:ListEnrollmentStatuses", - 
"cost-optimization-hub:ListRecommendationSummaries", - "cost-optimization-hub:ListRecommendations", - "cur:GetClassicReport", - "cur:GetClassicReportPreferences", - "cur:GetUsageReport", - "customer-verification:GetCustomerVerificationDetails", - "customer-verification:GetCustomerVerificationEligibility", - "databrew:DescribeDataset", - "databrew:DescribeJob", - "databrew:DescribeJobRun", - "databrew:DescribeProject", - "databrew:DescribeRecipe", - "databrew:DescribeRuleset", - "databrew:DescribeSchedule", - "databrew:ListDatasets", - "databrew:ListJobRuns", - "databrew:ListJobs", - "databrew:ListProjects", - "databrew:ListRecipeVersions", - "databrew:ListRecipes", - "databrew:ListRulesets", - "databrew:ListSchedules", - "databrew:ListTagsForResource", - "dataexchange:Get*", - "dataexchange:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "datasync:Describe*", - "datasync:List*", - "datazone:GetAsset", - "datazone:GetAssetType", - "datazone:GetDataProduct", - "datazone:GetDataSource", - "datazone:GetDataSourceRun", - "datazone:GetDomain", - "datazone:GetDomainSharingPolicy", - "datazone:GetDomainUnit", - "datazone:GetEnvironment", - "datazone:GetEnvironmentAction", - "datazone:GetEnvironmentBlueprint", - "datazone:GetEnvironmentBlueprintConfiguration", - "datazone:GetEnvironmentProfile", - "datazone:GetFormType", - "datazone:GetGlossary", - "datazone:GetGlossaryTerm", - "datazone:GetGroupProfile", - "datazone:GetLineageNode", - "datazone:GetListing", - "datazone:GetMetadataGenerationRun", - "datazone:GetProject", - "datazone:GetProjectProfile", - "datazone:GetSubscription", - "datazone:GetSubscriptionEligibility", - "datazone:GetSubscriptionGrant", - "datazone:GetSubscriptionRequestDetails", - "datazone:GetSubscriptionTarget", - "datazone:GetTimeSeriesDataPoint", - "datazone:GetUserProfile", - "datazone:ListAccountEnvironments", - 
"datazone:ListAssetRevisions", - "datazone:ListDataProductRevisions", - "datazone:ListDataSourceRunActivities", - "datazone:ListDataSourceRuns", - "datazone:ListDataSources", - "datazone:ListDomainUnitsForParent", - "datazone:ListDomains", - "datazone:ListEntityOwners", - "datazone:ListEnvironmentActions", - "datazone:ListEnvironmentBlueprintConfigurationSummaries", - "datazone:ListEnvironmentBlueprintConfigurations", - "datazone:ListEnvironmentBlueprints", - "datazone:ListEnvironmentProfiles", - "datazone:ListEnvironments", - "datazone:ListGroupsForUser", - "datazone:ListLineageNodeHistory", - "datazone:ListNotifications", - "datazone:ListPolicyGrants", - "datazone:ListProjectMemberships", - "datazone:ListProjectProfiles", - "datazone:ListProjects", - "datazone:ListSubscriptionGrants", - "datazone:ListSubscriptionRequests", - "datazone:ListSubscriptionTargets", - "datazone:ListSubscriptions", - "datazone:ListTagsForResource", - "datazone:ListTimeSeriesDataPoints", - "datazone:Search", - "datazone:SearchGroupProfiles", - "datazone:SearchListings", - "datazone:SearchTypes", - "datazone:SearchUserProfiles", - "dax:BatchGetItem", - "dax:Describe*", - "dax:GetItem", - "dax:ListTags", - "dax:Query", - "dax:Scan", - "deadline:BatchGetJobEntity", - "deadline:GetApplicationVersion", - "deadline:GetBudget", - "deadline:GetFarm", - "deadline:GetFleet", - "deadline:GetJob", - "deadline:GetLicenseEndpoint", - "deadline:GetMonitor", - "deadline:GetQueue", - "deadline:GetQueueEnvironment", - "deadline:GetQueueFleetAssociation", - "deadline:GetSession", - "deadline:GetSessionAction", - "deadline:GetSessionsStatisticsAggregation", - "deadline:GetStep", - "deadline:GetStorageProfile", - "deadline:GetStorageProfileForQueue", - "deadline:GetTask", - "deadline:GetWorker", - "deadline:ListAvailableMeteredProducts", - "deadline:ListBudgets", - "deadline:ListFarmMembers", - "deadline:ListFarms", - "deadline:ListFleetMembers", - "deadline:ListFleets", - "deadline:ListJobMembers", - 
"deadline:ListJobParameterDefinitions", - "deadline:ListJobs", - "deadline:ListLicenseEndpoints", - "deadline:ListMeteredProducts", - "deadline:ListMonitors", - "deadline:ListQueueEnvironments", - "deadline:ListQueueFleetAssociations", - "deadline:ListQueueMembers", - "deadline:ListQueues", - "deadline:ListSessionActions", - "deadline:ListSessions", - "deadline:ListSessionsForWorker", - "deadline:ListStepConsumers", - "deadline:ListStepDependencies", - "deadline:ListSteps", - "deadline:ListStorageProfiles", - "deadline:ListStorageProfilesForQueue", - "deadline:ListTagsForResource", - "deadline:ListTasks", - "deadline:ListWorkers", - "deadline:SearchJobs", - "deadline:SearchSteps", - "deadline:SearchTasks", - "deadline:SearchWorkers", - "deepcomposer:GetComposition", - "deepcomposer:GetModel", - "deepcomposer:GetSampleModel", - "deepcomposer:ListCompositions", - "deepcomposer:ListModels", - "deepcomposer:ListSampleModels", - "deepcomposer:ListTrainingTopics", - "detective:BatchGetGraphMemberDatasources", - "detective:BatchGetMembershipDatasources", - "detective:Get*", - "detective:List*", - "detective:SearchGraph", - "devicefarm:Get*", - "devicefarm:List*", - "devops-guru:DescribeAccountHealth", - "devops-guru:DescribeAccountOverview", - "devops-guru:DescribeAnomaly", - "devops-guru:DescribeEventSourcesConfig", - "devops-guru:DescribeFeedback", - "devops-guru:DescribeInsight", - "devops-guru:DescribeOrganizationHealth", - "devops-guru:DescribeOrganizationOverview", - "devops-guru:DescribeOrganizationResourceCollectionHealth", - "devops-guru:DescribeResourceCollectionHealth", - "devops-guru:DescribeServiceIntegration", - "devops-guru:GetCostEstimation", - "devops-guru:GetResourceCollection", - "devops-guru:ListAnomaliesForInsight", - "devops-guru:ListAnomalousLogGroups", - "devops-guru:ListEvents", - "devops-guru:ListInsights", - "devops-guru:ListMonitoredResources", - "devops-guru:ListNotificationChannels", - "devops-guru:ListOrganizationInsights", - 
"devops-guru:ListRecommendations", - "devops-guru:SearchInsights", - "devops-guru:StartCostEstimation", - "directconnect:Describe*", - "discovery:Describe*", - "discovery:Get*", - "discovery:List*", - "dlm:Get*", - "dms:Describe*", - "dms:List*", - "dms:Test*", - "docdb-elastic:ListClusters", - "docdb-elastic:ListClusterSnapshots", - "docdb-elastic:ListPendingMaintenanceActions", - "docdb-elastic:ListTagsForResource", - "drs:DescribeJobLogItems", - "drs:DescribeJobs", - "drs:DescribeLaunchConfigurationTemplates", - "drs:DescribeRecoveryInstances", - "drs:DescribeRecoverySnapshots", - "drs:DescribeReplicationConfigurationTemplates", - "drs:DescribeSourceNetworks", - "drs:DescribeSourceServers", - "drs:GetFailbackReplicationConfiguration", - "drs:GetLaunchConfiguration", - "drs:GetReplicationConfiguration", - "drs:ListExtensibleSourceServers", - "drs:ListLaunchActions", - "drs:ListStagingAccounts", - "drs:ListTagsForResource", - "ds:Check*", - "ds:Describe*", - "ds:Get*", - "ds:List*", - "ds:Verify*", - "dsql:GetCluster", - "dsql:GetVpcEndpointServiceName", - "dsql:ListClusters", - "dsql:ListTagsForResource", - "dynamodb:BatchGet*", - "dynamodb:Describe*", - "dynamodb:Get*", - "dynamodb:List*", - "dynamodb:PartiQLSelect", - "dynamodb:Query", - "dynamodb:Scan", - "ec2:Describe*", - "ec2:DescribeInstanceImageMetadata", - "ec2:Get*", - "ec2:ListImagesInRecycleBin", - "ec2:ListSnapshotsInRecycleBin", - "ec2:SearchLocalGatewayRoutes", - "ec2:SearchTransitGatewayRoutes", - "ec2messages:Get*", - "ecr-public:BatchCheckLayerAvailability", - "ecr-public:DescribeImageTags", - "ecr-public:DescribeImages", - "ecr-public:DescribeRegistries", - "ecr-public:DescribeRepositories", - "ecr-public:GetAuthorizationToken", - "ecr-public:GetRegistryCatalogData", - "ecr-public:GetRepositoryCatalogData", - "ecr-public:GetRepositoryPolicy", - "ecr-public:ListTagsForResource", - "ecr:BatchCheck*", - "ecr:BatchGet*", - "ecr:Describe*", - "ecr:Get*", - "ecr:List*", - "ecs:Describe*", - 
"ecs:List*", - "eks:Describe*", - "eks:List*", - "elasticache:Describe*", - "elasticache:List*", - "elasticbeanstalk:Check*", - "elasticbeanstalk:Describe*", - "elasticbeanstalk:List*", - "elasticbeanstalk:Request*", - "elasticbeanstalk:Retrieve*", - "elasticbeanstalk:Validate*", - "elasticfilesystem:Describe*", - "elasticfilesystem:ListTagsForResource", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:GetBlockPublicAccessConfiguration", - "elasticmapreduce:List*", - "elasticmapreduce:View*", - "elastictranscoder:List*", - "elastictranscoder:Read*", - "elemental-appliances-software:Get*", - "elemental-appliances-software:List*", - "emr-containers:DescribeJobRun", - "emr-containers:DescribeManagedEndpoint", - "emr-containers:DescribeVirtualCluster", - "emr-containers:ListJobRuns", - "emr-containers:ListManagedEndpoints", - "emr-containers:ListTagsForResource", - "emr-containers:ListVirtualClusters", - "emr-serverless:GetApplication", - "emr-serverless:GetDashboardForJobRun", - "emr-serverless:GetJobRun", - "emr-serverless:ListApplications", - "emr-serverless:ListJobRuns", - "emr-serverless:ListTagsForResource", - "es:Describe*", - "es:ESHttpGet", - "es:ESHttpHead", - "es:Get*", - "es:List*", - "events:Describe*", - "events:List*", - "events:Test*", - "evidently:GetExperiment", - "evidently:GetExperimentResults", - "evidently:GetFeature", - "evidently:GetLaunch", - "evidently:GetProject", - "evidently:GetSegment", - "evidently:ListExperiments", - "evidently:ListFeatures", - "evidently:ListLaunches", - "evidently:ListProjects", - "evidently:ListSegmentReferences", - "evidently:ListSegments", - "evidently:ListTagsForResource", - "evidently:TestSegmentPattern", - "firehose:Describe*", - "firehose:List*", - "fis:GetAction", - "fis:GetExperiment", - "fis:GetExperimentTargetAccountConfiguration", - "fis:GetExperimentTemplate", - "fis:GetTargetAccountConfiguration", - "fis:GetTargetResourceType", - "fis:ListActions", - 
"fis:ListExperimentResolvedTargets", - "fis:ListExperimentTargetAccountConfigurations", - "fis:ListExperimentTemplates", - "fis:ListExperiments", - "fis:ListTagsForResource", - "fis:ListTargetAccountConfigurations", - "fis:ListTargetResourceTypes", - "fms:GetAdminAccount", - "fms:GetAdminScope", - "fms:GetAppsList", - "fms:GetComplianceDetail", - "fms:GetNotificationChannel", - "fms:GetPolicy", - "fms:GetProtectionStatus", - "fms:GetProtocolsList", - "fms:GetViolationDetails", - "fms:ListAppsLists", - "fms:ListComplianceStatus", - "fms:ListMemberAccounts", - "fms:ListPolicies", - "fms:ListProtocolsLists", - "fms:ListTagsForResource", - "forecast:DescribeAutoPredictor", - "forecast:DescribeDataset", - "forecast:DescribeDatasetGroup", - "forecast:DescribeDatasetImportJob", - "forecast:DescribeExplainability", - "forecast:DescribeExplainabilityExport", - "forecast:DescribeForecast", - "forecast:DescribeForecastExportJob", - "forecast:DescribeMonitor", - "forecast:DescribePredictor", - "forecast:DescribePredictorBacktestExportJob", - "forecast:DescribeWhatIfAnalysis", - "forecast:DescribeWhatIfForecast", - "forecast:DescribeWhatIfForecastExport", - "forecast:GetAccuracyMetrics", - "forecast:ListDatasetGroups", - "forecast:ListDatasetImportJobs", - "forecast:ListDatasets", - "forecast:ListExplainabilities", - "forecast:ListExplainabilityExports", - "forecast:ListForecastExportJobs", - "forecast:ListForecasts", - "forecast:ListMonitorEvaluations", - "forecast:ListMonitors", - "forecast:ListPredictorBacktestExportJobs", - "forecast:ListPredictors", - "forecast:ListWhatIfAnalyses", - "forecast:ListWhatIfForecastExports", - "forecast:ListWhatIfForecasts", - "forecast:QueryForecast", - "forecast:QueryWhatIfForecast", - "frauddetector:BatchGetVariable", - "frauddetector:DescribeDetector", - "frauddetector:DescribeModelVersions", - "frauddetector:GetBatchImportJobs", - "frauddetector:GetBatchPredictionJobs", - "frauddetector:GetDeleteEventsByEventTypeStatus", - 
"frauddetector:GetDetectorVersion", - "frauddetector:GetDetectors", - "frauddetector:GetEntityTypes", - "frauddetector:GetEvent", - "frauddetector:GetEventPredictionMetadata", - "frauddetector:GetEventTypes", - "frauddetector:GetExternalModels", - "frauddetector:GetKMSEncryptionKey", - "frauddetector:GetLabels", - "frauddetector:GetListElements", - "frauddetector:GetListsMetadata", - "frauddetector:GetModelVersion", - "frauddetector:GetModels", - "frauddetector:GetOutcomes", - "frauddetector:GetRules", - "frauddetector:GetVariables", - "frauddetector:ListEventPredictions", - "frauddetector:ListTagsForResource", - "freertos:Describe*", - "freertos:List*", - "freetier:GetFreeTierAlertPreference", - "freetier:GetFreeTierUsage", - "freetier:GetAccountActivity", - "freetier:GetAccountPlanState", - "freetier:ListAccountActivities", - "fsx:Describe*", - "fsx:List*", - "gamelift:Describe*", - "gamelift:Get*", - "gamelift:List*", - "gamelift:ResolveAlias", - "gamelift:Search*", - "glacier:Describe*", - "glacier:Get*", - "glacier:List*", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "glue:BatchGetCrawlers", - "glue:BatchGetDevEndpoints", - "glue:BatchGetJobs", - "glue:BatchGetPartition", - "glue:BatchGetTableOptimizer", - "glue:BatchGetTriggers", - "glue:BatchGetWorkflows", - "glue:CheckSchemaVersionValidity", - "glue:GetCatalogImportStatus", - "glue:GetClassifier", - "glue:GetClassifiers", - "glue:GetCrawler", - "glue:GetCrawlerMetrics", - "glue:GetCrawlers", - "glue:GetDataCatalogEncryptionSettings", - "glue:GetDatabase", - "glue:GetDatabases", - "glue:GetDataflowGraph", - "glue:GetDevEndpoint", - "glue:GetDevEndpoints", - "glue:GetJob", - "glue:GetJobBookmark", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:GetJobs", - "glue:GetMLTaskRun", - "glue:GetMLTaskRuns", - "glue:GetMLTransform", - "glue:GetMLTransforms", - "glue:GetMapping", - "glue:GetPartition", - "glue:GetPartitions", - "glue:GetPlan", - "glue:GetRegistry", - "glue:GetResourcePolicy", - 
"glue:GetSchema", - "glue:GetSchemaByDefinition", - "glue:GetSchemaVersion", - "glue:GetSchemaVersionsDiff", - "glue:GetSecurityConfiguration", - "glue:GetSecurityConfigurations", - "glue:GetSession", - "glue:GetStatement", - "glue:GetTable", - "glue:GetTableOptimizer", - "glue:GetTableVersion", - "glue:GetTableVersions", - "glue:GetTables", - "glue:GetTags", - "glue:GetTrigger", - "glue:GetTriggers", - "glue:GetUserDefinedFunction", - "glue:GetUserDefinedFunctions", - "glue:GetWorkflow", - "glue:GetWorkflowRun", - "glue:GetWorkflowRunProperties", - "glue:GetWorkflowRuns", - "glue:ListCrawlers", - "glue:ListCrawls", - "glue:ListDevEndpoints", - "glue:ListJobs", - "glue:ListMLTransforms", - "glue:ListRegistries", - "glue:ListSchemaVersions", - "glue:ListSchemas", - "glue:ListSessions", - "glue:ListStatements", - "glue:ListTableOptimizerRuns", - "glue:ListTriggers", - "glue:ListWorkflows", - "glue:QuerySchemaVersionMetadata", - "glue:SearchTables", - "grafana:DescribeWorkspace", - "grafana:DescribeWorkspaceAuthentication", - "grafana:DescribeWorkspaceConfiguration", - "grafana:ListPermissions", - "grafana:ListTagsForResource", - "grafana:ListVersions", - "grafana:ListWorkspaces", - "greengrass:DescribeComponent", - "greengrass:Get*", - "greengrass:List*", - "groundstation:DescribeContact", - "groundstation:GetConfig", - "groundstation:GetDataflowEndpointGroup", - "groundstation:GetMinuteUsage", - "groundstation:GetMissionProfile", - "groundstation:GetSatellite", - "groundstation:ListConfigs", - "groundstation:ListContacts", - "groundstation:ListDataflowEndpointGroups", - "groundstation:ListGroundStations", - "groundstation:ListMissionProfiles", - "groundstation:ListSatellites", - "groundstation:ListTagsForResource", - "guardduty:Describe*", - "guardduty:Get*", - "guardduty:List*", - "health:Describe*", - "healthlake:DescribeFHIRDatastore", - "healthlake:DescribeFHIRExportJob", - "healthlake:DescribeFHIRImportJob", - "healthlake:GetCapabilities", - 
"healthlake:ListFHIRDatastores", - "healthlake:ListFHIRExportJobs", - "healthlake:ListFHIRImportJobs", - "healthlake:ListTagsForResource", - "healthlake:ReadResource", - "healthlake:SearchWithGet", - "healthlake:SearchWithPost", - "iam:Generate*", - "iam:Get*", - "iam:List*", - "iam:Simulate*", - "identity-sync:GetSyncProfile", - "identity-sync:GetSyncTarget", - "identity-sync:ListSyncFilters", - "identitystore-auth:BatchGetSession", - "identitystore-auth:ListSessions", - "identitystore:DescribeGroup", - "identitystore:DescribeGroupMembership", - "identitystore:DescribeUser", - "identitystore:GetGroupId", - "identitystore:GetGroupMembershipId", - "identitystore:GetUserId", - "identitystore:IsMemberInGroups", - "identitystore:ListGroupMemberships", - "identitystore:ListGroupMembershipsForMember", - "identitystore:ListGroups", - "identitystore:ListUsers", - "imagebuilder:Get*", - "imagebuilder:List*", - "importexport:Get*", - "importexport:List*", - "inspector2:BatchGetAccountStatus", - "inspector2:BatchGetCodeSnippet", - "inspector2:BatchGetFreeTrialInfo", - "inspector2:BatchGetMemberEc2DeepInspectionStatus", - "inspector2:DescribeOrganizationConfiguration", - "inspector2:GetCisScanReport", - "inspector2:GetConfiguration", - "inspector2:GetDelegatedAdminAccount", - "inspector2:GetEc2DeepInspectionConfiguration", - "inspector2:GetEncryptionKey", - "inspector2:GetFindingsReportStatus", - "inspector2:GetMember", - "inspector2:GetSbomExport", - "inspector2:ListAccountPermissions", - "inspector2:ListCisScanConfigurations", - "inspector2:ListCisScans", - "inspector2:ListCoverage", - "inspector2:ListCoverageStatistics", - "inspector2:ListDelegatedAdminAccounts", - "inspector2:ListFilters", - "inspector2:ListFindingAggregations", - "inspector2:ListFindings", - "inspector2:ListMembers", - "inspector2:ListTagsForResource", - "inspector2:ListUsageTotals", - "inspector2:SearchVulnerabilities", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - 
"inspector:Preview*", - "internetmonitor:GetHealthEvent", - "internetmonitor:GetInternetEvent", - "internetmonitor:GetMonitor", - "internetmonitor:ListHealthEvents", - "internetmonitor:ListInternetEvents", - "internetmonitor:ListMonitors", - "internetmonitor:ListTagsForResource", - "invoicing:GetInvoiceEmailDeliveryPreferences", - "invoicing:GetInvoicePDF", - "invoicing:ListInvoiceSummaries", - "iot1click:DescribeDevice", - "iot1click:DescribePlacement", - "iot1click:DescribeProject", - "iot1click:GetDeviceMethods", - "iot1click:GetDevicesInPlacement", - "iot1click:ListDeviceEvents", - "iot1click:ListDevices", - "iot1click:ListPlacements", - "iot1click:ListProjects", - "iot1click:ListTagsForResource", - "iot:Describe*", - "iot:Get*", - "iot:List*", - "iotanalytics:Describe*", - "iotanalytics:Get*", - "iotanalytics:List*", - "iotanalytics:SampleChannelData", - "iotevents:DescribeAlarm", - "iotevents:DescribeAlarmModel", - "iotevents:DescribeDetector", - "iotevents:DescribeDetectorModel", - "iotevents:DescribeInput", - "iotevents:DescribeLoggingOptions", - "iotevents:ListAlarmModelVersions", - "iotevents:ListAlarmModels", - "iotevents:ListAlarms", - "iotevents:ListDetectorModelVersions", - "iotevents:ListDetectorModels", - "iotevents:ListDetectors", - "iotevents:ListInputs", - "iotevents:ListTagsForResource", - "iotfleethub:DescribeApplication", - "iotfleethub:ListApplications", - "iotfleetwise:GetCampaign", - "iotfleetwise:GetDecoderManifest", - "iotfleetwise:GetFleet", - "iotfleetwise:GetLoggingOptions", - "iotfleetwise:GetModelManifest", - "iotfleetwise:GetRegisterAccountStatus", - "iotfleetwise:GetSignalCatalog", - "iotfleetwise:GetVehicle", - "iotfleetwise:GetVehicleStatus", - "iotfleetwise:ListCampaigns", - "iotfleetwise:ListDecoderManifestNetworkInterfaces", - "iotfleetwise:ListDecoderManifestSignals", - "iotfleetwise:ListDecoderManifests", - "iotfleetwise:ListFleets", - "iotfleetwise:ListFleetsForVehicle", - "iotfleetwise:ListModelManifestNodes", - 
"iotfleetwise:ListModelManifests", - "iotfleetwise:ListSignalCatalogNodes", - "iotfleetwise:ListSignalCatalogs", - "iotfleetwise:ListTagsForResource", - "iotfleetwise:ListVehicles", - "iotfleetwise:ListVehiclesInFleet", - "iotsitewise:Describe*", - "iotsitewise:Get*", - "iotsitewise:List*", - "iotwireless:GetDestination", - "iotwireless:GetDeviceProfile", - "iotwireless:GetEventConfigurationByResourceTypes", - "iotwireless:GetFuotaTask", - "iotwireless:GetLogLevelsByResourceTypes", - "iotwireless:GetMetricConfiguration", - "iotwireless:GetMetrics", - "iotwireless:GetMulticastGroup", - "iotwireless:GetMulticastGroupSession", - "iotwireless:GetNetworkAnalyzerConfiguration", - "iotwireless:GetPartnerAccount", - "iotwireless:GetPosition", - "iotwireless:GetPositionConfiguration", - "iotwireless:GetPositionEstimate", - "iotwireless:GetResourceEventConfiguration", - "iotwireless:GetResourceLogLevel", - "iotwireless:GetResourcePosition", - "iotwireless:GetServiceEndpoint", - "iotwireless:GetServiceProfile", - "iotwireless:GetWirelessDevice", - "iotwireless:GetWirelessDeviceImportTask", - "iotwireless:GetWirelessDeviceStatistics", - "iotwireless:GetWirelessGateway", - "iotwireless:GetWirelessGatewayCertificate", - "iotwireless:GetWirelessGatewayFirmwareInformation", - "iotwireless:GetWirelessGatewayStatistics", - "iotwireless:GetWirelessGatewayTask", - "iotwireless:GetWirelessGatewayTaskDefinition", - "iotwireless:ListDestinations", - "iotwireless:ListDeviceProfiles", - "iotwireless:ListDevicesForWirelessDeviceImportTask", - "iotwireless:ListEventConfigurations", - "iotwireless:ListFuotaTasks", - "iotwireless:ListMulticastGroups", - "iotwireless:ListMulticastGroupsByFuotaTask", - "iotwireless:ListNetworkAnalyzerConfigurations", - "iotwireless:ListPartnerAccounts", - "iotwireless:ListPositionConfigurations", - "iotwireless:ListQueuedMessages", - "iotwireless:ListServiceProfiles", - "iotwireless:ListTagsForResource", - "iotwireless:ListWirelessDeviceImportTasks", - 
"iotwireless:ListWirelessDevices", - "iotwireless:ListWirelessGatewayTaskDefinitions", - "iotwireless:ListWirelessGateways", - "ivs:BatchGetChannel", - "ivs:GetChannel", - "ivs:GetComposition", - "ivs:GetEncoderConfiguration", - "ivs:GetIngestConfiguration", - "ivs:GetParticipant", - "ivs:GetPlaybackKeyPair", - "ivs:GetPlaybackRestrictionPolicy", - "ivs:GetPublicKey", - "ivs:GetRecordingConfiguration", - "ivs:GetStage", - "ivs:GetStageSession", - "ivs:GetStorageConfiguration", - "ivs:GetStream", - "ivs:GetStreamSession", - "ivs:ListChannels", - "ivs:ListCompositions", - "ivs:ListEncoderConfigurations", - "ivs:ListIngestConfigurations", - "ivs:ListParticipantEvents", - "ivs:ListParticipants", - "ivs:ListPlaybackKeyPairs", - "ivs:ListPlaybackRestrictionPolicies", - "ivs:ListPublicKeys", - "ivs:ListRecordingConfigurations", - "ivs:ListStageSessions", - "ivs:ListStages", - "ivs:ListStorageConfigurations", - "ivs:ListStreamKeys", - "ivs:ListStreamSessions", - "ivs:ListStreams", - "ivs:ListTagsForResource", - "ivschat:GetLoggingConfiguration", - "ivschat:GetRoom", - "ivschat:ListLoggingConfigurations", - "ivschat:ListRooms", - "ivschat:ListTagsForResource" - ], - "Resource": "*" - }, - { - "Sid": "ReadOnlyActionsGroup2", - "Effect": "Allow", - "Action": [ - "kafka:Describe*", - "kafka:DescribeCluster", - "kafka:DescribeClusterOperation", - "kafka:DescribeClusterV2", - "kafka:DescribeConfiguration", - "kafka:DescribeConfigurationRevision", - "kafka:Get*", - "kafka:GetBootstrapBrokers", - "kafka:GetCompatibleKafkaVersions", - "kafka:List*", - "kafka:ListClusterOperations", - "kafka:ListClusters", - "kafka:ListClustersV2", - "kafka:ListConfigurationRevisions", - "kafka:ListConfigurations", - "kafka:ListKafkaVersions", - "kafka:ListNodes", - "kafka:ListTagsForResource", - "kafkaconnect:DescribeConnector", - "kafkaconnect:DescribeCustomPlugin", - "kafkaconnect:DescribeWorkerConfiguration", - "kafkaconnect:ListConnectors", - "kafkaconnect:ListCustomPlugins", - 
"kafkaconnect:ListWorkerConfigurations", - "kendra:BatchGetDocumentStatus", - "kendra:DescribeDataSource", - "kendra:DescribeExperience", - "kendra:DescribeFaq", - "kendra:DescribeIndex", - "kendra:DescribePrincipalMapping", - "kendra:DescribeQuerySuggestionsBlockList", - "kendra:DescribeQuerySuggestionsConfig", - "kendra:DescribeThesaurus", - "kendra:GetQuerySuggestions", - "kendra:GetSnapshots", - "kendra:ListDataSourceSyncJobs", - "kendra:ListDataSources", - "kendra:ListEntityPersonas", - "kendra:ListExperienceEntities", - "kendra:ListExperiences", - "kendra:ListFaqs", - "kendra:ListGroupsOlderThanOrderingId", - "kendra:ListIndices", - "kendra:ListQuerySuggestionsBlockLists", - "kendra:ListTagsForResource", - "kendra:ListThesauri", - "kendra:Query", - "kinesis:Describe*", - "kinesis:Get*", - "kinesis:List*", - "kinesisanalytics:Describe*", - "kinesisanalytics:Discover*", - "kinesisanalytics:Get*", - "kinesisanalytics:List*", - "kinesisvideo:Describe*", - "kinesisvideo:Get*", - "kinesisvideo:List*", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lakeformation:DescribeResource", - "lakeformation:GetDataCellsFilter", - "lakeformation:GetDataLakeSettings", - "lakeformation:GetEffectivePermissionsForPath", - "lakeformation:GetLfTag", - "lakeformation:GetResourceLfTags", - "lakeformation:ListDataCellsFilter", - "lakeformation:ListLfTags", - "lakeformation:ListPermissions", - "lakeformation:ListResources", - "lakeformation:ListTableStorageOptimizers", - "lakeformation:SearchDatabasesByLfTags", - "lakeformation:SearchTablesByLfTags", - "lambda:Get*", - "lambda:List*", - "launchwizard:DescribeAdditionalNode", - "launchwizard:DescribeProvisionedApp", - "launchwizard:DescribeProvisioningEvents", - "launchwizard:DescribeSettingsSet", - "launchwizard:GetDeployment", - "launchwizard:GetInfrastructureSuggestion", - "launchwizard:GetIpAddress", - "launchwizard:GetResourceCostEstimate", - "launchwizard:GetResourceRecommendation", - "launchwizard:GetSettingsSet", - 
"launchwizard:GetWorkload", - "launchwizard:GetWorkloadAsset", - "launchwizard:GetWorkloadAssets", - "launchwizard:GetWorkloadDeploymentPattern", - "launchwizard:ListAdditionalNodes", - "launchwizard:ListAllowedResources", - "launchwizard:ListDeploymentEvents", - "launchwizard:ListDeployments", - "launchwizard:ListProvisionedApps", - "launchwizard:ListResourceCostEstimates", - "launchwizard:ListSettingsSets", - "launchwizard:ListTagsForResource", - "launchwizard:ListWorkloadDeploymentOptions", - "launchwizard:ListWorkloadDeploymentPatterns", - "launchwizard:ListWorkloads", - "lex:DescribeBot", - "lex:DescribeBotAlias", - "lex:DescribeBotChannel", - "lex:DescribeBotLocale", - "lex:DescribeBotReplica", - "lex:DescribeBotVersion", - "lex:DescribeExport", - "lex:DescribeImport", - "lex:DescribeIntent", - "lex:DescribeResourcePolicy", - "lex:DescribeSlot", - "lex:DescribeSlotType", - "lex:Get*", - "lex:ListBotAliasReplicas", - "lex:ListBotAliases", - "lex:ListBotChannels", - "lex:ListBotLocales", - "lex:ListBotReplicas", - "lex:ListBotVersionReplicas", - "lex:ListBotVersions", - "lex:ListBots", - "lex:ListBuiltInIntents", - "lex:ListBuiltInSlotTypes", - "lex:ListExports", - "lex:ListImports", - "lex:ListIntents", - "lex:ListSlotTypes", - "lex:ListSlots", - "lex:ListTagsForResource", - "license-manager:Get*", - "license-manager:List*", - "lightsail:GetActiveNames", - "lightsail:GetAlarms", - "lightsail:GetAutoSnapshots", - "lightsail:GetBlueprints", - "lightsail:GetBucketAccessKeys", - "lightsail:GetBucketBundles", - "lightsail:GetBucketMetricData", - "lightsail:GetBuckets", - "lightsail:GetBundles", - "lightsail:GetCertificates", - "lightsail:GetCloudFormationStackRecords", - "lightsail:GetContainerAPIMetadata", - "lightsail:GetContainerImages", - "lightsail:GetContainerServiceDeployments", - "lightsail:GetContainerServiceMetricData", - "lightsail:GetContainerServicePowers", - "lightsail:GetContainerServices", - "lightsail:GetDisk", - "lightsail:GetDiskSnapshot", - 
"lightsail:GetDiskSnapshots", - "lightsail:GetDisks", - "lightsail:GetDistributionBundles", - "lightsail:GetDistributionLatestCacheReset", - "lightsail:GetDistributionMetricData", - "lightsail:GetDistributions", - "lightsail:GetDomain", - "lightsail:GetDomains", - "lightsail:GetExportSnapshotRecords", - "lightsail:GetInstance", - "lightsail:GetInstanceMetricData", - "lightsail:GetInstancePortStates", - "lightsail:GetInstanceSnapshot", - "lightsail:GetInstanceSnapshots", - "lightsail:GetInstanceState", - "lightsail:GetInstances", - "lightsail:GetKeyPair", - "lightsail:GetKeyPairs", - "lightsail:GetLoadBalancer", - "lightsail:GetLoadBalancerMetricData", - "lightsail:GetLoadBalancerTlsCertificates", - "lightsail:GetLoadBalancers", - "lightsail:GetOperation", - "lightsail:GetOperations", - "lightsail:GetOperationsForResource", - "lightsail:GetRegions", - "lightsail:GetRelationalDatabase", - "lightsail:GetRelationalDatabaseBlueprints", - "lightsail:GetRelationalDatabaseBundles", - "lightsail:GetRelationalDatabaseEvents", - "lightsail:GetRelationalDatabaseLogEvents", - "lightsail:GetRelationalDatabaseLogStreams", - "lightsail:GetRelationalDatabaseMetricData", - "lightsail:GetRelationalDatabaseParameters", - "lightsail:GetRelationalDatabaseSnapshot", - "lightsail:GetRelationalDatabaseSnapshots", - "lightsail:GetRelationalDatabases", - "lightsail:GetStaticIp", - "lightsail:GetStaticIps", - "lightsail:Is*", - "logs:Describe*", - "logs:FilterLogEvents", - "logs:Get*", - "logs:ListAnomalies", - "logs:ListEntitiesForLogGroup", - "logs:ListIntegrations", - "logs:ListLogAnomalyDetectors", - "logs:ListLogDeliveries", - "logs:ListLogGroupsForEntity", - "logs:ListLogGroupsForQuery", - "logs:ListTagsForResource", - "logs:ListTagsLogGroup", - "logs:StartLiveTail", - "logs:StartQuery", - "logs:StopLiveTail", - "logs:StopQuery", - "logs:TestMetricFilter", - "lookoutequipment:DescribeDataIngestionJob", - "lookoutequipment:DescribeDataset", - 
"lookoutequipment:DescribeInferenceScheduler", - "lookoutequipment:DescribeLabel", - "lookoutequipment:DescribeLabelGroup", - "lookoutequipment:DescribeModel", - "lookoutequipment:DescribeModelVersion", - "lookoutequipment:DescribeResourcePolicy", - "lookoutequipment:DescribeRetrainingScheduler", - "lookoutequipment:ListDataIngestionJobs", - "lookoutequipment:ListDatasets", - "lookoutequipment:ListInferenceEvents", - "lookoutequipment:ListInferenceExecutions", - "lookoutequipment:ListInferenceSchedulers", - "lookoutequipment:ListLabelGroups", - "lookoutequipment:ListLabels", - "lookoutequipment:ListModelVersions", - "lookoutequipment:ListModels", - "lookoutequipment:ListRetrainingSchedulers", - "lookoutequipment:ListSensorStatistics", - "lookoutequipment:ListTagsForResource", - "lookoutmetrics:Describe*", - "lookoutmetrics:Get*", - "lookoutmetrics:List*", - "lookoutvision:DescribeDataset", - "lookoutvision:DescribeModel", - "lookoutvision:DescribeModelPackagingJob", - "lookoutvision:DescribeProject", - "lookoutvision:ListDatasetEntries", - "lookoutvision:ListModelPackagingJobs", - "lookoutvision:ListModels", - "lookoutvision:ListProjects", - "lookoutvision:ListTagsForResource", - "m2:GetApplication", - "m2:GetApplicationVersion", - "m2:GetBatchJobExecution", - "m2:GetDataSetDetails", - "m2:GetDataSetImportTask", - "m2:GetDeployment", - "m2:GetEnvironment", - "m2:ListApplicationVersions", - "m2:ListApplications", - "m2:ListBatchJobDefinitions", - "m2:ListBatchJobExecutions", - "m2:ListDataSetImportHistory", - "m2:ListDataSets", - "m2:ListDeployments", - "m2:ListEngineVersions", - "m2:ListEnvironments", - "m2:ListTagsForResource", - "machinelearning:Describe*", - "machinelearning:Get*", - "macie2:BatchGetCustomDataIdentifiers", - "macie2:DescribeBuckets", - "macie2:DescribeClassificationJob", - "macie2:DescribeOrganizationConfiguration", - "macie2:GetAdministratorAccount", - "macie2:GetAllowList", - "macie2:GetAutomatedDiscoveryConfiguration", - 
"macie2:GetBucketStatistics", - "macie2:GetClassificationExportConfiguration", - "macie2:GetClassificationScope", - "macie2:GetCustomDataIdentifier", - "macie2:GetFindingStatistics", - "macie2:GetFindings", - "macie2:GetFindingsFilter", - "macie2:GetFindingsPublicationConfiguration", - "macie2:GetInvitationsCount", - "macie2:GetMacieSession", - "macie2:GetMember", - "macie2:GetResourceProfile", - "macie2:GetRevealConfiguration", - "macie2:GetSensitiveDataOccurrencesAvailability", - "macie2:GetSensitivityInspectionTemplate", - "macie2:GetUsageStatistics", - "macie2:GetUsageTotals", - "macie2:ListAllowLists", - "macie2:ListAutomatedDiscoveryAccounts", - "macie2:ListClassificationJobs", - "macie2:ListClassificationScopes", - "macie2:ListCustomDataIdentifiers", - "macie2:ListFindings", - "macie2:ListFindingsFilters", - "macie2:ListInvitations", - "macie2:ListMembers", - "macie2:ListOrganizationAdminAccounts", - "macie2:ListResourceProfileArtifacts", - "macie2:ListResourceProfileDetections", - "macie2:ListSensitivityInspectionTemplates", - "macie2:ListTagsForResource", - "macie2:SearchResources", - "managedblockchain:GetMember", - "managedblockchain:GetNetwork", - "managedblockchain:GetNode", - "managedblockchain:GetProposal", - "managedblockchain:ListInvitations", - "managedblockchain:ListMembers", - "managedblockchain:ListNetworks", - "managedblockchain:ListNodes", - "managedblockchain:ListProposalVotes", - "managedblockchain:ListProposals", - "managedblockchain:ListTagsForResource", - "mediaconnect:DescribeFlow", - "mediaconnect:DescribeOffering", - "mediaconnect:DescribeReservation", - "mediaconnect:ListEntitlements", - "mediaconnect:ListFlows", - "mediaconnect:ListOfferings", - "mediaconnect:ListReservations", - "mediaconnect:ListTagsForResource", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "medialive:DescribeChannel", - "medialive:DescribeInput", - "medialive:DescribeInputDevice", - "medialive:DescribeInputDeviceThumbnail", 
- "medialive:DescribeInputSecurityGroup", - "medialive:DescribeMultiplex", - "medialive:DescribeMultiplexProgram", - "medialive:DescribeOffering", - "medialive:DescribeReservation", - "medialive:DescribeSchedule", - "medialive:GetCloudWatchAlarmTemplate", - "medialive:GetCloudWatchAlarmTemplateGroup", - "medialive:GetEventBridgeRuleTemplate", - "medialive:GetEventBridgeRuleTemplateGroup", - "medialive:GetSignalMap", - "medialive:ListChannels", - "medialive:ListCloudWatchAlarmTemplateGroups", - "medialive:ListCloudWatchAlarmTemplates", - "medialive:ListEventBridgeRuleTemplateGroups", - "medialive:ListEventBridgeRuleTemplates", - "medialive:ListInputDeviceTransfers", - "medialive:ListInputDevices", - "medialive:ListInputSecurityGroups", - "medialive:ListInputs", - "medialive:ListMultiplexPrograms", - "medialive:ListMultiplexes", - "medialive:ListOfferings", - "medialive:ListReservations", - "medialive:ListSignalMaps", - "medialive:ListTagsForResource", - "mediapackage-vod:Describe*", - "mediapackage-vod:List*", - "mediapackage:Describe*", - "mediapackage:List*", - "mediapackagev2:GetChannel", - "mediapackagev2:GetChannelGroup", - "mediapackagev2:GetChannelPolicy", - "mediapackagev2:GetHeadObject", - "mediapackagev2:GetObject", - "mediapackagev2:GetOriginEndpoint", - "mediapackagev2:GetOriginEndpointPolicy", - "mediapackagev2:ListChannelGroups", - "mediapackagev2:ListChannels", - "mediapackagev2:ListOriginEndpoints", - "mediapackagev2:ListTagsForResource", - "mediastore:DescribeContainer", - "mediastore:DescribeObject", - "mediastore:GetContainerPolicy", - "mediastore:GetCorsPolicy", - "mediastore:GetLifecyclePolicy", - "mediastore:GetMetricPolicy", - "mediastore:GetObject", - "mediastore:ListContainers", - "mediastore:ListItems", - "mediastore:ListTagsForResource", - "memorydb:DescribeAcls", - "memorydb:DescribeClusters", - "memorydb:DescribeEngineVersions", - "memorydb:DescribeEvents", - "memorydb:DescribeMultiRegionClusters", - 
"memorydb:DescribeMultiRegionParameterGroups", - "memorydb:DescribeMultiRegionParameters", - "memorydb:DescribeParameterGroups", - "memorydb:DescribeParameters", - "memorydb:DescribeReservedNodes", - "memorydb:DescribeReservedNodesOfferings", - "memorydb:DescribeServiceUpdates", - "memorydb:DescribeSnapshots", - "memorydb:DescribeSubnetGroups", - "memorydb:DescribeUsers", - "memorydb:ListAllowedMultiRegionClusterUpdates", - "memorydb:ListAllowedNodeTypeUpdates", - "memorydb:ListTags", - "mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mgn:DescribeJobLogItems", - "mgn:DescribeJobs", - "mgn:DescribeLaunchConfigurationTemplates", - "mgn:DescribeReplicationConfigurationTemplates", - "mgn:DescribeSourceServers", - "mgn:DescribeVcenterClients", - "mgn:GetLaunchConfiguration", - "mgn:GetReplicationConfiguration", - "mgn:ListApplications", - "mgn:ListSourceServerActions", - "mgn:ListTemplateActions", - "mgn:ListWaves", - "mobileanalytics:Get*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "monitron:GetProject", - "monitron:GetProjectAdminUser", - "monitron:ListProjects", - "monitron:ListTagsForResource", - "mpa:GetApprovalTeam", - "mpa:GetIdentitySource", - "mpa:GetPolicyVersion", - "mpa:GetResourcePolicy", - "mpa:GetSession", - "mpa:ListApprovalTeams", - "mpa:ListIdentitySources", - "mpa:ListPolicies", - "mpa:ListPolicyVersions", - "mpa:ListResourcePolicies", - "mpa:ListSessions", - "mpa:ListTagsForResource", - "mq:Describe*", - "mq:List*", - "network-firewall:DescribeFirewall", - "network-firewall:DescribeFirewallPolicy", - "network-firewall:DescribeLoggingConfiguration", - "network-firewall:DescribeResourcePolicy", - "network-firewall:DescribeRuleGroup", - "network-firewall:DescribeRuleGroupMetadata", - "network-firewall:DescribeTLSInspectionConfiguration", - "network-firewall:ListFirewallPolicies", - "network-firewall:ListFirewalls", - "network-firewall:ListRuleGroups", - "network-firewall:ListTLSInspectionConfigurations", - 
"network-firewall:ListTagsForResource", - "networkflowmonitor:GetMonitor", - "networkflowmonitor:GetScope", - "networkflowmonitor:ListMonitors", - "networkflowmonitor:ListScopes", - "networkmanager:DescribeGlobalNetworks", - "networkmanager:GetConnectAttachment", - "networkmanager:GetConnectPeer", - "networkmanager:GetConnectPeerAssociations", - "networkmanager:GetConnections", - "networkmanager:GetCoreNetwork", - "networkmanager:GetCoreNetworkChangeEvents", - "networkmanager:GetCoreNetworkChangeSet", - "networkmanager:GetCoreNetworkPolicy", - "networkmanager:GetCustomerGatewayAssociations", - "networkmanager:GetDevices", - "networkmanager:GetLinkAssociations", - "networkmanager:GetLinks", - "networkmanager:GetNetworkResourceCounts", - "networkmanager:GetNetworkResourceRelationships", - "networkmanager:GetNetworkResources", - "networkmanager:GetNetworkRoutes", - "networkmanager:GetNetworkTelemetry", - "networkmanager:GetResourcePolicy", - "networkmanager:GetRouteAnalysis", - "networkmanager:GetSiteToSiteVpnAttachment", - "networkmanager:GetSites", - "networkmanager:GetTransitGatewayConnectPeerAssociations", - "networkmanager:GetTransitGatewayPeering", - "networkmanager:GetTransitGatewayRegistrations", - "networkmanager:GetTransitGatewayRouteTableAttachment", - "networkmanager:GetVpcAttachment", - "networkmanager:ListAttachments", - "networkmanager:ListConnectPeers", - "networkmanager:ListCoreNetworkPolicyVersions", - "networkmanager:ListCoreNetworks", - "networkmanager:ListPeerings", - "networkmanager:ListTagsForResource", - "networkmonitor:GetMonitor", - "networkmonitor:GetProbe", - "networkmonitor:ListMonitors", - "networkmonitor:ListTagsForResource", - "nimble:GetEula", - "nimble:GetFeatureMap", - "nimble:GetLaunchProfile", - "nimble:GetLaunchProfileDetails", - "nimble:GetLaunchProfileInitialization", - "nimble:GetLaunchProfileMember", - "nimble:GetStreamingImage", - "nimble:GetStreamingSession", - "nimble:GetStudio", - "nimble:GetStudioComponent", - 
"nimble:GetStudioMember", - "nimble:ListEulaAcceptances", - "nimble:ListEulas", - "nimble:ListLaunchProfileMembers", - "nimble:ListLaunchProfiles", - "nimble:ListStreamingImages", - "nimble:ListStreamingSessions", - "nimble:ListStudioComponents", - "nimble:ListStudioMembers", - "nimble:ListStudios", - "nimble:ListTagsForResource", - "notifications-contacts:GetEmailContact", - "notifications-contacts:ListEmailContacts", - "notifications-contacts:ListTagsForResource", - "notifications:GetEventRule", - "notifications:GetFeatureOptInStatus", - "notifications:GetManagedNotificationChildEvent", - "notifications:GetManagedNotificationConfiguration", - "notifications:GetManagedNotificationEvent", - "notifications:GetNotificationConfiguration", - "notifications:GetNotificationEvent", - "notifications:GetNotificationsAccessForOrganization", - "notifications:List*", - "oam:GetLink", - "oam:GetSink", - "oam:GetSinkPolicy", - "oam:ListAttachedLinks", - "oam:ListLinks", - "oam:ListSinks", - "observabilityadmin:GetCentralizationRuleForOrganization", - "observabilityadmin:GetTelemetryEnrichmentStatus", - "observabilityadmin:GetTelemetryEvaluationStatus", - "observabilityadmin:GetTelemetryEvaluationStatusForOrganization", - "observabilityadmin:GetTelemetryRule", - "observabilityadmin:GetTelemetryRuleForOrganization", - "observabilityadmin:ListCentralizationRulesForOrganization", - "observabilityadmin:ListResourceTelemetry", - "observabilityadmin:ListResourceTelemetryForOrganization", - "observabilityadmin:ListTagsForResource", - "observabilityadmin:ListTelemetryRules", - "observabilityadmin:ListTelemetryRulesForOrganization", - "omics:Get*", - "omics:List*", - "one:GetDeviceConfigurationTemplate", - "one:GetDeviceInstance", - "one:GetDeviceInstanceConfiguration", - "one:GetSite", - "one:GetSiteAddress", - "one:ListDeviceConfigurationTemplates", - "one:ListDeviceInstances", - "one:ListSites", - "one:ListUsers", - "opsworks-cm:Describe*", - "opsworks-cm:List*", - 
"opsworks:Describe*", - "opsworks:Get*", - "organizations:Describe*", - "organizations:List*", - "osis:GetPipeline", - "osis:GetPipelineBlueprint", - "osis:GetPipelineChangeProgress", - "osis:ListPipelineBlueprints", - "osis:ListPipelines", - "osis:ListTagsForResource", - "outposts:Get*", - "outposts:List*", - "payment-cryptography:GetAlias", - "payment-cryptography:GetKey", - "payment-cryptography:GetPublicKeyCertificate", - "payment-cryptography:ListAliases", - "payment-cryptography:ListKeys", - "payment-cryptography:ListTagsForResource", - "payments:GetPaymentInstrument", - "payments:GetPaymentStatus", - "payments:ListPaymentInstruments", - "payments:ListPaymentPreferences", - "payments:ListPaymentProgramOptions", - "payments:ListPaymentProgramStatus", - "payments:ListTagsForResource", - "pca-connector-ad:GetConnector", - "pca-connector-ad:GetDirectoryRegistration", - "pca-connector-ad:GetServicePrincipalName", - "pca-connector-ad:GetTemplate", - "pca-connector-ad:GetTemplateGroupAccessControlEntry", - "pca-connector-ad:ListConnectors", - "pca-connector-ad:ListDirectoryRegistrations", - "pca-connector-ad:ListServicePrincipalNames", - "pca-connector-ad:ListTagsForResource", - "pca-connector-ad:ListTemplateGroupAccessControlEntries", - "pca-connector-ad:ListTemplates", - "pca-connector-scep:GetChallengeMetadata", - "pca-connector-scep:GetConnector", - "pca-connector-scep:ListChallengeMetadata", - "pca-connector-scep:ListConnectors", - "pca-connector-scep:ListTagsForResource", - "pcs:GetCluster", - "pcs:GetComputeNodeGroup", - "pcs:GetQueue", - "pcs:ListClusters", - "pcs:ListComputeNodeGroups", - "pcs:ListQueues", - "pcs:ListTagsForResource", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - "pi:DescribeDimensionKeys", - "pi:GetDimensionKeyDetails", - "pi:GetResourceMetadata", - "pi:GetResourceMetrics", - "pi:ListAvailableResourceDimensions", - "pi:ListAvailableResourceMetrics", - "pipes:DescribePipe", - "pipes:ListPipes", - 
"pipes:ListTagsForResource", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "pricing:DescribeServices", - "pricing:GetAttributeValues", - "pricing:GetPriceListFileUrl", - "pricing:GetProducts", - "pricing:ListPriceLists", - "proton:GetDeployment", - "proton:GetEnvironment", - "proton:GetEnvironmentTemplate", - "proton:GetEnvironmentTemplateVersion", - "proton:GetService", - "proton:GetServiceInstance", - "proton:GetServiceTemplate", - "proton:GetServiceTemplateVersion", - "proton:ListDeployments", - "proton:ListEnvironmentAccountConnections", - "proton:ListEnvironmentTemplates", - "proton:ListEnvironments", - "proton:ListServiceInstances", - "proton:ListServiceTemplates", - "proton:ListServices", - "proton:ListTagsForResource", - "purchase-orders:GetPurchaseOrder", - "purchase-orders:ListPurchaseOrderInvoices", - "purchase-orders:ListPurchaseOrders", - "purchase-orders:ViewPurchaseOrders", - "qbusiness:GetApplication", - "qbusiness:GetChatControlsConfiguration", - "qbusiness:GetDataSource", - "qbusiness:GetGroup", - "qbusiness:GetIndex", - "qbusiness:GetPlugin", - "qbusiness:GetRetriever", - "qbusiness:GetUser", - "qbusiness:GetWebExperience", - "qbusiness:ListApplications", - "qbusiness:ListDataSourceSyncJobs", - "qbusiness:ListDataSources", - "qbusiness:ListGroups", - "qbusiness:ListIndices", - "qbusiness:ListPlugins", - "qbusiness:ListRetrievers", - "qbusiness:ListSubscriptions", - "qbusiness:ListTagsForResource", - "qbusiness:ListWebExperiences", - "qldb:DescribeJournalKinesisStream", - "qldb:DescribeJournalS3Export", - "qldb:DescribeLedger", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:ListJournalKinesisStreamsForLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:ListLedgers", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rbin:GetRule", - "rbin:ListRules", - "rbin:ListTagsForResource", - "rds:Describe*", - "rds:Download*", - "rds:List*", - 
"redshift-serverless:GetCustomDomainAssociation", - "redshift-serverless:GetEndpointAccess", - "redshift-serverless:GetNamespace", - "redshift-serverless:GetRecoveryPoint", - "redshift-serverless:GetResourcePolicy", - "redshift-serverless:GetScheduledAction", - "redshift-serverless:GetSnapshot", - "redshift-serverless:GetTableRestoreStatus", - "redshift-serverless:GetUsageLimit", - "redshift-serverless:GetWorkgroup", - "redshift-serverless:ListCustomDomainAssociations", - "redshift-serverless:ListEndpointAccess", - "redshift-serverless:ListNamespaces", - "redshift-serverless:ListRecoveryPoints", - "redshift-serverless:ListScheduledActions", - "redshift-serverless:ListSnapshotCopyConfigurations", - "redshift-serverless:ListSnapshots", - "redshift-serverless:ListTableRestoreStatus", - "redshift-serverless:ListTagsForResource", - "redshift-serverless:ListUsageLimits", - "redshift-serverless:ListWorkgroups", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:ListRecommendations", - "redshift:View*", - "refactor-spaces:GetApplication", - "refactor-spaces:GetEnvironment", - "refactor-spaces:GetResourcePolicy", - "refactor-spaces:GetRoute", - "refactor-spaces:GetService", - "refactor-spaces:ListApplications", - "refactor-spaces:ListEnvironmentVpcs", - "refactor-spaces:ListEnvironments", - "refactor-spaces:ListRoutes", - "refactor-spaces:ListServices", - "refactor-spaces:ListTagsForResource", - "rekognition:CompareFaces", - "rekognition:DescribeDataset", - "rekognition:DescribeProjectVersions", - "rekognition:DescribeProjects", - "rekognition:DescribeStreamProcessor", - "rekognition:Detect*", - "rekognition:GetCelebrityInfo", - "rekognition:GetCelebrityRecognition", - "rekognition:GetContentModeration", - "rekognition:GetFaceDetection", - "rekognition:GetFaceSearch", - "rekognition:GetLabelDetection", - "rekognition:GetPersonTracking", - "rekognition:GetSegmentDetection", - "rekognition:GetTextDetection", - "rekognition:List*", - 
"rekognition:RecognizeCelebrities", - "rekognition:Search*", - "resiliencehub:DescribeApp", - "resiliencehub:DescribeAppAssessment", - "resiliencehub:DescribeAppVersion", - "resiliencehub:DescribeAppVersionAppComponent", - "resiliencehub:DescribeAppVersionResource", - "resiliencehub:DescribeAppVersionResourcesResolutionStatus", - "resiliencehub:DescribeAppVersionTemplate", - "resiliencehub:DescribeDraftAppVersionResourcesImportStatus", - "resiliencehub:DescribeMetricsExport", - "resiliencehub:DescribeResiliencyPolicy", - "resiliencehub:DescribeResourceGroupingRecommendationTask", - "resiliencehub:ListAlarmRecommendations", - "resiliencehub:ListAppAssessmentComplianceDrifts", - "resiliencehub:ListAppAssessmentResourceDrifts", - "resiliencehub:ListAppAssessments", - "resiliencehub:ListAppComponentCompliances", - "resiliencehub:ListAppComponentRecommendations", - "resiliencehub:ListAppInputSources", - "resiliencehub:ListAppVersionAppComponents", - "resiliencehub:ListAppVersionResourceMappings", - "resiliencehub:ListAppVersionResources", - "resiliencehub:ListAppVersions", - "resiliencehub:ListApps", - "resiliencehub:ListMetrics", - "resiliencehub:ListRecommendationTemplates", - "resiliencehub:ListResiliencyPolicies", - "resiliencehub:ListResourceGroupingRecommendations", - "resiliencehub:ListSopRecommendations", - "resiliencehub:ListSuggestedResiliencyPolicies", - "resiliencehub:ListTagsForResource", - "resiliencehub:ListTestRecommendations", - "resiliencehub:ListUnsupportedAppVersionResources", - "resource-explorer-2:BatchGetView", - "resource-explorer-2:GetAccountLevelServiceConfiguration", - "resource-explorer-2:GetDefaultView", - "resource-explorer-2:GetIndex", - "resource-explorer-2:GetManagedView", - "resource-explorer-2:GetView", - "resource-explorer-2:ListIndexes", - "resource-explorer-2:ListIndexesForMembers", - "resource-explorer-2:ListManagedViews", - "resource-explorer-2:ListSupportedResourceTypes", - "resource-explorer-2:ListTagsForResource", - 
"resource-explorer-2:ListViews", - "resource-explorer-2:Search", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:Get*", - "robomaker:List*", - "rolesanywhere:GetCrl", - "rolesanywhere:GetProfile", - "rolesanywhere:GetSubject", - "rolesanywhere:GetTrustAnchor", - "rolesanywhere:ListCrls", - "rolesanywhere:ListProfiles", - "rolesanywhere:ListSubjects", - "rolesanywhere:ListTagsForResource", - "rolesanywhere:ListTrustAnchors", - "route53-recovery-cluster:Get*", - "route53-recovery-cluster:ListRoutingControls", - "route53-recovery-control-config:Describe*", - "route53-recovery-control-config:GetResourcePolicy", - "route53-recovery-control-config:List*", - "route53-recovery-readiness:Get*", - "route53-recovery-readiness:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53profiles:GetProfile", - "route53profiles:GetProfileAssociation", - "route53profiles:GetProfileResourceAssociation", - "route53profiles:ListProfileAssociations", - "route53profiles:ListProfileResourceAssociations", - "route53profiles:ListProfiles", - "route53profiles:ListTagsForResource", - "route53resolver:Get*", - "route53resolver:List*", - "rum:GetAppMonitor", - "rum:GetAppMonitorData", - "rum:ListAppMonitors", - "s3-object-lambda:GetObject", - "s3-object-lambda:GetObjectAcl", - "s3-object-lambda:GetObjectLegalHold", - "s3-object-lambda:GetObjectRetention", - "s3-object-lambda:GetObjectTagging", - "s3-object-lambda:GetObjectVersion", - "s3-object-lambda:GetObjectVersionAcl", - "s3-object-lambda:GetObjectVersionTagging", - "s3-object-lambda:ListBucket", - "s3-object-lambda:ListBucketMultipartUploads", - "s3-object-lambda:ListBucketVersions", - "s3-object-lambda:ListMultipartUploadParts", - "s3-outposts:GetAccessPoint", - "s3-outposts:GetAccessPointPolicy", - 
"s3-outposts:GetBucket", - "s3-outposts:GetBucketPolicy", - "s3-outposts:GetBucketTagging", - "s3-outposts:GetBucketVersioning", - "s3-outposts:GetLifecycleConfiguration", - "s3-outposts:GetObject", - "s3-outposts:GetObjectTagging", - "s3-outposts:GetObjectVersion", - "s3-outposts:GetObjectVersionForReplication", - "s3-outposts:GetObjectVersionTagging", - "s3-outposts:GetReplicationConfiguration", - "s3-outposts:ListAccessPoints", - "s3-outposts:ListBucket", - "s3-outposts:ListBucketMultipartUploads", - "s3-outposts:ListBucketVersions", - "s3-outposts:ListEndpoints", - "s3-outposts:ListMultipartUploadParts", - "s3-outposts:ListOutpostsWithS3", - "s3-outposts:ListRegionalBuckets", - "s3-outposts:ListSharedEndpoints", - "s3:DescribeJob", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "savingsplans:DescribeSavingsPlanRates", - "savingsplans:DescribeSavingsPlans", - "savingsplans:DescribeSavingsPlansOfferingRates", - "savingsplans:DescribeSavingsPlansOfferings", - "savingsplans:ListTagsForResource", - "scheduler:GetSchedule", - "scheduler:GetScheduleGroup", - "scheduler:ListScheduleGroups", - "scheduler:ListSchedules", - "scheduler:ListTagsForResource", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "secretsmanager:List*", - "securityhub:BatchGetAutomationRules", - "securityhub:BatchGetConfigurationPolicyAssociations", - "securityhub:BatchGetControlEvaluations", - "securityhub:BatchGetSecurityControls", - "securityhub:BatchGetStandardsControlAssociations", - "securityhub:Describe*", - "securityhub:Get*", - "securityhub:List*", - "securitylake:GetDataLakeExceptionSubscription", - "securitylake:GetDataLakeOrganizationConfiguration", - "securitylake:GetDataLakeSources", - "securitylake:GetSubscriber", - 
"securitylake:ListDataLakeExceptions", - "securitylake:ListDataLakes", - "securitylake:ListLogSources", - "securitylake:ListSubscribers", - "securitylake:ListTagsForResource", - "serverlessrepo:Get*", - "serverlessrepo:List*", - "serverlessrepo:SearchApplications", - "servicecatalog:Describe*", - "servicecatalog:GetApplication", - "servicecatalog:GetAttributeGroup", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicediscovery:DiscoverInstances", - "servicediscovery:DiscoverInstancesRevision", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServices", - "ses:BatchGetMetricData", - "ses:Describe*", - "ses:Get*", - "ses:List*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "signer:DescribeSigningJob", - "signer:GetSigningPlatform", - "signer:GetSigningProfile", - "signer:ListProfilePermissions", - "signer:ListSigningJobs", - "signer:ListSigningPlatforms", - "signer:ListSigningProfiles", - "signer:ListTagsForResource", - "signin:ListTrustedIdentityPropagationApplicationsForConsole", - "sms-voice:DescribeAccountAttributes", - "sms-voice:DescribeAccountLimits", - "sms-voice:DescribeConfigurationSets", - "sms-voice:DescribeKeywords", - "sms-voice:DescribeOptOutLists", - "sms-voice:DescribeOptedOutNumbers", - "sms-voice:DescribePhoneNumbers", - "sms-voice:DescribePools", - "sms-voice:DescribeProtectConfigurations", - "sms-voice:DescribeRegistrationAttachments", - 
"sms-voice:DescribeRegistrationFieldDefinitions", - "sms-voice:DescribeRegistrationFieldValues", - "sms-voice:DescribeRegistrations", - "sms-voice:DescribeRegistrationSectionDefinitions", - "sms-voice:DescribeRegistrationTypeDefinitions", - "sms-voice:DescribeRegistrationVersions", - "sms-voice:DescribeSenderIds", - "sms-voice:DescribeSpendLimits", - "sms-voice:DescribeVerifiedDestinationNumbers", - "sms-voice:ListPoolOriginationIdentities", - "sms-voice:ListTagsForResource", - "snowball:Describe*", - "snowball:Get*", - "snowball:List*", - "sns:Check*", - "sns:Get*", - "sns:List*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm-contacts:DescribeEngagement", - "ssm-contacts:DescribePage", - "ssm-contacts:GetContact", - "ssm-contacts:GetContactChannel", - "ssm-contacts:ListContactChannels", - "ssm-contacts:ListContacts", - "ssm-contacts:ListEngagements", - "ssm-contacts:ListPageReceipts", - "ssm-contacts:ListPagesByContact", - "ssm-contacts:ListPagesByEngagement", - "ssm-incidents:GetIncidentRecord", - "ssm-incidents:GetReplicationSet", - "ssm-incidents:GetResourcePolicies", - "ssm-incidents:GetResponsePlan", - "ssm-incidents:GetTimelineEvent", - "ssm-incidents:ListIncidentRecords", - "ssm-incidents:ListRelatedItems", - "ssm-incidents:ListReplicationSets", - "ssm-incidents:ListResponsePlans", - "ssm-incidents:ListTagsForResource", - "ssm-incidents:ListTimelineEvents", - "ssm-quicksetup:GetConfiguration", - "ssm-quicksetup:GetConfigurationManager", - "ssm-quicksetup:GetServiceSettings", - "ssm-quicksetup:ListConfigurationManagers", - "ssm-quicksetup:ListConfigurations", - "ssm-quicksetup:ListQuickSetupTypes", - "ssm-quicksetup:ListTagsForResource", - "ssm-sap:GetApplication", - "ssm-sap:GetComponent", - "ssm-sap:GetConfigurationCheckOperation", - "ssm-sap:GetDatabase", - "ssm-sap:GetOperation", - "ssm-sap:GetResourcePermission", - "ssm-sap:ListApplications", - "ssm-sap:ListComponents", - "ssm-sap:ListConfigurationCheckDefinitions", - 
"ssm-sap:ListConfigurationCheckOperations",
- "ssm-sap:ListDatabases",
- "ssm-sap:ListOperationEvents",
- "ssm-sap:ListOperations",
- "ssm-sap:ListSubCheckResults",
- "ssm-sap:ListSubCheckRuleResults",
- "ssm-sap:ListTagsForResource",
- "ssm:Describe*",
- "ssm:Get*",
- "ssm:List*",
- "sso-directory:Describe*",
- "sso-directory:List*",
- "sso-directory:Search*",
- "sso:Describe*",
- "sso:Get*",
- "sso:List*",
- "states:Describe*",
- "states:GetExecutionHistory",
- "states:List*",
- "states:ValidateStateMachineDefinition",
- "storagegateway:Describe*",
- "storagegateway:List*",
- "sts:GetAccessKeyInfo",
- "sts:GetCallerIdentity",
- "sts:GetSessionToken",
- "support:DescribeAttachment",
- "support:DescribeCaseAttributes",
- "support:DescribeCases",
- "support:DescribeCommunication",
- "support:DescribeCommunications",
- "support:DescribeCreateCaseOptions",
- "support:DescribeIssueTypes",
- "support:DescribeServices",
- "support:DescribeSeverityLevels",
- "support:DescribeSupportLevel",
- "support:DescribeSupportedLanguages",
- "support:DescribeTrustedAdvisorCheckRefreshStatuses",
- "support:DescribeTrustedAdvisorCheckResult",
- "support:DescribeTrustedAdvisorCheckSummaries",
- "support:DescribeTrustedAdvisorChecks",
- "support:SearchForCases",
- "supportplans:GetSupportPlan",
- "supportplans:GetSupportPlanUpdateStatus",
- "supportplans:ListSupportPlanModifiers",
- "sustainability:GetCarbonFootprintSummary",
- "swf:Count*",
- "swf:Describe*",
- "swf:Get*",
- "swf:List*",
- "synthetics:Describe*",
- "synthetics:Get*",
- "synthetics:List*",
- "tag:DescribeReportCreation",
- "tag:Get*",
- "tax:GetExemptions",
- "tax:GetTaxInheritance",
- "tax:GetTaxInterview",
- "tax:GetTaxRegistration",
- "tax:GetTaxRegistrationDocument",
- "tax:ListTaxRegistrations",
- "timestream:DescribeBatchLoadTask",
- "timestream:DescribeDatabase",
- "timestream:DescribeEndpoints",
- "timestream:DescribeTable",
- "timestream:ListBatchLoadTasks",
- "timestream:ListDatabases",
- "timestream:ListMeasures",
- "timestream:ListTables",
- "timestream:ListTagsForResource",
- "tnb:GetSolFunctionInstance",
- "tnb:GetSolFunctionPackage",
- "tnb:GetSolFunctionPackageContent",
- "tnb:GetSolFunctionPackageDescriptor",
- "tnb:GetSolNetworkInstance",
- "tnb:GetSolNetworkOperation",
- "tnb:GetSolNetworkPackage",
- "tnb:GetSolNetworkPackageContent",
- "tnb:GetSolNetworkPackageDescriptor",
- "tnb:ListSolFunctionInstances",
- "tnb:ListSolFunctionPackages",
- "tnb:ListSolNetworkInstances",
- "tnb:ListSolNetworkOperations",
- "tnb:ListSolNetworkPackages",
- "tnb:ListTagsForResource",
- "transcribe:Get*",
- "transcribe:List*",
- "transfer:Describe*",
- "transfer:List*",
- "transfer:TestIdentityProvider",
- "translate:DescribeTextTranslationJob",
- "translate:GetParallelData",
- "translate:GetTerminology",
- "translate:ListParallelData",
- "translate:ListTerminologies",
- "translate:ListTextTranslationJobs",
- "trustedadvisor:Describe*",
- "trustedadvisor:GetOrganizationRecommendation",
- "trustedadvisor:GetRecommendation",
- "trustedadvisor:ListChecks",
- "trustedadvisor:ListOrganizationRecommendationAccounts",
- "trustedadvisor:ListOrganizationRecommendationResources",
- "trustedadvisor:ListOrganizationRecommendations",
- "trustedadvisor:ListRecommendationResources",
- "trustedadvisor:ListRecommendations",
- "user-subscriptions:ListApplicationClaims",
- "user-subscriptions:ListClaims",
- "user-subscriptions:ListUserSubscriptions",
- "verifiedpermissions:GetIdentitySource",
- "verifiedpermissions:GetPolicy",
- "verifiedpermissions:GetPolicyStore",
- "verifiedpermissions:GetPolicyTemplate",
- "verifiedpermissions:GetSchema",
- "verifiedpermissions:IsAuthorized",
- "verifiedpermissions:IsAuthorizedWithToken",
- "verifiedpermissions:ListIdentitySources",
- "verifiedpermissions:ListPolicies",
- "verifiedpermissions:ListPolicyStores",
- "verifiedpermissions:ListPolicyTemplates",
- "vpc-lattice:GetAccessLogSubscription",
- "vpc-lattice:GetAuthPolicy",
- "vpc-lattice:GetListener",
- "vpc-lattice:GetResourceConfiguration",
- "vpc-lattice:GetResourceGateway",
- "vpc-lattice:GetResourcePolicy",
- "vpc-lattice:GetRule",
- "vpc-lattice:GetService",
- "vpc-lattice:GetServiceNetwork",
- "vpc-lattice:GetServiceNetworkResourceAssociation",
- "vpc-lattice:GetServiceNetworkServiceAssociation",
- "vpc-lattice:GetServiceNetworkVpcAssociation",
- "vpc-lattice:GetTargetGroup",
- "vpc-lattice:ListAccessLogSubscriptions",
- "vpc-lattice:ListListeners",
- "vpc-lattice:ListResourceConfigurations",
- "vpc-lattice:ListResourceEndpointAssociations",
- "vpc-lattice:ListResourceGateways",
- "vpc-lattice:ListRules",
- "vpc-lattice:ListServiceNetworkResourceAssociations",
- "vpc-lattice:ListServiceNetworkServiceAssociations",
- "vpc-lattice:ListServiceNetworkVpcAssociations",
- "vpc-lattice:ListServiceNetworks",
- "vpc-lattice:ListServiceNetworkVpcEndpointAssociations",
- "vpc-lattice:ListServices",
- "vpc-lattice:ListTagsForResource",
- "vpc-lattice:ListTargetGroups",
- "vpc-lattice:ListTargets",
- "waf-regional:Get*",
- "waf-regional:List*",
- "waf:Get*",
- "waf:List*",
- "wafv2:CheckCapacity",
- "wafv2:Describe*",
- "wafv2:Get*",
- "wafv2:List*",
- "wellarchitected:ExportLens",
- "wellarchitected:GetAnswer",
- "wellarchitected:GetConsolidatedReport",
- "wellarchitected:GetLens",
- "wellarchitected:GetLensReview",
- "wellarchitected:GetLensReviewReport",
- "wellarchitected:GetLensVersionDifference",
- "wellarchitected:GetMilestone",
- "wellarchitected:GetProfile",
- "wellarchitected:GetProfileTemplate",
- "wellarchitected:GetReviewTemplate",
- "wellarchitected:GetReviewTemplateAnswer",
- "wellarchitected:GetReviewTemplateLensReview",
- "wellarchitected:GetWorkload",
- "wellarchitected:List*",
- "workdocs:CheckAlias",
- "workdocs:Describe*",
- "workdocs:Get*",
- "workmail:Describe*",
- "workmail:Get*",
- "workmail:List*",
- "workmail:Search*",
- "workspaces-web:GetBrowserSettings",
- "workspaces-web:GetIdentityProvider",
- "workspaces-web:GetNetworkSettings",
- "workspaces-web:GetPortal",
- "workspaces-web:GetPortalServiceProviderMetadata",
- "workspaces-web:GetTrustStore",
- "workspaces-web:GetUserAccessLoggingSettings",
- "workspaces-web:GetUserSettings",
- "workspaces-web:ListBrowserSettings",
- "workspaces-web:ListIdentityProviders",
- "workspaces-web:ListNetworkSettings",
- "workspaces-web:ListPortals",
- "workspaces-web:ListTagsForResource",
- "workspaces-web:ListTrustStores",
- "workspaces-web:ListUserAccessLoggingSettings",
- "workspaces-web:ListUserSettings",
- "workspaces:Describe*",
- "xray:BatchGet*",
- "xray:Get*"
- ],
- "Resource": "*"
- }
- ]
- }
-}
\ No newline at end of file
