From 7328177c251d75ae75ca8f9545acc447ce11c981 Mon Sep 17 00:00:00 2001 
From: udondan Date: Thu, 14 Nov 2024 01:32:20 +0000 Subject: [PATCH] Updates AWS managed policies --- ...pplicationAutoscalingECSServicePolicy.json | 1 + .../AWSAuditManagerServiceRolePolicy.json | 1 + .../managed-policies/AWSBackupFullAccess.json | 9 +- .../AWSBackupServiceRolePolicyForBackup.json | 22 +- .../AWSBillingReadOnlyAccess.json | 11 +- ...SCloudFrontVPCOriginServiceRolePolicy.json | 113 ++++++ .../AWSCompromisedKeyQuarantineV2.json | 31 +- .../AWSCompromisedKeyQuarantineV3.json | 102 ++++++ .../AWSConfigServiceRolePolicy.json | 136 ++++++- ...SDataExchangeDataGrantOwnerFullAccess.json | 60 ++++ ...taExchangeDataGrantReceiverFullAccess.json | 60 ++++ .../AWSDataExchangeProviderFullAccess.json | 12 + .../AWSDataExchangeReadOnly.json | 4 + ...ServiceRolePolicyForLicenseManagement.json | 19 + ...iceRolePolicyForOrganizationDiscovery.json | 17 + .../AWSDataSyncFullAccess.json | 11 + .../AWSDataSyncServiceRolePolicy.json | 26 ++ .../AWSDeadlineCloud-UserAccessFarms.json | 2 + .../AWSDeadlineCloud-UserAccessJobs.json | 2 + .../AWSDeadlineCloud-UserAccessQueues.json | 2 + .../AWSDirectoryServiceDataFullAccess.json | 32 ++ ...AWSDirectoryServiceDataReadOnlyAccess.json | 23 ++ ...ElasticLoadBalancingServiceRolePolicy.json | 1 + .../AWSGlobalAcceleratorSLRPolicy.json | 3 +- ...tityCenterAllowListForIdentityContext.json | 3 + .../AWSIPAMServiceRolePolicy.json | 5 +- ...rviceMultiRegionKeysServiceRolePolicy.json | 1 + ...gerUserSubscriptionsServiceRolePolicy.json | 47 ++- .../AWSMarketplaceSellerFullAccess.json | 3 + ...WSMarketplaceSellerProductsFullAccess.json | 2 + .../AWSMarketplaceSellerProductsReadOnly.json | 9 + .../AWSPCSServiceRolePolicy.json | 210 +++++++++++ ...ReachabilityAnalyzerServiceRolePolicy.json | 7 - ...silienceHubAsssessmentExecutionPolicy.json | 2 + .../AWSResourceExplorerServiceRolePolicy.json | 130 ++++--- .../AWSSSMForSAPServiceLinkedRolePolicy.json | 79 +++- .../AWSSSOMasterAccountAdministrator.json | 10 + 
.../AWSServiceRoleForAmazonEKSNodegroup.json | 4 +- .../AWSServiceRoleForMonitronPolicy.json | 4 +- ...rviceRoleForProcurementInsightsPolicy.json | 17 + .../AWSSocialMessagingServiceRolePolicy.json | 16 + .../AWSSupportPlansFullAccess.json | 1 + .../AWSSupportPlansReadOnlyAccess.json | 3 +- .../AWSSupportServiceRolePolicy.json | 159 +++++++- .../AWSThinkboxAWSPortalAdminPolicy.json | 14 +- ...boxDeadlineResourceTrackerAdminPolicy.json | 2 +- .../AWSTrustedAdvisorServiceRolePolicy.json | 2 + .../managed-policies/AWS_ConfigRole.json | 137 ++++++- .../AccessAnalyzerServiceRolePolicy.json | 2 + .../AmazonBedrockReadOnly.json | 14 +- ...ognitoUnAuthedIdentitiesSessionPolicy.json | 18 +- ...nnectCampaignsServiceLinkedRolePolicy.json | 63 +++- .../AmazonConnectServiceLinkedRolePolicy.json | 124 ++++++- ...nnectSynchronizationServiceRolePolicy.json | 118 +++--- ...DataZoneBedrockModelConsumptionPolicy.json | 23 ++ ...nDataZoneBedrockModelManagementPolicy.json | 73 ++++ ...ataZoneRedshiftGlueProvisioningPolicy.json | 3 +- .../AmazonEC2ContainerRegistryPullOnly.json | 15 + .../AmazonEC2RolePolicyForLaunchWizard.json | 3 +- ...ECSInfrastructureRolePolicyForVolumes.json | 6 + .../AmazonECS_FullAccess.json | 23 +- .../AmazonEKSBlockStoragePolicy.json | 91 +++++ .../AmazonEKSClusterPolicy.json | 1 + .../AmazonEKSComputePolicy.json | 88 +++++ .../AmazonEKSLoadBalancingPolicy.json | 231 ++++++++++++ .../AmazonEKSLocalOutpostClusterPolicy.json | 1 + .../AmazonEKSNetworkingPolicy.json | 59 +++ .../AmazonEKSServicePolicy.json | 19 +- .../AmazonEKSServiceRolePolicy.json | 29 +- .../AmazonEKSWorkerNodeMinimalPolicy.json | 13 + .../AmazonElasticFileSystemFullAccess.json | 19 +- ...AmazonElasticFileSystemReadOnlyAccess.json | 2 + ...zonElasticFileSystemServiceRolePolicy.json | 4 +- .../AmazonGuardDutyServiceRolePolicy.json | 1 + .../AmazonInspector2ServiceRolePolicy.json | 1 + .../AmazonODBServiceRolePolicy.json | 28 ++ .../AmazonOpenSearchServiceRolePolicy.json | 5 +- 
.../AmazonQDeveloperAccess.json | 4 +- .../managed-policies/AmazonQFullAccess.json | 27 +- .../AmazonRDSBetaServiceRolePolicy.json | 7 - .../AmazonRDSPreviewServiceRolePolicy.json | 7 - .../AmazonRoute53ProfilesFullAccess.json | 2 + .../AmazonRoute53ProfilesReadOnlyAccess.json | 1 + .../AmazonRoute53ResolverFullAccess.json | 1 + .../AmazonRoute53ResolverReadOnlyAccess.json | 1 + .../managed-policies/AmazonSNSFullAccess.json | 29 +- .../AmazonSNSReadOnlyAccess.json | 27 +- ...azonSageMakerCanvasDataPrepFullAccess.json | 5 +- .../AmazonSageMakerCanvasFullAccess.json | 5 +- ...zonSageMakerHyperPodServiceRolePolicy.json | 43 +++ .../AmazonTimestreamInfluxDBFullAccess.json | 3 +- .../AmazonVerifiedPermissionsFullAccess.json | 24 ++ ...azonVerifiedPermissionsReadOnlyAccess.json | 32 ++ .../AmazonWorkSpacesThinClientFullAccess.json | 39 ++ ...zonWorkSpacesThinClientReadOnlyAccess.json | 34 +- ...ueSessionUserRestrictedNotebookPolicy.json | 18 +- ...sionUserRestrictedNotebookServiceRole.json | 15 +- .../AwsGlueSessionUserRestrictedPolicy.json | 15 +- ...sGlueSessionUserRestrictedServiceRole.json | 15 +- .../_static/managed-policies/Billing.json | 15 +- .../CloudWatchInternetMonitorFullAccess.json | 70 ++++ ...oudWatchInternetMonitorReadOnlyAccess.json | 28 ++ ...ApplicationSignalsExecutionRolePolicy.json | 35 ++ .../CloudWatchSyntheticsFullAccess.json | 8 +- .../ElasticLoadBalancingFullAccess.json | 1 + .../GameLiftContainerFleetPolicy.json | 46 +++ .../managed-policies/IVSReadOnlyAccess.json | 4 + .../managed-policies/PowerUserAccess.json | 7 +- .../QAppsServiceRolePolicy.json | 18 + .../managed-policies/ReadOnlyAccess.json | 188 ++++++++-- ...sTaggingAPITagUntagSupportedResources.json | 340 ++++++++++++++++++ .../SSMQuickSetupRolePolicy.json | 7 +- .../managed-policies/SecurityAudit.json | 19 + .../managed-policies/ViewOnlyAccess.json | 6 + .../_static/managed-policies/index.json | 2 +- .../aws-managed-policies/cdk-iam-floyd.ts | 155 ++++++++ 
.../aws-managed-policies/iam-floyd.ts | 62 ++++ 117 files changed, 3776 insertions(+), 233 deletions(-) create mode 100644 docs/source/_static/managed-policies/AWSCloudFrontVPCOriginServiceRolePolicy.json create mode 100644 docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json create mode 100644 docs/source/_static/managed-policies/AWSDataExchangeDataGrantOwnerFullAccess.json create mode 100644 docs/source/_static/managed-policies/AWSDataExchangeDataGrantReceiverFullAccess.json create mode 100644 docs/source/_static/managed-policies/AWSDataExchangeServiceRolePolicyForLicenseManagement.json create mode 100644 docs/source/_static/managed-policies/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery.json create mode 100644 docs/source/_static/managed-policies/AWSDataSyncServiceRolePolicy.json create mode 100644 docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json create mode 100644 docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json create mode 100644 docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json create mode 100644 docs/source/_static/managed-policies/AWSServiceRoleForProcurementInsightsPolicy.json create mode 100644 docs/source/_static/managed-policies/AWSSocialMessagingServiceRolePolicy.json create mode 100644 docs/source/_static/managed-policies/AmazonDataZoneBedrockModelConsumptionPolicy.json create mode 100644 docs/source/_static/managed-policies/AmazonDataZoneBedrockModelManagementPolicy.json create mode 100644 docs/source/_static/managed-policies/AmazonEC2ContainerRegistryPullOnly.json create mode 100644 docs/source/_static/managed-policies/AmazonEKSBlockStoragePolicy.json create mode 100644 docs/source/_static/managed-policies/AmazonEKSComputePolicy.json create mode 100644 docs/source/_static/managed-policies/AmazonEKSLoadBalancingPolicy.json create mode 100644 docs/source/_static/managed-policies/AmazonEKSNetworkingPolicy.json create mode 100644 
docs/source/_static/managed-policies/AmazonEKSWorkerNodeMinimalPolicy.json
create mode 100644 docs/source/_static/managed-policies/AmazonODBServiceRolePolicy.json
create mode 100644 docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
create mode 100644 docs/source/_static/managed-policies/AmazonVerifiedPermissionsFullAccess.json
create mode 100644 docs/source/_static/managed-policies/AmazonVerifiedPermissionsReadOnlyAccess.json
create mode 100644 docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
create mode 100644 docs/source/_static/managed-policies/CloudWatchInternetMonitorFullAccess.json
create mode 100644 docs/source/_static/managed-policies/CloudWatchInternetMonitorReadOnlyAccess.json
create mode 100644 docs/source/_static/managed-policies/CloudWatchLambdaApplicationSignalsExecutionRolePolicy.json
create mode 100644 docs/source/_static/managed-policies/GameLiftContainerFleetPolicy.json
create mode 100644 docs/source/_static/managed-policies/QAppsServiceRolePolicy.json
create mode 100644 docs/source/_static/managed-policies/ResourceGroupsTaggingAPITagUntagSupportedResources.json
diff --git a/docs/source/_static/managed-policies/AWSApplicationAutoscalingECSServicePolicy.json b/docs/source/_static/managed-policies/AWSApplicationAutoscalingECSServicePolicy.json
index 79886aa14..fb0bbdd0f 100644
--- a/docs/source/_static/managed-policies/AWSApplicationAutoscalingECSServicePolicy.json
+++ b/docs/source/_static/managed-policies/AWSApplicationAutoscalingECSServicePolicy.json
@@ -8,6 +8,7 @@
 "ecs:UpdateService",
 "cloudwatch:PutMetricAlarm",
 "cloudwatch:DescribeAlarms",
+ "cloudwatch:GetMetricData",
 "cloudwatch:DeleteAlarms"
 ],
 "Resource": [
diff --git a/docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json
index a2848bd32..16096c366 100644
--- a/docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AWSAuditManagerServiceRolePolicy.json
@@ -15,6 +15,7 @@
 "bedrock:GetModelInvocationLoggingConfiguration",
 "bedrock:ListCustomModels",
 "bedrock:ListFoundationModels",
+ "bedrock:ListGuardrails",
 "bedrock:ListModelCustomizationJobs",
 "cloudfront:GetDistribution",
 "cloudfront:GetDistributionConfig",
diff --git a/docs/source/_static/managed-policies/AWSBackupFullAccess.json b/docs/source/_static/managed-policies/AWSBackupFullAccess.json
index b46e9b78a..fe18cea8d 100644
--- a/docs/source/_static/managed-policies/AWSBackupFullAccess.json
+++ b/docs/source/_static/managed-policies/AWSBackupFullAccess.json
@@ -149,11 +149,18 @@
 "Effect": "Allow",
 "Action": [
 "storagegateway:DescribeGatewayInformation",
- "storagegateway:ListVolumes",
 "storagegateway:ListLocalDisks"
 ],
 "Resource": "arn:aws:storagegateway:*:*:gateway/*"
 },
+ {
+ "Sid": "StorageGatewayGatewayStarPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "storagegateway:ListVolumes"
+ ],
+ "Resource": "*"
+ },
 {
 "Sid": "IamRolePermissions",
 "Effect": "Allow",
diff --git a/docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json b/docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json
index 79ae606a3..99088cc9e 100644
--- a/docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json
+++ b/docs/source/_static/managed-policies/AWSBackupServiceRolePolicyForBackup.json
@@ -38,14 +38,10 @@
 "Resource": "*"
 },
 {
- "Sid": "RDSModifyPermissions",
+ "Sid": "RDSInstanceAutomatedBackupPermissions",
 "Effect": "Allow",
- "Action": [
- "rds:ModifyDBInstance"
- ],
- "Resource": [
- "arn:aws:rds:*:*:db:*"
- ]
+ "Action": "rds:DeleteDBInstanceAutomatedBackup",
+ "Resource": "arn:aws:rds:*:*:auto-backup:*"
 },
 {
 "Sid": "RDSClusterPermissions",
@@ -60,10 +56,18 @@
 {
 "Sid": "RDSClusterBackupPermissions",
 "Effect": "Allow",
+ "Action": "rds:DeleteDBClusterAutomatedBackup",
+ "Resource": "arn:aws:rds:*:*:cluster-auto-backup:*"
+ },
+ {
+ "Sid": "RDSModifyPermissions",
+ "Effect": "Allow",
 "Action": [
- "rds:DeleteDBClusterAutomatedBackup"
+ "rds:ModifyDBInstance"
 ],
- "Resource": "arn:aws:rds:*:*:cluster-auto-backup:*"
+ "Resource": [
+ "arn:aws:rds:*:*:db:*"
+ ]
 },
 {
 "Sid": "RDSBackupPermissions",
diff --git a/docs/source/_static/managed-policies/AWSBillingReadOnlyAccess.json b/docs/source/_static/managed-policies/AWSBillingReadOnlyAccess.json
index ce0cdc8e8..2cdb5b186 100644
--- a/docs/source/_static/managed-policies/AWSBillingReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/AWSBillingReadOnlyAccess.json
@@ -40,11 +40,20 @@
 "invoicing:GetInvoiceEmailDeliveryPreferences",
 "invoicing:GetInvoicePDF",
 "invoicing:ListInvoiceSummaries",
+ "payments:GetFinancingApplication",
+ "payments:GetFinancingLine",
+ "payments:GetFinancingLineWithdrawal",
+ "payments:GetFinancingOption",
 "payments:GetPaymentInstrument",
 "payments:GetPaymentStatus",
+ "payments:ListFinancingApplications",
+ "payments:ListFinancingLines",
+ "payments:ListFinancingLineWithdrawals",
+ "payments:ListPaymentInstruments",
 "payments:ListPaymentPreferences",
+ "payments:ListPaymentProgramOptions",
+ "payments:ListPaymentProgramStatus",
 "payments:ListTagsForResource",
- "payments:ListPaymentInstruments",
 "purchase-orders:GetPurchaseOrder",
 "purchase-orders:ViewPurchaseOrders",
 "purchase-orders:ListPurchaseOrderInvoices",
diff --git a/docs/source/_static/managed-policies/AWSCloudFrontVPCOriginServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSCloudFrontVPCOriginServiceRolePolicy.json
new file mode 100644
index 000000000..ce8bc0c23
--- /dev/null
+++ b/docs/source/_static/managed-policies/AWSCloudFrontVPCOriginServiceRolePolicy.json
@@ -0,0 +1,113 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "EC2Action1",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateNetworkInterface"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/aws.cloudfront.vpcorigin": "enabled"
+ }
+ },
+ "Resource": "arn:aws:ec2:*:*:network-interface/*"
+ },
+ {
+ "Sid": "EC2Action2",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateNetworkInterface"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:subnet/*",
+ "arn:aws:ec2:*:*:security-group/*"
+ ]
+ },
+ {
+ "Sid": "EC2Action3",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateSecurityGroup"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/aws.cloudfront.vpcorigin": "enabled"
+ }
+ },
+ "Resource": [
+ "arn:aws:ec2:*:*:security-group/*"
+ ]
+ },
+ {
+ "Sid": "EC2Action4",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateSecurityGroup"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:vpc/*"
+ ]
+ },
+ {
+ "Sid": "EC2Action5",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DeleteSecurityGroup",
+ "ec2:AssignIpv6Addresses",
+ "ec2:UnassignIpv6Addresses"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/aws.cloudfront.vpcorigin": "enabled"
+ }
+ },
+ "Resource": "*"
+ },
+ {
+ "Sid": "EC2Action6",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeRegions",
+ "ec2:DescribeAddresses"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "EC2Action7",
+ "Effect": "Allow",
+ "Action": "ec2:CreateTags",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/aws.cloudfront.vpcorigin": "enabled",
+ "ec2:CreateAction": [
+ "CreateNetworkInterface",
+ "CreateSecurityGroup"
+ ]
+ }
+ },
+ "Resource": [
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*:*:network-interface/*"
+ ]
+ },
+ {
+ "Sid": "ElbAction1",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeTargetGroups"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV2.json b/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV2.json
index ddb4af7a6..37e05c351 100644
--- a/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV2.json
+++ b/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV2.json
@@ -63,7 +63,36 @@
 "ec2:PurchaseReservedInstancesOffering",
 "ec2:AcceptReservedInstancesExchangeQuote",
 "ec2:CreateReservedInstancesListing",
- "savingsplans:CreateSavingsPlan"
+ "savingsplans:CreateSavingsPlan",
+ "ecs:CreateService",
+ "ecs:CreateCluster",
+ "ecs:RegisterTaskDefinition",
+ "ecr:GetAuthorizationToken",
+ "bedrock:CreateModelInvocationJob",
+ "bedrock:InvokeModelWithResponseStream",
+ "bedrock:CreateFoundationModelAgreement",
+ "bedrock:PutFoundationModelEntitlement",
+ "bedrock:InvokeModel",
+ "s3:CreateBucket",
+ "s3:PutBucketCors",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "sagemaker:CreateEndpointConfig",
+ "sagemaker:CreateProcessingJob",
+ "ses:GetSendQuota",
+ "ses:ListIdentities",
+ "sts:GetSessionToken",
+ "sts:GetFederationToken",
+ "amplify:CreateDeployment",
+ "amplify:CreateBackendEnvironment",
+ "codebuild:CreateProject",
+ "glue:CreateJob",
+ "iam:DeleteRole",
+ "iam:DeleteAccessKey",
+ "iam:ListUsers",
+ "lambda:GetEventSourceMapping",
+ "sns:GetSMSAttributes",
+ "mediapackagev2:CreateChannel"
 ],
 "Resource": [
 "*"
diff --git a/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json b/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
new file mode 100644
index 000000000..37e05c351
--- /dev/null
+++ b/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
@@ -0,0 +1,102 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Deny",
+ "Action": [
+ "cloudtrail:LookupEvents",
+ "ec2:RequestSpotInstances",
+ "ec2:RunInstances",
+ "ec2:StartInstances",
+ "iam:AddUserToGroup",
+ "iam:AttachGroupPolicy",
+ "iam:AttachRolePolicy",
+ "iam:AttachUserPolicy",
+ "iam:ChangePassword",
+ "iam:CreateAccessKey",
+ "iam:CreateInstanceProfile",
+ "iam:CreateLoginProfile",
+ "iam:CreatePolicyVersion",
+ "iam:CreateRole",
+ "iam:CreateUser",
+ "iam:DetachUserPolicy",
+ "iam:PassRole",
+ "iam:PutGroupPolicy",
+ "iam:PutRolePolicy",
+ "iam:PutUserPermissionsBoundary",
+ "iam:PutUserPolicy",
+ "iam:SetDefaultPolicyVersion",
+ "iam:UpdateAccessKey",
+ "iam:UpdateAccountPasswordPolicy",
+ "iam:UpdateAssumeRolePolicy",
+ "iam:UpdateLoginProfile",
+ "iam:UpdateUser",
+ "lambda:AddLayerVersionPermission",
+ "lambda:AddPermission",
+ "lambda:CreateFunction",
+ "lambda:GetPolicy",
+ "lambda:ListTags",
+ "lambda:PutProvisionedConcurrencyConfig",
+ "lambda:TagResource",
+ "lambda:UntagResource",
+ "lambda:UpdateFunctionCode",
+ "lightsail:Create*",
+ "lightsail:Delete*",
+ "lightsail:DownloadDefaultKeyPair",
+ "lightsail:GetInstanceAccessDetails",
+ "lightsail:Start*",
+ "lightsail:Update*",
+ "organizations:CreateAccount",
+ "organizations:CreateOrganization",
+ "organizations:InviteAccountToOrganization",
+ "s3:DeleteBucket",
+ "s3:DeleteObject",
+ "s3:DeleteObjectVersion",
+ "s3:PutLifecycleConfiguration",
+ "s3:PutBucketAcl",
+ "s3:PutBucketOwnershipControls",
+ "s3:DeleteBucketPolicy",
+ "s3:ObjectOwnerOverrideToBucketOwner",
+ "s3:PutAccountPublicAccessBlock",
+ "s3:PutBucketPolicy",
+ "s3:ListAllMyBuckets",
+ "ec2:PurchaseReservedInstancesOffering",
+ "ec2:AcceptReservedInstancesExchangeQuote",
+ "ec2:CreateReservedInstancesListing",
+ "savingsplans:CreateSavingsPlan",
+ "ecs:CreateService",
+ "ecs:CreateCluster",
+ "ecs:RegisterTaskDefinition",
+ "ecr:GetAuthorizationToken",
+ "bedrock:CreateModelInvocationJob",
+ "bedrock:InvokeModelWithResponseStream",
+ "bedrock:CreateFoundationModelAgreement",
+ "bedrock:PutFoundationModelEntitlement",
+ "bedrock:InvokeModel",
+ "s3:CreateBucket",
+ "s3:PutBucketCors",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "sagemaker:CreateEndpointConfig",
+ "sagemaker:CreateProcessingJob",
+ "ses:GetSendQuota",
+ "ses:ListIdentities",
+ "sts:GetSessionToken",
+ "sts:GetFederationToken",
+ "amplify:CreateDeployment",
+ "amplify:CreateBackendEnvironment",
+ "codebuild:CreateProject",
+ "glue:CreateJob",
+ "iam:DeleteRole",
+ "iam:DeleteAccessKey",
+ "iam:ListUsers",
+ "lambda:GetEventSourceMapping",
+ "sns:GetSMSAttributes",
+ "mediapackagev2:CreateChannel"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
index f1e41bcf4..445092da1 100644
--- a/docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
@@ -29,14 +29,30 @@
 "amplifyuibuilder:ExportThemes",
 "amplifyuibuilder:GetTheme",
 "amplifyuibuilder:ListThemes",
+ "aoss:BatchGetCollection",
+ "aoss:BatchGetLifecyclePolicy",
+ "aoss:BatchGetVpcEndpoint",
+ "aoss:GetAccessPolicy",
+ "aoss:GetSecurityConfig",
+ "aoss:GetSecurityPolicy",
+ "aoss:ListAccessPolicies",
+ "aoss:ListCollections",
+ "aoss:ListLifecyclePolicies",
+ "aoss:ListSecurityConfigs",
+ "aoss:ListSecurityPolicies",
+ "aoss:ListVpcEndpoints",
+ "app-integrations:GetApplication",
 "app-integrations:GetEventIntegration",
+ "app-integrations:ListApplications",
 "app-integrations:ListEventIntegrationAssociations",
 "app-integrations:ListEventIntegrations",
+ "app-integrations:ListTagsForResource",
 "appconfig:GetApplication",
 "appconfig:GetConfigurationProfile",
 "appconfig:GetDeployment",
 "appconfig:GetDeploymentStrategy",
 "appconfig:GetEnvironment",
+ "appconfig:GetExtension",
 "appconfig:GetExtensionAssociation",
 "appconfig:GetHostedConfigurationVersion",
 "appconfig:ListApplications",
@@ -45,6 +61,7 @@
 "appconfig:ListDeploymentStrategies",
 "appconfig:ListEnvironments",
 "appconfig:ListExtensionAssociations",
+ "appconfig:ListExtensions",
 "appconfig:ListHostedConfigurationVersions",
 "appconfig:ListTagsForResource",
 "appflow:DescribeConnectorProfiles",
@@ -73,6 +90,7 @@
 "apprunner:ListServices",
 "apprunner:ListTagsForResource",
 "apprunner:ListVpcConnectors",
+ "appstream:DescribeAppBlockBuilders",
 "appstream:DescribeApplications",
 "appstream:DescribeDirectoryConfigs",
 "appstream:DescribeFleets",
@@ -119,12 +137,16 @@
 "backup:GetBackupSelection",
 "backup:GetBackupVaultAccessPolicy",
 "backup:GetBackupVaultNotifications",
+ "backup:GetRestoreTestingPlan",
+ "backup:GetRestoreTestingSelection",
 "backup:ListBackupPlans",
 "backup:ListBackupSelections",
 "backup:ListBackupVaults",
 "backup:ListFrameworks",
 "backup:ListRecoveryPointsByBackupVault",
 "backup:ListReportPlans",
+ "backup:ListRestoreTestingPlans",
+ "backup:ListRestoreTestingSelections",
 "backup:ListTags",
 "batch:DescribeComputeEnvironments",
 "batch:DescribeJobQueues",
@@ -164,9 +186,12 @@
 "cloudfront:ListResponseHeadersPolicies",
 "cloudfront:ListTagsForResource",
 "cloudtrail:DescribeTrails",
+ "cloudTrail:GetChannel",
 "cloudtrail:GetEventDataStore",
 "cloudtrail:GetEventSelectors",
+ "cloudtrail:GetInsightSelectors",
 "cloudtrail:GetTrailStatus",
+ "cloudTrail:ListChannels",
 "cloudtrail:ListEventDataStores",
 "cloudtrail:ListTags",
 "cloudtrail:ListTrails",
@@ -230,8 +255,11 @@
 "connect:DescribeInstanceStorageConfig",
 "connect:DescribePhoneNumber",
 "connect:DescribePrompt",
+ "connect:DescribeQueue",
 "connect:DescribeQuickConnect",
+ "connect:DescribeRoutingProfile",
 "connect:DescribeRule",
+ "connect:DescribeSecurityProfile",
 "connect:DescribeUser",
 "connect:GetTaskTemplate",
 "connect:ListApprovedOrigins",
@@ -243,9 +271,16 @@
 "connect:ListPhoneNumbers",
 "connect:ListPhoneNumbersV2",
 "connect:ListPrompts",
+ "connect:ListQueueQuickConnects",
+ "connect:ListQueues",
 "connect:ListQuickConnects",
+ "connect:ListRoutingProfileQueues",
+ "connect:ListRoutingProfiles",
 "connect:ListRules",
 "connect:ListSecurityKeys",
+ "connect:ListSecurityProfileApplications",
+ "connect:ListSecurityProfilePermissions",
+ "connect:ListSecurityProfiles",
 "connect:ListTagsForResource",
 "connect:ListTaskTemplates",
 "connect:ListUsers",
@@ -277,6 +312,8 @@
 "datasync:ListLocations",
 "datasync:ListTagsForResource",
 "datasync:ListTasks",
+ "datazone:GetDomain",
+ "datazone:ListDomains",
 "dax:DescribeClusters",
 "dax:DescribeParameterGroups",
 "dax:DescribeParameters",
@@ -294,6 +331,7 @@
 "devicefarm:ListTagsForResource",
 "devicefarm:ListTestGridProjects",
 "devops-guru:GetResourceCollection",
+ "devops-guru:ListNotificationChannels",
 "dms:DescribeCertificates",
 "dms:DescribeEndpoints",
 "dms:DescribeEventSubscriptions",
@@ -540,15 +578,19 @@
 "glue:GetMLTransforms",
 "glue:GetPartition",
 "glue:GetPartitions",
+ "glue:GetRegistry",
 "glue:GetSecurityConfiguration",
 "glue:GetSecurityConfigurations",
 "glue:GetTable",
 "glue:GetTags",
+ "glue:GetTrigger",
 "glue:GetWorkflow",
 "glue:ListCrawlers",
 "glue:ListDevEndpoints",
 "glue:ListJobs",
 "glue:ListMLTransforms",
+ "glue:ListRegistries",
+ "glue:ListTriggers",
 "glue:ListWorkflows",
 "grafana:DescribeWorkspace",
 "grafana:DescribeWorkspaceAuthentication",
@@ -626,6 +668,10 @@
 "iam:ListUserPolicies",
 "iam:ListUsers",
 "iam:ListVirtualMFADevices",
+ "identitystore:DescribeGroup",
+ "identitystore:DescribeGroupMembership",
+ "identitystore:ListGroupMemberships",
+ "identitystore:ListGroups",
 "imagebuilder:GetComponent",
 "imagebuilder:GetContainerRecipe",
 "imagebuilder:GetDistributionConfiguration",
@@ -633,6 +679,7 @@
 "imagebuilder:GetImagePipeline",
 "imagebuilder:GetImageRecipe",
 "imagebuilder:GetInfrastructureConfiguration",
+ "imagebuilder:GetLifecyclePolicy",
 "imagebuilder:ListComponentBuildVersions",
 "imagebuilder:ListComponents",
 "imagebuilder:ListContainerRecipes",
@@ -642,12 +689,14 @@
 "imagebuilder:ListImageRecipes",
 "imagebuilder:ListImages",
 "imagebuilder:ListInfrastructureConfigurations",
+ "imagebuilder:ListLifecyclePolicies",
 "inspector2:BatchGetAccountStatus",
 "inspector2:GetDelegatedAdminAccount",
 "inspector2:ListFilters",
 "inspector2:ListMembers",
 "iot:DescribeAccountAuditConfiguration",
 "iot:DescribeAuthorizer",
+ "iot:DescribeBillingGroup",
 "iot:DescribeCACertificate",
 "iot:DescribeCertificate",
 "iot:DescribeCustomMetric",
@@ -660,10 +709,13 @@
 "iot:DescribeRoleAlias",
 "iot:DescribeScheduledAudit",
 "iot:DescribeSecurityProfile",
+ "iot:DescribeThingGroup",
+ "iot:DescribeThingType",
 "iot:GetPolicy",
 "iot:GetTopicRule",
 "iot:GetTopicRuleDestination",
 "iot:ListAuthorizers",
+ "iot:ListBillingGroups",
 "iot:ListCACertificates",
 "iot:ListCertificates",
 "iot:ListCustomMetrics",
@@ -680,6 +732,8 @@
 "iot:ListSecurityProfilesForTarget",
 "iot:ListTagsForResource",
 "iot:ListTargetsForSecurityProfile",
+ "iot:ListThingGroups",
+ "iot:ListThingTypes",
 "iot:ListTopicRuleDestinations",
 "iot:ListTopicRules",
 "iot:ListV2LoggingLevels",
@@ -700,6 +754,21 @@
 "iotevents:ListDetectorModels",
 "iotevents:ListInputs",
 "iotevents:ListTagsForResource",
+ "iotfleetwise:GetDecoderManifest",
+ "iotfleetwise:GetFleet",
+ "iotfleetwise:GetModelManifest",
+ "iotfleetwise:GetSignalCatalog",
+ "iotfleetwise:GetVehicle",
+ "iotfleetwise:ListDecoderManifestNetworkInterfaces",
+ "iotfleetwise:ListDecoderManifests",
+ "iotfleetwise:ListDecoderManifestSignals",
+ "iotfleetwise:ListFleets",
+ "iotfleetwise:ListModelManifestNodes",
+ "iotfleetwise:ListModelManifests",
+ "iotfleetwise:ListSignalCatalogNodes",
+ "iotfleetwise:ListSignalCatalogs",
+ "iotfleetwise:ListTagsForResource",
+ "iotfleetwise:ListVehicles",
 "iotsitewise:DescribeAccessPolicy",
 "iotsitewise:DescribeAsset",
 "iotsitewise:DescribeAssetModel",
@@ -727,26 +796,45 @@
 "iottwinmaker:ListSyncJobs",
 "iottwinmaker:ListTagsForResource",
 "iottwinmaker:ListWorkspaces",
+ "iotwireless:GetDestination",
+ "iotwireless:GetDeviceProfile",
 "iotwireless:GetFuotaTask",
 "iotwireless:GetMulticastGroup",
 "iotwireless:GetServiceProfile",
 "iotwireless:GetWirelessDevice",
+ "iotwireless:GetWirelessGateway",
 "iotwireless:GetWirelessGatewayTaskDefinition",
+ "iotwireless:ListDestinations",
+ "iotwireless:ListDeviceProfiles",
 "iotwireless:ListFuotaTasks",
 "iotwireless:ListMulticastGroups",
 "iotwireless:ListServiceProfiles",
 "iotwireless:ListTagsForResource",
 "iotwireless:ListWirelessDevices",
+ "iotwireless:ListWirelessGateways",
 "iotwireless:ListWirelessGatewayTaskDefinitions",
 "ivs:GetChannel",
+ "ivs:GetEncoderConfiguration",
 "ivs:GetPlaybackKeyPair",
+ "ivs:GetPlaybackRestrictionPolicy",
 "ivs:GetRecordingConfiguration",
+ "ivs:GetStage",
+ "ivs:GetStorageConfiguration",
 "ivs:GetStreamKey",
 "ivs:ListChannels",
+ "ivs:ListEncoderConfigurations",
 "ivs:ListPlaybackKeyPairs",
+ "ivs:ListPlaybackRestrictionPolicies",
 "ivs:ListRecordingConfigurations",
+ "ivs:ListStages",
+ "ivs:ListStorageConfigurations",
 "ivs:ListStreamKeys",
 "ivs:ListTagsForResource",
+ "ivschat:GetLoggingConfiguration",
+ "ivschat:GetRoom",
+ "ivschat:ListLoggingConfigurations",
+ "ivschat:ListRooms",
+ "ivschat:ListTagsForResource",
 "kafka:DescribeCluster",
 "kafka:DescribeClusterV2",
 "kafka:DescribeConfiguration",
@@ -837,7 +925,9 @@
 "logs:DescribeLogGroups",
 "logs:DescribeMetricFilters",
 "logs:GetDataProtectionPolicy",
+ "logs:GetLogAnomalyDetector",
 "logs:GetLogDelivery",
+ "logs:ListLogAnomalyDetectors",
 "logs:ListLogDeliveries",
 "logs:ListTagsLogGroup",
 "lookoutequipment:DescribeInferenceScheduler",
@@ -867,16 +957,28 @@
 "managedblockchain:ListInvitations",
 "managedblockchain:ListMembers",
 "managedblockchain:ListNodes",
+ "mediaconnect:DescribeBridge",
 "mediaconnect:DescribeFlow",
+ "mediaconnect:DescribeGateway",
+ "mediaconnect:ListBridges",
 "mediaconnect:ListFlows",
+ "mediaconnect:ListGateways",
 "mediaconnect:ListTagsForResource",
 "mediapackage-vod:DescribePackagingConfiguration",
 "mediapackage-vod:DescribePackagingGroup",
 "mediapackage-vod:ListPackagingConfigurations",
 "mediapackage-vod:ListPackagingGroups",
 "mediapackage-vod:ListTagsForResource",
+ "mediatailor:DescribeChannel",
+ "mediatailor:DescribeLiveSource",
+ "mediatailor:DescribeSourceLocation",
+ "mediatailor:DescribeVodSource",
 "mediatailor:GetPlaybackConfiguration",
+ "mediatailor:ListChannels",
+ "mediatailor:ListLiveSources",
 "mediatailor:ListPlaybackConfigurations",
+ "mediatailor:ListSourceLocations",
+ "mediatailor:ListVodSources",
 "memorydb:DescribeAcls",
 "memorydb:DescribeClusters",
 "memorydb:DescribeParameterGroups",
@@ -920,6 +1022,11 @@
 "nimble:ListStreamingImages",
 "nimble:ListStudioComponents",
 "nimble:ListStudios",
+ "oam:GetSink",
+ "oam:GetSinkPolicy",
+ "oam:ListSinks",
+ "omics:GetWorkflow",
+ "omics:ListWorkflows",
 "opsworks:DescribeInstances",
 "opsworks:DescribeLayers",
 "opsworks:DescribeTimeBasedAutoScaling",
@@ -948,6 +1055,11 @@
 "panorama:ListApplicationInstances",
 "panorama:ListNodes",
 "panorama:ListPackages",
+ "payment-cryptography:GetAlias",
+ "payment-cryptography:GetKey",
+ "payment-cryptography:ListAliases",
+ "payment-cryptography:ListKeys",
+ "payment-cryptography:ListTagsForResource",
 "personalize:DescribeDataset",
 "personalize:DescribeDatasetGroup",
 "personalize:DescribeSchema",
@@ -1005,6 +1117,8 @@
 "rds:DescribeDBParameters",
 "rds:DescribeDBProxies",
 "rds:DescribeDBProxyEndpoints",
+ "rds:DescribeDBProxyTargetGroups",
+ "rds:DescribeDBProxyTargets",
 "rds:DescribeDBSecurityGroups",
 "rds:DescribeDBSnapshotAttributes",
 "rds:DescribeDBSnapshots",
@@ -1036,6 +1150,7 @@
 "refactor-spaces:ListApplications",
 "refactor-spaces:ListEnvironments",
 "refactor-spaces:ListServices",
+ "rekognition:DescribeProjects",
 "rekognition:DescribeStreamProcessor",
 "rekognition:ListStreamProcessors",
 "rekognition:ListTagsForResource",
@@ -1153,12 +1268,15 @@
 "s3:GetReplicationConfiguration",
 "s3:GetStorageLensConfiguration",
 "s3:GetStorageLensConfigurationTagging",
+ "s3:GetStorageLensGroup",
 "s3:ListAccessPoints",
 "s3:ListAccessPointsForObjectLambda",
 "s3:ListAllMyBuckets",
 "s3:ListBucket",
 "s3:ListMultiRegionAccessPoints",
 "s3:ListStorageLensConfigurations",
+ "s3:ListStorageLensGroups",
+ "s3:ListTagsForResource",
 "s3express:GetBucketPolicy",
 "s3express:ListAllMyDirectoryBuckets",
 "sagemaker:DescribeAppImageConfig",
@@ -1204,6 +1322,11 @@
 "sagemaker:ListProjects",
 "sagemaker:ListTags",
 "sagemaker:ListWorkteams",
+ "scheduler:GetSchedule",
+ "scheduler:GetScheduleGroup",
+ "scheduler:ListScheduleGroups",
+ "scheduler:ListSchedules",
+ "scheduler:ListTagsForResource",
 "schemas:DescribeDiscoverer",
 "schemas:DescribeRegistry",
 "schemas:DescribeSchema",
@@ -1254,15 +1377,16 @@
 "sqs:GetQueueAttributes",
 "sqs:ListQueues",
 "sqs:ListQueueTags",
+ "ssm-sap:ListTagsForResource",
 "ssm:DescribeAutomationExecutions",
 "ssm:DescribeDocument",
 "ssm:DescribeDocumentPermission",
 "ssm:DescribeParameters",
 "ssm:GetAutomationExecution",
 "ssm:GetDocument",
+ "ssm:GetServiceSetting",
 "ssm:ListDocuments",
 "ssm:ListTagsForResource",
- "ssm-sap:ListTagsForResource",
 "sso:DescribeInstanceAccessControlAttributeConfiguration",
 "sso:DescribePermissionSet",
 "sso:GetInlinePolicyForPermissionSet",
@@ -1313,6 +1437,16 @@ "transfer:ListWorkflows", "voiceid:DescribeDomain", "voiceid:ListTagsForResource", + "vpc-lattice:GetAccessLogSubscription", + "vpc-lattice:GetService", + "vpc-lattice:GetServiceNetwork", + "vpc-lattice:GetTargetGroup", + "vpc-lattice:ListAccessLogSubscriptions", + "vpc-lattice:ListServiceNetworks", + "vpc-lattice:ListServices", + "vpc-lattice:ListTagsForResource", + "vpc-lattice:ListTargetGroups", + "vpc-lattice:ListTargets", "waf-regional:GetLoggingConfiguration", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource", diff --git a/docs/source/_static/managed-policies/AWSDataExchangeDataGrantOwnerFullAccess.json b/docs/source/_static/managed-policies/AWSDataExchangeDataGrantOwnerFullAccess.json new file mode 100644 index 000000000..da73c9a41 --- /dev/null +++ b/docs/source/_static/managed-policies/AWSDataExchangeDataGrantOwnerFullAccess.json 
@@ -0,0 +1,60 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DataExchangeActions", + "Effect": "Allow", + "Action": [ + "dataexchange:CreateDataSet", + "dataexchange:UpdateDataSet", + "dataexchange:GetDataSet", + "dataexchange:DeleteDataSet", + "dataexchange:ListDataSets", + "dataexchange:CreateRevision", + "dataexchange:UpdateRevision", + "dataexchange:GetRevision", + "dataexchange:DeleteRevision", + "dataexchange:RevokeRevision", + "dataexchange:ListDataSetRevisions", + "dataexchange:CreateAsset", + "dataexchange:UpdateAsset", + "dataexchange:GetAsset", + "dataexchange:DeleteAsset", + "dataexchange:ListRevisionAssets", + "dataexchange:SendApiAsset", + "dataexchange:CreateDataGrant", + "dataexchange:GetDataGrant", + "dataexchange:DeleteDataGrant", + "dataexchange:ListDataGrants", + "dataexchange:PublishToDataGrant", + "dataexchange:SendDataSetNotification", + "dataexchange:TagResource", + "dataexchange:UntagResource" + ], + "Resource": "*" + }, + { + "Sid": "DataExchangeJobsActions", + "Effect": "Allow", + "Action": [ + "dataexchange:CreateJob", + "dataexchange:StartJob", + "dataexchange:CancelJob" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "dataexchange:JobType": [ + "IMPORT_ASSETS_FROM_S3", + "IMPORT_ASSET_FROM_SIGNED_URL", + "EXPORT_ASSETS_TO_S3", + "EXPORT_ASSET_TO_SIGNED_URL", + "IMPORT_ASSET_FROM_API_GATEWAY_API", + "IMPORT_ASSETS_FROM_REDSHIFT_DATA_SHARES", + "IMPORT_ASSETS_FROM_LAKE_FORMATION_TAG_POLICY" + ] + } + } + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSDataExchangeDataGrantReceiverFullAccess.json b/docs/source/_static/managed-policies/AWSDataExchangeDataGrantReceiverFullAccess.json new file mode 100644 index 000000000..fc8896c2e --- /dev/null +++ b/docs/source/_static/managed-policies/AWSDataExchangeDataGrantReceiverFullAccess.json 
@@ -0,0 +1,60 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DataExchangeReadOnlyActions", + "Effect": "Allow", + "Action": [ + "dataexchange:GetDataSet", + "dataexchange:ListDataSets", + "dataexchange:GetRevision", + "dataexchange:ListDataSetRevisions", + "dataexchange:GetAsset", + "dataexchange:ListRevisionAssets", + "dataexchange:SendApiAsset" + ], + "Resource": "*" + }, + { + "Sid": "DataExchangeExportActions", + "Effect": "Allow", + "Action": [ + "dataexchange:CreateJob", + "dataexchange:StartJob", + "dataexchange:CancelJob" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "dataexchange:JobType": [ + "EXPORT_ASSETS_TO_S3", + "EXPORT_ASSET_TO_SIGNED_URL", + "EXPORT_REVISIONS_TO_S3" + ] + } + } + }, + { + "Sid": "DataExchangeEventActionActions", + "Effect": "Allow", + "Action": [ + "dataexchange:CreateEventAction", + "dataexchange:UpdateEventAction", + "dataexchange:DeleteEventAction", + "dataexchange:GetEventAction", + "dataexchange:ListEventActions" + ], + "Resource": "*" + }, + { + "Sid": "DataExchangeDataGrantActions", + "Effect": "Allow", + "Action": [ + "dataexchange:AcceptDataGrant", + "dataexchange:ListReceivedDataGrants", + "dataexchange:GetReceivedDataGrant" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json b/docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json index 8bf267d3c..28bd8f89d 100644 --- a/docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json +++ b/docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json @@ -2,6 +2,7 @@ "Version": "2012-10-17", "Statement": [ { + "Sid": "DataExchangeActions", "Effect": "Allow", "Action": [ "dataexchange:CreateDataSet", 
@@ -16,12 +17,14 @@ "dataexchange:PublishDataSet", "dataexchange:SendApiAsset", "dataexchange:RevokeRevision", + "dataexchange:SendDataSetNotification", "tag:GetTagKeys", "tag:GetTagValues" ], "Resource": "*" }, { + "Sid": "DataExchangeJobsActions", "Effect": "Allow", "Action": [ "dataexchange:CreateJob", @@ -43,6 +46,7 @@ } }, { + "Sid": "S3GetActionConditionalResourceAndADX", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*aws-data-exchange*", @@ -55,6 +59,7 @@ } }, { + "Sid": "S3GetActionConditionalTagAndADX", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", @@ -70,6 +75,7 @@ } }, { + "Sid": "S3WriteActions", "Effect": "Allow", "Action": [ "s3:PutObject", @@ -85,6 +91,7 @@ } }, { + "Sid": "S3ReadActions", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", @@ -94,6 +101,7 @@ "Resource": "*" }, { + "Sid": "AWSMarketplaceActions", "Effect": "Allow", "Action": [ "aws-marketplace:DescribeEntity", @@ -113,6 +121,7 @@ "Resource": "*" }, { + "Sid": "KMSActions", "Effect": "Allow", "Action": [ "kms:DescribeKey", @@ -122,6 +131,7 @@ "Resource": "*" }, { + "Sid": "RedshiftConditionalActions", "Effect": "Allow", "Action": [ "redshift:AuthorizeDataShare" @@ -134,6 +144,7 @@ } }, { + "Sid": "RedshiftActions", "Effect": "Allow", "Action": [ "redshift:DescribeDataSharesForProducer", @@ -142,6 +153,7 @@ "Resource": "*" }, { + "Sid": "APIGatewayActions", "Effect": "Allow", "Action": [ "apigateway:GET" diff --git a/docs/source/_static/managed-policies/AWSDataExchangeReadOnly.json b/docs/source/_static/managed-policies/AWSDataExchangeReadOnly.json index b4dbf3ff3..591ec5e25 100644 --- a/docs/source/_static/managed-policies/AWSDataExchangeReadOnly.json +++ b/docs/source/_static/managed-policies/AWSDataExchangeReadOnly.json 
@@ -10,6 +10,10 @@ "dataexchange:GetEventAction", "dataexchange:GetJob", "dataexchange:GetRevision", + "dataexchange:GetDataGrant", + "dataexchange:GetReceivedDataGrant", + "dataexchange:ListDataGrants", + "dataexchange:ListReceivedDataGrants", "dataexchange:ListDataSetRevisions", "dataexchange:ListDataSets", "dataexchange:ListEventActions", diff --git a/docs/source/_static/managed-policies/AWSDataExchangeServiceRolePolicyForLicenseManagement.json b/docs/source/_static/managed-policies/AWSDataExchangeServiceRolePolicyForLicenseManagement.json new file mode 100644 index 000000000..f064ce670 --- /dev/null +++ b/docs/source/_static/managed-policies/AWSDataExchangeServiceRolePolicyForLicenseManagement.json @@ -0,0 +1,19 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowLicenseManagerActions", + "Effect": "Allow", + "Action": [ + "organizations:DescribeOrganization", + "license-manager:ListDistributedGrants", + "license-manager:GetGrant", + "license-manager:CreateGrantVersion", + "license-manager:DeleteGrant" + ], + "Resource": [ + "*" + ] + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery.json b/docs/source/_static/managed-policies/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery.json new file mode 100644 index 000000000..b29e29246 --- /dev/null +++ b/docs/source/_static/managed-policies/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery.json @@ -0,0 +1,17 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowAWSOrganizationsActions", + "Effect": "Allow", + "Action": [ + "organizations:DescribeOrganization", + "organizations:DescribeAccount", + "organizations:ListAccounts" + ], + "Resource": [ + "*" + ] + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSDataSyncFullAccess.json b/docs/source/_static/managed-policies/AWSDataSyncFullAccess.json index 66fbe269b..98b3dde30 100644 
--- a/docs/source/_static/managed-policies/AWSDataSyncFullAccess.json +++ b/docs/source/_static/managed-policies/AWSDataSyncFullAccess.json @@ -49,6 +49,17 @@ ] } } + }, + { + "Sid": "DataSyncCreateSLRPermissions", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/datasync.amazonaws.com/AWSServiceRoleForDataSync", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "datasync.amazonaws.com" + } + } } ] } \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSDataSyncServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSDataSyncServiceRolePolicy.json new file mode 100644 index 000000000..40c985849 --- /dev/null +++ b/docs/source/_static/managed-policies/AWSDataSyncServiceRolePolicy.json @@ -0,0 +1,26 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DataSyncCloudWatchLogCreateAccess", + "Effect": "Allow", + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream" + ], + "Resource": [ + "arn:*:logs:*:*:log-group:/aws/datasync*" + ] + }, + { + "Sid": "DataSyncCloudWatchLogStreamUpdateAccess", + "Effect": "Allow", + "Action": [ + "logs:PutLogEvents" + ], + "Resource": [ + "arn:*:logs:*:*:log-group:/aws/datasync*:log-stream:*" + ] + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessFarms.json b/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessFarms.json index 8bce35442..e7d6275a9 100644 --- a/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessFarms.json +++ b/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessFarms.json @@ -162,6 +162,7 @@ "deadline:GetFarm", "deadline:GetFleet", "deadline:GetJob", + "deadline:GetJobTemplate", "deadline:GetQueue", "deadline:GetQueueEnvironment", "deadline:GetQueueFleetAssociation", 
@@ -172,6 +173,7 @@ "deadline:GetStorageProfileForQueue", "deadline:GetTask", "deadline:GetWorker", + "deadline:ListJobParameterDefinitions", "deadline:ListQueueEnvironments", "deadline:ListQueueFleetAssociations", "deadline:ListSessionActions", diff --git a/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessJobs.json b/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessJobs.json index f45ae0f0b..9afead245 100644 --- a/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessJobs.json +++ b/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessJobs.json @@ -116,10 +116,12 @@ "Effect": "Allow", "Action": [ "deadline:GetJob", + "deadline:GetJobTemplate", "deadline:GetSession", "deadline:GetSessionAction", "deadline:GetStep", "deadline:GetTask", + "deadline:ListJobParameterDefinitions", "deadline:ListSessionActions", "deadline:ListSessions", "deadline:ListStepConsumers", diff --git a/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessQueues.json b/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessQueues.json index 60ae84d47..2df382449 100644 --- a/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessQueues.json +++ b/docs/source/_static/managed-policies/AWSDeadlineCloud-UserAccessQueues.json @@ -142,6 +142,7 @@ "Action": [ "deadline:AssumeQueueRoleForRead", "deadline:GetJob", + "deadline:GetJobTemplate", "deadline:GetQueue", "deadline:GetQueueEnvironment", "deadline:GetQueueFleetAssociation", @@ -150,6 +151,7 @@ "deadline:GetStep", "deadline:GetStorageProfileForQueue", "deadline:GetTask", + "deadline:ListJobParameterDefinitions", "deadline:ListQueueEnvironments", "deadline:ListQueueFleetAssociations", "deadline:ListSessionActions", diff --git a/docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json b/docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json new file mode 100644 index 000000000..68fc73c9a --- /dev/null 
+++ b/docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json @@ -0,0 +1,32 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DSDataFullAccess", + "Effect": "Allow", + "Action": [ + "ds:AccessDSData", + "ds-data:AddGroupMember", + "ds-data:CreateGroup", + "ds-data:CreateUser", + "ds-data:DeleteGroup", + "ds-data:DeleteUser", + "ds-data:DescribeGroup", + "ds-data:DescribeUser", + "ds-data:DisableUser", + "ds-data:ListGroupMembers", + "ds-data:ListGroups", + "ds-data:ListGroupsForMember", + "ds-data:ListUsers", + "ds-data:RemoveGroupMember", + "ds-data:SearchGroups", + "ds-data:SearchUsers", + "ds-data:UpdateGroup", + "ds-data:UpdateUser" + ], + "Resource": [ + "arn:aws:ds:*:*:directory/*" + ] + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json b/docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json new file mode 100644 index 000000000..56808365c --- /dev/null +++ b/docs/source/_static/managed-policies/AWSDirectoryServiceDataReadOnlyAccess.json @@ -0,0 +1,23 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DSDataReadOnlyAccess", + "Effect": "Allow", + "Action": [ + "ds:AccessDSData", + "ds-data:DescribeGroup", + "ds-data:DescribeUser", + "ds-data:ListGroupMembers", + "ds-data:ListGroups", + "ds-data:ListGroupsForMember", + "ds-data:ListUsers", + "ds-data:SearchGroups", + "ds-data:SearchUsers" + ], + "Resource": [ + "arn:aws:ds:*:*:directory/*" + ] + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSElasticLoadBalancingServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSElasticLoadBalancingServiceRolePolicy.json index a5e609618..09e649506 100644 --- a/docs/source/_static/managed-policies/AWSElasticLoadBalancingServiceRolePolicy.json +++ b/docs/source/_static/managed-policies/AWSElasticLoadBalancingServiceRolePolicy.json 
@@ -19,6 +19,7 @@ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:GetCoipPoolUsage", + "ec2:GetSecurityGroupsForVpc", "ec2:ModifyNetworkInterfaceAttribute", "ec2:AllocateAddress", "ec2:AuthorizeSecurityGroupIngress", diff --git a/docs/source/_static/managed-policies/AWSGlobalAcceleratorSLRPolicy.json b/docs/source/_static/managed-policies/AWSGlobalAcceleratorSLRPolicy.json index 1443c6b8d..1f6376566 100644 --- a/docs/source/_static/managed-policies/AWSGlobalAcceleratorSLRPolicy.json +++ b/docs/source/_static/managed-policies/AWSGlobalAcceleratorSLRPolicy.json @@ -37,7 +37,8 @@ "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup", - "ec2:DescribeSecurityGroups" + "ec2:DescribeSecurityGroups", + "ec2:GetSecurityGroupsForVpc" ], "Resource": "*" }, diff --git a/docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json b/docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json index 16e3c7a55..27c3879da 100644 --- a/docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json +++ b/docs/source/_static/managed-policies/AWSIAMIdentityCenterAllowListForIdentityContext.json @@ -77,6 +77,7 @@ "lakeformation:GetDataAccess", "s3:GetAccessGrantsInstanceForPrefix", "s3:GetDataAccess", + "s3:ListCallerAccessGrants", "q:StartConversation", "q:SendMessage", "q:ListConversations", @@ -114,6 +115,8 @@ "qapps:GetQAppSessionMetadata", "qapps:UpdateQAppSessionMetadata", "qapps:TagResource", + "qapps:ListQAppSessionData", + "qapps:ExportQAppSessionData", "qbusiness:Chat", "qbusiness:ChatSync", "qbusiness:ListConversations", diff --git a/docs/source/_static/managed-policies/AWSIPAMServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSIPAMServiceRolePolicy.json index 759ffca96..11b101e36 100644 --- a/docs/source/_static/managed-policies/AWSIPAMServiceRolePolicy.json +++ b/docs/source/_static/managed-policies/AWSIPAMServiceRolePolicy.json 
@@ -24,7 +24,10 @@ "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListAccounts", - "organizations:ListDelegatedAdministrators" + "organizations:ListDelegatedAdministrators", + "organizations:ListChildren", + "organizations:ListParents", + "organizations:DescribeOrganizationalUnit" ], "Resource": "*" }, diff --git a/docs/source/_static/managed-policies/AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy.json index ff1e8d905..35e232006 100644 --- a/docs/source/_static/managed-policies/AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy.json +++ b/docs/source/_static/managed-policies/AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy.json @@ -2,6 +2,7 @@ "Version": "2012-10-17", "Statement": [ { + "Sid": "KMSSynchronizeMultiRegionKey", "Effect": "Allow", "Action": [ "kms:SynchronizeMultiRegionKey" diff --git a/docs/source/_static/managed-policies/AWSLicenseManagerUserSubscriptionsServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSLicenseManagerUserSubscriptionsServiceRolePolicy.json index 234eed125..bb51ef88e 100644 --- a/docs/source/_static/managed-policies/AWSLicenseManagerUserSubscriptionsServiceRolePolicy.json +++ b/docs/source/_static/managed-policies/AWSLicenseManagerUserSubscriptionsServiceRolePolicy.json @@ -42,7 +42,11 @@ "ec2:productCode": [ "bz0vcy31ooqlzk5tsash4r1ik", "d44g89hc0gp9jdzm99rznthpw", - "77yzkpa7kvee1y1tt7wnsdwoc" + "77yzkpa7kvee1y1tt7wnsdwoc", + "a8jthu9h8pjsn4b8ylvfl6sfr", + "7at6der8hnlov1g347e6tdkde", + "3t0v0vuhvxjzm6m462f9v8iz4", + "4gs2prcp03ojilgkjx8m3ifh7" ] } }, 
@@ -74,6 +78,47 @@ "aws:ResourceTag/AWSLicenseManager": "UserSubscriptions" } } + }, + { + "Sid": "ReadHostedZonePermissions", + "Effect": "Allow", + "Action": [ + "route53:GetHostedZone", + "route53:ListResourceRecordSets" + ], + "Resource": "*" + }, + { + "Sid": "ReadSecurityGroupRulePermissions", + "Effect": "Allow", + "Action": [ + "ec2:DescribeSecurityGroupRules" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Sid": "DescribeSubnetsPermissions", + "Action": [ + "ec2:DescribeSubnets" + ], + "Resource": "*" + }, + { + "Sid": "DescribeNetworkInterfacePermissions", + "Effect": "Allow", + "Action": [ + "ec2:DescribeNetworkInterfaces" + ], + "Resource": "*" + }, + { + "Sid": "ReadSecretPermissions", + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Resource": "arn:aws:secretsmanager:*:*:secret:license-manager-user-*" } ] } \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSMarketplaceSellerFullAccess.json b/docs/source/_static/managed-policies/AWSMarketplaceSellerFullAccess.json index 84334a10d..a2bee2de1 100644 --- a/docs/source/_static/managed-policies/AWSMarketplaceSellerFullAccess.json +++ b/docs/source/_static/managed-policies/AWSMarketplaceSellerFullAccess.json @@ -5,6 +5,7 @@ "Sid": "MarketplaceManagement", "Effect": "Allow", "Action": [ + "aws-marketplace-management:uploadFiles", "aws-marketplace-management:viewReports", "aws-marketplace-management:viewSupport", "aws-marketplace:ListChangeSets", @@ -18,6 +19,8 @@ "aws-marketplace:UpdateTask", "aws-marketplace:CompleteTask", "aws-marketplace:GetSellerDashboard", + "aws-marketplace:ListAssessments", + "aws-marketplace:DescribeAssessment", "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:ModifyImageAttribute", diff --git a/docs/source/_static/managed-policies/AWSMarketplaceSellerProductsFullAccess.json b/docs/source/_static/managed-policies/AWSMarketplaceSellerProductsFullAccess.json index 6ff9180e7..11693fc51 100644 
--- a/docs/source/_static/managed-policies/AWSMarketplaceSellerProductsFullAccess.json +++ b/docs/source/_static/managed-policies/AWSMarketplaceSellerProductsFullAccess.json @@ -14,6 +14,8 @@ "aws-marketplace:DescribeTask", "aws-marketplace:UpdateTask", "aws-marketplace:CompleteTask", + "aws-marketplace:ListAssessments", + "aws-marketplace:DescribeAssessment", "ec2:DescribeImages", "ec2:DescribeSnapshots", "ec2:ModifyImageAttribute", diff --git a/docs/source/_static/managed-policies/AWSMarketplaceSellerProductsReadOnly.json b/docs/source/_static/managed-policies/AWSMarketplaceSellerProductsReadOnly.json index 47a214441..08b096515 100644 --- a/docs/source/_static/managed-policies/AWSMarketplaceSellerProductsReadOnly.json +++ b/docs/source/_static/managed-policies/AWSMarketplaceSellerProductsReadOnly.json @@ -10,6 +10,8 @@ "aws-marketplace:DescribeEntity", "aws-marketplace:ListTasks", "aws-marketplace:DescribeTask", + "aws-marketplace:ListAssessments", + "aws-marketplace:DescribeAssessment", "ec2:DescribeImages", "ec2:DescribeSnapshots" ], @@ -21,6 +23,13 @@ "aws-marketplace:ListTagsForResource" ], "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" + }, + { + "Effect": "Allow", + "Action": [ + "aws-marketplace:GetResourcePolicy" + ], + "Resource": "arn:aws:aws-marketplace:*:*:AWSMarketplace/*" } ] } \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json new file mode 100644 index 000000000..99766a096 --- /dev/null +++ b/docs/source/_static/managed-policies/AWSPCSServiceRolePolicy.json 
@@ -0,0 +1,210 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "PermissionsToCreatePCSNetworkInterfaces", + "Effect": "Allow", + "Action": [ + "ec2:CreateNetworkInterface" + ], + "Resource": "arn:aws:ec2:*:*:network-interface/*", + "Condition": { + "Null": { + "aws:RequestTag/AWSPCSManaged": "false" + } + } + }, + { + "Sid": "PermissionsToCreatePCSNetworkInterfacesInSubnet", + "Effect": "Allow", + "Action": [ + "ec2:CreateNetworkInterface" + ], + "Resource": [ + "arn:aws:ec2:*:*:subnet/*", + "arn:aws:ec2:*:*:security-group/*" + ] + }, + { + "Sid": "PermissionsToManagePCSNetworkInterfaces", + "Effect": "Allow", + "Action": [ + "ec2:DeleteNetworkInterface", + "ec2:CreateNetworkInterfacePermission" + ], + "Resource": "arn:aws:ec2:*:*:network-interface/*", + "Condition": { + "Null": { + "aws:ResourceTag/AWSPCSManaged": "false" + } + } + }, + { + "Sid": "PermissionsToDescribePCSResources", + "Effect": "Allow", + "Action": [ + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeLaunchTemplates", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeInstances", + "ec2:DescribeInstanceTypes", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceAttribute", + "ec2:DescribeSecurityGroups", + "ec2:DescribeKeyPairs", + "ec2:DescribeImages", + "ec2:DescribeImageAttribute" + ], + "Resource": "*" + }, + { + "Sid": "PermissionsToCreatePCSLaunchTemplates", + "Effect": "Allow", + "Action": [ + "ec2:CreateLaunchTemplate" + ], + "Resource": "arn:aws:ec2:*:*:launch-template/*", + "Condition": { + "Null": { + "aws:RequestTag/AWSPCSManaged": "false" + } + } + }, + { + "Sid": "PermissionsToManagePCSLaunchTemplates", + "Effect": "Allow", + "Action": [ + "ec2:DeleteLaunchTemplate", + "ec2:DeleteLaunchTemplateVersions", + "ec2:CreateLaunchTemplateVersion" + ], + "Resource": "arn:aws:ec2:*:*:launch-template/*", + "Condition": { + "Null": { + "aws:ResourceTag/AWSPCSManaged": "false" + } + } + }, + { + "Sid": 
"PermissionsToTerminatePCSManagedInstances", + "Effect": "Allow", + "Action": [ + "ec2:TerminateInstances" + ], + "Resource": "arn:aws:ec2:*:*:instance/*", + "Condition": { + "Null": { + "aws:ResourceTag/AWSPCSManaged": "false" + } + } + }, + { + "Sid": "PermissionsToPassRoleToEC2", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": [ + "arn:aws:iam::*:role/*/AWSPCS*", + "arn:aws:iam::*:role/AWSPCS*", + "arn:aws:iam::*:role/aws-pcs/*", + "arn:aws:iam::*:role/*/aws-pcs/*" + ], + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ec2.amazonaws.com" + ] + } + } + }, + { + "Sid": "PermissionsToControlClusterInstanceAttributes", + "Effect": "Allow", + "Action": [ + "ec2:RunInstances", + "ec2:CreateFleet" + ], + "Resource": [ + "arn:aws:ec2:*::image/*", + "arn:aws:ec2:*::snapshot/*", + "arn:aws:ec2:*:*:subnet/*", + "arn:aws:ec2:*:*:network-interface/*", + "arn:aws:ec2:*:*:security-group/*", + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:key-pair/*", + "arn:aws:ec2:*:*:launch-template/*", + "arn:aws:ec2:*:*:placement-group/*", + "arn:aws:ec2:*:*:capacity-reservation/*", + "arn:aws:resource-groups:*:*:group/*", + "arn:aws:ec2:*:*:fleet/*", + "arn:aws:ec2:*:*:spot-instances-request/*" + ] + }, + { + "Sid": "PermissionsToProvisionClusterInstances", + "Effect": "Allow", + "Action": [ + "ec2:RunInstances", + "ec2:CreateFleet" + ], + "Resource": [ + "arn:aws:ec2:*:*:instance/*" + ], + "Condition": { + "Null": { + "aws:RequestTag/AWSPCSManaged": "false" + } + } + }, + { + "Sid": "PermissionsToTagPCSResources", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "RunInstances", + "CreateLaunchTemplate", + "CreateFleet", + "CreateNetworkInterface" + ] + } + } + }, + { + "Sid": "PermissionsToPublishMetrics", + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*", + "Condition": { + "StringEquals": { + "cloudwatch:namespace": "AWS/PCS" 
+ } + } + }, + { + "Sid": "PermissionsToManageSecret", + "Effect": "Allow", + "Action": [ + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue", + "secretsmanager:UpdateSecretVersionStage", + "secretsmanager:DeleteSecret" + ], + "Resource": "arn:aws:secretsmanager:*:*:secret:pcs!*", + "Condition": { + "StringEquals": { + "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "pcs", + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json index 59bc51c6f..3e5889ac8 100644 --- a/docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json +++ b/docs/source/_static/managed-policies/AWSReachabilityAnalyzerServiceRolePolicy.json @@ -49,13 +49,6 @@ "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", - "globalaccelerator:ListAccelerators", - "globalaccelerator:ListCustomRoutingAccelerators", - "globalaccelerator:ListCustomRoutingEndpointGroups", - "globalaccelerator:ListCustomRoutingListeners", - "globalaccelerator:ListCustomRoutingPortMappings", - "globalaccelerator:ListEndpointGroups", - "globalaccelerator:ListListeners", "network-firewall:DescribeFirewall", "network-firewall:DescribeFirewallPolicy", "network-firewall:DescribeResourcePolicy", diff --git a/docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json b/docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json index 098036c52..819d4f10d 100644 --- a/docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json +++ b/docs/source/_static/managed-policies/AWSResilienceHubAsssessmentExecutionPolicy.json 
@@ -68,6 +68,8 @@ "elasticache:DescribeGlobalReplicationGroups", "elasticache:DescribeReplicationGroups", "elasticache:DescribeSnapshots", + "elasticache:DescribeServerlessCaches", + "elasticache:DescribeServerlessCacheSnapshots", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeLifecycleConfiguration", "elasticfilesystem:DescribeMountTargets", diff --git a/docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json index acdf893e5..1f7fdfb0f 100644 --- a/docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json +++ b/docs/source/_static/managed-policies/AWSResourceExplorerServiceRolePolicy.json @@ -5,18 +5,15 @@ "Sid": "CloudTrailEventsAccess", "Effect": "Allow", "Action": [ - "cloudtrail:CreateServiceLinkedChannel" + "cloudtrail:CreateServiceLinkedChannel", + "cloudtrail:GetServiceLinkedChannel" ], - "Resource": [ - "arn:aws:cloudtrail:*:*:channel/aws-service-channel/resource-explorer-2/*" - ] + "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/resource-explorer-2/*" }, { "Sid": "ApiGatewayAccess", "Effect": "Allow", - "Action": [ - "apigateway:GET" - ], + "Action": "apigateway:GET", "Resource": [ "arn:aws:apigateway:*::/restapis", "arn:aws:apigateway:*::/restapis/*/deployments" @@ -28,6 +25,7 @@ "Action": [ "access-analyzer:ListAnalyzers", "acm-pca:ListCertificateAuthorities", + "airflow:ListEnvironments", "amplify:ListApps", "amplify:ListBackendEnvironments", "amplify:ListBranches", @@ -35,6 +33,10 @@ "amplifyuibuilder:ListComponents", "amplifyuibuilder:ListThemes", "app-integrations:ListEventIntegrations", + "appflow:ListFlows", + "appmesh:ListMeshes", + "appmesh:ListVirtualNodes", + "appmesh:ListVirtualServices", "apprunner:ListServices", "apprunner:ListVpcConnectors", "appstream:DescribeAppBlocks", 
@@ -47,14 +49,17 @@ "aps:ListWorkspaces", "athena:ListDataCatalogs", "athena:ListWorkGroups", + "auditmanager:GetAccountStatus", + "auditmanager:ListAssessments", "autoscaling:DescribeAutoScalingGroups", "backup:ListBackupPlans", + "backup:ListBackupVaults", "backup:ListReportPlans", "batch:DescribeComputeEnvironments", "batch:DescribeJobQueues", "batch:ListSchedulingPolicies", - "cloudformation:ListStacks", "cloudformation:ListStackSets", + "cloudformation:ListStacks", "cloudfront:ListCachePolicies", "cloudfront:ListCloudFrontOriginAccessIdentities", "cloudfront:ListDistributions", @@ -75,14 +80,24 @@ "codebuild:ListProjects", "codecommit:ListRepositories", "codeguru-profiler:ListProfilingGroups", + "codeguru-reviewer:ListRepositoryAssociations", "codepipeline:ListPipelines", "codestar-connections:ListConnections", "cognito-identity:ListIdentityPools", "cognito-idp:ListUserPools", + "connect:ListInstances", + "connect:ListQuickConnects", + "connect:ListUsers", "databrew:ListDatasets", "databrew:ListRecipes", "databrew:ListRulesets", + "databrew:ListSchedules", + "datasync:ListLocations", + "datasync:ListTasks", "detective:ListGraphs", + "dms:DescribeEndpoints", + "dms:DescribeReplicationInstances", + "dms:DescribeReplicationTasks", "ds:DescribeDirectories", "dynamodb:ListStreams", "dynamodb:ListTables", @@ -109,8 +124,8 @@ "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeIpamPools", - "ec2:DescribeIpams", "ec2:DescribeIpamScopes", + "ec2:DescribeIpams", "ec2:DescribeKeyPairs", "ec2:DescribeLaunchTemplates", "ec2:DescribeManagedPrefixLists", 
@@ -146,15 +161,15 @@ "ec2:DescribeVerifiedAccessInstances", "ec2:DescribeVerifiedAccessTrustProviders", "ec2:DescribeVolumes", - "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices", + "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcPeeringConnections", "ec2:DescribeVpcs", "ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways", "ec2:GetSubnetCidrReservations", - "ecr:DescribeRepositories", "ecr-public:DescribeRepositories", + "ecr:DescribeRepositories", "ecs:DescribeCapacityProviders", "ecs:DescribeServices", "ecs:ListClusters", @@ -162,6 +177,7 @@ "ecs:ListServices", "ecs:ListTaskDefinitions", "ecs:ListTasks", + "eks:ListClusters", "elasticache:DescribeCacheClusters", "elasticache:DescribeCacheParameterGroups", "elasticache:DescribeCacheSecurityGroups", @@ -172,8 +188,8 @@ "elasticache:DescribeSnapshots", "elasticache:DescribeUserGroups", "elasticache:DescribeUsers", - "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:DescribeApplicationVersions", + "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:DescribeEnvironments", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", @@ -200,10 +216,13 @@ "frauddetector:GetLabels", "frauddetector:GetOutcomes", "frauddetector:GetVariables", + "gamelift:DescribeGameSessionQueues", + "gamelift:DescribeMatchmakingConfigurations", + "gamelift:DescribeMatchmakingRuleSets", "gamelift:ListAliases", + "gamelift:ListBuilds", "geo:ListPlaceIndexes", "geo:ListTrackers", - "greengrass:ListComponents", "globalaccelerator:ListAccelerators", "globalaccelerator:ListEndpointGroups", "globalaccelerator:ListListeners", 
@@ -211,8 +230,15 @@ "glue:GetJobs", "glue:GetTables", "glue:GetTriggers", + "glue:ListMLTransforms", "greengrass:ListComponentVersions", + "greengrass:ListComponents", "greengrass:ListGroups", + "groundstation:ListConfigs", + "guardduty:ListDetectors", + "guardduty:ListFilters", + "guardduty:ListIPSets", + "guardduty:ListThreatIntelSets", "healthlake:ListFHIRDatastores", "iam:ListGroups", "iam:ListInstanceProfiles", @@ -232,15 +258,8 @@ "imagebuilder:ListImageRecipes", "imagebuilder:ListImages", "imagebuilder:ListInfrastructureConfigurations", - "iotanalytics:ListChannels", - "iotanalytics:ListDatasets", - "iotanalytics:ListDatastores", - "iotanalytics:ListPipelines", - "iotevents:ListAlarmModels", - "iotevents:ListDetectorModels", - "iotevents:ListInputs", - "iot:ListJobTemplates", "iot:ListAuthorizers", + "iot:ListJobTemplates", "iot:ListMitigationActions", "iot:ListPolicies", "iot:ListProvisioningTemplates", 
@@ -249,48 +268,65 @@ "iot:ListThings", "iot:ListTopicRuleDestinations", "iot:ListTopicRules", + "iotanalytics:ListChannels", + "iotanalytics:ListDatasets", + "iotanalytics:ListDatastores", + "iotanalytics:ListPipelines", + "iotevents:ListAlarmModels", + "iotevents:ListDetectorModels", + "iotevents:ListInputs", "iotsitewise:ListAssetModels", "iotsitewise:ListAssets", + "iotsitewise:ListDashboards", "iotsitewise:ListGateways", + "iotsitewise:ListPortals", + "iotsitewise:ListProjects", "iottwinmaker:ListComponentTypes", "iottwinmaker:ListEntities", "iottwinmaker:ListScenes", "iottwinmaker:ListWorkspaces", - "kafka:ListConfigurations", - "kms:ListKeys", + "iotwireless:ListServiceProfiles", "ivs:ListChannels", + "ivs:ListRecordingConfigurations", "ivs:ListStreamKeys", "kafka:ListClusters", + "kafka:ListConfigurations", + "kendra:ListIndices", "kinesis:ListStreamConsumers", "kinesis:ListStreams", "kinesisanalytics:ListApplications", "kinesisvideo:ListStreams", + "kms:ListKeys", "lambda:ListAliases", "lambda:ListCodeSigningConfigs", "lambda:ListEventSourceMappings", "lambda:ListFunctions", - "lambda:ListLayers", "lambda:ListLayerVersions", - "lex:ListBots", + "lambda:ListLayers", "lex:ListBotAliases", + "lex:ListBots", "logs:DescribeDestinations", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "lookoutmetrics:ListAlerts", "lookoutvision:ListProjects", - "mediapackage:ListChannels", - "mediapackage:ListOriginEndpoints", + "macie2:ListCustomDataIdentifiers", + "macie2:ListFindingsFilters", "mediapackage-vod:ListPackagingConfigurations", "mediapackage-vod:ListPackagingGroups", - "mq:ListBrokers", + "mediapackage:ListChannels", + "mediapackage:ListOriginEndpoints", "mediatailor:ListPlaybackConfigurations", "memorydb:DescribeACLs", "memorydb:DescribeClusters", "memorydb:DescribeParameterGroups", + "memorydb:DescribeSubnetGroups", "memorydb:DescribeUsers", "mobiletargeting:GetApps", + "mobiletargeting:GetCampaigns", "mobiletargeting:GetSegments", 
"mobiletargeting:ListTemplates", + "mq:ListBrokers", "network-firewall:ListFirewallPolicies", "network-firewall:ListFirewalls", "networkmanager:DescribeGlobalNetworks", @@ -300,20 +336,26 @@ "networkmanager:ListCoreNetworks", "organizations:DescribeAccount", "organizations:DescribeOrganization", - "organizations:ListAccounts", "organizations:ListAWSServiceAccessForOrganization", + "organizations:ListAccounts", "organizations:ListDelegatedAdministrators", "panorama:ListPackages", "personalize:ListDatasetGroups", "personalize:ListDatasets", "personalize:ListSchemas", + "proton:ListEnvironmentAccountConnections", "qldb:ListJournalKinesisStreamsForLedger", "qldb:ListLedgers", + "quicksight:DescribeAccountSubscription", + "quicksight:ListDataSets", + "quicksight:ListDataSources", + "quicksight:ListTemplates", + "ram:GetResourceShares", "rds:DescribeBlueGreenDeployments", "rds:DescribeDBClusterEndpoints", "rds:DescribeDBClusterParameterGroups", - "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshots", + "rds:DescribeDBClusters", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", @@ -328,9 +370,9 @@ "rds:DescribeOptionGroups", "rds:DescribeReservedDBInstances", "redshift:DescribeClusterParameterGroups", - "redshift:DescribeClusters", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", + "redshift:DescribeClusters", "redshift:DescribeEventSubscriptions", "redshift:DescribeSnapshotCopyGrants", "redshift:DescribeSnapshotSchedules", 
@@ -346,35 +388,43 @@ "resource-explorer-2:ListIndexes", "resource-explorer-2:ListViews", "resource-groups:ListGroups", - "route53:ListHealthChecks", - "route53:ListHostedZones", + "robomaker:ListRobotApplications", + "robomaker:ListSimulationApplications", "route53-recovery-readiness:ListRecoveryGroups", "route53-recovery-readiness:ListResourceSets", + "route53:ListHealthChecks", + "route53:ListHostedZones", "route53resolver:ListFirewallDomainLists", "route53resolver:ListFirewallRuleGroups", "route53resolver:ListResolverEndpoints", + "route53resolver:ListResolverQueryLogConfigs", "route53resolver:ListResolverRules", "s3:GetBucketLocation", "s3:ListAccessPoints", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListStorageLensConfigurations", + "sagemaker:ListDomains", + "sagemaker:ListEndpoints", + "sagemaker:ListFeatureGroups", + "sagemaker:ListImages", "sagemaker:ListModels", "sagemaker:ListNotebookInstances", + "sagemaker:ListPipelines", "secretsmanager:ListSecrets", "servicecatalog:ListApplications", "servicecatalog:ListAttributeGroups", "signer:ListSigningProfiles", "sns:ListTopics", "sqs:ListQueues", + "ssm-incidents:ListResponsePlans", "ssm:DescribeAutomationExecutions", "ssm:DescribeInstanceInformation", - "ssm:DescribeMaintenanceWindows", "ssm:DescribeMaintenanceWindowTargets", "ssm:DescribeMaintenanceWindowTasks", + "ssm:DescribeMaintenanceWindows", "ssm:DescribeParameters", "ssm:DescribePatchBaselines", - "ssm-incidents:ListResponsePlans", "ssm:ListAssociations", "ssm:ListDocuments", "ssm:ListInventoryEntries", @@ -382,13 +432,13 @@ "states:ListActivities", "states:ListStateMachines", "timestream:ListDatabases", - "wisdom:listAssistantAssociations", + "transfer:ListWorkflows", "wisdom:ListAssistants", - "wisdom:listKnowledgeBases" + "wisdom:listAssistantAssociations", + "wisdom:listKnowledgeBases", + "workspaces:DescribeWorkspaces" ], - "Resource": [ - "*" - ] + "Resource": "*" } ] } \ No newline at end of file 
diff --git a/docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json b/docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
index c73d7e526..efa40a3f6 100644
--- a/docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
+++ b/docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
@@ -117,7 +117,7 @@
 "Sid": "CreateServiceLinkedRole",
 "Effect": "Allow",
 "Action": "iam:CreateServiceLinkedRole",
- "Resource": "arn:*:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry",
 "Condition": {
 "StringEquals": {
 "iam:AWSServiceName": "servicecatalog-appregistry.amazonaws.com"
@@ -271,6 +271,83 @@
 "ec2:resourceTag/SSMForSAPManaged": "True"
 }
 }
+ },
+ {
+ "Sid": "SsmSapResourceGroup",
+ "Effect": "Allow",
+ "Action": [
+ "resource-groups:Tag",
+ "resource-groups:CreateGroup"
+ ],
+ "Resource": "arn:aws:resource-groups:*:*:group/SystemsManagerForSAP-*",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/SSMForSAPCreated": "True"
+ },
+ "ArnLike": {
+ "aws:RequestTag/awsApplication": "arn:aws:resource-groups:*:*:group/*/*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "SSMForSAPCreated",
+ "awsApplication"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "ManageSsmSapTagsOnEc2Instances",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Resource": "arn:aws:ec2:*:*:instance/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/SSMForSAPManaged": "True"
+ },
+ "ForAllValues:StringLike": {
+ "aws:TagKeys": [
+ "SystemsManagerForSAP-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "ManageSsmSapTagsOnEbsVolumes",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Resource": "arn:aws:ec2:*:*:volume/*",
+ "Condition": {
+ "ForAllValues:StringLike": {
+ "aws:TagKeys": [
+ "SystemsManagerForSAP-*"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "ManageAppTagsOnEbsVolumes",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Resource": "arn:aws:ec2:*:*:volume/*",
+ "Condition": {
+ "ArnLike": {
+ "aws:RequestTag/awsApplication": "arn:aws:resource-groups:*:*:group/*/*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "awsApplication"
+ ]
+ }
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json b/docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json
index d9243798a..2ad12fca5 100644
--- a/docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json
+++ b/docs/source/_static/managed-policies/AWSSSOMasterAccountAdministrator.json
@@ -66,6 +66,16 @@
 "organizations:ServicePrincipal": "sso.amazonaws.com"
 }
 }
+ },
+ {
+ "Sid": "AllowDeleteSyncProfile",
+ "Effect": "Allow",
+ "Action": [
+ "identity-sync:DeleteSyncProfile"
+ ],
+ "Resource": [
+ "arn:aws:identity-sync:*:*:profile/*"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json b/docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
index 6df56663c..d70f106d9 100644
--- a/docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
+++ b/docs/source/_static/managed-policies/AWSServiceRoleForAmazonEKSNodegroup.json
@@ -62,7 +62,9 @@
 "autoscaling:PutLifecycleHook",
 "autoscaling:PutNotificationConfiguration",
 "autoscaling:EnableMetricsCollection",
- "autoscaling:PutScheduledUpdateGroupAction"
+ "autoscaling:PutScheduledUpdateGroupAction",
+ "autoscaling:ResumeProcesses",
+ "autoscaling:SuspendProcesses"
 ],
 "Resource": "arn:aws:autoscaling:*:*:*:autoScalingGroupName/eks-*"
 },
diff --git a/docs/source/_static/managed-policies/AWSServiceRoleForMonitronPolicy.json b/docs/source/_static/managed-policies/AWSServiceRoleForMonitronPolicy.json
index 5e931e136..3ee60d2ec 100644
--- a/docs/source/_static/managed-policies/AWSServiceRoleForMonitronPolicy.json
+++ b/docs/source/_static/managed-policies/AWSServiceRoleForMonitronPolicy.json
@@ -11,7 +11,9 @@
 "sso:AssociateProfile",
 "sso:ListDirectoryAssociations",
 "sso-directory:DescribeUsers",
- "sso-directory:SearchUsers"
+ "sso-directory:SearchUsers",
+ "sso:CreateApplicationAssignment",
+ "sso:ListApplicationAssignments"
 ],
 "Resource": "*"
 }
diff --git a/docs/source/_static/managed-policies/AWSServiceRoleForProcurementInsightsPolicy.json b/docs/source/_static/managed-policies/AWSServiceRoleForProcurementInsightsPolicy.json
new file mode 100644
index 000000000..7ac8a44f0
--- /dev/null
+++ b/docs/source/_static/managed-policies/AWSServiceRoleForProcurementInsightsPolicy.json
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ProcurementInsightsPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "organizations:DescribeAccount",
+ "organizations:DescribeOrganization",
+ "organizations:ListAccounts"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AWSSocialMessagingServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSSocialMessagingServiceRolePolicy.json
new file mode 100644
index 000000000..c66f3c0cb
--- /dev/null
+++ b/docs/source/_static/managed-policies/AWSSocialMessagingServiceRolePolicy.json
@@ -0,0 +1,16 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "CloudwatchMetricPublishing",
+ "Effect": "Allow",
+ "Action": "cloudwatch:PutMetricData",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "cloudwatch:namespace": "AWS/SocialMessaging"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json b/docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
index 10f3df05a..a7e1f10a7 100644
--- a/docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
+++ b/docs/source/_static/managed-policies/AWSSupportPlansFullAccess.json
@@ -6,6 +6,7 @@
 "Action": [
 "supportplans:GetSupportPlan",
 "supportplans:GetSupportPlanUpdateStatus",
+ "supportplans:ListSupportPlanModifiers",
 "supportplans:StartSupportPlanUpdate",
 "supportplans:CreateSupportPlanSchedule"
 ],
diff --git a/docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json b/docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
index eb7f53033..c7b88d292 100644
--- a/docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/AWSSupportPlansReadOnlyAccess.json
@@ -5,7 +5,8 @@
 "Effect": "Allow",
 "Action": [
 "supportplans:GetSupportPlan",
- "supportplans:GetSupportPlanUpdateStatus"
+ "supportplans:GetSupportPlanUpdateStatus",
+ "supportplans:ListSupportPlanModifiers"
 ],
 "Resource": "*"
 }
diff --git a/docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
index 17a715cd3..d68b05020 100644
--- a/docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
@@ -84,6 +84,8 @@
 "access-analyzer:listArchiveRules",
 "access-analyzer:listFindings",
 "access-analyzer:listPolicyGenerations",
+ "account:getRegionOptStatus",
+ "account:listRegions",
 "acm-pca:describeCertificateAuthority",
 "acm-pca:describeCertificateAuthorityAuditReport",
 "acm-pca:getCertificate",
@@ -112,6 +114,37 @@ "amplify:listWebhooks", "amplifyuibuilder:exportComponents", "amplifyuibuilder:exportThemes", + "aoss:batchGetCollection", + "aoss:batchGetEffectiveLifecyclePolicy", + "aoss:batchGetLifecyclePolicy", + "aoss:batchGetVpcEndpoint", + "aoss:getAccessPolicy", + "aoss:getAccountSettings", + "aoss:getPoliciesStats", + "aoss:getSecurityConfig", + "aoss:getSecurityPolicy", + "aoss:listAccessPolicies", + "aoss:listCollections", + "aoss:listLifecyclePolicies", + "aoss:listSecurityConfigs", + "aoss:listSecurityPolicies", + "aoss:listTagsForResource", + "aoss:listVpcEndpoints", + "appconfig:getApplication", + "appconfig:getConfigurationProfile", + "appconfig:getDeployment", + "appconfig:getDeploymentStrategy", + "appconfig:getEnvironment", + "appconfig:getExtension", + "appconfig:getExtensionAssociation", + "appconfig:listApplications", + "appconfig:listConfigurationProfiles", + "appconfig:listDeployments", + "appconfig:listDeploymentStrategies", + "appconfig:listEnvironments", + "appconfig:listExtensionAssociations", + "appconfig:listHostedConfigurationVersions", + "appconfig:listExtensions", "appflow:describeConnectorEntity", "appflow:describeConnectorProfiles", "appflow:describeConnectors", @@ -160,6 +193,13 @@ "apprunner:listConnections", "apprunner:listOperations", "apprunner:listServices", + "application-signals:getServiceLevelObjective", + "application-signals:getService", + "application-signals:listServiceDependencies", + "application-signals:listServiceDependents", + "application-signals:listServiceLevelObjectives", + "application-signals:listServiceOperations", + "application-signals:listServices", "apprunner:listTagsForResource", "appstream:describeAppBlockBuilderAppBlockAssociations", "appstream:describeAppBlockBuilders", 
@@ -231,6 +271,9 @@ "athena:listSessions", "athena:listTagsForResource", "athena:listWorkGroups", + "athena:getCapacityAssignmentConfiguration", + "athena:getCapacityReservation", + "athena:listCapacityReservations", "auditmanager:getAccountStatus", "auditmanager:getDelegations", "auditmanager:listAssessmentFrameworks", @@ -259,6 +302,7 @@ "autoscaling:describeScalingActivities", "autoscaling:describeScalingProcessTypes", "autoscaling:describeScheduledActions", + "autoscaling:describeTrafficSources", "autoscaling:describeTags", "autoscaling:describeTerminationPolicyTypes", "autoscaling:describeWarmPool", @@ -318,6 +362,28 @@ "batch:describeJobQueues", "batch:describeJobs", "batch:listJobs", + "bedrock:getAgent", + "bedrock:getAgentActionGroup", + "bedrock:getAgentAlias", + "bedrock:getAgentKnowledgeBase", + "bedrock:getAgentVersion", + "bedrock:getCustomModel", + "bedrock:getDataSource", + "bedrock:getIngestionJob", + "bedrock:getKnowledgeBase", + "bedrock:getModelCustomizationJob", + "bedrock:getModelInvocationLoggingConfiguration", + "bedrock:listAgentActionGroups", + "bedrock:listAgentAliases", + "bedrock:listAgentKnowledgeBases", + "bedrock:listAgents", + "bedrock:listAgentVersions", + "bedrock:listCustomModels", + "bedrock:listDataSources", + "bedrock:listIngestionJobs", + "bedrock:listKnowledgeBases", + "bedrock:listModelCustomizationJobs", + "bedrock:listProvisionedModelThroughputs", "braket:getDevice", "braket:getQuantumTask", "braket:searchDevices", @@ -481,6 +547,7 @@ "cloudwatch:describeAnomalyDetectors", "cloudwatch:describeInsightRules", "cloudwatch:getDashboard", + "cloudWatch:getMetricWidgetImage", "cloudwatch:getInsightRuleReport", "cloudwatch:getMetricData", "cloudwatch:getMetricStatistics", 
@@ -519,6 +586,18 @@ "codecommit:getRepositoryTriggers", "codecommit:listBranches", "codecommit:listRepositories", + "codeconnections:getConnection", + "codeconnections:getHost", + "codeconnections:getRepositoryLink", + "codeconnections:getRepositorySyncStatus", + "codeconnections:getResourceSyncStatus", + "codeconnections:getSyncBlockerSummary", + "codeconnections:getSyncConfiguration", + "codeconnections:listConnections", + "codeconnections:listHosts", + "codeconnections:listRepositoryLinks", + "codeconnections:listRepositorySyncDefinitions", + "codeconnections:listSyncConfigurations", "codedeploy:batchGetApplicationRevisions", "codedeploy:batchGetApplications", "codedeploy:batchGetDeploymentGroups", @@ -746,6 +825,23 @@ "dax:describeParameterGroups", "dax:describeParameters", "dax:describeSubnetGroups", + "deadline:listAvailableMeteredProducts", + "deadline:listBudgets", + "deadline:listFarmMembers", + "deadline:listFarms", + "deadline:listFleetMembers", + "deadline:listFleets", + "deadline:listJobMembers", + "deadline:listJobs", + "deadline:listLicenseEndpoints", + "deadline:listMeteredProducts", + "deadline:listMonitors", + "deadline:listQueueEnvironments", + "deadline:listQueueFleetAssociations", + "deadline:listQueueMembers", + "deadline:listQueues", + "deadline:listStorageProfiles", + "deadline:listWorkers", "detective:getMembers", "detective:listGraphs", "detective:listInvitations", @@ -866,6 +962,7 @@ "dynamodb:describeStream", "dynamodb:describeTable", "dynamodb:describeTimeToLive", + "dynamodb:getResourcePolicy", "dynamodb:listBackups", "dynamodb:listContributorInsights", "dynamodb:listExports", @@ -961,6 +1058,7 @@ "ec2:describeSecurityGroups", "ec2:describeSnapshotAttribute", "ec2:describeSnapshots", + "ec2:describeSnapshotTierStatus", "ec2:describeSpotDatafeedSubscription", "ec2:describeSpotFleetInstances", "ec2:describeSpotFleetRequestHistory", 
@@ -1006,6 +1104,7 @@ "ec2:describeVpnGateways", "ec2:getAssociatedIpv6PoolCidrs", "ec2:getCapacityReservationUsage", + "ec2:getSubnetCidrReservations", "ec2:getCoipPoolUsage", "ec2:getConsoleOutput", "ec2:getConsoleScreenshot", @@ -1034,6 +1133,19 @@ "ec2:searchLocalGatewayRoutes", "ec2:searchTransitGatewayMulticastGroups", "ec2:searchTransitGatewayRoutes", + "ec2:describeIpamByoasn", + "ec2:describeIpamPools", + "ec2:describeIpamResourceDiscoveries", + "ec2:describeIpamResourceDiscoveryAssociations", + "ec2:describeIpams", + "ec2:describeIpamScopes", + "ec2:getIpamAddressHistory", + "ec2:getIpamDiscoveredAccounts", + "ec2:getIpamDiscoveredPublicAddresses", + "ec2:getIpamDiscoveredResourceCidrs", + "ec2:getIpamPoolAllocations", + "ec2:getIpamPoolCidrs", + "ec2:getIpamResourceCidrs", "ecr-public:describeImages", "ecr-public:describeImageTags", "ecr-public:describeRegistries", @@ -1084,6 +1196,8 @@ "eks:describeFargateProfile", "eks:describeIdentityProviderConfig", "eks:describeNodegroup", + "eks:describePodIdentityAssociation", + "eks:listPodIdentityAssociations", "eks:describeUpdate", "eks:listAccessEntries", "eks:listAccessPolicies", @@ -1134,6 +1248,8 @@ "elasticbeanstalk:listPlatformVersions", "elasticbeanstalk:validateConfigurationSettings", "elasticfilesystem:describeAccessPoints", + "elasticfilesystem:describeBackupPolicy", + "elasticfilesystem:describeReplicationConfigurations", "elasticfilesystem:describeFileSystemPolicy", "elasticfilesystem:describeFileSystems", "elasticfilesystem:describeLifecycleConfiguration", 
@@ -1149,6 +1265,9 @@ "elasticloadbalancing:describeLoadBalancerPolicies", "elasticloadbalancing:describeLoadBalancerPolicyTypes", "elasticloadbalancing:describeLoadBalancers", + "elasticloadbalancing:describeTrustStores", + "elasticloadbalancing:describeTrustStoreAssociations", + "elasticloadbalancing:describeTrustStoreRevocations", "elasticloadbalancing:describeRules", "elasticloadbalancing:describeSSLPolicies", "elasticloadbalancing:describeTags", @@ -1279,6 +1398,7 @@ "forecast:listForecastExportJobs", "forecast:listForecasts", "forecast:listPredictors", + "freetier:getFreeTierUsage", "fsx:describeBackups", "fsx:describeDataRepositoryAssociations", "fsx:describeDataRepositoryTasks", @@ -1572,6 +1692,8 @@ "inspector2:batchGetAccountStatus", "inspector2:batchGetFreeTrialInfo", "inspector2:describeOrganizationConfiguration", + "inspector2:getConfiguration", + "inspector2:getEc2DeepInspectionConfiguration", "inspector2:getDelegatedAdminAccount", "inspector2:getMember", "inspector2:getSbomExport", @@ -1638,6 +1760,7 @@ "iot:listTopicRules", "iot:listTunnels", "iot:listV2LoggingLevels", + "iot:listNamedShadowsForThing", "iotevents:describeDetector", "iotevents:describeDetectorModel", "iotevents:describeInput", @@ -1813,10 +1936,13 @@ "lambda:listLayers", "lambda:listLayerVersions", "lambda:listProvisionedConcurrencyConfigs", + "lambda:listTags", "lambda:listVersionsByFunction", "launchwizard:describeProvisionedApp", "launchwizard:describeProvisioningEvents", "launchwizard:listProvisionedApps", + "launchwizard:listDeployments", + "launchwizard:listDeploymentEvents", "lex:describeBot", "lex:describeBotAlias", "lex:describeBotLocale", 
@@ -2228,6 +2354,12 @@ "opsworks:getHostnameSuggestion", "organizations:listAccounts", "organizations:listTagsForResource", + "osis:getPipeline", + "osis:getPipelineBlueprint", + "osis:getPipelineChangeProgress", + "osis:listPipelineBlueprints", + "osis:listPipelines", + "osis:validatePipeline", "outposts:getCatalogItem", "outposts:getConnection", "outposts:getOrder", @@ -2537,6 +2669,13 @@ "route53domains:listPrices", "route53domains:listTagsForDomain", "route53domains:viewBilling", + "route53profiles:getProfile", + "route53profiles:listProfileAssociations", + "route53profiles:listProfileResourceAssociations", + "route53profiles:listProfiles", + "route53profiles:listTagsForResource", + "route53profiles:getProfileResourceAssociation", + "route53profiles:getProfileAssociation", "route53resolver:getFirewallConfig", "route53resolver:getFirewallDomainList", "route53resolver:getFirewallRuleGroup", @@ -2787,6 +2926,14 @@ "securityhub:listEnabledProductsForImport", "securityhub:listInvitations", "securityhub:listMembers", + "securityhub:describeOrganizationConfiguration", + "securityhub:batchGetConfigurationPolicyAssociations", + "securityhub:getConfigurationPolicy", + "securityhub:getConfigurationPolicyAssociation", + "securityhub:listConfigurationPolicies", + "securityhub:listConfigurationPolicyAssociations", + "securityhub:getFindingAggregator", + "securityhub:listFindingAggregators", "securitylake:getDataLakeExceptionSubscription", "securitylake:getDataLakeOrganizationConfiguration", "securitylake:getDataLakeSources", @@ -3282,6 +3429,10 @@ "workspaces-web:listUserSettings", "workspaces:describeAccount", "workspaces:describeAccountModifications", + "workspaces:describeApplicationAssociations", + "workspaces:describeWorkspaceAssociations", + "workspaces:describeWorkspacesPools", + "workspaces:describeWorkspacesPoolSessions", "workspaces:describeIpGroups", "workspaces:describeTags", "workspaces:describeWorkspaceBundles", 
@@ -3293,7 +3444,13 @@
 "xray:getGroup",
 "xray:getGroups",
 "xray:getSamplingRules",
- "xray:listResourcePolicies"
+ "xray:listResourcePolicies",
+ "xray:getInsightImpactGraph",
+ "xray:getSamplingStatisticSummaries",
+ "xray:getSamplingTargets",
+ "xray:getServiceGraph",
+ "xray:getTimeSeriesServiceStatistics",
+ "xray:getTraceGraph"
 ],
 "Effect": "Allow",
 "Resource": [
diff --git a/docs/source/_static/managed-policies/AWSThinkboxAWSPortalAdminPolicy.json b/docs/source/_static/managed-policies/AWSThinkboxAWSPortalAdminPolicy.json
index 6abfb0ab7..c0c791d74 100644
--- a/docs/source/_static/managed-policies/AWSThinkboxAWSPortalAdminPolicy.json
+++ b/docs/source/_static/managed-policies/AWSThinkboxAWSPortalAdminPolicy.json
@@ -94,7 +94,7 @@
 "Action": "ec2:RunInstances",
 "Resource": "arn:aws:ec2:*:*:instance/*",
 "Condition": {
- "StringLike": {
+ "ArnLike": {
 "ec2:InstanceProfile": "arn:aws:iam::*:instance-profile/AWSPortal*"
 }
 }
@@ -116,8 +116,8 @@
 "Action": "ec2:TerminateInstances",
 "Resource": "*",
 "Condition": {
- "StringLike": {
- "ec2:ResourceTag/aws:ec2spot:fleet-request-id": "*"
+ "Null": {
+ "ec2:ResourceTag/aws:ec2spot:fleet-request-id": false
 }
 }
 },
@@ -127,8 +127,8 @@
 "Action": "ec2:TerminateInstances",
 "Resource": "*",
 "Condition": {
- "StringLike": {
- "ec2:PlacementGroup": "*DeadlinePlacementGroup*"
+ "ArnLike": {
+ "ec2:PlacementGroup": "arn:aws:ec2:*:*:placement-group/*DeadlinePlacementGroup*"
 }
 }
 },
@@ -140,8 +140,8 @@
 ],
 "Resource": "arn:aws:ec2:*:*:instance/*",
 "Condition": {
- "StringLike": {
- "ec2:PlacementGroup": "*DeadlinePlacementGroup*"
+ "ArnLike": {
+ "ec2:PlacementGroup": "arn:aws:ec2:*:*:placement-group/*DeadlinePlacementGroup*"
 }
 }
 },
diff --git a/docs/source/_static/managed-policies/AWSThinkboxDeadlineResourceTrackerAdminPolicy.json b/docs/source/_static/managed-policies/AWSThinkboxDeadlineResourceTrackerAdminPolicy.json
index ee41b3672..c33a9ef90 100644
--- a/docs/source/_static/managed-policies/AWSThinkboxDeadlineResourceTrackerAdminPolicy.json
+++ b/docs/source/_static/managed-policies/AWSThinkboxDeadlineResourceTrackerAdminPolicy.json
@@ -177,7 +177,7 @@
 "*"
 ],
 "Condition": {
- "StringLike": {
+ "ArnLike": {
 "lambda:FunctionArn": [
 "arn:aws:lambda:*:*:function:DeadlineResourceTracker*"
 ]
diff --git a/docs/source/_static/managed-policies/AWSTrustedAdvisorServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSTrustedAdvisorServiceRolePolicy.json
index bdd702930..f2d7547ea 100644
--- a/docs/source/_static/managed-policies/AWSTrustedAdvisorServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AWSTrustedAdvisorServiceRolePolicy.json
@@ -53,6 +53,8 @@
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
 "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeRules",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
 "iam:GenerateCredentialReport",
diff --git a/docs/source/_static/managed-policies/AWS_ConfigRole.json b/docs/source/_static/managed-policies/AWS_ConfigRole.json
index df67d1e5a..d67d00629 100644
--- a/docs/source/_static/managed-policies/AWS_ConfigRole.json
+++ b/docs/source/_static/managed-policies/AWS_ConfigRole.json
@@ -29,15 +29,31 @@ "amplifyuibuilder:ExportThemes", "amplifyuibuilder:GetTheme", "amplifyuibuilder:ListThemes", + "aoss:BatchGetCollection", + "aoss:BatchGetLifecyclePolicy", + "aoss:BatchGetVpcEndpoint", + "aoss:GetAccessPolicy", + "aoss:GetSecurityConfig", + "aoss:GetSecurityPolicy", + "aoss:ListAccessPolicies", + "aoss:ListCollections", + "aoss:ListLifecyclePolicies", + "aoss:ListSecurityConfigs", + "aoss:ListSecurityPolicies", + "aoss:ListVpcEndpoints", "apigateway:GET", + "app-integrations:GetApplication", "app-integrations:GetEventIntegration", + "app-integrations:ListApplications", "app-integrations:ListEventIntegrationAssociations", "app-integrations:ListEventIntegrations", + "app-integrations:ListTagsForResource", "appconfig:GetApplication", "appconfig:GetConfigurationProfile", "appconfig:GetDeployment", "appconfig:GetDeploymentStrategy", "appconfig:GetEnvironment", + "appconfig:GetExtension", "appconfig:GetExtensionAssociation", "appconfig:GetHostedConfigurationVersion", "appconfig:ListApplications", @@ -46,6 +62,7 @@ "appconfig:ListDeploymentStrategies", "appconfig:ListEnvironments", "appconfig:ListExtensionAssociations", + "appconfig:ListExtensions", "appconfig:ListHostedConfigurationVersions", "appconfig:ListTagsForResource", "appflow:DescribeConnectorProfiles", @@ -74,6 +91,7 @@ "apprunner:ListServices", "apprunner:ListTagsForResource", "apprunner:ListVpcConnectors", + "appstream:DescribeAppBlockBuilders", "appstream:DescribeApplications", "appstream:DescribeDirectoryConfigs", "appstream:DescribeFleets", 
@@ -120,12 +138,16 @@ "backup:GetBackupSelection", "backup:GetBackupVaultAccessPolicy", "backup:GetBackupVaultNotifications", + "backup:GetRestoreTestingPlan", + "backup:GetRestoreTestingSelection", "backup:ListBackupPlans", "backup:ListBackupSelections", "backup:ListBackupVaults", "backup:ListFrameworks", "backup:ListRecoveryPointsByBackupVault", "backup:ListReportPlans", + "backup:ListRestoreTestingPlans", + "backup:ListRestoreTestingSelections", "backup:ListTags", "batch:DescribeComputeEnvironments", "batch:DescribeJobQueues", @@ -165,9 +187,12 @@ "cloudfront:ListResponseHeadersPolicies", "cloudfront:ListTagsForResource", "cloudtrail:DescribeTrails", + "cloudTrail:GetChannel", "cloudtrail:GetEventDataStore", "cloudtrail:GetEventSelectors", + "cloudtrail:GetInsightSelectors", "cloudtrail:GetTrailStatus", + "cloudTrail:ListChannels", "cloudtrail:ListEventDataStores", "cloudtrail:ListTags", "cloudtrail:ListTrails", @@ -231,8 +256,11 @@ "connect:DescribeInstanceStorageConfig", "connect:DescribePhoneNumber", "connect:DescribePrompt", + "connect:DescribeQueue", "connect:DescribeQuickConnect", + "connect:DescribeRoutingProfile", "connect:DescribeRule", + "connect:DescribeSecurityProfile", "connect:DescribeUser", "connect:GetTaskTemplate", "connect:ListApprovedOrigins", @@ -244,9 +272,16 @@ "connect:ListPhoneNumbers", "connect:ListPhoneNumbersV2", "connect:ListPrompts", + "connect:ListQueueQuickConnects", + "connect:ListQueues", "connect:ListQuickConnects", + "connect:ListRoutingProfileQueues", + "connect:ListRoutingProfiles", "connect:ListRules", "connect:ListSecurityKeys", + "connect:ListSecurityProfileApplications", + "connect:ListSecurityProfilePermissions", + "connect:ListSecurityProfiles", "connect:ListTagsForResource", "connect:ListTaskTemplates", "connect:ListUsers", 
@@ -278,6 +313,8 @@ "datasync:ListLocations", "datasync:ListTagsForResource", "datasync:ListTasks", + "datazone:GetDomain", + "datazone:ListDomains", "dax:DescribeClusters", "dax:DescribeParameterGroups", "dax:DescribeParameters", @@ -295,6 +332,7 @@ "devicefarm:ListTagsForResource", "devicefarm:ListTestGridProjects", "devops-guru:GetResourceCollection", + "devops-guru:ListNotificationChannels", "dms:DescribeCertificates", "dms:DescribeEndpoints", "dms:DescribeEventSubscriptions", @@ -332,6 +370,7 @@ "ec2:DescribeTrafficMirrorTargets", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", + "ec2:DescribeVpcEndpoints", "ec2:GetEbsEncryptionByDefault", "ec2:GetInstanceTypesFromInstanceRequirements", "ec2:GetIpamPoolAllocations", @@ -541,15 +580,19 @@ "glue:GetMLTransforms", "glue:GetPartition", "glue:GetPartitions", + "glue:GetRegistry", "glue:GetSecurityConfiguration", "glue:GetSecurityConfigurations", "glue:GetTable", "glue:GetTags", + "glue:GetTrigger", "glue:GetWorkflow", "glue:ListCrawlers", "glue:ListDevEndpoints", "glue:ListJobs", "glue:ListMLTransforms", + "glue:ListRegistries", + "glue:ListTriggers", "glue:ListWorkflows", "grafana:DescribeWorkspace", "grafana:DescribeWorkspaceAuthentication", @@ -627,6 +670,10 @@ "iam:ListUserPolicies", "iam:ListUsers", "iam:ListVirtualMFADevices", + "identitystore:DescribeGroup", + "identitystore:DescribeGroupMembership", + "identitystore:ListGroupMemberships", + "identitystore:ListGroups", "imagebuilder:GetComponent", "imagebuilder:GetContainerRecipe", "imagebuilder:GetDistributionConfiguration", @@ -634,6 +681,7 @@ "imagebuilder:GetImagePipeline", "imagebuilder:GetImageRecipe", "imagebuilder:GetInfrastructureConfiguration", + "imagebuilder:GetLifecyclePolicy", "imagebuilder:ListComponentBuildVersions", "imagebuilder:ListComponents", "imagebuilder:ListContainerRecipes", 
@@ -643,12 +691,14 @@ "imagebuilder:ListImageRecipes", "imagebuilder:ListImages", "imagebuilder:ListInfrastructureConfigurations", + "imagebuilder:ListLifecyclePolicies", "inspector2:BatchGetAccountStatus", "inspector2:GetDelegatedAdminAccount", "inspector2:ListFilters", "inspector2:ListMembers", "iot:DescribeAccountAuditConfiguration", "iot:DescribeAuthorizer", + "iot:DescribeBillingGroup", "iot:DescribeCACertificate", "iot:DescribeCertificate", "iot:DescribeCustomMetric", @@ -661,10 +711,13 @@ "iot:DescribeRoleAlias", "iot:DescribeScheduledAudit", "iot:DescribeSecurityProfile", + "iot:DescribeThingGroup", + "iot:DescribeThingType", "iot:GetPolicy", "iot:GetTopicRule", "iot:GetTopicRuleDestination", "iot:ListAuthorizers", + "iot:ListBillingGroups", "iot:ListCACertificates", "iot:ListCertificates", "iot:ListCustomMetrics", @@ -681,6 +734,8 @@ "iot:ListSecurityProfilesForTarget", "iot:ListTagsForResource", "iot:ListTargetsForSecurityProfile", + "iot:ListThingGroups", + "iot:ListThingTypes", "iot:ListTopicRuleDestinations", "iot:ListTopicRules", "iot:ListV2LoggingLevels", @@ -701,6 +756,21 @@ "iotevents:ListDetectorModels", "iotevents:ListInputs", "iotevents:ListTagsForResource", + "iotfleetwise:GetDecoderManifest", + "iotfleetwise:GetFleet", + "iotfleetwise:GetModelManifest", + "iotfleetwise:GetSignalCatalog", + "iotfleetwise:GetVehicle", + "iotfleetwise:ListDecoderManifestNetworkInterfaces", + "iotfleetwise:ListDecoderManifests", + "iotfleetwise:ListDecoderManifestSignals", + "iotfleetwise:ListFleets", + "iotfleetwise:ListModelManifestNodes", + "iotfleetwise:ListModelManifests", + "iotfleetwise:ListSignalCatalogNodes", + "iotfleetwise:ListSignalCatalogs", + "iotfleetwise:ListTagsForResource", + "iotfleetwise:ListVehicles", "iotsitewise:DescribeAccessPolicy", "iotsitewise:DescribeAsset", "iotsitewise:DescribeAssetModel", 
@@ -728,26 +798,45 @@ "iottwinmaker:ListSyncJobs", "iottwinmaker:ListTagsForResource", "iottwinmaker:ListWorkspaces", + "iotwireless:GetDestination", + "iotwireless:GetDeviceProfile", "iotwireless:GetFuotaTask", "iotwireless:GetMulticastGroup", "iotwireless:GetServiceProfile", "iotwireless:GetWirelessDevice", + "iotwireless:GetWirelessGateway", "iotwireless:GetWirelessGatewayTaskDefinition", + "iotwireless:ListDestinations", + "iotwireless:ListDeviceProfiles", "iotwireless:ListFuotaTasks", "iotwireless:ListMulticastGroups", "iotwireless:ListServiceProfiles", "iotwireless:ListTagsForResource", "iotwireless:ListWirelessDevices", + "iotwireless:ListWirelessGateways", "iotwireless:ListWirelessGatewayTaskDefinitions", "ivs:GetChannel", + "ivs:GetEncoderConfiguration", "ivs:GetPlaybackKeyPair", + "ivs:GetPlaybackRestrictionPolicy", "ivs:GetRecordingConfiguration", + "ivs:GetStage", + "ivs:GetStorageConfiguration", "ivs:GetStreamKey", "ivs:ListChannels", + "ivs:ListEncoderConfigurations", "ivs:ListPlaybackKeyPairs", + "ivs:ListPlaybackRestrictionPolicies", "ivs:ListRecordingConfigurations", + "ivs:ListStages", + "ivs:ListStorageConfigurations", "ivs:ListStreamKeys", "ivs:ListTagsForResource", + "ivschat:GetLoggingConfiguration", + "ivschat:GetRoom", + "ivschat:ListLoggingConfigurations", + "ivschat:ListRooms", + "ivschat:ListTagsForResource", "kafka:DescribeCluster", "kafka:DescribeClusterV2", "kafka:DescribeConfiguration", @@ -838,7 +927,9 @@ "logs:DescribeLogGroups", "logs:DescribeMetricFilters", "logs:GetDataProtectionPolicy", + "logs:GetLogAnomalyDetector", "logs:GetLogDelivery", + "logs:ListLogAnomalyDetectors", "logs:ListLogDeliveries", "logs:ListTagsLogGroup", "lookoutequipment:DescribeInferenceScheduler", 
@@ -868,16 +959,28 @@ "managedblockchain:ListInvitations", "managedblockchain:ListMembers", "managedblockchain:ListNodes", + "mediaconnect:DescribeBridge", "mediaconnect:DescribeFlow", + "mediaconnect:DescribeGateway", + "mediaconnect:ListBridges", "mediaconnect:ListFlows", + "mediaconnect:ListGateways", "mediaconnect:ListTagsForResource", "mediapackage-vod:DescribePackagingConfiguration", "mediapackage-vod:DescribePackagingGroup", "mediapackage-vod:ListPackagingConfigurations", "mediapackage-vod:ListPackagingGroups", "mediapackage-vod:ListTagsForResource", + "mediatailor:DescribeChannel", + "mediatailor:DescribeLiveSource", + "mediatailor:DescribeSourceLocation", + "mediatailor:DescribeVodSource", "mediatailor:GetPlaybackConfiguration", + "mediatailor:ListChannels", + "mediatailor:ListLiveSources", "mediatailor:ListPlaybackConfigurations", + "mediatailor:ListSourceLocations", + "mediatailor:ListVodSources", "memorydb:DescribeAcls", "memorydb:DescribeClusters", "memorydb:DescribeParameterGroups", @@ -921,6 +1024,11 @@ "nimble:ListStreamingImages", "nimble:ListStudioComponents", "nimble:ListStudios", + "oam:GetSink", + "oam:GetSinkPolicy", + "oam:ListSinks", + "omics:GetWorkflow", + "omics:ListWorkflows", "opsworks:DescribeInstances", "opsworks:DescribeLayers", "opsworks:DescribeTimeBasedAutoScaling", @@ -949,6 +1057,11 @@ "panorama:ListApplicationInstances", "panorama:ListNodes", "panorama:ListPackages", + "payment-cryptography:GetAlias", + "payment-cryptography:GetKey", + "payment-cryptography:ListAliases", + "payment-cryptography:ListKeys", + "payment-cryptography:ListTagsForResource", "personalize:DescribeDataset", "personalize:DescribeDatasetGroup", "personalize:DescribeSchema", @@ -1006,6 +1119,8 @@ "rds:DescribeDBParameters", "rds:DescribeDBProxies", "rds:DescribeDBProxyEndpoints", + "rds:DescribeDBProxyTargetGroups", + "rds:DescribeDBProxyTargets", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", 
@@ -1037,6 +1152,7 @@ "refactor-spaces:ListApplications", "refactor-spaces:ListEnvironments", "refactor-spaces:ListServices", + "rekognition:DescribeProjects", "rekognition:DescribeStreamProcessor", "rekognition:ListStreamProcessors", "rekognition:ListTagsForResource", @@ -1154,12 +1270,15 @@ "s3:GetReplicationConfiguration", "s3:GetStorageLensConfiguration", "s3:GetStorageLensConfigurationTagging", + "s3:GetStorageLensGroup", "s3:ListAccessPoints", "s3:ListAccessPointsForObjectLambda", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListMultiRegionAccessPoints", "s3:ListStorageLensConfigurations", + "s3:ListStorageLensGroups", + "s3:ListTagsForResource", "s3express:GetBucketPolicy", "s3express:ListAllMyDirectoryBuckets", "sagemaker:DescribeAppImageConfig", @@ -1205,6 +1324,11 @@ "sagemaker:ListProjects", "sagemaker:ListTags", "sagemaker:ListWorkteams", + "scheduler:GetSchedule", + "scheduler:GetScheduleGroup", + "scheduler:ListScheduleGroups", + "scheduler:ListSchedules", + "scheduler:ListTagsForResource", "schemas:DescribeDiscoverer", "schemas:DescribeRegistry", "schemas:DescribeSchema", @@ -1255,15 +1379,16 @@ "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ListQueueTags", + "ssm-sap:ListTagsForResource", "ssm:DescribeAutomationExecutions", "ssm:DescribeDocument", "ssm:DescribeDocumentPermission", "ssm:DescribeParameters", "ssm:GetAutomationExecution", "ssm:GetDocument", + "ssm:GetServiceSetting", "ssm:ListDocuments", "ssm:ListTagsForResource", - "ssm-sap:ListTagsForResource", "sso:DescribeInstanceAccessControlAttributeConfiguration", "sso:DescribePermissionSet", "sso:GetInlinePolicyForPermissionSet", 
@@ -1314,6 +1439,16 @@ "transfer:ListWorkflows", "voiceid:DescribeDomain", "voiceid:ListTagsForResource", + "vpc-lattice:GetAccessLogSubscription", + "vpc-lattice:GetService", + "vpc-lattice:GetServiceNetwork", + "vpc-lattice:GetTargetGroup", + "vpc-lattice:ListAccessLogSubscriptions", + "vpc-lattice:ListServiceNetworks", + "vpc-lattice:ListServices", + "vpc-lattice:ListTagsForResource", + "vpc-lattice:ListTargetGroups", + "vpc-lattice:ListTargets", "waf-regional:GetLoggingConfiguration", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource", diff --git a/docs/source/_static/managed-policies/AccessAnalyzerServiceRolePolicy.json b/docs/source/_static/managed-policies/AccessAnalyzerServiceRolePolicy.json index c4167f19f..e65e3abc1 100644 --- a/docs/source/_static/managed-policies/AccessAnalyzerServiceRolePolicy.json +++ b/docs/source/_static/managed-policies/AccessAnalyzerServiceRolePolicy.json @@ -23,6 +23,8 @@ "iam:ListEntitiesForPolicy", "iam:ListRoles", "iam:ListUsers", + "iam:ListRoleTags", + "iam:ListUserTags", "iam:GetUser", "iam:GetGroup", "iam:GenerateServiceLastAccessedDetails", diff --git a/docs/source/_static/managed-policies/AmazonBedrockReadOnly.json b/docs/source/_static/managed-policies/AmazonBedrockReadOnly.json index cce29461e..d10ace202 100644 --- a/docs/source/_static/managed-policies/AmazonBedrockReadOnly.json +++ b/docs/source/_static/managed-policies/AmazonBedrockReadOnly.json 
@@ -15,7 +15,19 @@ "bedrock:ListCustomModels", "bedrock:GetCustomModel", "bedrock:ListTagsForResource", - "bedrock:GetFoundationModelAvailability" + "bedrock:GetFoundationModelAvailability", + "bedrock:GetGuardrail", + "bedrock:ListGuardrails", + "bedrock:GetEvaluationJob", + "bedrock:ListEvaluationJobs", + "bedrock:GetModelInvocationJob", + "bedrock:ListModelInvocationJobs", + "bedrock:GetInferenceProfile", + "bedrock:ListInferenceProfiles", + "bedrock:ListImportedModels", + "bedrock:GetImportedModel", + "bedrock:ListModelImportJobs", + "bedrock:GetModelImportJob" ], "Resource": "*" } diff --git a/docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json b/docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json index 435e80f78..a715d9926 100644 --- a/docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json +++ b/docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json @@ -2,6 +2,7 @@ "Version": "2012-10-17", "Statement": [ { + "Sid": "CognitoUnAuthedIdentitiesSessionPolicy", "Effect": "Allow", "Action": [ "rum:PutRumEvents", @@ -13,7 +14,22 @@ "rekognition:*", "mobiletargeting:*", "firehose:*", - "personalize:*" + "personalize:*", + "geo:GetMap*", + "geo:SearchPlaceIndex*", + "geo:GetPlace", + "geo:CalculateRoute*", + "geo:*Geofence", + "geo:*Geofences", + "geo:*DevicePosition*", + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncryptTo", + "kms:ReEncryptFrom", + "kms:GenerateDataKey", + "kms:GenerateDataKeyPair", + "kms:GenerateDataKeyPairWithoutPlaintext", + "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "*" } diff --git a/docs/source/_static/managed-policies/AmazonConnectCampaignsServiceLinkedRolePolicy.json b/docs/source/_static/managed-policies/AmazonConnectCampaignsServiceLinkedRolePolicy.json index f49c9ce6e..691fdda6d 100644 --- a/docs/source/_static/managed-policies/AmazonConnectCampaignsServiceLinkedRolePolicy.json 
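Review bot: The Cognito unauthenticated-identities policy now lists `kms:Decrypt`, `kms:Encrypt` and the `kms:GenerateDataKey*` family on `"Resource": "*"` with no condition, next to `geo:*Geofence` and `geo:*Geofences`, wildcards that also match mutating actions such as `geo:PutGeofence` and `geo:BatchDeleteGeofence`. Judging by the file name this document is applied as a session policy, in which case the effective permissions remain the intersection with the unauthenticated role's own policy and the widening only bites where that role already grants KMS or Location write access; that caveat deserves a sentence in the documentation beside this policy so the `kms:` entries are not read as a standalone grant. The `Action` array and the enclosing statement open before the hunk.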
+++ b/docs/source/_static/managed-policies/AmazonConnectCampaignsServiceLinkedRolePolicy.json @@ -2,6 +2,7 @@ "Version": "2012-10-17", "Statement": [ { + "Sid": "ConnectCampaignAccess", "Effect": "Allow", "Action": [ "connect-campaigns:ListCampaigns" @@ -9,12 +10,72 @@ "Resource": "*" }, { + "Sid": "ConnectAccess", "Effect": "Allow", "Action": [ "connect:BatchPutContact", - "connect:StopContact" + "connect:StopContact", + "connect:DescribeContactFlow", + "connect:SendOutboundEmail" ], "Resource": "arn:aws:connect:*:*:instance/*" + }, + { + "Sid": "EventBridgeListRuleAccess", + "Effect": "Allow", + "Action": [ + "events:ListRules" + ], + "Resource": "arn:aws:events:*:*:rule/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "EventBridgeManagedResourceAccess", + "Effect": "Allow", + "Action": [ + "events:DeleteRule", + "events:PutRule", + "events:PutTargets", + "events:RemoveTargets" + ], + "Resource": "arn:aws:events:*:*:rule/ConnectCampaignsRule*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}", + "events:ManagedBy": "connect-campaigns.amazonaws.com" + } + } + }, + { + "Sid": "EventBridgeListTargetsByRuleAccess", + "Effect": "Allow", + "Action": [ + "events:ListTargetsByRule" + ], + "Resource": "arn:aws:events:*:*:rule/ConnectCampaignsRule*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "AllowWisdomForConnectCampaignsEnabledTaggedResources", + "Effect": "Allow", + "Action": [ + "wisdom:GetMessageTemplate", + "wisdom:RenderMessageTemplate" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/AmazonConnectCampaignsEnabled": "True" + } + } } ] } \ No newline at end of file 
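Review bot: `AllowWisdomForConnectCampaignsEnabledTaggedResources` is the one new statement in this file without an `aws:ResourceAccount` condition; it gates `wisdom:GetMessageTemplate` and `wisdom:RenderMessageTemplate` on `"Resource": "*"` solely by `aws:ResourceTag/AmazonConnectCampaignsEnabled` equalling `"True"`. `StringEquals` compares tag values case-sensitively, so resources tagged `true` or `TRUE` will not match; a one-line documentation note that the tag value must be the literal `True` would save operators a debugging round. Whether the missing account pin is intentional cannot be told from the diff and is worth checking against the upstream description.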
diff --git a/docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json b/docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json index 23b7686a4..5f5eb74ca 100644 --- a/docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json +++ b/docs/source/_static/managed-policies/AmazonConnectServiceLinkedRolePolicy.json @@ -77,7 +77,14 @@ "profile:ListCalculatedAttributeDefinitions", "profile:ListCalculatedAttributesForProfile", "profile:GetDomain", - "profile:ListIntegrations" + "profile:ListIntegrations", + "profile:ListSegmentDefinitions", + "profile:ListProfileAttributeValues", + "profile:CreateSegmentEstimate", + "profile:GetSegmentEstimate", + "profile:BatchGetProfile", + "profile:BatchGetCalculatedAttributeForProfile", + "profile:GetSegmentMembership" ], "Resource": "arn:aws:profile:*:*:domains/amazon-connect-*" }, @@ -86,7 +93,8 @@ "Effect": "Allow", "Action": [ "profile:ListProfileObjects", - "profile:GetProfileObjectType" + "profile:GetProfileObjectType", + "profile:ListObjectTypeAttributes" ], "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*" @@ -138,7 +146,21 @@ "wisdom:UpdateQuickResponse", "wisdom:DeleteQuickResponse", "wisdom:PutFeedback", - "wisdom:ListContentAssociations" + "wisdom:ListContentAssociations", + "wisdom:CreateMessageTemplate", + "wisdom:UpdateMessageTemplate", + "wisdom:UpdateMessageTemplateMetadata", + "wisdom:GetMessageTemplate", + "wisdom:DeleteMessageTemplate", + "wisdom:ListMessageTemplates", + "wisdom:SearchMessageTemplates", + "wisdom:ActivateMessageTemplate", + "wisdom:DeactivateMessageTemplate", + "wisdom:CreateMessageTemplateVersion", + "wisdom:ListMessageTemplateVersions", + "wisdom:CreateMessageTemplateAttachment", + "wisdom:DeleteMessageTemplateAttachment", + "wisdom:RenderMessageTemplate" ], "Resource": "*", "Condition": { 
@@ -170,6 +192,20 @@
 "arn:aws:profile:*:*:domains/amazon-connect-*/calculated-attributes/*"
 ]
 },
+ {
+ "Sid": "AllowCustomerProfilesSegmentationForConnectDomain",
+ "Effect": "Allow",
+ "Action": [
+ "profile:CreateSegmentDefinition",
+ "profile:GetSegmentDefinition",
+ "profile:DeleteSegmentDefinition",
+ "profile:CreateSegmentSnapshot",
+ "profile:GetSegmentSnapshot"
+ ],
+ "Resource": [
+ "arn:aws:profile:*:*:domains/amazon-connect-*/segment-definitions/*"
+ ]
+ },
 {
 "Sid": "AllowPutMetricsForConnectNamespace",
 "Effect": "Allow",
@@ -218,6 +254,88 @@ "Resource": [ "arn:aws:profile:*:*:domains/amazon-connect-*/object-types/*" ] + }, + { + "Sid": "AllowChimeSDKVoiceConnectorGetOperationForConnect", + "Effect": "Allow", + "Action": [ + "chime:GetVoiceConnector" + ], + "Resource": "arn:aws:chime:*:*:vc/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/AmazonConnectEnabled": "True", + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "AllowChimeSDKVoiceConnectorListOperationForConnect", + "Effect": "Allow", + "Action": [ + "chime:ListVoiceConnectors" + ], + "Resource": "arn:aws:chime:*:*:vc/*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "SESPermissionsForManagingReceiptRules", + "Effect": "Allow", + "Action": [ + "ses:DescribeReceiptRule", + "ses:UpdateReceiptRule" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "SESPermissionForManagingConnectProvidedSESIdentity", + "Effect": "Allow", + "Action": [ + "ses:DeleteEmailIdentity" + ], + "Resource": "arn:aws:ses:*:*:identity/*.email.connect.aws*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "SESConfigurationSetPermissionsForSendingEmail", + "Effect": "Allow", + "Action": [ + "ses:SendRawEmail" + ], + "Resource": "arn:aws:ses:*:*:configuration-set/configuration-set-for-connect-DO-NOT-DELETE", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + }, + { + "Sid": "PassRoleToSESForReceiptRuleManagement", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": [ + "arn:aws:iam::*:role/service-role/AmazonConnectEmailSESAccessRole" + ], + "Condition": { + "StringLike": { + "iam:PassedToService": "ses.amazonaws.com" + } + } } ] } \ No newline at end of file 
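Review bot: `SESPermissionsForManagingReceiptRules` grants `ses:UpdateReceiptRule` on `"Resource": "*"` constrained only by `aws:ResourceAccount`, whereas the sibling SES statements are pinned to a Connect-specific identity pattern (`*.email.connect.aws*`) and a named configuration set. Receipt rules decide where inbound mail for a domain is delivered, so this statement lets the service-linked role modify rules for any domain in the account rather than only Connect-managed ones; if the policy is mirrored verbatim this is a documentation point, but it is worth stating so operators know to watch `UpdateReceiptRule` events from this role in CloudTrail. Separately, `PassRoleToSESForReceiptRuleManagement` uses `StringLike` on `iam:PassedToService` with a value that contains no wildcard; `StringEquals` would express the same intent more strictly. The `Statement` array opens before the hunk.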
diff --git a/docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json
index 384a1f370..e76939b5a 100644
--- a/docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonConnectSynchronizationServiceRolePolicy.json
@@ -5,76 +5,56 @@ "Sid": "AllowConnectActions", "Effect": "Allow", "Action": [ - "connect:CreateUser*", - "connect:UpdateUser*", - "connect:DeleteUser*", - "connect:DescribeUser*", - "connect:ListUser*", - "connect:CreateRoutingProfile", - "connect:UpdateRoutingProfile*", - "connect:DeleteRoutingProfile", - "connect:DescribeRoutingProfile", - "connect:ListRoutingProfile*", - "connect:CreateAgentStatus", - "connect:UpdateAgentStatus", - "connect:DescribeAgentStatus", - "connect:ListAgentStatuses", - "connect:CreateQuickConnect", - "connect:UpdateQuickConnect*", - "connect:DeleteQuickConnect", - "connect:DescribeQuickConnect", - "connect:ListQuickConnects", - "connect:CreateHoursOfOperation", - "connect:UpdateHoursOfOperation", - "connect:DeleteHoursOfOperation", - "connect:DescribeHoursOfOperation", - "connect:ListHoursOfOperations", - "connect:CreateQueue", - "connect:UpdateQueue*", - "connect:DeleteQueue", - "connect:DescribeQueue", - "connect:ListQueue*", - "connect:CreatePrompt", - "connect:UpdatePrompt", - "connect:DeletePrompt", - "connect:DescribePrompt", - "connect:ListPrompts", - "connect:GetPromptFile", - "connect:CreateSecurityProfile", - "connect:UpdateSecurityProfile", - "connect:DeleteSecurityProfile", - "connect:DescribeSecurityProfile", - "connect:ListSecurityProfile*", - "connect:CreateContactFlow*", - "connect:UpdateContactFlow*", - "connect:DeleteContactFlow*", - "connect:DescribeContactFlow*", - "connect:ListContactFlow*", - "connect:BatchGetFlowAssociation", - "connect:CreatePredefinedAttribute", - "connect:UpdatePredefinedAttribute", - "connect:DeletePredefinedAttribute", - "connect:DescribePredefinedAttribute", - "connect:ListPredefinedAttributes", - "connect:ListTagsForResource", + "connect:Create*", + "connect:Update*", + "connect:Delete*", + "connect:Describe*", + "connect:List*", + "connect:Search*", + "connect:Associate*", + "connect:Disassociate*", + "connect:Get*", + "connect:BatchGet*", "connect:TagResource", - "connect:UntagResource", 
- "connect:ListTrafficDistributionGroups", - "connect:ListPhoneNumbersV2", - "connect:UpdatePhoneNumber", - "connect:DescribePhoneNumber", - "connect:AssociatePhoneNumberContactFlow", - "connect:DisassociatePhoneNumberContactFlow", - "connect:AssociateRoutingProfileQueues", - "connect:DisassociateQueueQuickConnects", - "connect:AssociateQueueQuickConnects", - "connect:DisassociateUserProficiencies", - "connect:AssociateUserProficiencies", - "connect:DisassociateRoutingProfileQueues", - "connect:CreateAuthenticationProfile", - "connect:UpdateAuthenticationProfile", - "connect:DescribeAuthenticationProfile", - "connect:ListAuthenticationProfiles" + "connect:UntagResource" + ], + "Resource": "*" + }, + { + "Sid": "DisallowedConnectActions", + "Effect": "Deny", + "Action": [ + "connect:Start*", + "connect:Stop*", + "connect:Resume*", + "connect:Suspend*", + "connect:*Contact", + "connect:SearchContacts", + "connect:*ContactAttributes*", + "connect:*RealtimeContact*", + "connect:*AnalyticsData*", + "connect:*MetricData*", + "connect:*UserData*", + "connect:*ContactEvaluation", + "connect:*AttachedFile*", + "connect:UpdateContactSchedule", + "connect:UpdateContactRoutingData", + "connect:ListContactReferences", + "connect:CreateParticipant", + "connect:CreatePersistentContactAssociation", + "connect:CreateInstance", + "connect:DeleteInstance", + "connect:ListInstances", + "connect:ReplicateInstance", + "connect:GetFederationToken", + "connect:ClaimPhoneNumber", + "connect:ImportPhoneNumber", + "connect:ReleasePhoneNumber", + "connect:SearchAvailablePhoneNumbers", + "connect:CreateTrafficDistributionGroup", + "connect:DeleteTrafficDistributionGroup", + "connect:GetTrafficDistribution", + "connect:UpdateTrafficDistribution" ], "Resource": "*" }, 
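Review bot: `AllowConnectActions` now grants `connect:Create*`, `Update*`, `Delete*`, `Describe*`, `List*`, `Search*`, `Associate*`, `Disassociate*`, `Get*` and `BatchGet*` on `"Resource": "*"` in place of the former explicit list, with a new `DisallowedConnectActions` Deny statement carving out exceptions. The boundary of this role is therefore defined by the Deny list, not the Allow list: any Connect action introduced later whose name begins with one of those verbs is granted automatically unless the Deny list is revised, and consumers that derive effective permissions from this snapshot must evaluate both statements together (`connect:DescribeContact`, for example, is matched by `Describe*` and then denied by `*Contact`). That inversion deserves a sentence in the documentation for this policy. The `{` that opens the `AllowConnectActions` statement sits before the hunk's first line.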
diff --git a/docs/source/_static/managed-policies/AmazonDataZoneBedrockModelConsumptionPolicy.json b/docs/source/_static/managed-policies/AmazonDataZoneBedrockModelConsumptionPolicy.json
new file mode 100644
index 000000000..e2fceb6c0
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonDataZoneBedrockModelConsumptionPolicy.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "InvokeDomainInferenceProfiles",
+ "Effect": "Allow",
+ "Action": [
+ "bedrock:InvokeModel",
+ "bedrock:InvokeModelWithResponseStream"
+ ],
+ "Resource": "arn:aws:bedrock:*:*:application-inference-profile/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/AmazonDataZoneDomain": "${datazone:domainId}",
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ },
+ "Null": {
+ "aws:ResourceTag/AmazonDataZoneProject": "true"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonDataZoneBedrockModelManagementPolicy.json b/docs/source/_static/managed-policies/AmazonDataZoneBedrockModelManagementPolicy.json
new file mode 100644
index 000000000..58faf4f9a
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonDataZoneBedrockModelManagementPolicy.json
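Review bot: `InvokeDomainInferenceProfiles` compares `aws:ResourceTag/AmazonDataZoneDomain` with the policy variable `${datazone:domainId}`; as documented for unresolved policy variables, a request whose context carries no `datazone:domainId` key does not match the condition, so sessions not issued through DataZone get nothing from this policy. That is presumably the intent, but it is non-obvious enough to deserve a sentence in the documentation. The `Null` test on `aws:ResourceTag/AmazonDataZoneProject` further limits invocation to inference profiles that carry no project tag, which reads as "domain-level profiles only"; confirm that wording against the upstream description before stating it.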
@@ -0,0 +1,73 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ManageApplicationInferenceProfile", + "Effect": "Allow", + "Action": [ + "bedrock:CreateInferenceProfile", + "bedrock:TagResource" + ], + "Resource": [ + "arn:aws:bedrock:*:*:application-inference-profile/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + }, + "ForAnyValue:StringEquals": { + "aws:TagKeys": [ + "AmazonDataZoneProject" + ] + }, + "Null": { + "aws:ResourceTag/AmazonDataZoneProject": "false", + "aws:RequestTag/AmazonDataZoneProject": "false" + } + } + }, + { + "Sid": "DeleteApplicationInferenceProfile", + "Effect": "Allow", + "Action": [ + "bedrock:DeleteInferenceProfile" + ], + "Resource": [ + "arn:aws:bedrock:*:*:application-inference-profile/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + }, + "Null": { + "aws:ResourceTag/AmazonDataZoneProject": "false" + } + } + }, + { + "Sid": "CreateApplicationInferenceProfileUsingFoundationModels", + "Effect": "Allow", + "Action": [ + "bedrock:CreateInferenceProfile" + ], + "Resource": [ + "arn:aws:bedrock:*::foundation-model/*" + ] + }, + { + "Sid": "CreateApplicationInferenceProfileUsingBedrockModels", + "Effect": "Allow", + "Action": [ + "bedrock:CreateInferenceProfile" + ], + "Resource": [ + "arn:aws:bedrock:*:*:inference-profile/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + } + } + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AmazonDataZoneRedshiftGlueProvisioningPolicy.json b/docs/source/_static/managed-policies/AmazonDataZoneRedshiftGlueProvisioningPolicy.json index 48c6b4831..46cd0ddbd 100644 --- a/docs/source/_static/managed-policies/AmazonDataZoneRedshiftGlueProvisioningPolicy.json +++ b/docs/source/_static/managed-policies/AmazonDataZoneRedshiftGlueProvisioningPolicy.json 
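Review bot: `ManageApplicationInferenceProfile` uses `ForAnyValue:StringEquals` on `aws:TagKeys` with the single key `AmazonDataZoneProject`, which only requires that key to be among the request's tag keys; combined with `bedrock:TagResource`, arbitrary additional tags may be attached to the profile, and the `Null: "false"` pair guarantees the project tag is present without fixing its value. If unrelated tag keys are meant to be excluded, `ForAllValues:StringEquals` is the usual form; if they are allowed by design, a note saying so would help readers who assume the stricter reading. `CreateApplicationInferenceProfileUsingFoundationModels` carries no condition at all, which is consistent with the public `foundation-model/*` ARN but stands out next to the account-pinned sibling statements.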
@@ -225,7 +225,8 @@
 "iam:DeletePolicy",
 "iam:CreatePolicy",
 "iam:GetPolicy",
- "iam:ListPolicyVersions"
+ "iam:ListPolicyVersions",
+ "iam:DeletePolicyVersion"
 ],
 "Resource": [
 "arn:aws:iam::*:policy/datazone*"
diff --git a/docs/source/_static/managed-policies/AmazonEC2ContainerRegistryPullOnly.json b/docs/source/_static/managed-policies/AmazonEC2ContainerRegistryPullOnly.json
new file mode 100644
index 000000000..9acc9bcec
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonEC2ContainerRegistryPullOnly.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchImportUpstreamImage"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json b/docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json
index 03f2f71cb..d4494b629 100644
--- a/docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json
+++ b/docs/source/_static/managed-policies/AmazonEC2RolePolicyForLaunchWizard.json
@@ -144,7 +144,8 @@
 "ssm:GetDocument"
 ],
 "Resource": [
- "arn:aws:ssm:*:*:document/AWSSAP-InstallBackint"
+ "arn:aws:ssm:*:*:document/AWSSAP-InstallBackint",
+ "arn:aws:ssm:*:*:document/AWSSAP-InstallBackintForAWSBackup"
 ]
 },
 {
diff --git a/docs/source/_static/managed-policies/AmazonECSInfrastructureRolePolicyForVolumes.json b/docs/source/_static/managed-policies/AmazonECSInfrastructureRolePolicyForVolumes.json
index f7e385d2d..2498d9afd 100644
--- a/docs/source/_static/managed-policies/AmazonECSInfrastructureRolePolicyForVolumes.json
+++ b/docs/source/_static/managed-policies/AmazonECSInfrastructureRolePolicyForVolumes.json
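Review bot: `AmazonEC2ContainerRegistryPullOnly` lists `ecr:BatchImportUpstreamImage` beside the three read actions. That action is what pull-through cache uses to populate a cache repository from an upstream registry, so a principal holding this "pull only" policy can cause images to be written into the account's cache repositories as a side effect of a pull; it is not a general push right, but readers comparing this policy with the existing read-only variant should be told the difference. A short description in the policy's documentation entry is enough; the JSON mirrors upstream and should not be edited.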
@@ -15,6 +15,12 @@
 }
 }
 },
+ {
+ "Sid": "CreateEBSManagedVolumeFromSnapshot",
+ "Effect": "Allow",
+ "Action": "ec2:CreateVolume",
+ "Resource": "arn:aws:ec2:*:*:snapshot/*"
+ },
 {
 "Sid": "TagOnCreateVolume",
 "Effect": "Allow",
diff --git a/docs/source/_static/managed-policies/AmazonECS_FullAccess.json b/docs/source/_static/managed-policies/AmazonECS_FullAccess.json
index fa569f519..04a08ee96 100644
--- a/docs/source/_static/managed-policies/AmazonECS_FullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonECS_FullAccess.json
@@ -2,6 +2,7 @@
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "ECSIntegrationsManagementPolicy",
 "Effect": "Allow",
 "Action": [
 "application-autoscaling:DeleteScalingPolicy",
@@ -124,6 +125,7 @@
 ]
 },
 {
+ "Sid": "SSMPolicy",
 "Effect": "Allow",
 "Action": [
 "ssm:GetParameter",
@@ -133,6 +135,7 @@
 "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs*"
 },
 {
+ "Sid": "ManagedCloudformationResourcesCleanupPolicy",
 "Effect": "Allow",
 "Action": [
 "ec2:DeleteInternetGateway",
@@ -150,6 +153,7 @@
 }
 },
 {
+ "Sid": "TasksPassRolePolicy",
 "Action": "iam:PassRole",
 "Effect": "Allow",
 "Resource": [
@@ -162,6 +166,20 @@
 }
 },
 {
+ "Sid": "InfrastructurePassRolePolicy",
+ "Action": "iam:PassRole",
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:iam::*:role/ecsInfrastructureRole"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": "ecs.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "InstancePassRolePolicy",
 "Action": "iam:PassRole",
 "Effect": "Allow",
 "Resource": [
@@ -177,6 +195,7 @@
 }
 },
 {
+ "Sid": "AutoScalingPassRolePolicy",
 "Action": "iam:PassRole",
 "Effect": "Allow",
 "Resource": [
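Review bot: `CreateEBSManagedVolumeFromSnapshot` allows `ec2:CreateVolume` against every snapshot ARN (`arn:aws:ec2:*:*:snapshot/*`) with no tag or account condition, while the volume side of the same call remains governed by the tag-conditioned statements whose closing braces form this hunk's leading context. A second, unconditioned resource statement is the usual shape for restoring from a snapshot, so the grant is probably necessary, but it does mean the infrastructure role can restore any snapshot visible to the account, and that is worth one sentence in the policy's documentation. The `InfrastructurePassRolePolicy` statement added to `AmazonECS_FullAccess` in the same line is, by contrast, tightly pinned to `arn:aws:iam::*:role/ecsInfrastructureRole` and `iam:PassedToService`.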
@@ -192,14 +211,15 @@
 }
 },
 {
+ "Sid": "ServiceLinkedRoleCreationPolicy",
 "Effect": "Allow",
 "Action": "iam:CreateServiceLinkedRole",
 "Resource": "*",
 "Condition": {
 "StringLike": {
 "iam:AWSServiceName": [
- "autoscaling.amazonaws.com",
 "ecs.amazonaws.com",
+ "autoscaling.amazonaws.com",
 "ecs.application-autoscaling.amazonaws.com",
 "spot.amazonaws.com",
 "spotfleet.amazonaws.com"
@@ -208,6 +228,7 @@
 }
 },
 {
+ "Sid": "ELBTaggingPolicy",
 "Effect": "Allow",
 "Action": [
 "elasticloadbalancing:AddTags"
diff --git a/docs/source/_static/managed-policies/AmazonEKSBlockStoragePolicy.json b/docs/source/_static/managed-policies/AmazonEKSBlockStoragePolicy.json
new file mode 100644
index 000000000..fd02a490f
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonEKSBlockStoragePolicy.json
@@ -0,0 +1,91 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:DetachVolume", + "ec2:ModifyVolume", + "ec2:EnableFastSnapshotRestores" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": "ec2:CreateTags", + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateVolume", + "CreateSnapshot" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateVolume" + ], + "Resource": "arn:aws:ec2:*:*:volume/*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "ForAllValues:StringLike": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "CSIVolumeName", + "ebs.csi.eks.amazonaws.com/cluster", + "kubernetes.io/cluster/*", + "kubernetes.io/created-for/*", + "Name", + "KubernetesCluster" + ] + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateVolume" + ], + "Resource": "arn:aws:ec2:*:*:snapshot/*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateSnapshot" + ], + "Resource": "arn:aws:ec2:*:*:volume/*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateSnapshot" + ], + "Resource": "arn:aws:ec2:*:*:snapshot/*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "ForAllValues:StringLike": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "CSIVolumeSnapshotName", + "ebs.csi.eks.amazonaws.com/cluster", + "kubernetes.io/cluster/*", + "Name" + ] + } + } + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AmazonEKSClusterPolicy.json b/docs/source/_static/managed-policies/AmazonEKSClusterPolicy.json index 09fa0e9fd..7b4347503 100644 --- a/docs/source/_static/managed-policies/AmazonEKSClusterPolicy.json 
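Review bot: The tag scoping in `AmazonEKSBlockStoragePolicy` is asymmetric: `ec2:CreateVolume` on `volume/*` and `ec2:CreateSnapshot` on `snapshot/*` require `aws:RequestTag/eks:eks-cluster-name` to equal the principal's cluster tag, but the companion statements `ec2:CreateVolume` on `arn:aws:ec2:*:*:snapshot/*` and `ec2:CreateSnapshot` on `arn:aws:ec2:*:*:volume/*` carry no condition at all. Read together, a principal tagged for one cluster may snapshot any volume in the account or restore any snapshot, so long as the resulting resource is tagged for its own cluster; by contrast the first statement's `AttachVolume`, `DetachVolume` and `ModifyVolume` are correctly limited by `aws:ResourceTag`. Whether the source side is left open by upstream design (source volumes and snapshots often lack the cluster tag) or should be tightened with an `aws:ResourceTag/eks:eks-cluster-name` condition is a question for the policy owner; for this mirror, a documentation sentence describing the asymmetry is the actionable part.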
+++ b/docs/source/_static/managed-policies/AmazonEKSClusterPolicy.json
@@ -32,6 +32,7 @@
 "ec2:DescribeAccountAttributes",
 "ec2:DescribeAddresses",
 "ec2:DescribeInternetGateways",
+ "ec2:DescribeInstanceTopology",
 "elasticloadbalancing:AddTags",
 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 "elasticloadbalancing:AttachLoadBalancerToSubnets",
diff --git a/docs/source/_static/managed-policies/AmazonEKSComputePolicy.json b/docs/source/_static/managed-policies/AmazonEKSComputePolicy.json
new file mode 100644
index 000000000..66f8c0510
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonEKSComputePolicy.json
@@ -0,0 +1,88 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:CreateFleet", + "ec2:RunInstances" + ], + "Resource": [ + "arn:aws:ec2:*::image/*", + "arn:aws:ec2:*:*:security-group/*", + "arn:aws:ec2:*:*:subnet/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateFleet", + "ec2:RunInstances" + ], + "Resource": "arn:aws:ec2:*:*:launch-template/*", + "Condition": { + "StringEquals": { + "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateFleet", + "ec2:RunInstances", + "ec2:CreateLaunchTemplate" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}" + }, + "StringLike": { + "aws:RequestTag/eks:kubernetes-node-class-name": "*", + "aws:RequestTag/eks:kubernetes-node-pool-name": "*" + }, + "ForAllValues:StringLike": { + "aws:TagKeys": [ + "eks:eks-cluster-name", + "eks:kubernetes-node-class-name", + "eks:kubernetes-node-pool-name", + "kubernetes.io/cluster/*" + ] + } + } + }, + { + "Effect": "Allow", + "Action": "ec2:CreateTags", + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:CreateAction": [ + "CreateFleet", + "RunInstances", + "CreateLaunchTemplate" + ] + } + } + }, + { + "Effect": "Allow", + "Action": "iam:AddRoleToInstanceProfile", + "Resource": "arn:aws:iam::*:instance-profile/eks*" + }, + { + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:PassedToService": [ + "ec2.amazonaws.com", + "ec2.amazonaws.com.cn" + ] + } + } + } + ] +} \ No newline at end of file diff --git a/docs/source/_static/managed-policies/AmazonEKSLoadBalancingPolicy.json b/docs/source/_static/managed-policies/AmazonEKSLoadBalancingPolicy.json new file mode 100644 index 000000000..fb992016e --- /dev/null +++ b/docs/source/_static/managed-policies/AmazonEKSLoadBalancingPolicy.json 
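Review bot: The final statement of `AmazonEKSComputePolicy` allows `iam:PassRole` on `"Resource": "*"` with `iam:PassedToService` as the only condition, so any role in the account that can be assumed by EC2 may be handed to instances launched under this policy; the neighbouring `iam:AddRoleToInstanceProfile` is narrowed to `arn:aws:iam::*:instance-profile/eks*` and the launch statements are narrowed by the `eks:eks-cluster-name` tag, which leaves the unscoped PassRole as the widest grant in the file. If upstream intentionally leaves it open, the documentation for this policy should say that the `instance-profile/eks*` pattern does not constrain which role is passed and that node roles need their own guard (a permissions boundary or a restrictive trust policy). The unconditioned `ec2:RunInstances`/`ec2:CreateFleet` statement over `image/*`, `security-group/*` and `subnet/*` is the conventional shape for those resource types and needs no note.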
@@ -0,0 +1,231 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateRule",
+ "ec2:CreateSecurityGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "eks:eks-cluster-name",
+ "ingress.eks.amazonaws.com/stack",
+ "ingress.eks.amazonaws.com/resource",
+ "service.eks.amazonaws.com/stack",
+ "service.eks.amazonaws.com/resource"
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateSecurityGroup"
+ ],
+ "Resource": "arn:aws:ec2:*:*:vpc/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:RegisterTargets"
+ ],
+ "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress"
+ ],
+ "Resource": "arn:aws:ec2:*:*:security-group-rule/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
+ "Condition": {
+ "StringLike": {
+ "aws:ResourceTag/Name": "eks-cluster-sg*"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddTags"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "elasticloadbalancing:CreateAction": [
+ "CreateLoadBalancer",
+ "CreateTargetGroup",
+ "CreateListener",
+ "CreateRule"
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "ec2:CreateAction": [
+ "CreateSecurityGroup",
+ "AuthorizeSecurityGroupIngress"
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:SetIpAddressType",
+ "elasticloadbalancing:SetSecurityGroups",
+ "elasticloadbalancing:SetSubnets",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:AddListenerCertificates",
+ "elasticloadbalancing:ModifyListenerAttributes",
+ "elasticloadbalancing:RemoveListenerCertificates",
+ "elasticloadbalancing:ModifyRule"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "wafv2:AssociateWebACL",
+ "wafv2:DisassociateWebACL"
+ ],
+ "Resource": [
+ "arn:aws:wafv2:*:*:*/webacl/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "shield:CreateProtection"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "eks:eks-cluster-name",
+ "ingress.eks.amazonaws.com/stack",
+ "ingress.eks.amazonaws.com/resource",
+ "service.eks.amazonaws.com/stack",
+ "service.eks.amazonaws.com/resource"
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "shield:DeleteProtection"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "shield:TagResource"
+ ],
+ "Resource": "arn:aws:shield::*:protection/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "eks:eks-cluster-name",
+ "ingress.eks.amazonaws.com/stack",
+ "ingress.eks.amazonaws.com/resource",
+ "service.eks.amazonaws.com/stack",
+ "service.eks.amazonaws.com/resource"
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cognito-idp:DescribeUserPoolClient",
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "elasticloadbalancing:SetWebAcl",
+ "elasticloadbalancing:DescribeTargetGroups"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateServiceLinkedRole"
+ ],
+ "Resource": "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
+ "Condition": {
+ "StringEquals": {
+ "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonEKSLocalOutpostClusterPolicy.json b/docs/source/_static/managed-policies/AmazonEKSLocalOutpostClusterPolicy.json
index b66f7e2a2..852bfe238 100644
--- a/docs/source/_static/managed-policies/AmazonEKSLocalOutpostClusterPolicy.json
+++ b/docs/source/_static/managed-policies/AmazonEKSLocalOutpostClusterPolicy.json
@@ -9,6 +9,7 @@
 "ec2:DescribeTags",
 "ec2:DescribeNetworkInterfaces",
 "ec2:DescribeInstanceTypes",
+ "ec2:DescribeAvailabilityZones",
 "ec2messages:AcknowledgeMessage",
 "ec2messages:DeleteMessage",
 "ec2messages:FailMessage",
diff --git a/docs/source/_static/managed-policies/AmazonEKSNetworkingPolicy.json b/docs/source/_static/managed-policies/AmazonEKSNetworkingPolicy.json
new file mode 100644
index 000000000..00dcffaf5
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonEKSNetworkingPolicy.json
@@ -0,0 +1,59 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "ec2:CreateNetworkInterface",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ },
+ "StringLike": {
+ "aws:RequestTag/eks:kubernetes-cni-node-name": "*"
+ },
+ "ForAllValues:StringEquals": {
+ "aws:TagKeys": [
+ "eks:eks-cluster-name",
+ "eks:kubernetes-cni-node-name"
+ ]
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:CreateNetworkInterface",
+ "Resource": [
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*:*:subnet/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ec2:CreateTags",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "ec2:CreateAction": "CreateNetworkInterface"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AttachNetworkInterface",
+ "ec2:DetachNetworkInterface",
+ "ec2:UnassignPrivateIpAddresses",
+ "ec2:UnassignIpv6Addresses",
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:AssignIpv6Addresses"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonEKSServicePolicy.json b/docs/source/_static/managed-policies/AmazonEKSServicePolicy.json
index 0fdee77d0..278770f2b 100644
--- a/docs/source/_static/managed-policies/AmazonEKSServicePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonEKSServicePolicy.json
@@ -15,7 +15,8 @@
 "ec2:DescribeVpcs",
 "ec2:ModifyNetworkInterfaceAttribute",
 "iam:ListAttachedRolePolicies",
- "eks:UpdateClusterVersion"
+ "eks:UpdateClusterVersion",
+ "ec2:GetSecurityGroupsForVpc"
 ],
 "Resource": "*"
 },
@@ -30,6 +31,20 @@
 "arn:aws:ec2:*:*:subnet/*"
 ]
 },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:network-interface/*"
+ ],
+ "Condition": {
+ "StringLike": {
+ "aws:RequestTag/Name": "eks-cluster-*"
+ }
+ }
+ },
 {
 "Effect": "Allow",
 "Action": "route53:AssociateVPCWithHostedZone",
@@ -56,7 +71,7 @@
 {
 "Effect": "Allow",
 "Action": "iam:CreateServiceLinkedRole",
- "Resource": "*",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS",
 "Condition": {
 "StringLike": {
 "iam:AWSServiceName": "eks.amazonaws.com"
diff --git a/docs/source/_static/managed-policies/AmazonEKSServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonEKSServiceRolePolicy.json
index bbffa3baf..95daf9be0 100644
--- a/docs/source/_static/managed-policies/AmazonEKSServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonEKSServiceRolePolicy.json
@@ -15,7 +15,8 @@
 "ec2:DescribeVpcs",
 "ec2:CreateNetworkInterfacePermission",
 "iam:ListAttachedRolePolicies",
- "ec2:CreateSecurityGroup"
+ "ec2:CreateSecurityGroup",
+ "ec2:GetSecurityGroupsForVpc"
 ],
 "Resource": "*"
 },
@@ -28,7 +29,7 @@
 ],
 "Resource": "arn:aws:ec2:*:*:security-group/*",
 "Condition": {
- "ForAnyValue:StringLike": {
+ "StringLike": {
 "ec2:ResourceTag/Name": "eks-cluster-sg*"
 }
 }
@@ -41,7 +42,9 @@
 ],
 "Resource": [
 "arn:aws:ec2:*:*:vpc/*",
- "arn:aws:ec2:*:*:subnet/*"
+ "arn:aws:ec2:*:*:subnet/*",
+ "arn:aws:ec2:*:*:network-interface/*",
+ "arn:aws:ec2:*:*:security-group/*"
 ],
 "Condition": {
 "ForAnyValue:StringLike": {
@@ -58,14 +61,12 @@
 "ec2:DeleteTags"
 ],
 "Resource": [
- "arn:aws:ec2:*:*:security-group/*"
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*:*:network-interface/*"
 ],
 "Condition": {
- "ForAnyValue:StringLike": {
- "aws:TagKeys": [
- "kubernetes.io/cluster/*"
- ],
- "aws:RequestTag/Name": "eks-cluster-sg*"
+ "StringLike": {
+ "aws:RequestTag/Name": "eks-cluster-*"
+ }
+ }
+ },
@@ -91,6 +92,16 @@
 "Effect": "Allow",
 "Action": "logs:PutLogEvents",
 "Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*:*:*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "cloudwatch:PutMetricData",
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "cloudwatch:namespace": "AWS/EKS"
+ }
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonEKSWorkerNodeMinimalPolicy.json b/docs/source/_static/managed-policies/AmazonEKSWorkerNodeMinimalPolicy.json
new file mode 100644
index 000000000..2a73cac49
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonEKSWorkerNodeMinimalPolicy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "WorkerNodePermissions",
+ "Effect": "Allow",
+ "Action": [
+ "eks-auth:AssumeRoleForPodIdentity"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonElasticFileSystemFullAccess.json b/docs/source/_static/managed-policies/AmazonElasticFileSystemFullAccess.json
index ae5a5340b..5fe7d15c6 100644
--- a/docs/source/_static/managed-policies/AmazonElasticFileSystemFullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonElasticFileSystemFullAccess.json
@@ -2,6 +2,8 @@
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "ElasticFileSystemFullAccess",
+ "Effect": "Allow",
 "Action": [
 "cloudwatch:DescribeAlarmsForMetric",
 "cloudwatch:GetMetricData",
@@ -48,17 +50,17 @@
 "elasticfilesystem:ListTagsForResource",
 "elasticfilesystem:Backup",
 "elasticfilesystem:Restore",
+ "elasticfilesystem:ReplicationRead",
+ "elasticfilesystem:ReplicationWrite",
 "kms:DescribeKey",
 "kms:ListAliases"
 ],
- "Sid": "ElasticFileSystemFullAccess",
- "Effect": "Allow",
 "Resource": "*"
 },
 {
- "Action": "iam:CreateServiceLinkedRole",
 "Sid": "CreateServiceLinkedRoleForEFS",
 "Effect": "Allow",
+ "Action": "iam:CreateServiceLinkedRole",
 "Resource": "*",
 "Condition": {
 "StringEquals": {
@@ -67,6 +69,17 @@
 ]
 }
 }
+ },
+ {
+ "Sid": "IAMPassRoleAccessForEFS",
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": "arn:aws:iam::*:role/*",
+ "Condition": {
+ "StringLike": {
+ "iam:PassedToService": "elasticfilesystem.amazonaws.com"
+ }
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json b/docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
index b395c450c..bba87514c 100644
--- a/docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
@@ -2,6 +2,7 @@
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "ElasticFileSystemReadOnlyAccess",
 "Effect": "Allow",
 "Action": [
 "cloudwatch:DescribeAlarmsForMetric",
@@ -24,6 +25,7 @@
 "elasticfilesystem:DescribeAccessPoints",
 "elasticfilesystem:DescribeReplicationConfigurations",
 "elasticfilesystem:ListTagsForResource",
+ "elasticfilesystem:ReplicationRead",
 "kms:ListAliases"
 ],
 "Resource": "*"
diff --git a/docs/source/_static/managed-policies/AmazonElasticFileSystemServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonElasticFileSystemServiceRolePolicy.json
index 49f383953..3ea839639 100644
--- a/docs/source/_static/managed-policies/AmazonElasticFileSystemServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonElasticFileSystemServiceRolePolicy.json
@@ -76,7 +76,9 @@
 "elasticfilesystem:DescribeFileSystems",
 "elasticfilesystem:CreateReplicationConfiguration",
 "elasticfilesystem:DescribeReplicationConfigurations",
- "elasticfilesystem:DeleteReplicationConfiguration"
+ "elasticfilesystem:DeleteReplicationConfiguration",
+ "elasticfilesystem:ReplicationRead",
+ "elasticfilesystem:ReplicationWrite"
 ],
 "Resource": "*"
 }
diff --git a/docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
index 24ef613ba..a25004544 100644
--- a/docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
@@ -27,6 +27,7 @@
 "eks:ListClusters",
 "eks:DescribeCluster",
 "ec2:DescribeVpcEndpointServices",
+ "ec2:DescribeVpcs",
 "ec2:DescribeSecurityGroups",
 "ecs:ListClusters",
 "ecs:DescribeClusters"
diff --git a/docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
index 43107177c..854ba542a 100644
--- a/docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
@@ -93,6 +93,7 @@
 "lambda:ListFunctions",
 "lambda:GetFunction",
 "lambda:GetLayerVersion",
+ "lambda:ListTags",
 "cloudwatch:GetMetricData"
 ],
 "Resource": "*"
diff --git a/docs/source/_static/managed-policies/AmazonODBServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonODBServiceRolePolicy.json
new file mode 100644
index 000000000..67eba0e52
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonODBServiceRolePolicy.json
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "CloudWatch",
+ "Effect": "Allow",
+ "Action": [
+ "cloudwatch:PutMetricData"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "cloudwatch:namespace": [
+ "AWS/ODB"
+ ]
+ }
+ }
+ },
+ {
+ "Sid": "EC2",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeAvailabilityZones"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
index e2930914c..f1fad98cb 100644
--- a/docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonOpenSearchServiceRolePolicy.json
@@ -126,7 +126,10 @@
 "Resource": "*",
 "Condition": {
 "StringEquals": {
- "cloudwatch:namespace": "AWS/ES"
+ "cloudwatch:namespace": [
+ "AWS/ES",
+ "AWS/OpenSearch"
+ ]
 }
 }
 },
diff --git a/docs/source/_static/managed-policies/AmazonQDeveloperAccess.json b/docs/source/_static/managed-policies/AmazonQDeveloperAccess.json
index 47a6de652..91d37e070 100644
--- a/docs/source/_static/managed-policies/AmazonQDeveloperAccess.json
+++ b/docs/source/_static/managed-policies/AmazonQDeveloperAccess.json
@@ -14,7 +14,9 @@
 "q:StartTroubleshootingResolutionExplanation",
 "q:GetTroubleshootingResults",
 "q:UpdateTroubleshootingCommandResult",
- "q:GetIdentityMetaData"
+ "q:GetIdentityMetaData",
+ "q:GenerateCodeFromCommands",
+ "q:UsePlugin"
 ],
 "Resource": "*"
 },
diff --git a/docs/source/_static/managed-policies/AmazonQFullAccess.json b/docs/source/_static/managed-policies/AmazonQFullAccess.json
index 104280a45..931c1907e 100644
--- a/docs/source/_static/managed-policies/AmazonQFullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonQFullAccess.json
@@ -16,7 +16,17 @@
 "q:UpdateTroubleshootingCommandResult",
 "q:GetIdentityMetadata",
 "q:CreateAssignment",
- "q:DeleteAssignment"
+ "q:DeleteAssignment",
+ "q:GenerateCodeFromCommands",
+ "q:CreatePlugin",
+ "q:DeletePlugin",
+ "q:GetPlugin",
+ "q:UsePlugin",
+ "q:ListPlugins",
+ "q:ListPluginProviders",
+ "q:ListTagsForResource",
+ "q:UntagResource",
+ "q:TagResource"
 ],
 "Resource": "*"
 },
@@ -36,6 +46,21 @@
 "sts:SetContext"
 ],
 "Resource": "arn:aws:sts::*:self"
+ },
+ {
+ "Sid": "AllowPassRoleToAmazonQ",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": "arn:aws:iam::*:role/*",
+ "Condition": {
+ "StringEquals": {
+ "iam:PassedToService": [
+ "q.amazonaws.com"
+ ]
+ }
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
index bba51e8c0..2945d0cdd 100644
--- a/docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonRDSBetaServiceRolePolicy.json
@@ -38,13 +38,6 @@
 ],
 "Resource": "*"
 },
- {
- "Effect": "Allow",
- "Action": [
- "sns:Publish"
- ],
- "Resource": "*"
- },
 {
 "Effect": "Allow",
 "Action": [
diff --git a/docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
index 3053bc56b..129aeed6e 100644
--- a/docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
+++ b/docs/source/_static/managed-policies/AmazonRDSPreviewServiceRolePolicy.json
@@ -41,13 +41,6 @@
 ],
 "Resource": "*"
 },
- {
- "Effect": "Allow",
- "Action": [
- "sns:Publish"
- ],
- "Resource": "*"
- },
 {
 "Effect": "Allow",
 "Action": [
diff --git a/docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json b/docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
index d8026e13d..b50711691 100644
--- a/docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonRoute53ProfilesFullAccess.json
@@ -13,11 +13,13 @@
 "route53profiles:DisassociateResourceFromProfile",
 "route53profiles:GetProfile",
 "route53profiles:GetProfileAssociation",
+ "route53profiles:GetProfilePolicy",
 "route53profiles:GetProfileResourceAssociation",
 "route53profiles:ListProfileAssociations",
 "route53profiles:ListProfileResourceAssociations",
 "route53profiles:ListProfiles",
 "route53profiles:ListTagsForResource",
+ "route53profiles:PutProfilePolicy",
 "route53profiles:TagResource",
 "route53profiles:UntagResource",
 "route53profiles:UpdateProfileResourceAssociation",
diff --git a/docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json b/docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
index e3c761761..a9568aced 100644
--- a/docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/AmazonRoute53ProfilesReadOnlyAccess.json
@@ -7,6 +7,7 @@
 "Action": [
 "route53profiles:GetProfile",
 "route53profiles:GetProfileAssociation",
+ "route53profiles:GetProfilePolicy",
 "route53profiles:GetProfileResourceAssociation",
 "route53profiles:ListProfileAssociations",
 "route53profiles:ListProfileResourceAssociations",
diff --git a/docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json b/docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
index 2ee114cbd..1e86a8293 100644
--- a/docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonRoute53ResolverFullAccess.json
@@ -2,6 +2,7 @@
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "AmazonRoute53ResolverFullAccess",
 "Effect": "Allow",
 "Action": [
 "route53resolver:*",
diff --git a/docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json b/docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
index 61b9adb16..064d2e13c 100644
--- a/docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/AmazonRoute53ResolverReadOnlyAccess.json
@@ -2,6 +2,7 @@
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "AmazonRoute53ResolverReadOnlyAccess",
 "Effect": "Allow",
 "Action": [
 "route53resolver:Get*",
diff --git a/docs/source/_static/managed-policies/AmazonSNSFullAccess.json b/docs/source/_static/managed-policies/AmazonSNSFullAccess.json
index af3485769..407556762 100644
--- a/docs/source/_static/managed-policies/AmazonSNSFullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonSNSFullAccess.json
@@ -2,11 +2,34 @@
 "Version": "2012-10-17",
 "Statement": [
 {
- "Action": [
- "sns:*"
- ],
+ "Sid": "SNSFullAccess",
 "Effect": "Allow",
+ "Action": "sns:*",
 "Resource": "*"
+ },
+ {
+ "Sid": "SMSAccessViaSNS",
+ "Effect": "Allow",
+ "Action": [
+ "sms-voice:DescribeVerifiedDestinationNumbers",
+ "sms-voice:CreateVerifiedDestinationNumber",
+ "sms-voice:SendDestinationNumberVerificationCode",
+ "sms-voice:SendTextMessage",
+ "sms-voice:DeleteVerifiedDestinationNumber",
+ "sms-voice:VerifyDestinationNumber",
+ "sms-voice:DescribeAccountAttributes",
+ "sms-voice:DescribeSpendLimits",
+ "sms-voice:DescribePhoneNumbers",
+ "sms-voice:SetTextMessageSpendLimitOverride",
+ "sms-voice:DescribeOptedOutNumbers",
+ "sms-voice:DeleteOptedOutNumber"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:CalledViaLast": "sns.amazonaws.com"
+ }
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json b/docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json
index 461123091..c12ad4eb0 100644
--- a/docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/AmazonSNSReadOnlyAccess.json
@@ -2,12 +2,37 @@
 "Version": "2012-10-17",
 "Statement": [
 {
+ "Sid": "SNSReadOnlyAccess",
 "Effect": "Allow",
 "Action": [
 "sns:GetTopicAttributes",
- "sns:List*"
+ "sns:List*",
+ "sns:CheckIfPhoneNumberIsOptedOut",
+ "sns:GetEndpointAttributes",
+ "sns:GetDataProtectionPolicy",
+ "sns:GetPlatformApplicationAttributes",
+ "sns:GetSMSAttributes",
+ "sns:GetSMSSandboxAccountStatus",
+ "sns:GetSubscriptionAttributes"
 ],
 "Resource": "*"
+ },
+ {
+ "Sid": "SMSAccessViaSNS",
+ "Effect": "Allow",
+ "Action": [
+ "sms-voice:DescribeVerifiedDestinationNumbers",
+ "sms-voice:DescribeAccountAttributes",
+ "sms-voice:DescribeSpendLimits",
+ "sms-voice:DescribePhoneNumbers",
+ "sms-voice:DescribeOptedOutNumbers"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:CalledViaLast": "sns.amazonaws.com"
+ }
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json b/docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
index 39cb804f3..c5d25e1d8 100644
--- a/docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonSageMakerCanvasDataPrepFullAccess.json
@@ -391,7 +391,10 @@
 "Sid": "IAMPassOperationForEMRServerless",
 "Effect": "Allow",
 "Action": "iam:PassRole",
- "Resource": "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
+ "Resource": [
+ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
+ "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
+ ],
 "Condition": {
 "StringEquals": {
 "iam:PassedToService": "emr-serverless.amazonaws.com",
diff --git a/docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json b/docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
index bd3b06e62..4844f17e2 100644
--- a/docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonSageMakerCanvasFullAccess.json
@@ -512,7 +512,10 @@
 "Sid": "IAMPassOperationForEMRServerless",
 "Effect": "Allow",
 "Action": "iam:PassRole",
- "Resource": "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
+ "Resource": [
+ "arn:aws:iam::*:role/service-role/AmazonSageMakerCanvasEMRSExecutionAccess-*",
+ "arn:aws:iam::*:role/AmazonSageMakerCanvasEMRSExecutionAccess-*"
+ ],
 "Condition": {
 "StringEquals": {
 "iam:PassedToService": "emr-serverless.amazonaws.com",
diff --git a/docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
new file mode 100644
index 000000000..b24698231
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonSageMakerHyperPodServiceRolePolicy.json
@@ -0,0 +1,43 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "EKSClusterDescribePermissions",
+ "Effect": "Allow",
+ "Action": "eks:DescribeCluster",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ }
+ },
+ {
+ "Sid": "CloudWatchLogGroupPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogGroup"
+ ],
+ "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ }
+ },
+ {
+ "Sid": "CloudWatchLogStreamPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/Clusters/*:log-stream:*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonTimestreamInfluxDBFullAccess.json b/docs/source/_static/managed-policies/AmazonTimestreamInfluxDBFullAccess.json
index d421e288e..664533f4e 100644
--- a/docs/source/_static/managed-policies/AmazonTimestreamInfluxDBFullAccess.json
+++ b/docs/source/_static/managed-policies/AmazonTimestreamInfluxDBFullAccess.json
@@ -38,7 +38,8 @@
 "Action": [
 "ec2:DescribeSubnets",
 "ec2:DescribeVpcs",
- "ec2:DescribeSecurityGroups"
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeRouteTables"
 ],
 "Resource": [
 "*"
diff --git a/docs/source/_static/managed-policies/AmazonVerifiedPermissionsFullAccess.json b/docs/source/_static/managed-policies/AmazonVerifiedPermissionsFullAccess.json
new file mode 100644
index 000000000..a0ed70bac
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonVerifiedPermissionsFullAccess.json
@@ -0,0 +1,24 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AccountLevelPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "verifiedpermissions:CreatePolicyStore",
+ "verifiedpermissions:ListPolicyStores"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "PolicyStoreLevelPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "verifiedpermissions:*"
+ ],
+ "Resource": [
+ "arn:aws:verifiedpermissions::*:policy-store/*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonVerifiedPermissionsReadOnlyAccess.json b/docs/source/_static/managed-policies/AmazonVerifiedPermissionsReadOnlyAccess.json
new file mode 100644
index 000000000..de880e18e
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonVerifiedPermissionsReadOnlyAccess.json
@@ -0,0 +1,32 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AccountLevelPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "verifiedpermissions:ListPolicyStores"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "PolicyStoreLevelPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "verifiedpermissions:GetIdentitySource",
+ "verifiedpermissions:GetPolicy",
+ "verifiedpermissions:GetPolicyStore",
+ "verifiedpermissions:GetPolicyTemplate",
+ "verifiedpermissions:GetSchema",
+ "verifiedpermissions:IsAuthorized",
+ "verifiedpermissions:IsAuthorizedWithToken",
+ "verifiedpermissions:ListIdentitySources",
+ "verifiedpermissions:ListPolicies",
+ "verifiedpermissions:ListPolicyTemplates"
+ ],
+ "Resource": [
+ "arn:aws:verifiedpermissions::*:policy-store/*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json b/docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
new file mode 100644
index 000000000..36f11a840
--- /dev/null
+++ b/docs/source/_static/managed-policies/AmazonWorkSpacesThinClientFullAccess.json
@@ -0,0 +1,39 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowThinClientFullAccess",
+ "Effect": "Allow",
+ "Action": [
+ "thinclient:*"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowWorkSpacesAccess",
+ "Effect": "Allow",
+ "Action": [
+ "workspaces:DescribeWorkspaceDirectories"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowWorkSpacesWebAccess",
+ "Effect": "Allow",
+ "Action": [
+ "workspaces-web:GetPortal",
+ "workspaces-web:GetUserSettings",
+ "workspaces-web:ListPortals"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAppStreamAccess",
+ "Effect": "Allow",
+ "Action": [
+ "appstream:DescribeStacks"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json b/docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
index 95d20e06b..1018dc30a 100644
--- a/docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/AmazonWorkSpacesThinClientReadOnlyAccess.json
@@ -5,16 +5,42 @@
 "Sid": "AllowThinClientReadAccess",
 "Effect": "Allow",
 "Action": [
- "thinclient:GetEnvironment",
- "thinclient:ListEnvironments",
 "thinclient:GetDevice",
+ "thinclient:GetEnvironment",
+ "thinclient:GetSoftwareSet",
 "thinclient:ListDevices",
 "thinclient:ListDeviceSessions",
- "thinclient:GetSoftwareSet",
+ "thinclient:ListEnvironments",
 "thinclient:ListSoftwareSets",
 "thinclient:ListTagsForResource"
 ],
- "Resource": "arn:aws:thinclient:*:*:*"
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowWorkSpacesAccess",
+ "Effect": "Allow",
+ "Action": [
+ "workspaces:DescribeWorkspaceDirectories"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowWorkSpacesWebAccess",
+ "Effect": "Allow",
+ "Action": [
+ "workspaces-web:GetPortal",
+ "workspaces-web:GetUserSettings",
+ "workspaces-web:ListPortals"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAppStreamAccess",
+ "Effect": "Allow",
+ "Action": [
+ "appstream:DescribeStacks"
+ ],
+ "Resource": "*"
 }
 ]
 }
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json b/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
index 85e69d1b3..3f2d477f6 100644
--- a/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
+++ b/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookPolicy.json
@@ -21,6 +21,20 @@
 }
 }
 },
+ {
+ "Sid": "AllowGlueTaggingAction",
+ "Effect": "Allow",
+ "Action": [
+ "glue:TagResource"
+ ],
+ "Resource": "arn:aws:glue:*:*:session/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}",
+ "aws:RequestTag/owner": "${aws:PrincipalTag/owner}"
+ }
+ }
+ },
 {
 "Sid": "NotebookAllowActions1",
 "Effect": "Allow",
@@ -67,7 +81,6 @@
 "Sid": "NotebookDenyActions",
 "Effect": "Deny",
 "Action": [
- "glue:TagResource",
 "glue:UntagResource",
 "tag:TagResources",
 "tag:UntagResources"
@@ -90,7 +103,8 @@
 "iam:PassRole"
 ],
 "Resource": [
- "arn:aws:iam::*:role/service-role/AwsGlueSessionServiceRoleUserRestrictedForNotebook*"
+ "arn:aws:iam::*:role/service-role/AwsGlueSessionServiceRoleUserRestrictedForNotebook*",
+ "arn:aws:iam::*:role/AwsGlueSessionUserRestrictedNotebookServiceRole*"
 ],
 "Condition": {
 "StringLike": {
diff --git a/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json b/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
index 53d2d03c8..114f0585a 100644
--- a/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
+++ b/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedNotebookServiceRole.json
@@ -40,6 +40,20 @@
 }
 }
 },
+ {
+ "Sid": "AllowGlueTaggingAction",
+ "Effect": "Allow",
+ "Action": [
+ "glue:TagResource"
+ ],
+ "Resource": "arn:aws:glue:*:*:session/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}",
+ "aws:RequestTag/owner": "${aws:PrincipalTag/owner}"
+ }
+ }
+ },
 {
 "Effect": "Allow",
 "Action": [
@@ -72,7 +86,6 @@
 {
 "Effect": "Deny",
 "Action": [
- "glue:TagResource",
 "glue:UntagResource",
 "tag:TagResources",
 "tag:UntagResources"
diff --git a/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json b/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
index 0dd1a8bb1..f475fa9f1 100644
--- a/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
+++ b/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedPolicy.json
@@ -21,6 +21,20 @@
 }
 }
 },
+ {
+ "Sid": "AllowGlueTaggingAction",
+ "Effect": "Allow",
+ "Action": [
+ "glue:TagResource"
+ ],
+ "Resource": "arn:aws:glue:*:*:session/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/owner": "${aws:userid}",
+ "aws:RequestTag/owner": "${aws:userid}"
+ }
+ }
+ },
 {
 "Sid": "AllowCompletionActions",
 "Effect": "Allow",
@@ -67,7 +81,6 @@
 "Sid": "DenyTagActions",
 "Effect": "Deny",
 "Action": [
- "glue:TagResource",
 "glue:UntagResource",
 "tag:TagResources",
 "tag:UntagResources"
diff --git a/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json b/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
index 3144fa1b3..4e71069c6 100644
--- a/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
+++ b/docs/source/_static/managed-policies/AwsGlueSessionUserRestrictedServiceRole.json
@@ -53,6 +53,20 @@
 }
 }
 },
+ {
+ "Sid": "AllowGlueTaggingAction",
+ "Effect": "Allow",
+ "Action": [
+ "glue:TagResource"
+ ],
+ "Resource": "arn:aws:glue:*:*:session/*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/owner": "${aws:userid}",
+ "aws:RequestTag/owner": "${aws:userid}"
+ }
+ }
+ },
 {
 "Sid": "AllowStatementActions",
 "Effect": "Allow",
@@ -88,7 +102,6 @@
 "Sid": "DenyTagActions",
 "Effect": "Deny",
 "Action": [
- "glue:TagResource",
 "glue:UntagResource",
 "tag:TagResources",
 "tag:UntagResources"
diff --git a/docs/source/_static/managed-policies/Billing.json b/docs/source/_static/managed-policies/Billing.json
index 916d80c0d..89ce3b811 100644
--- a/docs/source/_static/managed-policies/Billing.json
+++ b/docs/source/_static/managed-policies/Billing.json
@@ -72,18 +72,29 @@
 "invoicing:GetInvoicePDF",
 "invoicing:ListInvoiceSummaries",
 "invoicing:PutInvoiceEmailDeliveryPreferences",
+ "payments:CreateFinancingApplication",
 "payments:CreatePaymentInstrument",
 "payments:DeletePaymentInstrument",
+ "payments:GetFinancingApplication",
+ "payments:GetFinancingLine",
+ "payments:GetFinancingLineWithdrawal",
+ "payments:GetFinancingOption",
 "payments:GetPaymentInstrument",
 "payments:GetPaymentStatus",
+ "payments:ListFinancingApplications",
+ "payments:ListFinancingLines",
+ "payments:ListFinancingLineWithdrawals",
 "payments:ListPaymentPreferences",
+ "payments:ListPaymentProgramOptions",
+ "payments:ListPaymentProgramStatus",
 "payments:ListTagsForResource",
 "payments:ListPaymentInstruments",
 "payments:MakePayment",
 "payments:TagResource",
- "payments:UpdatePaymentPreferences",
- "payments:UpdatePaymentInstrument",
 "payments:UntagResource",
+ "payments:UpdateFinancingApplication",
+ "payments:UpdatePaymentInstrument",
+ "payments:UpdatePaymentPreferences",
 "pricing:DescribeServices",
 "purchase-orders:AddPurchaseOrder",
 "purchase-orders:DeletePurchaseOrder",
diff --git a/docs/source/_static/managed-policies/CloudWatchInternetMonitorFullAccess.json b/docs/source/_static/managed-policies/CloudWatchInternetMonitorFullAccess.json
new file mode 100644
index 000000000..2107c2adc
--- /dev/null
+++ b/docs/source/_static/managed-policies/CloudWatchInternetMonitorFullAccess.json
@@ -0,0 +1,70 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "FullAccessActions",
+ "Effect": "Allow",
+ "Action": [
+ "internetmonitor:CreateMonitor",
+ "internetmonitor:DeleteMonitor",
+ "internetmonitor:GetHealthEvent",
+ "internetmonitor:GetInternetEvent",
+ "internetmonitor:GetMonitor",
+ "internetmonitor:GetQueryResults",
+ "internetmonitor:GetQueryStatus",
+ "internetmonitor:Link",
+ "internetmonitor:ListHealthEvents",
+ "internetmonitor:ListInternetEvents",
+ "internetmonitor:ListMonitors",
+ "internetmonitor:ListTagsForResource",
+ "internetmonitor:StartQuery",
+ "internetmonitor:StopQuery",
+ "internetmonitor:TagResource",
+ "internetmonitor:UntagResource",
+ "internetmonitor:UpdateMonitor"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "ServiceLinkedRoleActions",
+ "Effect": "Allow",
+ "Action": "iam:CreateServiceLinkedRole",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor",
+ "Condition": {
+ "StringEquals": {
+ "iam:AWSServiceName": "internetmonitor.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "RolePolicyActions",
+ "Effect": "Allow",
+ "Action": [
+ "iam:AttachRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::*:role/aws-service-role/internetmonitor.amazonaws.com/AWSServiceRoleForInternetMonitor",
+ "Condition": {
+ "ArnEquals": {
+ "iam:PolicyARN": "arn:aws:iam::aws:policy/aws-service-role/CloudWatchInternetMonitorServiceRolePolicy"
+ }
+ }
+ },
+ {
+ "Sid": "ReadOnlyActions",
+ "Effect": "Allow",
+ "Action": [
+ "cloudwatch:GetMetricData",
+ "cloudfront:GetDistribution",
+ "cloudfront:ListDistributions",
+ "ec2:DescribeVpcs",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "logs:DescribeLogGroups",
+ "logs:GetQueryResults",
+ "logs:StartQuery",
+ "logs:StopQuery",
+ "workspaces:DescribeWorkspaceDirectories"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/CloudWatchInternetMonitorReadOnlyAccess.json b/docs/source/_static/managed-policies/CloudWatchInternetMonitorReadOnlyAccess.json
new file mode 100644
index 000000000..85669d3ff
--- /dev/null
+++ b/docs/source/_static/managed-policies/CloudWatchInternetMonitorReadOnlyAccess.json
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ReadOnlyActions",
+ "Effect": "Allow",
+ "Action": [
+ "cloudwatch:GetMetricData",
+ "internetmonitor:GetHealthEvent",
+ "internetmonitor:GetInternetEvent",
+ "internetmonitor:GetMonitor",
+ "internetmonitor:GetQueryResults",
+ "internetmonitor:GetQueryStatus",
+ "internetmonitor:ListHealthEvents",
+ "internetmonitor:ListInternetEvents",
+ "internetmonitor:ListMonitors",
+ "internetmonitor:ListTagsForResource",
+ "internetmonitor:StartQuery",
+ "internetmonitor:StopQuery",
+ "logs:DescribeLogGroups",
+ "logs:GetQueryResults",
+ "logs:StartQuery",
+ "logs:StopQuery"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/CloudWatchLambdaApplicationSignalsExecutionRolePolicy.json b/docs/source/_static/managed-policies/CloudWatchLambdaApplicationSignalsExecutionRolePolicy.json
new file mode 100644
index 000000000..90b36eb47
--- /dev/null
+++ b/docs/source/_static/managed-policies/CloudWatchLambdaApplicationSignalsExecutionRolePolicy.json
@@ -0,0 +1,35 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "CloudWatchApplicationSignalsXrayWritePermissions",
+ "Effect": "Allow",
+ "Action": [
+ "xray:PutTraceSegments"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ }
+ },
+ {
+ "Sid": "CloudWatchApplicationSignalsLogGroupWritePermissions",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource": "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/CloudWatchSyntheticsFullAccess.json b/docs/source/_static/managed-policies/CloudWatchSyntheticsFullAccess.json
index 2fd4a19db..80495b01d 100644
--- a/docs/source/_static/managed-policies/CloudWatchSyntheticsFullAccess.json
+++ b/docs/source/_static/managed-policies/CloudWatchSyntheticsFullAccess.json
@@ -114,7 +114,10 @@
 "lambda:UpdateFunctionCode",
 "lambda:UpdateFunctionConfiguration",
 "lambda:GetFunctionConfiguration",
- "lambda:DeleteFunction"
+ "lambda:DeleteFunction",
+ "lambda:ListTags",
+ "lambda:TagResource",
+ "lambda:UntagResource"
 ],
 "Resource": [
 "arn:aws:lambda:*:*:function:cwsyn-*"
@@ -129,7 +132,8 @@
 ],
 "Resource": [
 "arn:aws:lambda:*:*:layer:cwsyn-*",
- "arn:aws:lambda:*:*:layer:Synthetics:*"
+ "arn:aws:lambda:*:*:layer:Synthetics:*",
+ "arn:aws:lambda:*:*:layer:Synthetics_Selenium:*"
 ]
 },
 {
diff --git a/docs/source/_static/managed-policies/ElasticLoadBalancingFullAccess.json b/docs/source/_static/managed-policies/ElasticLoadBalancingFullAccess.json
index ec91b7da8..175c8c482 100644
--- a/docs/source/_static/managed-policies/ElasticLoadBalancingFullAccess.json
+++ b/docs/source/_static/managed-policies/ElasticLoadBalancingFullAccess.json
@@ -22,6 +22,7 @@
 "ec2:DescribeRouteTables",
 "ec2:DescribeCoipPools",
 "ec2:GetCoipPoolUsage",
+ "ec2:GetSecurityGroupsForVpc",
 "ec2:DescribeVpcPeeringConnections",
 "cognito-idp:DescribeUserPoolClient"
 ],
diff --git a/docs/source/_static/managed-policies/GameLiftContainerFleetPolicy.json b/docs/source/_static/managed-policies/GameLiftContainerFleetPolicy.json
new file mode 100644
index 000000000..34ac1acc0
--- /dev/null
+++ b/docs/source/_static/managed-policies/GameLiftContainerFleetPolicy.json
@@ -0,0 +1,46 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "WriteGameSessionLogsToLogStream",
+ "Effect": "Allow",
+ "Action": [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:PutRetentionPolicy"
+ ],
+ "Resource": "arn:aws:logs:*:*:log-group:gamelift-*:log-stream:*"
+ },
+ {
+ "Sid": "CreateLogGroupToStoreGameSessionLogs",
+ "Effect": "Allow",
+ "Action": "logs:CreateLogGroup",
+ "Resource": "arn:aws:logs:*:*:log-group:gamelift-*"
+ },
+ {
+ "Sid": "WriteGameSessionLogsToS3Bucket",
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::gamelift-*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
+ }
+ }
+ },
+ {
+ "Sid": "RetrieveComputeAuthToken",
+ "Effect": "Allow",
+ "Action": [
+ "gamelift:GetComputeAuthToken"
+ ],
+ "Resource": [
+ "arn:aws:gamelift:*:*:containerfleet/*"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/IVSReadOnlyAccess.json b/docs/source/_static/managed-policies/IVSReadOnlyAccess.json
index 2fc1fa540..63efd012d 100644
--- a/docs/source/_static/managed-policies/IVSReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/IVSReadOnlyAccess.json
@@ -9,9 +9,11 @@
 "ivs:GetChannel",
 "ivs:GetComposition",
 "ivs:GetEncoderConfiguration",
+ "ivs:GetIngestConfiguration",
 "ivs:GetParticipant",
 "ivs:GetPlaybackKeyPair",
 "ivs:GetPlaybackRestrictionPolicy",
+ "ivs:GetPublicKey",
 "ivs:GetRecordingConfiguration",
 "ivs:GetStage",
 "ivs:GetStageSession",
@@ -21,10 +23,12 @@
 "ivs:ListChannels",
 "ivs:ListCompositions",
 "ivs:ListEncoderConfigurations",
+ "ivs:ListIngestConfigurations",
 "ivs:ListParticipants",
 "ivs:ListParticipantEvents",
 "ivs:ListPlaybackKeyPairs",
 "ivs:ListPlaybackRestrictionPolicies",
+ "ivs:ListPublicKeys",
 "ivs:ListRecordingConfigurations",
 "ivs:ListStages",
 "ivs:ListStageSessions",
diff --git a/docs/source/_static/managed-policies/PowerUserAccess.json b/docs/source/_static/managed-policies/PowerUserAccess.json
index 565169632..8a27abd67 100644
--- a/docs/source/_static/managed-policies/PowerUserAccess.json
+++ b/docs/source/_static/managed-policies/PowerUserAccess.json
@@ -13,12 +13,13 @@
 {
 "Effect": "Allow",
 "Action": [
+ "account:GetAccountInformation",
+ "account:GetPrimaryEmail",
+ "account:ListRegions",
 "iam:CreateServiceLinkedRole",
 "iam:DeleteServiceLinkedRole",
 "iam:ListRoles",
- "organizations:DescribeOrganization",
- "account:ListRegions",
- "account:GetAccountInformation"
+ "organizations:DescribeOrganization"
 ],
 "Resource": "*"
 }
diff --git a/docs/source/_static/managed-policies/QAppsServiceRolePolicy.json b/docs/source/_static/managed-policies/QAppsServiceRolePolicy.json
new file mode 100644
index 000000000..e8a2bba06
--- /dev/null
+++ b/docs/source/_static/managed-policies/QAppsServiceRolePolicy.json
@@ -0,0 +1,18 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "QAppsPutMetricDataPermission",
+ "Effect": "Allow",
+ "Action": [
+ "cloudwatch:PutMetricData"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "cloudwatch:namespace": "AWS/QApps"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/ReadOnlyAccess.json b/docs/source/_static/managed-policies/ReadOnlyAccess.json
index 3e0780505..6a3e1c89f 100644
--- a/docs/source/_static/managed-policies/ReadOnlyAccess.json
+++ b/docs/source/_static/managed-policies/ReadOnlyAccess.json
@@ -104,11 +104,11 @@
 "application-signals:BatchGetServiceLevelObjectiveBudgetReport",
 "application-signals:GetService",
 "application-signals:GetServiceLevelObjective",
- "application-signals:ListServices",
 "application-signals:ListServiceDependencies",
 "application-signals:ListServiceDependents",
 "application-signals:ListServiceLevelObjectives",
 "application-signals:ListServiceOperations",
+ "application-signals:ListServices",
 "application-signals:ListTagsForResource",
 "applicationinsights:Describe*",
 "applicationinsights:List*",
@@ -219,12 +219,19 @@
 "bedrock:GetAgentVersion",
 "bedrock:GetCustomModel",
 "bedrock:GetDataSource",
+ "bedrock:GetEvaluationJob",
+ "bedrock:GetFlow",
+ "bedrock:GetFlowAlias",
+ "bedrock:GetFlowVersion",
 "bedrock:GetFoundationModel",
 "bedrock:GetFoundationModelAvailability",
+ "bedrock:GetGuardrail",
+ "bedrock:GetInferenceProfile",
 "bedrock:GetIngestionJob",
 "bedrock:GetKnowledgeBase",
 "bedrock:GetModelCustomizationJob",
 "bedrock:GetModelInvocationLoggingConfiguration",
+ "bedrock:GetPrompt",
 "bedrock:GetProvisionedModelThroughput",
 "bedrock:GetUseCaseForModelAccess",
 "bedrock:ListAgentActionGroups",
@@ -234,11 +241,18 @@
 "bedrock:ListAgentVersions",
 "bedrock:ListCustomModels",
 "bedrock:ListDataSources",
+ "bedrock:ListEvaluationJobs",
+ "bedrock:ListFlows",
+ "bedrock:ListFlowAliases",
+ "bedrock:ListFlowVersions",
 "bedrock:ListFoundationModelAgreementOffers",
 "bedrock:ListFoundationModels",
+ "bedrock:ListGuardrails",
+ "bedrock:ListInferenceProfiles",
 "bedrock:ListIngestionJobs",
 "bedrock:ListKnowledgeBases",
 "bedrock:ListModelCustomizationJobs",
+ "bedrock:ListPrompts",
 "bedrock:ListProvisionedModelThroughputs",
 "billing:GetBillingData",
 "billing:GetBillingDetails",
@@ -268,6 +282,7 @@
 "braket:SearchJobs",
 "braket:SearchQuantumTasks",
 "budgets:Describe*",
+ "budgets:ListTagsForResource",
 "budgets:View*",
 "cassandra:Select",
 "ce:DescribeCostCategoryDefinition",
@@ -294,8 +309,8 @@
 "ce:GetSavingsPlansUtilizationDetails",
 "ce:GetTags",
 "ce:GetUsageForecast",
- "ce:ListCostAllocationTags",
 "ce:ListCostAllocationTagBackfillHistory",
+ "ce:ListCostAllocationTags",
 "ce:ListCostCategoryDefinitions",
 "ce:ListSavingsPlansPurchaseRecommendationGeneration",
 "ce:ListTagsForResource",
@@ -310,6 +325,17 @@
 "chime:Retrieve*",
 "chime:Search*",
 "chime:Validate*",
+ "cleanrooms-ml:GetAudienceGenerationJob",
+ "cleanrooms-ml:GetAudienceModel",
+ "cleanrooms-ml:GetConfiguredAudienceModel",
+ "cleanrooms-ml:GetConfiguredAudienceModelPolicy",
+ "cleanrooms-ml:GetTrainingDataset",
+ "cleanrooms-ml:ListAudienceExportJobs",
+ "cleanrooms-ml:ListAudienceGenerationJobs",
+ "cleanrooms-ml:ListAudienceModels",
+ "cleanrooms-ml:ListConfiguredAudienceModels",
+ "cleanrooms-ml:ListTagsForResource",
+ "cleanrooms-ml:ListTrainingDatasets",
 "cleanrooms:BatchGetCollaborationAnalysisTemplate",
 "cleanrooms:BatchGetSchema",
 "cleanrooms:GetAnalysisTemplate",
@@ -334,17 +360,6 @@
 "cleanrooms:ListProtectedQueries",
 "cleanrooms:ListSchemas",
 "cleanrooms:ListTagsForResource",
- "cleanrooms-ml:GetTrainingDataset",
- "cleanrooms-ml:GetAudienceGenerationJob",
- "cleanrooms-ml:GetAudienceModel",
- "cleanrooms-ml:GetConfiguredAudienceModel",
- "cleanrooms-ml:GetConfiguredAudienceModelPolicy",
- "cleanrooms-ml:ListAudienceExportJobs",
- "cleanrooms-ml:ListAudienceGenerationJobs",
- "cleanrooms-ml:ListAudienceModels",
- "cleanrooms-ml:ListConfiguredAudienceModels",
- "cleanrooms-ml:ListTrainingDatasets",
- "cleanrooms-ml:ListTagsForResource",
 "cloud9:Describe*",
 "cloud9:List*",
 "clouddirectory:BatchRead",
@@ -543,6 +558,69 @@
 "datapipeline:Validate*",
 "datasync:Describe*",
 "datasync:List*",
+ "datazone:GetAsset",
+ "datazone:GetAssetType",
+ "datazone:GetDataProduct",
+ "datazone:GetDataSource",
+ "datazone:GetDataSourceRun",
+ "datazone:GetDomain",
+ "datazone:GetDomainSharingPolicy",
+ "datazone:GetDomainUnit",
+ "datazone:GetEnvironment",
+ "datazone:GetEnvironmentAction",
+ "datazone:GetEnvironmentBlueprint",
+ "datazone:GetEnvironmentBlueprintConfiguration",
+ "datazone:GetEnvironmentProfile",
+ "datazone:GetFormType",
+ "datazone:GetGlossary",
+ "datazone:GetGlossaryTerm",
+ "datazone:GetGroupProfile",
+ "datazone:GetLineageNode",
+ "datazone:GetListing",
+ "datazone:GetListing",
+ "datazone:GetMetadataGenerationRun",
+ "datazone:GetProject",
+ "datazone:GetProjectProfile",
+ "datazone:GetSubscription",
+ "datazone:GetSubscriptionEligibility",
+ "datazone:GetSubscriptionGrant",
+ "datazone:GetSubscriptionRequestDetails",
+ "datazone:GetSubscriptionTarget",
+ "datazone:GetTimeSeriesDataPoint",
+ "datazone:GetUserProfile",
+ "datazone:ListAccountEnvironments",
+ "datazone:ListAssetRevisions",
+ "datazone:ListDataProductRevisions",
+ "datazone:ListDataSourceRunActivities",
+ "datazone:ListDataSourceRuns",
+ "datazone:ListDataSources",
+ "datazone:ListDomains",
+ "datazone:ListDomainUnitsForParent",
+ "datazone:ListEntityOwners",
+ "datazone:ListEnvironmentActions",
+ "datazone:ListEnvironmentBlueprintConfigurations",
+ "datazone:ListEnvironmentBlueprintConfigurationSummaries",
+ "datazone:ListEnvironmentBlueprints",
+ "datazone:ListEnvironmentProfiles",
+ "datazone:ListEnvironments",
+ "datazone:ListGroupsForUser",
+ "datazone:ListLineageNodeHistory",
+ "datazone:ListNotifications",
+ "datazone:ListPolicyGrants",
+ "datazone:ListProjectMemberships",
+ "datazone:ListProjectProfiles",
+ "datazone:ListProjects",
+ "datazone:ListSubscriptionGrants",
+ "datazone:ListSubscriptionRequests",
+ "datazone:ListSubscriptions",
+ "datazone:ListSubscriptionTargets",
+ "datazone:ListTagsForResource",
+ "datazone:ListTimeSeriesDataPoints",
+ "datazone:Search",
+ "datazone:SearchGroupProfiles",
+ "datazone:SearchListings",
+ "datazone:SearchTypes",
+ "datazone:SearchUserProfiles",
 "dax:BatchGetItem",
 "dax:Describe*",
 "dax:GetItem",
@@ -575,6 +653,7 @@
 "deadline:ListFleetMembers",
 "deadline:ListFleets",
 "deadline:ListJobMembers",
+ "deadline:ListJobParameterDefinitions",
 "deadline:ListJobs",
 "deadline:ListLicenseEndpoints",
 "deadline:ListMeteredProducts",
@@ -897,8 +976,8 @@
 "glue:GetSecurityConfiguration",
 "glue:GetSecurityConfigurations",
 "glue:GetTable",
- "glue:GetTables",
 "glue:GetTableOptimizer",
+ "glue:GetTables",
 "glue:GetTableVersion",
 "glue:GetTableVersions",
 "glue:GetTags",
@@ -1087,8 +1166,8 @@
 "iotwireless:GetEventConfigurationByResourceTypes",
 "iotwireless:GetFuotaTask",
 "iotwireless:GetLogLevelsByResourceTypes",
- "iotwireless:GetMetrics",
 "iotwireless:GetMetricConfiguration",
+ "iotwireless:GetMetrics",
 "iotwireless:GetMulticastGroup",
 "iotwireless:GetMulticastGroupSession",
 "iotwireless:GetNetworkAnalyzerConfiguration",
@@ -1131,25 +1210,29 @@
 "ivs:GetChannel",
 "ivs:GetComposition",
 "ivs:GetEncoderConfiguration",
- "ivs:GetStage",
- "ivs:GetStageSession",
+ "ivs:GetIngestConfiguration",
+ "ivs:GetPublicKey",
 "ivs:GetParticipant",
 "ivs:GetPlaybackKeyPair",
 "ivs:GetPlaybackRestrictionPolicy",
 "ivs:GetRecordingConfiguration",
+ "ivs:GetStage",
+ "ivs:GetStageSession",
 "ivs:GetStreamSession",
 "ivs:ListChannels",
 "ivs:ListCompositions",
 "ivs:ListEncoderConfigurations",
- "ivs:ListParticipants",
+ "ivs:ListIngestConfigurations",
 "ivs:ListParticipantEvents",
+ "ivs:ListParticipants",
 "ivs:ListPlaybackKeyPairs",
 "ivs:ListPlaybackRestrictionPolicies",
+ "ivs:ListPublicKeys",
 "ivs:ListRecordingConfigurations",
 "ivs:ListStages",
 "ivs:ListStageSessions",
- "ivs:ListStreams",
 "ivs:ListStreamKeys",
+ "ivs:ListStreams",
 "ivs:ListStreamSessions",
 "ivs:ListTagsForResource",
 "ivschat:GetLoggingConfiguration",
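Review bot: `datazone:GetListing` is listed twice in the datazone block added to ReadOnlyAccess.json in the `@@ -543,6 +558,69 @@` hunk (two consecutive `+ "datazone:GetListing",` lines after `datazone:GetLineageNode`). IAM ignores duplicate actions, so the grant itself is unchanged, but anyone diffing or counting actions from these snapshots will trip over it. If this directory is meant to be a verbatim mirror of the published AWS document the duplicate belongs to the upstream source and should stay; if the sync step is allowed to normalise, collapse it to a single `"datazone:GetListing",`. The enclosing Allow statement starts and ends outside the hunk.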
@@ -1270,13 +1353,13 @@
 "lex:DescribeSlot",
 "lex:DescribeSlotType",
 "lex:Get*",
- "lex:ListBotAliasReplicas",
 "lex:ListBotAliases",
+ "lex:ListBotAliasReplicas",
 "lex:ListBotChannels",
 "lex:ListBotLocales",
 "lex:ListBotReplicas",
- "lex:ListBotVersionReplicas",
 "lex:ListBots",
+ "lex:ListBotVersionReplicas",
 "lex:ListBotVersions",
 "lex:ListBuiltInIntents",
 "lex:ListBuiltInSlotTypes",
@@ -1687,6 +1770,11 @@
 "pca-connector-ad:ListTagsForResource",
 "pca-connector-ad:ListTemplateGroupAccessControlEntries",
 "pca-connector-ad:ListTemplates",
+ "pca-connector-scep:GetChallengeMetadata",
+ "pca-connector-scep:GetConnector",
+ "pca-connector-scep:ListChallengeMetadata",
+ "pca-connector-scep:ListConnectors",
+ "pca-connector-scep:ListTagsForResource",
 "personalize:Describe*",
 "personalize:Get*",
 "personalize:List*",
@@ -1728,6 +1816,25 @@
 "purchase-orders:ListPurchaseOrderInvoices",
 "purchase-orders:ListPurchaseOrders",
 "purchase-orders:ViewPurchaseOrders",
+ "qbusiness:GetApplication",
+ "qbusiness:GetChatControlsConfiguration",
+ "qbusiness:GetDataSource",
+ "qbusiness:GetGroup",
+ "qbusiness:GetIndex",
+ "qbusiness:GetPlugin",
+ "qbusiness:GetRetriever",
+ "qbusiness:GetUser",
+ "qbusiness:GetWebExperience",
+ "qbusiness:ListApplications",
+ "qbusiness:ListDataSources",
+ "qbusiness:ListDataSourceSyncJobs",
+ "qbusiness:ListGroups",
+ "qbusiness:ListIndices",
+ "qbusiness:ListPlugins",
+ "qbusiness:ListRetrievers",
+ "qbusiness:ListSubscriptions",
+ "qbusiness:ListTagsForResource",
+ "qbusiness:ListWebExperiences",
 "qldb:DescribeJournalKinesisStream",
 "qldb:DescribeJournalS3Export",
 "qldb:DescribeLedger",
@@ -1810,6 +1917,7 @@
 "resiliencehub:DescribeAppVersionTemplate",
 "resiliencehub:DescribeDraftAppVersionResourcesImportStatus",
 "resiliencehub:DescribeResiliencyPolicy",
+ "resiliencehub:DescribeResourceGroupingRecommendationTask",
 "resiliencehub:ListAlarmRecommendations",
 "resiliencehub:ListAppAssessmentComplianceDrifts",
 "resiliencehub:ListAppAssessmentResourceDrifts",
@@ -1824,6 +1932,7 @@
 "resiliencehub:ListAppVersions",
 "resiliencehub:ListRecommendationTemplates",
 "resiliencehub:ListResiliencyPolicies",
+ "resiliencehub:ListResourceGroupingRecommendations",
 "resiliencehub:ListSopRecommendations",
 "resiliencehub:ListSuggestedResiliencyPolicies",
 "resiliencehub:ListTagsForResource",
@@ -1888,10 +1997,23 @@
 "s3-outposts:GetBucket",
 "s3-outposts:GetBucketPolicy",
 "s3-outposts:GetBucketTagging",
+ "s3-outposts:GetBucketVersioning",
 "s3-outposts:GetLifecycleConfiguration",
+ "s3-outposts:GetObject",
+ "s3-outposts:GetObjectTagging",
+ "s3-outposts:GetObjectVersion",
+ "s3-outposts:GetObjectVersionForReplication",
+ "s3-outposts:GetObjectVersionTagging",
+ "s3-outposts:GetReplicationConfiguration",
 "s3-outposts:ListAccessPoints",
+ "s3-outposts:ListBucket",
+ "s3-outposts:ListBucketMultipartUploads",
+ "s3-outposts:ListBucketVersions",
 "s3-outposts:ListEndpoints",
+ "s3-outposts:ListMultipartUploadParts",
+ "s3-outposts:ListOutpostsWithS3",
 "s3-outposts:ListRegionalBuckets",
+ "s3-outposts:ListSharedEndpoints",
 "s3:DescribeJob",
 "s3:Get*",
 "s3:List*",
@@ -1926,6 +2048,8 @@
 "secretsmanager:Describe*",
 "secretsmanager:GetResourcePolicy",
 "secretsmanager:List*",
+ "securityhub:BatchGetAutomationRules",
+ "securityhub:BatchGetConfigurationPolicyAssociations",
 "securityhub:BatchGetControlEvaluations",
 "securityhub:BatchGetSecurityControls",
 "securityhub:BatchGetStandardsControlAssociations",
@@ -2023,6 +2147,17 @@
 "ssm-incidents:ListResponsePlans",
 "ssm-incidents:ListTagsForResource",
 "ssm-incidents:ListTimelineEvents",
+ "ssm-sap:GetApplication",
+ "ssm-sap:GetComponent",
+ "ssm-sap:GetDatabase",
+ "ssm-sap:GetOperation",
+ "ssm-sap:GetResourcePermission",
+ "ssm-sap:ListApplications",
+ "ssm-sap:ListComponents",
+ "ssm-sap:ListDatabases",
+ "ssm-sap:ListOperationEvents",
+ "ssm-sap:ListOperations",
+ "ssm-sap:ListTagsForResource",
 "ssm:Describe*",
 "ssm:Get*",
 "ssm:List*",
@@ -2105,6 +2240,17 @@
 "translate:ListTerminologies",
 "translate:ListTextTranslationJobs",
 "trustedadvisor:Describe*",
+ "trustedadvisor:GetOrganizationRecommendation",
+ "trustedadvisor:GetRecommendation",
+ "trustedadvisor:ListChecks",
+ "trustedadvisor:ListOrganizationRecommendationAccounts",
+ "trustedadvisor:ListOrganizationRecommendationResources",
+ "trustedadvisor:ListOrganizationRecommendations",
+ "trustedadvisor:ListRecommendationResources",
+ "trustedadvisor:ListRecommendations",
+ "user-subscriptions:ListApplicationClaims",
+ "user-subscriptions:ListClaims",
+ "user-subscriptions:ListUserSubscriptions",
 "verifiedpermissions:GetIdentitySource",
 "verifiedpermissions:GetPolicy",
 "verifiedpermissions:GetPolicyStore",
diff --git a/docs/source/_static/managed-policies/ResourceGroupsTaggingAPITagUntagSupportedResources.json b/docs/source/_static/managed-policies/ResourceGroupsTaggingAPITagUntagSupportedResources.json
new file mode 100644
index 000000000..17aa07f28
--- /dev/null
+++ b/docs/source/_static/managed-policies/ResourceGroupsTaggingAPITagUntagSupportedResources.json
@@ -0,0 +1,340 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "a4b:TagResource",
+ "a4b:UntagResource",
+ "access-analyzer:TagResource",
+ "access-analyzer:UntagResource",
+ "acm-pca:TagCertificateAuthority",
+ "acm-pca:UntagCertificateAuthority",
+ "acm:AddTagsToCertificate",
+ "acm:RemoveTagsFromCertificate",
+ "amplify:TagResource",
+ "amplify:UntagResource",
+ "appconfig:TagResource",
+ "appconfig:UntagResource",
+ "appflow:TagResource",
+ "appflow:UntagResource",
+ "appmesh:TagResource",
+ "appmesh:UntagResource",
+ "appstream:TagResource",
+ "appstream:UntagResource",
+ "appsync:TagResource",
+ "appsync:UntagResource",
+ "athena:TagResource",
+ "athena:UntagResource",
+ "auditmanager:TagResource",
+ "auditmanager:UntagResource",
+ "autoscaling:CreateOrUpdateTags",
+ "autoscaling:DeleteTags",
+ "backup:TagResource",
+ "backup:UntagResource",
+ "batch:TagResource",
+ "batch:UntagResource",
+ "braket:TagResource",
+ "braket:UntagResource",
+ "cassandra:TagResource",
+ "cassandra:UntagResource",
+ "chime:TagResource",
+ "chime:UntagResource",
+ "cloud9:TagResource",
+ "cloud9:UntagResource",
+ "clouddirectory:TagResource",
+ "clouddirectory:UntagResource",
+ "cloudfront:TagResource",
+ "cloudfront:UntagResource",
+ "cloudhsm:TagResource",
+ "cloudhsm:UntagResource",
+ "cloudtrail:AddTags",
+ "cloudtrail:RemoveTags",
+ "cloudwatch:TagResource",
+ "cloudwatch:UntagResource",
+ "codeartifact:TagResource",
+ "codeartifact:UntagResource",
+ "codecommit:TagResource",
+ "codecommit:UntagResource",
+ "codedeploy:AddTagsToOnPremisesInstances",
+ "codedeploy:RemoveTagsFromOnPremisesInstances",
+ "codedeploy:TagResource",
+ "codedeploy:UntagResource",
+ "codeguru-profiler:TagResource",
+ "codeguru-profiler:UntagResource",
+ "codepipeline:TagResource",
+ "codepipeline:UntagResource",
+ "codestar-connections:TagResource",
+ "codestar-connections:UntagResource",
+ "codestar:TagProject",
+ "codestar:UntagProject",
+ "cognito-identity:TagResource",
+ "cognito-identity:UntagResource",
+ "cognito-idp:TagResource",
+ "cognito-idp:UntagResource",
+ "comprehend:TagResource",
+ "comprehend:UntagResource",
+ "config:TagResource",
+ "config:UntagResource",
+ "connect:TagResource",
+ "connect:UntagResource",
+ "dataexchange:TagResource",
+ "dataexchange:UntagResource",
+ "datapipeline:AddTags",
+ "datapipeline:RemoveTags",
+ "datasync:TagResource",
+ "datasync:UntagResource",
+ "deepcomposer:TagResource",
+ "deepcomposer:UntagResource",
+ "detective:TagResource",
+ "detective:UntagResource",
+ "devicefarm:TagResource",
+ "devicefarm:UntagResource",
+ "directconnect:TagResource",
+ "directconnect:UntagResource",
+ "dlm:TagResource",
+ "dlm:UntagResource",
+ "dms:AddTagsToResource",
+ "dms:RemoveTagsFromResource",
+ "dynamodb:TagResource",
+ "dynamodb:UntagResource",
+ "ec2:CreateTags",
+ "ec2:DeleteTags",
+ "ecr:TagResource",
+ "ecr:UntagResource",
+ "ecs:TagResource",
+ "ecs:UntagResource",
+ "eks:TagResource",
+ "eks:UntagResource",
+ "elastic-inference:TagResource",
+ "elastic-inference:UntagResource",
+ "elasticache:AddTagsToResource",
+ "elasticache:RemoveTagsFromResource",
+ "elasticbeanstalk:UpdateTagsForResource",
+ "elasticfilesystem:CreateTags",
+ "elasticfilesystem:DeleteTags",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags",
+ "elasticmapreduce:AddTags",
+ "elasticmapreduce:RemoveTags",
+ "emr-containers:TagResource",
+ "emr-containers:UntagResource",
+ "es:AddTags",
+ "es:RemoveTags",
+ "events:TagResource",
+ "events:UntagResource",
+ "firehose:TagDeliveryStream",
+ "firehose:UntagDeliveryStream",
+ "fms:TagResource",
+ "fms:UntagResource",
+ "forecast:TagResource",
+ "forecast:UntagResource",
+ "frauddetector:TagResource",
+ "frauddetector:UntagResource",
+ "fsx:TagResource",
+ "fsx:UntagResource",
+ "gamelift:TagResource",
+ "gamelift:UntagResource",
+ "glacier:AddTagsToVault",
+ "glacier:RemoveTagsFromVault",
+ "globalaccelerator:TagResource",
+ "globalaccelerator:UntagResource",
+ "glue:TagResource",
+ "glue:UntagResource",
+ "greengrass:TagResource",
+ "greengrass:UntagResource",
+ "groundstation:TagResource",
+ "groundstation:UntagResource",
+ "guardduty:TagResource",
+ "guardduty:UntagResource",
+ "iam:TagInstanceProfile",
+ "iam:TagMFADevice",
+ "iam:TagOpenIDConnectProvider",
+ "iam:TagPolicy",
+ "iam:TagRole",
+ "iam:TagSAMLProvider",
+ "iam:TagServerCertificate",
+ "iam:TagUser",
+ "iam:UntagInstanceProfile",
+ "iam:UntagMFADevice",
+ "iam:UntagOpenIDConnectProvider",
+ "iam:UntagPolicy",
+ "iam:UntagRole",
+ "iam:UntagSAMLProvider",
+ "iam:UntagServerCertificate",
+ "iam:UntagUser",
+ "imagebuilder:TagResource",
+ "imagebuilder:UntagResource",
+ "inspector:ListTagsForResource",
+ "inspector:SetTagsForResource",
+ "iot1click:TagResource",
+ "iot1click:UntagResource",
+ "iot:TagResource",
+ "iot:UntagResource",
+ "iotanalytics:TagResource",
+ "iotanalytics:UntagResource",
+ "iotdeviceadvisor:TagResource",
+ "iotdeviceadvisor:UntagResource",
+ "iotevents:TagResource",
+ "iotevents:UntagResource",
+ "iotfleethub:TagResource",
+ "iotfleethub:UntagResource",
+ "iotsitewise:TagResource",
+ "iotsitewise:UntagResource",
+ "iottwinmaker:TagResource",
+ "iottwinmaker:UntagResource",
+ "iotwireless:TagResource",
+ "iotwireless:UntagResource",
+ "ivs:TagResource",
+ "ivs:UntagResource",
+ "kafka:TagResource",
+ "kafka:UntagResource",
+ "kendra:TagResource",
+ "kendra:UntagResource",
+ "kinesis:AddTagsToStream",
+ "kinesis:RemoveTagsFromStream",
+ "kinesisanalytics:TagResource",
+ "kinesisanalytics:UntagResource",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "lambda:TagResource",
+ "lambda:UntagResource",
+ "lex:TagResource",
+ "lex:UntagResource",
+ "license-manager:TagResource",
+ "license-manager:UntagResource",
+ "lightsail:TagResource",
+ "lightsail:UntagResource",
+ "logs:TagLogGroup",
+ "logs:TagResource",
+ "logs:UntagLogGroup",
+ "logs:UntagResource",
+ "lookoutequipment:TagResource",
+ "lookoutequipment:UntagResource",
+ "machinelearning:AddTags",
+ "machinelearning:DeleteTags",
+ "macie2:TagResource",
+ "macie2:UntagResource",
+ "managedblockchain:TagResource",
+ "managedblockchain:UntagResource",
+ "mediaconnect:TagResource",
+ "mediaconnect:UntagResource",
+ "mediaconvert:TagResource",
+ "mediaconvert:UntagResource",
+ "medialive:CreateTags",
+ "medialive:DeleteTags",
+ "mediapackage-vod:TagResource",
+ "mediapackage-vod:UntagResource",
+ "mediapackage:TagResource",
+ "mediapackage:UntagResource",
+ "mediatailor:TagResource",
+ "mediatailor:UntagResource",
+ "mobiletargeting:TagResource",
+ "mobiletargeting:UntagResource",
+ "mq:CreateTags",
+ "mq:DeleteTags",
+ "neptune-graph:TagResource",
+ "neptune-graph:UntagResource",
+ "network-firewall:TagResource",
+ "network-firewall:UntagResource",
+ "networkmanager:TagResource",
+ "networkmanager:UntagResource",
+ "opsworks-cm:TagResource",
+ "opsworks-cm:UntagResource",
+ "opsworks:TagResource",
+ "opsworks:UntagResource",
+ "organizations:TagResource",
+ "organizations:UntagResource",
+ "outposts:TagResource",
+ "outposts:UntagResource",
+ "qldb:TagResource",
+ "qldb:UntagResource",
+ "quicksight:TagResource",
+ "quicksight:UntagResource",
+ "ram:TagResource",
+ "ram:UntagResource",
+ "rds:AddTagsToResource",
+ "rds:RemoveTagsFromResource",
+ "redshift:CreateTags",
+ "redshift:DeleteTags",
+ "resource-explorer-2:TagResource",
+ "resource-explorer-2:UntagResource",
+ "resource-groups:Tag",
+ "resource-groups:Untag",
+ "robomaker:TagResource",
+ "robomaker:UntagResource",
+ "route53:ChangeTagsForResource",
+ "route53domains:DeleteTagsForDomain",
+ "route53domains:UpdateTagsForDomain",
+ "route53resolver:TagResource",
+ "route53resolver:UntagResource",
+ "s3:GetBucketTagging",
+ "s3:GetJobTagging",
+ "s3:GetObjectTagging",
+ "s3:GetObjectVersionTagging",
+ "s3:GetStorageLensConfigurationTagging",
+ "s3:DeleteJobTagging",
+ "s3:DeleteObjectTagging",
+ "s3:DeleteObjectVersionTagging",
+ "s3:PutBucketTagging",
+ "s3:PutJobTagging",
+ "s3:PutObjectTagging",
+ "s3:PutObjectVersionTagging",
+ "s3:PutStorageLensConfigurationTagging",
+ "s3:DeleteStorageLensConfigurationTagging",
+ "s3:TagResource",
+ "s3:UntagResource",
+ "sagemaker:AddTags",
+ "sagemaker:DeleteTags",
+ "savingsplans:TagResource",
+ "savingsplans:UntagResource",
+ "schemas:TagResource",
+ "schemas:UntagResource",
+ "secretsmanager:TagResource",
+ "secretsmanager:UntagResource",
+ "securityhub:TagResource",
+ "securityhub:UntagResource",
+ "servicediscovery:TagResource",
+ "servicediscovery:UntagResource",
+ "servicequotas:TagResource",
+ "servicequotas:UntagResource",
+ "ses:TagResource",
+ "ses:UntagResource",
+ "sns:TagResource",
+ "sns:UntagResource",
+ "sqs:TagQueue",
+ "sqs:UntagQueue",
+ "ssm:AddTagsToResource",
+ "ssm:RemoveTagsFromResource",
+ "states:TagResource",
+ "states:UntagResource",
+ "storagegateway:AddTagsToResource",
+ "storagegateway:RemoveTagsFromResource",
+ "swf:TagResource",
+ "swf:UntagResource",
+ "synthetics:TagResource",
+ "synthetics:UntagResource",
+ "tag:GetResources",
+ "tag:TagResources",
+ "tag:UntagResources",
+ "transfer:TagResource",
+ "transfer:UntagResource",
+ "waf-regional:TagResource",
+ "waf-regional:UntagResource",
+ "waf:TagResource",
+ "waf:UntagResource",
+ "wafv2:TagResource",
+ "wafv2:UntagResource",
+ "worklink:TagResource",
+ "worklink:UntagResource",
+ "workmail:TagResource",
+ "workmail:UntagResource",
+ "workspaces:CreateTags",
+ "workspaces:DeleteTags",
+ "xray:TagResource",
+ "xray:UntagResource"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json b/docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
index 996f3b1ec..a4101ba34 100644
--- a/docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
+++ b/docs/source/_static/managed-policies/SSMQuickSetupRolePolicy.json
@@ -62,7 +62,9 @@
 ],
 "Resource": [
 "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-*",
- "arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*"
+ "arn:aws:cloudformation:*:*:stackset/SSMQuickSetup*",
+ "arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*",
+ "arn:aws:cloudformation:*:*:stack/StackSet-SSMQuickSetup*"
 ]
 },
 {
@@ -74,8 +76,11 @@
 ],
 "Resource": [
 "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-*",
+ "arn:aws:cloudformation:*:*:stackset/SSMQuickSetup*",
 "arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*",
+ "arn:aws:cloudformation:*:*:stack/StackSet-SSMQuickSetup*",
 "arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-*",
+ "arn:aws:cloudformation:*:*:stackset-target/SSMQuickSetup*",
 "arn:aws:cloudformation:*:*:type/resource/*"
 ],
 "Condition": {
diff --git a/docs/source/_static/managed-policies/SecurityAudit.json b/docs/source/_static/managed-policies/SecurityAudit.json
index 873ce180e..bdc69fc37 100644
--- a/docs/source/_static/managed-policies/SecurityAudit.json
+++ b/docs/source/_static/managed-policies/SecurityAudit.json
@@ -16,6 +16,7 @@
 "access-analyzer:ListFindings",
 "access-analyzer:ListTagsForResource",
 "account:GetAlternateContact",
+ "account:GetPrimaryEmail",
 "account:GetRegionOptStatus",
 "acm-pca:DescribeCertificateAuthority",
 "acm-pca:DescribeCertificateAuthorityAuditReport",
@@ -425,11 +426,18 @@
 "lightsail:GetInstances",
 "lightsail:GetLoadBalancers",
 "logs:Describe*",
+ "logs:GetLogDelivery",
+ "logs:ListLogDeliveries",
 "logs:ListTagsForResource",
 "logs:ListTagsLogGroup",
 "lookoutequipment:ListDatasets",
 "lookoutmetrics:ListAnomalyDetectors",
 "lookoutvision:ListProjects",
+ "m2:ListEnvironments",
+ "m2:ListApplications",
+ "m2:GetEnvironment",
+ "m2:GetApplication",
+ "m2:ListTagsForResource",
 "machinelearning:DescribeMLModels",
 "macie2:ListFindings",
 "managedblockchain:ListNetworks",
@@ -476,6 +484,17 @@
 "profile:GetDomain",
 "profile:ListDomains",
 "profile:ListIntegrations",
+ "qbusiness:ListApplications",
+ "qbusiness:ListDataSourceSyncJobs",
+ "qbusiness:ListDataSources",
+ "qbusiness:ListDocuments",
+ "qbusiness:ListGroups",
+ "qbusiness:ListIndices",
+ "qbusiness:ListPlugins",
+ "qbusiness:ListRetrievers",
+ "qbusiness:ListSubscriptions",
+ "qbusiness:ListTagsForResource",
+ "qbusiness:ListWebExperiences",
 "qldb:DescribeJournalS3Export",
 "qldb:DescribeLedger",
 "qldb:ListJournalS3Exports",
diff --git a/docs/source/_static/managed-policies/ViewOnlyAccess.json b/docs/source/_static/managed-policies/ViewOnlyAccess.json
index 6f25cac95..347bd3f6e 100644
--- a/docs/source/_static/managed-policies/ViewOnlyAccess.json
+++ b/docs/source/_static/managed-policies/ViewOnlyAccess.json
@@ -179,6 +179,7 @@
 "elasticloadbalancing:DescribeInstanceHealth",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
 "elasticmapreduce:List*",
@@ -234,6 +235,11 @@
 "lookoutvision:ListModelPackagingJobs",
 "lookoutvision:ListModels",
 "lookoutvision:ListProjects",
+ "m2:ListEnvironments",
+ "m2:ListApplications",
+ "m2:GetEnvironment",
+ "m2:GetApplication",
+ "m2:ListTagsForResource",
 "machinelearning:Describe*",
 "mediaconnect:ListEntitlements",
 "mediaconnect:ListFlows",
diff --git a/docs/source/_static/managed-policies/index.json b/docs/source/_static/managed-policies/index.json
index 5ff6a1e0b..e221c3552 100644
--- a/docs/source/_static/managed-policies/index.json
+++ b/docs/source/_static/managed-policies/index.json
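Review bot: The three new resource patterns in the second SSMQuickSetupRolePolicy hunk (`stackset/SSMQuickSetup*`, `stack/StackSet-SSMQuickSetup*`, `stackset-target/SSMQuickSetup*`) are bare prefix matches with no trailing delimiter, unlike the existing `AWS-QuickSetup-*` patterns next to them, so any stack set or stack whose name merely starts with `SSMQuickSetup` (say `SSMQuickSetupProd`) falls under this statement's CloudFormation permissions, and the same statement still lists `arn:aws:cloudformation:*:*:type/resource/*`. This is an AWS-authored managed policy mirrored here, so the fix is not in this repo; the caveat for anyone attaching it is that unrelated stack sets must not be named with that prefix, and a tighter pattern if it were under local control would be `"arn:aws:cloudformation:*:*:stackset/SSMQuickSetup-*"` (and likewise for the stack and stackset-target entries). The `"Condition": {` that scopes this statement opens on the hunk's last line and its body is outside the view, so whether a condition key narrows this further cannot be confirmed from here.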
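Review bot: `account:GetPrimaryEmail` added to the first SecurityAudit hunk lets any holder of this audit policy read the account's root-user primary email, which together with the pre-existing `account:GetAlternateContact` on the line above yields a complete contact profile of the account; if auditor credentials are compromised that is direct targeting data for phishing the root identity. The policy is AWS-authored and mirrored here, so nothing in the JSON is changeable in this repo, but the mirror's description of SecurityAudit should not present it as free of sensitive account metadata; a one-line doc caveat such as "grants read of the account's alternate contacts and primary (root) email" would be appropriate wherever this policy is summarised.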
@@ -1 +1 @@ -["AccessAnalyzerServiceRolePolicy","AdministratorAccess","AdministratorAccess-Amplify","AdministratorAccess-AWSElasticBeanstalk","AlexaForBusinessDeviceSetup","AlexaForBusinessFullAccess","AlexaForBusinessGatewayExecution","AlexaForBusinessLifesizeDelegatedAccessPolicy","AlexaForBusinessNetworkProfileServicePolicy","AlexaForBusinessPolyDelegatedAccessPolicy","AlexaForBusinessReadOnlyAccess","AmazonAPIGatewayAdministrator","AmazonAPIGatewayInvokeFullAccess","AmazonAPIGatewayPushToCloudWatchLogs","AmazonAppFlowFullAccess","AmazonAppFlowReadOnlyAccess","AmazonAppStreamFullAccess","AmazonAppStreamPCAAccess","AmazonAppStreamReadOnlyAccess","AmazonAppStreamServiceAccess","AmazonAthenaFullAccess","AmazonAugmentedAIFullAccess","AmazonAugmentedAIHumanLoopFullAccess","AmazonAugmentedAIIntegratedAPIAccess","AmazonBedrockFullAccess","AmazonBedrockReadOnly","AmazonBedrockStudioPermissionsBoundary","AmazonBraketFullAccess","AmazonBraketJobsExecutionPolicy","AmazonBraketServiceRolePolicy","AmazonChimeFullAccess","AmazonChimeReadOnly","AmazonChimeSDK","AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy","AmazonChimeSDKMessagingServiceRolePolicy","AmazonChimeServiceRolePolicy","AmazonChimeTranscriptionServiceLinkedRolePolicy","AmazonChimeUserManagement","AmazonChimeVoiceConnectorServiceLinkedRolePolicy","AmazonCloudDirectoryFullAccess","AmazonCloudDirectoryReadOnlyAccess","AmazonCloudWatchEvidentlyFullAccess","AmazonCloudWatchEvidentlyReadOnlyAccess","AmazonCloudWatchEvidentlyServiceRolePolicy","AmazonCloudWatchRUMFullAccess","AmazonCloudWatchRUMReadOnlyAccess","AmazonCloudWatchRUMServiceRolePolicy","AmazonCodeCatalystFullAccess","AmazonCodeCatalystReadOnlyAccess","AmazonCodeCatalystSupportAccess","AmazonCodeGuruProfilerAgentAccess","AmazonCodeGuruProfilerFullAccess","AmazonCodeGuruProfilerReadOnlyAccess","AmazonCodeGuruReviewerFullAccess","AmazonCodeGuruReviewerReadOnlyAccess","AmazonCodeGuruReviewerServiceRolePolicy","AmazonCodeGuruSecurityFullAccess","AmazonCodeGuru
SecurityScanAccess","AmazonCognitoDeveloperAuthenticatedIdentities","AmazonCognitoIdpEmailServiceRolePolicy","AmazonCognitoIdpServiceRolePolicy","AmazonCognitoPowerUser","AmazonCognitoReadOnly","AmazonCognitoUnAuthedIdentitiesSessionPolicy","AmazonCognitoUnauthenticatedIdentities","AmazonConnect_FullAccess","AmazonConnectCampaignsServiceLinkedRolePolicy","AmazonConnectReadOnlyAccess","AmazonConnectServiceLinkedRolePolicy","AmazonConnectSynchronizationServiceRolePolicy","AmazonConnectVoiceIDFullAccess","AmazonDataZoneDomainExecutionRolePolicy","AmazonDataZoneEnvironmentRolePermissionsBoundary","AmazonDataZoneFullAccess","AmazonDataZoneFullUserAccess","AmazonDataZoneGlueManageAccessRolePolicy","AmazonDataZoneRedshiftGlueProvisioningPolicy","AmazonDataZoneRedshiftManageAccessRolePolicy","AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary","AmazonDataZoneSageMakerManageAccessRolePolicy","AmazonDataZoneSageMakerProvisioningRolePolicy","AmazonDetectiveFullAccess","AmazonDetectiveInvestigatorAccess","AmazonDetectiveMemberAccess","AmazonDetectiveOrganizationsAccess","AmazonDetectiveServiceLinkedRolePolicy","AmazonDevOpsGuruConsoleFullAccess","AmazonDevOpsGuruFullAccess","AmazonDevOpsGuruOrganizationsAccess","AmazonDevOpsGuruReadOnlyAccess","AmazonDevOpsGuruServiceRolePolicy","AmazonDMSCloudWatchLogsRole","AmazonDMSRedshiftS3Role","AmazonDMSVPCManagementRole","AmazonDocDB-ElasticServiceRolePolicy","AmazonDocDBConsoleFullAccess","AmazonDocDBElasticFullAccess","AmazonDocDBElasticReadOnlyAccess","AmazonDocDBFullAccess","AmazonDocDBReadOnlyAccess","AmazonDRSVPCManagement","AmazonDynamoDBFullAccess","AmazonDynamoDBFullAccesswithDataPipeline","AmazonDynamoDBReadOnlyAccess","AmazonEBSCSIDriverPolicy","AmazonEC2ContainerRegistryFullAccess","AmazonEC2ContainerRegistryPowerUser","AmazonEC2ContainerRegistryReadOnly","AmazonEC2ContainerServiceAutoscaleRole","AmazonEC2ContainerServiceEventsRole","AmazonEC2ContainerServiceforEC2Role","AmazonEC2ContainerServiceRole","AmazonEC2FullAc
cess","AmazonEC2ReadOnlyAccess","AmazonEC2RoleforAWSCodeDeploy","AmazonEC2RoleforAWSCodeDeployLimited","AmazonEC2RoleforDataPipelineRole","AmazonEC2RoleforSSM","AmazonEC2RolePolicyForLaunchWizard","AmazonEC2SpotFleetAutoscaleRole","AmazonEC2SpotFleetTaggingRole","AmazonECS_FullAccess","AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity","AmazonECSInfrastructureRolePolicyForVolumes","AmazonECSServiceRolePolicy","AmazonECSTaskExecutionRolePolicy","AmazonEFSCSIDriverPolicy","AmazonEKS_CNI_Policy","AmazonEKSClusterPolicy","AmazonEKSConnectorServiceRolePolicy","AmazonEKSFargatePodExecutionRolePolicy","AmazonEKSForFargateServiceRolePolicy","AmazonEKSLocalOutpostClusterPolicy","AmazonEKSLocalOutpostServiceRolePolicy","AmazonEKSServicePolicy","AmazonEKSServiceRolePolicy","AmazonEKSVPCResourceController","AmazonEKSWorkerNodePolicy","AmazonElastiCacheFullAccess","AmazonElastiCacheReadOnlyAccess","AmazonElasticContainerRegistryPublicFullAccess","AmazonElasticContainerRegistryPublicPowerUser","AmazonElasticContainerRegistryPublicReadOnly","AmazonElasticFileSystemClientFullAccess","AmazonElasticFileSystemClientReadOnlyAccess","AmazonElasticFileSystemClientReadWriteAccess","AmazonElasticFileSystemFullAccess","AmazonElasticFileSystemReadOnlyAccess","AmazonElasticFileSystemServiceRolePolicy","AmazonElasticFileSystemsUtils","AmazonElasticMapReduceEditorsRole","AmazonElasticMapReduceforAutoScalingRole","AmazonElasticMapReduceforEC2Role","AmazonElasticMapReduceFullAccess","AmazonElasticMapReducePlacementGroupPolicy","AmazonElasticMapReduceReadOnlyAccess","AmazonElasticMapReduceRole","AmazonElasticsearchServiceRolePolicy","AmazonElasticTranscoder_FullAccess","AmazonElasticTranscoder_JobsSubmitter","AmazonElasticTranscoder_ReadOnlyAccess","AmazonElasticTranscoderRole","AmazonEMRCleanupPolicy","AmazonEMRContainersServiceRolePolicy","AmazonEMRFullAccessPolicy_v2","AmazonEMRReadOnlyAccessPolicy_v2","AmazonEMRServerlessServiceRolePolicy","AmazonEMRServicePolicy_v2","Am
azonESCognitoAccess","AmazonESFullAccess","AmazonESReadOnlyAccess","AmazonEventBridgeApiDestinationsServiceRolePolicy","AmazonEventBridgeFullAccess","AmazonEventBridgePipesFullAccess","AmazonEventBridgePipesOperatorAccess","AmazonEventBridgePipesReadOnlyAccess","AmazonEventBridgeReadOnlyAccess","AmazonEventBridgeSchedulerFullAccess","AmazonEventBridgeSchedulerReadOnlyAccess","AmazonEventBridgeSchemasFullAccess","AmazonEventBridgeSchemasReadOnlyAccess","AmazonEventBridgeSchemasServiceRolePolicy","AmazonFISServiceRolePolicy","AmazonForecastFullAccess","AmazonFraudDetectorFullAccessPolicy","AmazonFreeRTOSFullAccess","AmazonFreeRTOSOTAUpdate","AmazonFSxConsoleFullAccess","AmazonFSxConsoleReadOnlyAccess","AmazonFSxFullAccess","AmazonFSxReadOnlyAccess","AmazonFSxServiceRolePolicy","AmazonGlacierFullAccess","AmazonGlacierReadOnlyAccess","AmazonGrafanaAthenaAccess","AmazonGrafanaCloudWatchAccess","AmazonGrafanaRedshiftAccess","AmazonGrafanaServiceLinkedRolePolicy","AmazonGuardDutyFullAccess","AmazonGuardDutyMalwareProtectionServiceRolePolicy","AmazonGuardDutyReadOnlyAccess","AmazonGuardDutyServiceRolePolicy","AmazonHealthLakeFullAccess","AmazonHealthLakeReadOnlyAccess","AmazonHoneycodeFullAccess","AmazonHoneycodeReadOnlyAccess","AmazonHoneycodeServiceRolePolicy","AmazonHoneycodeTeamAssociationFullAccess","AmazonHoneycodeTeamAssociationReadOnlyAccess","AmazonHoneycodeWorkbookFullAccess","AmazonHoneycodeWorkbookReadOnlyAccess","AmazonInspector2AgentlessServiceRolePolicy","AmazonInspector2FullAccess","AmazonInspector2ManagedCisPolicy","AmazonInspector2ReadOnlyAccess","AmazonInspector2ServiceRolePolicy","AmazonInspectorFullAccess","AmazonInspectorReadOnlyAccess","AmazonInspectorServiceRolePolicy","AmazonKendraFullAccess","AmazonKendraReadOnlyAccess","AmazonKeyspacesFullAccess","AmazonKeyspacesReadOnlyAccess","AmazonKeyspacesReadOnlyAccess_v2","AmazonKinesisAnalyticsFullAccess","AmazonKinesisAnalyticsReadOnly","AmazonKinesisFirehoseFullAccess","AmazonKinesisFirehoseReadOnlyAcces
s","AmazonKinesisFullAccess","AmazonKinesisReadOnlyAccess","AmazonKinesisVideoStreamsFullAccess","AmazonKinesisVideoStreamsReadOnlyAccess","AmazonLaunchWizardFullAccessV2","AmazonLexChannelsAccess","AmazonLexFullAccess","AmazonLexReadOnly","AmazonLexReplicationPolicy","AmazonLexRunBotsOnly","AmazonLexV2BotPolicy","AmazonLookoutEquipmentFullAccess","AmazonLookoutEquipmentReadOnlyAccess","AmazonLookoutMetricsFullAccess","AmazonLookoutMetricsReadOnlyAccess","AmazonLookoutVisionConsoleFullAccess","AmazonLookoutVisionConsoleReadOnlyAccess","AmazonLookoutVisionFullAccess","AmazonLookoutVisionReadOnlyAccess","AmazonMachineLearningBatchPredictionsAccess","AmazonMachineLearningCreateOnlyAccess","AmazonMachineLearningFullAccess","AmazonMachineLearningManageRealTimeEndpointOnlyAccess","AmazonMachineLearningReadOnlyAccess","AmazonMachineLearningRealTimePredictionOnlyAccess","AmazonMachineLearningRoleforRedshiftDataSourceV3","AmazonMacieFullAccess","AmazonMacieHandshakeRole","AmazonMacieReadOnlyAccess","AmazonMacieServiceRole","AmazonMacieServiceRolePolicy","AmazonManagedBlockchainConsoleFullAccess","AmazonManagedBlockchainFullAccess","AmazonManagedBlockchainReadOnlyAccess","AmazonManagedBlockchainServiceRolePolicy","AmazonMCSFullAccess","AmazonMCSReadOnlyAccess","AmazonMechanicalTurkFullAccess","AmazonMechanicalTurkReadOnly","AmazonMemoryDBFullAccess","AmazonMemoryDBReadOnlyAccess","AmazonMobileAnalyticsFinancialReportAccess","AmazonMobileAnalyticsFullAccess","AmazonMobileAnalyticsNon-financialReportAccess","AmazonMobileAnalyticsWriteOnlyAccess","AmazonMonitronFullAccess","AmazonMQApiFullAccess","AmazonMQApiReadOnlyAccess","AmazonMQFullAccess","AmazonMQReadOnlyAccess","AmazonMQServiceRolePolicy","AmazonMSKConnectReadOnlyAccess","AmazonMSKFullAccess","AmazonMSKReadOnlyAccess","AmazonMWAAServiceRolePolicy","AmazonNimbleStudio-LaunchProfileWorker","AmazonNimbleStudio-StudioAdmin","AmazonNimbleStudio-StudioUser","AmazonOmicsFullAccess","AmazonOmicsReadOnlyAccess","AmazonOneEnterpri
seFullAccess","AmazonOneEnterpriseInstallerAccess","AmazonOneEnterpriseReadOnlyAccess","AmazonOpenSearchDashboardsServiceRolePolicy","AmazonOpenSearchDirectQueryGlueCreateAccess","AmazonOpenSearchIngestionFullAccess","AmazonOpenSearchIngestionReadOnlyAccess","AmazonOpenSearchIngestionServiceRolePolicy","AmazonOpenSearchServerlessServiceRolePolicy","AmazonOpenSearchServiceCognitoAccess","AmazonOpenSearchServiceFullAccess","AmazonOpenSearchServiceReadOnlyAccess","AmazonOpenSearchServiceRolePolicy","AmazonPersonalizeFullAccess","AmazonPollyFullAccess","AmazonPollyReadOnlyAccess","AmazonPrometheusConsoleFullAccess","AmazonPrometheusFullAccess","AmazonPrometheusQueryAccess","AmazonPrometheusRemoteWriteAccess","AmazonPrometheusScraperServiceRolePolicy","AmazonQDeveloperAccess","AmazonQFullAccess","AmazonQLDBConsoleFullAccess","AmazonQLDBFullAccess","AmazonQLDBReadOnly","AmazonRDSBetaServiceRolePolicy","AmazonRDSCustomInstanceProfileRolePolicy","AmazonRDSCustomPreviewServiceRolePolicy","AmazonRDSCustomServiceRolePolicy","AmazonRDSDataFullAccess","AmazonRDSDirectoryServiceAccess","AmazonRDSEnhancedMonitoringRole","AmazonRDSFullAccess","AmazonRDSPerformanceInsightsFullAccess","AmazonRDSPerformanceInsightsReadOnly","AmazonRDSPreviewServiceRolePolicy","AmazonRDSReadOnlyAccess","AmazonRDSServiceRolePolicy","AmazonRedshiftAllCommandsFullAccess","AmazonRedshiftDataFullAccess","AmazonRedshiftFullAccess","AmazonRedshiftQueryEditor","AmazonRedshiftQueryEditorV2FullAccess","AmazonRedshiftQueryEditorV2NoSharing","AmazonRedshiftQueryEditorV2ReadSharing","AmazonRedshiftQueryEditorV2ReadWriteSharing","AmazonRedshiftReadOnlyAccess","AmazonRedshiftServiceLinkedRolePolicy","AmazonRekognitionCustomLabelsFullAccess","AmazonRekognitionFullAccess","AmazonRekognitionReadOnlyAccess","AmazonRekognitionServiceRole","AmazonRoute53AutoNamingFullAccess","AmazonRoute53AutoNamingReadOnlyAccess","AmazonRoute53AutoNamingRegistrantAccess","AmazonRoute53DomainsFullAccess","AmazonRoute53DomainsReadOnlyAccess
","AmazonRoute53FullAccess","AmazonRoute53ProfilesFullAccess","AmazonRoute53ProfilesReadOnlyAccess","AmazonRoute53ReadOnlyAccess","AmazonRoute53RecoveryClusterFullAccess","AmazonRoute53RecoveryClusterReadOnlyAccess","AmazonRoute53RecoveryControlConfigFullAccess","AmazonRoute53RecoveryControlConfigReadOnlyAccess","AmazonRoute53RecoveryReadinessFullAccess","AmazonRoute53RecoveryReadinessReadOnlyAccess","AmazonRoute53ResolverFullAccess","AmazonRoute53ResolverReadOnlyAccess","AmazonS3FullAccess","AmazonS3ObjectLambdaExecutionRolePolicy","AmazonS3OutpostsFullAccess","AmazonS3OutpostsReadOnlyAccess","AmazonS3ReadOnlyAccess","AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy","AmazonSageMakerCanvasAIServicesAccess","AmazonSageMakerCanvasBedrockAccess","AmazonSageMakerCanvasDataPrepFullAccess","AmazonSageMakerCanvasDirectDeployAccess","AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy","AmazonSageMakerCanvasForecastAccess","AmazonSageMakerCanvasFullAccess","AmazonSageMakerClusterInstanceRolePolicy","AmazonSageMakerCoreServiceRolePolicy","AmazonSageMakerEdgeDeviceFleetPolicy","AmazonSageMakerFeatureStoreAccess","AmazonSageMakerFullAccess","AmazonSageMakerGeospatialExecutionRole","AmazonSageMakerGeospatialFullAccess","AmazonSageMakerGroundTruthExecution","AmazonSageMakerMechanicalTurkAccess","AmazonSageMakerModelGovernanceUseAccess","AmazonSageMakerModelRegistryFullAccess","AmazonSageMakerNotebooksServiceRolePolicy","AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy","AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy","AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy","AmazonSageMakerPipelinesIntegrations","AmazonSageMakerReadOnly","AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy","AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy","AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy","AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePol
icy","AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy","AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy","AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy","AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy","AmazonSecurityLakeAdministrator","AmazonSecurityLakeMetastoreManager","AmazonSecurityLakePermissionsBoundary","AmazonSESFullAccess","AmazonSESReadOnlyAccess","AmazonSESServiceRolePolicy","AmazonSNSFullAccess","AmazonSNSReadOnlyAccess","AmazonSNSRole","AmazonSQSFullAccess","AmazonSQSReadOnlyAccess","AmazonSSMAutomationApproverAccess","AmazonSSMAutomationRole","AmazonSSMDirectoryServiceAccess","AmazonSSMFullAccess","AmazonSSMMaintenanceWindowRole","AmazonSSMManagedEC2InstanceDefaultPolicy","AmazonSSMManagedInstanceCore","AmazonSSMPatchAssociation","AmazonSSMReadOnlyAccess","AmazonSSMServiceRolePolicy","AmazonTextractFullAccess","AmazonTextractServiceRole","AmazonTimestreamConsoleFullAccess","AmazonTimestreamFullAccess","AmazonTimestreamInfluxDBFullAccess","AmazonTimestreamInfluxDBServiceRolePolicy","AmazonTimestreamReadOnlyAccess","AmazonTranscribeFullAccess","AmazonTranscribeReadOnlyAccess","AmazonVPCCrossAccountNetworkInterfaceOperations","AmazonVPCFullAccess","AmazonVPCNetworkAccessAnalyzerFullAccessPolicy","AmazonVPCReachabilityAnalyzerFullAccessPolicy","AmazonVPCReachabilityAnalyzerPathComponentReadPolicy","AmazonVPCReadOnlyAccess","AmazonWorkDocsFullAccess","AmazonWorkDocsReadOnlyAccess","AmazonWorkMailEventsServiceRolePolicy","AmazonWorkMailFullAccess","AmazonWorkMailMessageFlowFullAccess","AmazonWorkMailMessageFlowReadOnlyAccess","AmazonWorkMailReadOnlyAccess","AmazonWorkSpacesAdmin","AmazonWorkSpacesApplicationManagerAdminAccess","AmazonWorkspacesPCAAccess","AmazonWorkSpacesPoolServiceAccess","AmazonWorkSpacesSecureBrowserReadOnly","AmazonWorkSpacesSelfServiceAccess","AmazonWorkSpacesServiceAccess","AmazonWorkSpacesThinClientReadOnlyAccess","AmazonWorkSpacesWebReadOnly","AmazonWorkSpacesWebServiceRolePolic
y","AmazonZocaloFullAccess","AmazonZocaloReadOnlyAccess","AmplifyBackendDeployFullAccess","APIGatewayServiceRolePolicy","AppIntegrationsServiceLinkedRolePolicy","ApplicationAutoScalingForAmazonAppStreamAccess","ApplicationDiscoveryServiceContinuousExportServiceRolePolicy","AppRunnerNetworkingServiceRolePolicy","AppRunnerServiceRolePolicy","AppStudioServiceRolePolicy","AutoScalingConsoleFullAccess","AutoScalingConsoleReadOnlyAccess","AutoScalingFullAccess","AutoScalingNotificationAccessRole","AutoScalingReadOnlyAccess","AutoScalingServiceRolePolicy","AWS_ConfigRole","AWSAccountActivityAccess","AWSAccountManagementFullAccess","AWSAccountManagementReadOnlyAccess","AWSAccountUsageReportAccess","AWSAgentlessDiscoveryService","AWSAppFabricFullAccess","AWSAppFabricReadOnlyAccess","AWSAppFabricServiceRolePolicy","AWSApplicationAutoscalingAppStreamFleetPolicy","AWSApplicationAutoscalingCassandraTablePolicy","AWSApplicationAutoscalingComprehendEndpointPolicy","AWSApplicationAutoScalingCustomResourcePolicy","AWSApplicationAutoscalingDynamoDBTablePolicy","AWSApplicationAutoscalingEC2SpotFleetRequestPolicy","AWSApplicationAutoscalingECSServicePolicy","AWSApplicationAutoscalingElastiCacheRGPolicy","AWSApplicationAutoscalingEMRInstanceGroupPolicy","AWSApplicationAutoscalingKafkaClusterPolicy","AWSApplicationAutoscalingLambdaConcurrencyPolicy","AWSApplicationAutoscalingNeptuneClusterPolicy","AWSApplicationAutoscalingRDSClusterPolicy","AWSApplicationAutoscalingSageMakerEndpointPolicy","AWSApplicationAutoscalingWorkSpacesPoolPolicy","AWSApplicationDiscoveryAgentAccess","AWSApplicationDiscoveryAgentlessCollectorAccess","AWSApplicationDiscoveryServiceFullAccess","AWSApplicationMigrationAgentInstallationPolicy","AWSApplicationMigrationAgentPolicy","AWSApplicationMigrationAgentPolicy_v2","AWSApplicationMigrationConversionServerPolicy","AWSApplicationMigrationEC2Access","AWSApplicationMigrationFullAccess","AWSApplicationMigrationMGHAccess","AWSApplicationMigrationReadOnlyAccess","AWSAppli
cationMigrationReplicationServerPolicy","AWSApplicationMigrationServiceEc2InstancePolicy","AWSApplicationMigrationServiceRolePolicy","AWSApplicationMigrationSSMAccess","AWSApplicationMigrationVCenterClientPolicy","AWSAppMeshEnvoyAccess","AWSAppMeshFullAccess","AWSAppMeshPreviewEnvoyAccess","AWSAppMeshPreviewServiceRolePolicy","AWSAppMeshReadOnly","AWSAppMeshServiceRolePolicy","AWSAppRunnerFullAccess","AWSAppRunnerReadOnlyAccess","AWSAppRunnerServicePolicyForECRAccess","AWSAppSyncAdministrator","AWSAppSyncInvokeFullAccess","AWSAppSyncPushToCloudWatchLogs","AWSAppSyncSchemaAuthor","AWSAppSyncServiceRolePolicy","AWSArtifactAccountSync","AWSArtifactReportsReadOnlyAccess","AWSArtifactServiceRolePolicy","AWSAuditManagerAdministratorAccess","AWSAuditManagerServiceRolePolicy","AWSAutoScalingPlansEC2AutoScalingPolicy","AWSBackupAuditAccess","AWSBackupDataTransferAccess","AWSBackupFullAccess","AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync","AWSBackupOperatorAccess","AWSBackupOrganizationAdminAccess","AWSBackupRestoreAccessForSAPHANA","AWSBackupServiceLinkedRolePolicyForBackup","AWSBackupServiceLinkedRolePolicyForBackupTest","AWSBackupServiceRolePolicyForBackup","AWSBackupServiceRolePolicyForRestores","AWSBackupServiceRolePolicyForS3Backup","AWSBackupServiceRolePolicyForS3Restore","AWSBatchFullAccess","AWSBatchServiceEventTargetRole","AWSBatchServiceRole","AWSBCMDataExportsServiceRolePolicy","AWSBillingConductorFullAccess","AWSBillingConductorReadOnlyAccess","AWSBillingReadOnlyAccess","AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM","AWSBudgetsActionsWithAWSResourceControlAccess","AWSBudgetsReadOnlyAccess","AWSBugBustFullAccess","AWSBugBustPlayerAccess","AWSBugBustServiceRolePolicy","AWSCertificateManagerFullAccess","AWSCertificateManagerPrivateCAAuditor","AWSCertificateManagerPrivateCAFullAccess","AWSCertificateManagerPrivateCAPrivilegedUser","AWSCertificateManagerPrivateCAReadOnly","AWSCertificateManagerPrivateCAUser","AWSCertificateManagerRead
Only","AWSChatbotServiceLinkedRolePolicy","AWSCleanRoomsFullAccess","AWSCleanRoomsFullAccessNoQuerying","AWSCleanRoomsMLFullAccess","AWSCleanRoomsMLReadOnlyAccess","AWSCleanRoomsReadOnlyAccess","AWSCloud9Administrator","AWSCloud9EnvironmentMember","AWSCloud9ServiceRolePolicy","AWSCloud9SSMInstanceProfile","AWSCloud9User","AWSCloudFormationFullAccess","AWSCloudFormationReadOnlyAccess","AWSCloudFrontLogger","AWSCloudHSMFullAccess","AWSCloudHSMReadOnlyAccess","AWSCloudHSMRole","AWSCloudMapDiscoverInstanceAccess","AWSCloudMapFullAccess","AWSCloudMapReadOnlyAccess","AWSCloudMapRegisterInstanceAccess","AWSCloudShellFullAccess","AWSCloudTrail_FullAccess","AWSCloudTrail_ReadOnlyAccess","AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy","AWSCodeArtifactAdminAccess","AWSCodeArtifactReadOnlyAccess","AWSCodeBuildAdminAccess","AWSCodeBuildDeveloperAccess","AWSCodeBuildReadOnlyAccess","AWSCodeCommitFullAccess","AWSCodeCommitPowerUser","AWSCodeCommitReadOnly","AWSCodeDeployDeployerAccess","AWSCodeDeployFullAccess","AWSCodeDeployReadOnlyAccess","AWSCodeDeployRole","AWSCodeDeployRoleForCloudFormation","AWSCodeDeployRoleForECS","AWSCodeDeployRoleForECSLimited","AWSCodeDeployRoleForLambda","AWSCodeDeployRoleForLambdaLimited","AWSCodePipeline_FullAccess","AWSCodePipeline_ReadOnlyAccess","AWSCodePipelineApproverAccess","AWSCodePipelineCustomActionAccess","AWSCodeStarFullAccess","AWSCodeStarNotificationsServiceRolePolicy","AWSCodeStarServiceRole","AWSCompromisedKeyQuarantine","AWSCompromisedKeyQuarantineV2","AWSConfigMultiAccountSetupPolicy","AWSConfigRemediationServiceRolePolicy","AWSConfigRoleForOrganizations","AWSConfigRulesExecutionRole","AWSConfigServiceRolePolicy","AWSConfigUserAccess","AWSConnector","AWSControlTowerAccountServiceRolePolicy","AWSControlTowerServiceRolePolicy","AWSCostAndUsageReportAutomationPolicy","AWSDataExchangeFullAccess","AWSDataExchangeProviderFullAccess","AWSDataExchangeReadOnly","AWSDataExchangeSubscriberFullAccess","AWSDataLifecycleManagerServiceRol
e","AWSDataLifecycleManagerServiceRoleForAMIManagement","AWSDataLifecycleManagerSSMFullAccess","AWSDataPipeline_FullAccess","AWSDataPipeline_PowerUser","AWSDataSyncDiscoveryServiceRolePolicy","AWSDataSyncFullAccess","AWSDataSyncReadOnlyAccess","AWSDeadlineCloud-FleetWorker","AWSDeadlineCloud-UserAccessFarms","AWSDeadlineCloud-UserAccessFleets","AWSDeadlineCloud-UserAccessJobs","AWSDeadlineCloud-UserAccessQueues","AWSDeadlineCloud-WorkerHost","AWSDeepLensLambdaFunctionAccessPolicy","AWSDeepLensServiceRolePolicy","AWSDeepRacerAccountAdminAccess","AWSDeepRacerCloudFormationAccessPolicy","AWSDeepRacerDefaultMultiUserAccess","AWSDeepRacerFullAccess","AWSDeepRacerRoboMakerAccessPolicy","AWSDeepRacerServiceRolePolicy","AWSDenyAll","AWSDeviceFarmFullAccess","AWSDeviceFarmServiceRolePolicy","AWSDeviceFarmTestGridServiceRolePolicy","AWSDirectConnectFullAccess","AWSDirectConnectReadOnlyAccess","AWSDirectConnectServiceRolePolicy","AWSDirectoryServiceFullAccess","AWSDirectoryServiceReadOnlyAccess","AWSDiscoveryContinuousExportFirehosePolicy","AWSDMSFleetAdvisorServiceRolePolicy","AWSDMSServerlessServiceRolePolicy","AWSEC2CapacityReservationFleetRolePolicy","AWSEC2FleetServiceRolePolicy","AWSEC2SpotFleetServiceRolePolicy","AWSEC2SpotServiceRolePolicy","AWSEC2VssSnapshotPolicy","AWSECRPullThroughCache_ServiceRolePolicy","AWSElasticBeanstalkCustomPlatformforEC2Role","AWSElasticBeanstalkEnhancedHealth","AWSElasticBeanstalkMaintenance","AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy","AWSElasticBeanstalkManagedUpdatesServiceRolePolicy","AWSElasticBeanstalkMulticontainerDocker","AWSElasticBeanstalkReadOnly","AWSElasticBeanstalkRoleCore","AWSElasticBeanstalkRoleCWL","AWSElasticBeanstalkRoleECS","AWSElasticBeanstalkRoleRDS","AWSElasticBeanstalkRoleSNS","AWSElasticBeanstalkRoleWorkerTier","AWSElasticBeanstalkService","AWSElasticBeanstalkServiceRolePolicy","AWSElasticBeanstalkWebTier","AWSElasticBeanstalkWorkerTier","AWSElasticDisasterRecoveryAgentInstallationPolicy","AWSElasticDisas
terRecoveryAgentPolicy","AWSElasticDisasterRecoveryConsoleFullAccess","AWSElasticDisasterRecoveryConsoleFullAccess_v2","AWSElasticDisasterRecoveryConversionServerPolicy","AWSElasticDisasterRecoveryCrossAccountReplicationPolicy","AWSElasticDisasterRecoveryEc2InstancePolicy","AWSElasticDisasterRecoveryFailbackInstallationPolicy","AWSElasticDisasterRecoveryFailbackPolicy","AWSElasticDisasterRecoveryLaunchActionsPolicy","AWSElasticDisasterRecoveryNetworkReplicationPolicy","AWSElasticDisasterRecoveryReadOnlyAccess","AWSElasticDisasterRecoveryRecoveryInstancePolicy","AWSElasticDisasterRecoveryReplicationServerPolicy","AWSElasticDisasterRecoveryServiceRolePolicy","AWSElasticDisasterRecoveryStagingAccountPolicy","AWSElasticDisasterRecoveryStagingAccountPolicy_v2","AWSElasticLoadBalancingClassicServiceRolePolicy","AWSElasticLoadBalancingServiceRolePolicy","AWSElementalMediaConvertFullAccess","AWSElementalMediaConvertReadOnly","AWSElementalMediaLiveFullAccess","AWSElementalMediaLiveReadOnly","AWSElementalMediaPackageFullAccess","AWSElementalMediaPackageReadOnly","AWSElementalMediaPackageV2FullAccess","AWSElementalMediaPackageV2ReadOnly","AWSElementalMediaStoreFullAccess","AWSElementalMediaStoreReadOnly","AWSElementalMediaTailorFullAccess","AWSElementalMediaTailorReadOnly","AWSEnhancedClassicNetworkingMangementPolicy","AWSEntityResolutionConsoleFullAccess","AWSEntityResolutionConsoleReadOnlyAccess","AWSFaultInjectionSimulatorEC2Access","AWSFaultInjectionSimulatorECSAccess","AWSFaultInjectionSimulatorEKSAccess","AWSFaultInjectionSimulatorNetworkAccess","AWSFaultInjectionSimulatorRDSAccess","AWSFaultInjectionSimulatorSSMAccess","AWSFinSpaceServiceRolePolicy","AWSFMAdminFullAccess","AWSFMAdminReadOnlyAccess","AWSFMMemberReadOnlyAccess","AWSForWordPressPluginPolicy","AWSGitSyncServiceRolePolicy","AWSGlobalAcceleratorSLRPolicy","AWSGlueConsoleFullAccess","AWSGlueConsoleSageMakerNotebookFullAccess","AwsGlueDataBrewFullAccessPolicy","AWSGlueDataBrewServiceRole","AWSGlueSchemaRegistry
FullAccess","AWSGlueSchemaRegistryReadonlyAccess","AWSGlueServiceNotebookRole","AWSGlueServiceRole","AwsGlueSessionUserRestrictedNotebookPolicy","AwsGlueSessionUserRestrictedNotebookServiceRole","AwsGlueSessionUserRestrictedPolicy","AwsGlueSessionUserRestrictedServiceRole","AWSGrafanaAccountAdministrator","AWSGrafanaConsoleReadOnlyAccess","AWSGrafanaWorkspacePermissionManagement","AWSGrafanaWorkspacePermissionManagementV2","AWSGreengrassFullAccess","AWSGreengrassReadOnlyAccess","AWSGreengrassResourceAccessRolePolicy","AWSGroundStationAgentInstancePolicy","AWSHealth_EventProcessorServiceRolePolicy","AWSHealthFullAccess","AWSHealthImagingFullAccess","AWSHealthImagingReadOnlyAccess","AWSIAMIdentityCenterAllowListForIdentityContext","AWSIdentitySyncFullAccess","AWSIdentitySyncReadOnlyAccess","AWSImageBuilderFullAccess","AWSImageBuilderReadOnlyAccess","AWSImportExportFullAccess","AWSImportExportReadOnlyAccess","AWSIncidentManagerIncidentAccessServiceRolePolicy","AWSIncidentManagerResolverAccess","AWSIncidentManagerServiceRolePolicy","AWSIoT1ClickFullAccess","AWSIoT1ClickReadOnlyAccess","AWSIoTAnalyticsFullAccess","AWSIoTAnalyticsReadOnlyAccess","AWSIoTConfigAccess","AWSIoTConfigReadOnlyAccess","AWSIoTDataAccess","AWSIoTDeviceDefenderAddThingsToThingGroupMitigationAction","AWSIoTDeviceDefenderAudit","AWSIoTDeviceDefenderEnableIoTLoggingMitigationAction","AWSIoTDeviceDefenderPublishFindingsToSNSMitigationAction","AWSIoTDeviceDefenderReplaceDefaultPolicyMitigationAction","AWSIoTDeviceDefenderUpdateCACertMitigationAction","AWSIoTDeviceDefenderUpdateDeviceCertMitigationAction","AWSIoTDeviceTesterForFreeRTOSFullAccess","AWSIoTDeviceTesterForGreengrassFullAccess","AWSIoTEventsFullAccess","AWSIoTEventsReadOnlyAccess","AWSIoTFleetHubFederationAccess","AWSIoTFleetwiseServiceRolePolicy","AWSIoTFullAccess","AWSIoTLogging","AWSIoTOTAUpdate","AWSIoTRuleActions","AWSIoTSiteWiseConsoleFullAccess","AWSIoTSiteWiseFullAccess","AWSIoTSiteWiseMonitorPortalAccess","AWSIoTSiteWiseMonitorServic
eRolePolicy","AWSIoTSiteWiseReadOnlyAccess","AWSIoTThingsRegistration","AWSIoTTwinMakerServiceRolePolicy","AWSIoTWirelessDataAccess","AWSIoTWirelessFullAccess","AWSIoTWirelessFullPublishAccess","AWSIoTWirelessGatewayCertManager","AWSIoTWirelessLogging","AWSIoTWirelessReadOnlyAccess","AWSIPAMServiceRolePolicy","AWSIQContractServiceRolePolicy","AWSIQFullAccess","AWSIQPermissionServiceRolePolicy","AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy","AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy","AWSKeyManagementServicePowerUser","AWSLakeFormationCrossAccountManager","AWSLakeFormationDataAdmin","AWSLambda_FullAccess","AWSLambda_ReadOnlyAccess","AWSLambdaBasicExecutionRole","AWSLambdaDynamoDBExecutionRole","AWSLambdaENIManagementAccess","AWSLambdaExecute","AWSLambdaInvocation-DynamoDB","AWSLambdaKinesisExecutionRole","AWSLambdaMSKExecutionRole","AWSLambdaReplicator","AWSLambdaRole","AWSLambdaSQSQueueExecutionRole","AWSLambdaVPCAccessExecutionRole","AWSLicenseManagerConsumptionPolicy","AWSLicenseManagerLinuxSubscriptionsServiceRolePolicy","AWSLicenseManagerMasterAccountRolePolicy","AWSLicenseManagerMemberAccountRolePolicy","AWSLicenseManagerServiceRolePolicy","AWSLicenseManagerUserSubscriptionsServiceRolePolicy","AWSM2ServicePolicy","AWSManagedServices_ContactsServiceRolePolicy","AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy","AWSManagedServices_EventsServiceRolePolicy","AWSManagedServicesDeploymentToolkitPolicy","AWSMarketplaceAmiIngestion","AWSMarketplaceDeploymentServiceRolePolicy","AWSMarketplaceFullAccess","AWSMarketplaceGetEntitlements","AWSMarketplaceImageBuildFullAccess","AWSMarketplaceLicenseManagementServiceRolePolicy","AWSMarketplaceManageSubscriptions","AWSMarketplaceMeteringFullAccess","AWSMarketplaceMeteringRegisterUsage","AWSMarketplaceProcurementSystemAdminFullAccess","AWSMarketplacePurchaseOrdersServiceRolePolicy","AWSMarketplaceRead-only","AWSMarketplaceResaleAuthorizationServiceRolePolicy","AWSMarketplaceSellerFullAccess",
"AWSMarketplaceSellerProductsFullAccess","AWSMarketplaceSellerProductsReadOnly","AWSMediaConnectServicePolicy","AWSMediaTailorServiceRolePolicy","AWSMigrationHubDiscoveryAccess","AWSMigrationHubDMSAccess","AWSMigrationHubFullAccess","AWSMigrationHubOrchestratorConsoleFullAccess","AWSMigrationHubOrchestratorInstanceRolePolicy","AWSMigrationHubOrchestratorPlugin","AWSMigrationHubOrchestratorServiceRolePolicy","AWSMigrationHubRefactorSpaces-EnvironmentsWithoutBridgesFullAccess","AWSMigrationHubRefactorSpaces-SSMAutomationPolicy","AWSMigrationHubRefactorSpacesFullAccess","AWSMigrationHubRefactorSpacesServiceRolePolicy","AWSMigrationHubSMSAccess","AWSMigrationHubStrategyCollector","AWSMigrationHubStrategyConsoleFullAccess","AWSMigrationHubStrategyServiceRolePolicy","AWSMSKReplicatorExecutionRole","AWSNetworkFirewallServiceRolePolicy","AWSNetworkManagerCloudWANServiceRolePolicy","AWSNetworkManagerFullAccess","AWSNetworkManagerReadOnlyAccess","AWSNetworkManagerServiceRolePolicy","AWSOpsWorks_FullAccess","AWSOpsWorksCloudWatchLogs","AWSOpsWorksCMInstanceProfileRole","AWSOpsWorksCMServiceRole","AWSOpsWorksInstanceRegistration","AWSOpsWorksRegisterCLI_EC2","AWSOpsWorksRegisterCLI_OnPremises","AWSOrganizationsFullAccess","AWSOrganizationsReadOnlyAccess","AWSOrganizationsServiceTrustPolicy","AWSOutpostsAuthorizeServerPolicy","AWSOutpostsServiceRolePolicy","AWSPanoramaApplianceRolePolicy","AWSPanoramaApplianceServiceRolePolicy","AWSPanoramaFullAccess","AWSPanoramaGreengrassGroupRolePolicy","AWSPanoramaSageMakerRolePolicy","AWSPanoramaServiceLinkedRolePolicy","AWSPanoramaServiceRolePolicy","AWSPriceListServiceFullAccess","AWSPrivateCAAuditor","AWSPrivateCAFullAccess","AWSPrivateCAPrivilegedUser","AWSPrivateCAReadOnly","AWSPrivateCAUser","AWSPrivateMarketplaceAdminFullAccess","AWSPrivateMarketplaceRequests","AWSPrivateNetworksServiceRolePolicy","AWSProtonCodeBuildProvisioningBasicAccess","AWSProtonCodeBuildProvisioningServiceRolePolicy","AWSProtonDeveloperAccess","AWSProtonFullAcc
ess","AWSProtonReadOnlyAccess","AWSProtonServiceGitSyncServiceRolePolicy","AWSProtonSyncServiceRolePolicy","AWSPurchaseOrdersServiceRolePolicy","AWSQuickSetupCFGCPacksPermissionsBoundary","AWSQuickSetupDeploymentRolePolicy","AWSQuickSetupDevOpsGuruPermissionsBoundary","AWSQuickSetupDistributorPermissionsBoundary","AWSQuickSetupPatchPolicyBaselineAccess","AWSQuickSetupPatchPolicyDeploymentRolePolicy","AWSQuickSetupPatchPolicyPermissionsBoundary","AWSQuickSetupSchedulerPermissionsBoundary","AWSQuickSetupSSMHostMgmtPermissionsBoundary","AWSQuickSightAssetBundleExportPolicy","AWSQuickSightAssetBundleImportPolicy","AWSQuicksightAthenaAccess","AWSQuickSightDescribeRDS","AWSQuickSightDescribeRedshift","AWSQuickSightElasticsearchPolicy","AWSQuickSightIoTAnalyticsAccess","AWSQuickSightListIAM","AWSQuicksightOpenSearchPolicy","AWSQuickSightSageMakerPolicy","AWSQuickSightTimestreamPolicy","AWSReachabilityAnalyzerServiceRolePolicy","AWSRefactoringToolkitFullAccess","AWSRefactoringToolkitSidecarPolicy","AWSrePostPrivateCloudWatchAccess","AWSRepostSpaceSupportOperationsPolicy","AWSResilienceHubAsssessmentExecutionPolicy","AWSResourceAccessManagerFullAccess","AWSResourceAccessManagerReadOnlyAccess","AWSResourceAccessManagerResourceShareParticipantAccess","AWSResourceAccessManagerServiceRolePolicy","AWSResourceExplorerFullAccess","AWSResourceExplorerOrganizationsAccess","AWSResourceExplorerReadOnlyAccess","AWSResourceExplorerServiceRolePolicy","AWSResourceGroupsReadOnlyAccess","AWSRoboMaker_FullAccess","AWSRoboMakerReadOnlyAccess","AWSRoboMakerServicePolicy","AWSRoboMakerServiceRolePolicy","AWSRolesAnywhereServicePolicy","AWSS3OnOutpostsServiceRolePolicy","AWSSavingsPlansFullAccess","AWSSavingsPlansReadOnlyAccess","AWSSecurityHubFullAccess","AWSSecurityHubOrganizationsAccess","AWSSecurityHubReadOnlyAccess","AWSSecurityHubServiceRolePolicy","AWSServiceCatalogAdminFullAccess","AWSServiceCatalogAdminReadOnlyAccess","AWSServiceCatalogAppRegistryFullAccess","AWSServiceCatalogAppRegistry
ReadOnlyAccess","AWSServiceCatalogAppRegistryServiceRolePolicy","AWSServiceCatalogEndUserFullAccess","AWSServiceCatalogEndUserReadOnlyAccess","AWSServiceCatalogOrgsDataSyncServiceRolePolicy","AWSServiceCatalogSyncServiceRolePolicy","AWSServiceRoleForAmazonEKSNodegroup","AWSServiceRoleForAmazonQDeveloper","AWSServiceRoleForCloudWatchAlarmsActionSSMServiceRolePolicy","AWSServiceRoleForCloudWatchMetrics_DbPerfInsightsServiceRolePolicy","AWSServiceRoleForCodeGuru-Profiler","AWSServiceRoleForCodeWhispererPolicy","AWSServiceRoleForEC2ScheduledInstances","AWSServiceRoleForGroundStationDataflowEndpointGroupPolicy","AWSServiceRoleForImageBuilder","AWSServiceRoleForIoTSiteWise","AWSServiceRoleForLogDeliveryPolicy","AWSServiceRoleForMonitronPolicy","AWSServiceRoleForNeptuneGraphPolicy","AWSServiceRoleForPrivateMarketplaceAdminPolicy","AWSServiceRoleForSMS","AWSServiceRoleForUserSubscriptions","AWSServiceRolePolicyForBackupReports","AWSServiceRolePolicyForBackupRestoreTesting","AWSShieldDRTAccessPolicy","AWSShieldServiceRolePolicy","AWSSSMForSAPServiceLinkedRolePolicy","AWSSSMOpsInsightsServiceRolePolicy","AWSSSODirectoryAdministrator","AWSSSODirectoryReadOnly","AWSSSOMasterAccountAdministrator","AWSSSOMemberAccountAdministrator","AWSSSOReadOnly","AWSSSOServiceRolePolicy","AWSStepFunctionsConsoleFullAccess","AWSStepFunctionsFullAccess","AWSStepFunctionsReadOnlyAccess","AWSStorageGatewayFullAccess","AWSStorageGatewayReadOnlyAccess","AWSStorageGatewayServiceRolePolicy","AWSSupplyChainFederationAdminAccess","AWSSupportAccess","AWSSupportAppFullAccess","AWSSupportAppReadOnlyAccess","AWSSupportPlansFullAccess","AWSSupportPlansReadOnlyAccess","AWSSupportServiceRolePolicy","AWSSystemsManagerAccountDiscoveryServicePolicy","AWSSystemsManagerChangeManagementServicePolicy","AWSSystemsManagerEnableConfigRecordingExecutionPolicy","AWSSystemsManagerEnableExplorerExecutionPolicy","AWSSystemsManagerForSAPFullAccess","AWSSystemsManagerForSAPReadOnlyAccess","AWSSystemsManagerOpsDataSyncServiceRo
lePolicy","AWSThinkboxAssetServerPolicy","AWSThinkboxAWSPortalAdminPolicy","AWSThinkboxAWSPortalGatewayPolicy","AWSThinkboxAWSPortalWorkerPolicy","AWSThinkboxDeadlineResourceTrackerAccessPolicy","AWSThinkboxDeadlineResourceTrackerAdminPolicy","AWSThinkboxDeadlineSpotEventPluginAdminPolicy","AWSThinkboxDeadlineSpotEventPluginWorkerPolicy","AWSTransferConsoleFullAccess","AWSTransferFullAccess","AWSTransferLoggingAccess","AWSTransferReadOnlyAccess","AWSTrustedAdvisorPriorityFullAccess","AWSTrustedAdvisorPriorityReadOnlyAccess","AWSTrustedAdvisorReportingServiceRolePolicy","AWSTrustedAdvisorServiceRolePolicy","AWSUserNotificationsServiceLinkedRolePolicy","AWSVendorInsightsAssessorFullAccess","AWSVendorInsightsAssessorReadOnly","AWSVendorInsightsVendorFullAccess","AWSVendorInsightsVendorReadOnly","AWSVpcLatticeServiceRolePolicy","AWSVPCS2SVpnServiceRolePolicy","AWSVPCTransitGatewayServiceRolePolicy","AWSVPCVerifiedAccessServiceRolePolicy","AWSWAFConsoleFullAccess","AWSWAFConsoleReadOnlyAccess","AWSWAFFullAccess","AWSWAFReadOnlyAccess","AWSWellArchitectedDiscoveryServiceRolePolicy","AWSWellArchitectedOrganizationsServiceRolePolicy","AWSWickrFullAccess","AWSXrayCrossAccountSharingConfiguration","AWSXRayDaemonWriteAccess","AWSXrayFullAccess","AWSXrayReadOnlyAccess","AWSXrayWriteOnlyAccess","AWSZonalAutoshiftPracticeRunSLRPolicy","BatchServiceRolePolicy","Billing","CertificateManagerServiceRolePolicy","ClientVPNServiceConnectionsRolePolicy","ClientVPNServiceRolePolicy","CloudFormationStackSetsOrgAdminServiceRolePolicy","CloudFormationStackSetsOrgMemberServiceRolePolicy","CloudFrontFullAccess","CloudFrontReadOnlyAccess","CloudHSMServiceRolePolicy","CloudSearchFullAccess","CloudSearchReadOnlyAccess","CloudTrailServiceRolePolicy","CloudWatch-CrossAccountAccess","CloudWatchActionsEC2Access","CloudWatchAgentAdminPolicy","CloudWatchAgentServerPolicy","CloudWatchApplicationInsightsFullAccess","CloudWatchApplicationInsightsReadOnlyAccess","CloudwatchApplicationInsightsServiceLinkedR
olePolicy","CloudWatchApplicationSignalsFullAccess","CloudWatchApplicationSignalsReadOnlyAccess","CloudWatchApplicationSignalsServiceRolePolicy","CloudWatchAutomaticDashboardsAccess","CloudWatchCrossAccountSharingConfiguration","CloudWatchEventsBuiltInTargetExecutionAccess","CloudWatchEventsFullAccess","CloudWatchEventsInvocationAccess","CloudWatchEventsReadOnlyAccess","CloudWatchEventsServiceRolePolicy","CloudWatchFullAccess","CloudWatchFullAccessV2","CloudWatchInternetMonitorServiceRolePolicy","CloudWatchLambdaInsightsExecutionRolePolicy","CloudWatchLogsCrossAccountSharingConfiguration","CloudWatchLogsFullAccess","CloudWatchLogsReadOnlyAccess","CloudWatchNetworkMonitorServiceRolePolicy","CloudWatchReadOnlyAccess","CloudWatchSyntheticsFullAccess","CloudWatchSyntheticsReadOnlyAccess","ComprehendDataAccessRolePolicy","ComprehendFullAccess","ComprehendMedicalFullAccess","ComprehendReadOnly","ComputeOptimizerReadOnlyAccess","ComputeOptimizerServiceRolePolicy","ConfigConformsServiceRolePolicy","CostOptimizationHubAdminAccess","CostOptimizationHubReadOnlyAccess","CostOptimizationHubServiceRolePolicy","CustomerProfilesServiceLinkedRolePolicy","DatabaseAdministrator","DataScientist","DAXServiceRolePolicy","DynamoDBCloudWatchContributorInsightsServiceRolePolicy","DynamoDBKinesisReplicationServiceRolePolicy","DynamoDBReplicationServiceRolePolicy","EC2FastLaunchFullAccess","EC2FastLaunchServiceRolePolicy","EC2FleetTimeShiftableServiceRolePolicy","Ec2ImageBuilderCrossAccountDistributionAccess","EC2ImageBuilderLifecycleExecutionPolicy","EC2InstanceConnect","Ec2InstanceConnectEndpoint","EC2InstanceProfileForImageBuilder","EC2InstanceProfileForImageBuilderECRContainerBuilds","ECRReplicationServiceRolePolicy","ECRTemplateServiceRolePolicy","ElastiCacheServiceRolePolicy","ElasticLoadBalancingFullAccess","ElasticLoadBalancingReadOnly","ElementalActivationsDownloadSoftwareAccess","ElementalActivationsFullAccess","ElementalActivationsGenerateLicenses","ElementalActivationsReadOnlyAcce
ss","ElementalAppliancesSoftwareFullAccess","ElementalAppliancesSoftwareReadOnlyAccess","ElementalSupportCenterFullAccess","EMRDescribeClusterPolicyForEMRWAL","FMSServiceRolePolicy","FSxDeleteServiceLinkedRoleAccess","GameLiftGameServerGroupPolicy","GlobalAcceleratorFullAccess","GlobalAcceleratorReadOnlyAccess","GreengrassOTAUpdateArtifactAccess","GroundTruthSyntheticConsoleFullAccess","GroundTruthSyntheticConsoleReadOnlyAccess","Health_OrganizationsServiceRolePolicy","IAMAccessAdvisorReadOnly","IAMAccessAnalyzerFullAccess","IAMAccessAnalyzerReadOnlyAccess","IAMFullAccess","IAMReadOnlyAccess","IAMSelfManageServiceSpecificCredentials","IAMUserChangePassword","IAMUserSSHKeys","IVSFullAccess","IVSReadOnlyAccess","IVSRecordToS3","KafkaConnectServiceRolePolicy","KafkaServiceRolePolicy","KeyspacesReplicationServiceRolePolicy","LakeFormationDataAccessServiceRolePolicy","LexBotPolicy","LexChannelPolicy","LightsailExportAccess","MediaConnectGatewayInstanceRolePolicy","MediaPackageServiceRolePolicy","MemoryDBServiceRolePolicy","MigrationHubDMSAccessServiceRolePolicy","MigrationHubServiceRolePolicy","MigrationHubSMSAccessServiceRolePolicy","MonitronServiceRolePolicy","NeptuneConsoleFullAccess","NeptuneFullAccess","NeptuneGraphReadOnlyAccess","NeptuneReadOnlyAccess","NetworkAdministrator","OAMFullAccess","OAMReadOnlyAccess","OpensearchIngestionSelfManagedVpcePolicy","PartnerCentralAccountManagementUserRoleAssociation","PowerUserAccess","QBusinessServiceRolePolicy","QuickSightAccessForS3StorageManagementAnalyticsReadOnly","RDSCloudHsmAuthorizationRole","ReadOnlyAccess","ResourceGroupsandTagEditorFullAccess","ResourceGroupsandTagEditorReadOnlyAccess","ResourceGroupsServiceRolePolicy","ROSAAmazonEBSCSIDriverOperatorPolicy","ROSACloudNetworkConfigOperatorPolicy","ROSAControlPlaneOperatorPolicy","ROSAImageRegistryOperatorPolicy","ROSAIngressOperatorPolicy","ROSAInstallerPolicy","ROSAKMSProviderPolicy","ROSAKubeControllerPolicy","ROSAManageSubscription","ROSANodePoolManagementPolicy"
,"ROSASRESupportPolicy","ROSAWorkerInstancePolicy","Route53RecoveryReadinessServiceRolePolicy","Route53ResolverServiceRolePolicy","S3StorageLensServiceRolePolicy","SecretsManagerReadWrite","SecurityAudit","SecurityLakeServiceLinkedRole","ServerMigration_ServiceRole","ServerMigrationConnector","ServerMigrationServiceConsoleFullAccess","ServerMigrationServiceLaunchRole","ServerMigrationServiceRoleForInstanceValidation","ServiceQuotasFullAccess","ServiceQuotasReadOnlyAccess","ServiceQuotasServiceRolePolicy","SimpleWorkflowFullAccess","SplitCostAllocationDataServiceRolePolicy","SSMQuickSetupRolePolicy","SupportUser","SystemAdministrator","TranslateFullAccess","TranslateReadOnly","ViewOnlyAccess","VMImportExportRoleForAWSConnector","VPCLatticeFullAccess","VPCLatticeReadOnlyAccess","VPCLatticeServicesInvokeAccess","WAFLoggingServiceRolePolicy","WAFRegionalLoggingServiceRolePolicy","WAFV2LoggingServiceRolePolicy","WellArchitectedConsoleFullAccess","WellArchitectedConsoleReadOnlyAccess","WorkLinkServiceRolePolicy"] \ No newline at end of file 
+["AccessAnalyzerServiceRolePolicy","AdministratorAccess","AdministratorAccess-Amplify","AdministratorAccess-AWSElasticBeanstalk","AlexaForBusinessDeviceSetup","AlexaForBusinessFullAccess","AlexaForBusinessGatewayExecution","AlexaForBusinessLifesizeDelegatedAccessPolicy","AlexaForBusinessNetworkProfileServicePolicy","AlexaForBusinessPolyDelegatedAccessPolicy","AlexaForBusinessReadOnlyAccess","AmazonAPIGatewayAdministrator","AmazonAPIGatewayInvokeFullAccess","AmazonAPIGatewayPushToCloudWatchLogs","AmazonAppFlowFullAccess","AmazonAppFlowReadOnlyAccess","AmazonAppStreamFullAccess","AmazonAppStreamPCAAccess","AmazonAppStreamReadOnlyAccess","AmazonAppStreamServiceAccess","AmazonAthenaFullAccess","AmazonAugmentedAIFullAccess","AmazonAugmentedAIHumanLoopFullAccess","AmazonAugmentedAIIntegratedAPIAccess","AmazonBedrockFullAccess","AmazonBedrockReadOnly","AmazonBedrockStudioPermissionsBoundary","AmazonBraketFullAccess","AmazonBraketJobsExecutionPolicy","AmazonBraketServiceRolePolicy","AmazonChimeFullAccess","AmazonChimeReadOnly","AmazonChimeSDK","AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy","AmazonChimeSDKMessagingServiceRolePolicy","AmazonChimeServiceRolePolicy","AmazonChimeTranscriptionServiceLinkedRolePolicy","AmazonChimeUserManagement","AmazonChimeVoiceConnectorServiceLinkedRolePolicy","AmazonCloudDirectoryFullAccess","AmazonCloudDirectoryReadOnlyAccess","AmazonCloudWatchEvidentlyFullAccess","AmazonCloudWatchEvidentlyReadOnlyAccess","AmazonCloudWatchEvidentlyServiceRolePolicy","AmazonCloudWatchRUMFullAccess","AmazonCloudWatchRUMReadOnlyAccess","AmazonCloudWatchRUMServiceRolePolicy","AmazonCodeCatalystFullAccess","AmazonCodeCatalystReadOnlyAccess","AmazonCodeCatalystSupportAccess","AmazonCodeGuruProfilerAgentAccess","AmazonCodeGuruProfilerFullAccess","AmazonCodeGuruProfilerReadOnlyAccess","AmazonCodeGuruReviewerFullAccess","AmazonCodeGuruReviewerReadOnlyAccess","AmazonCodeGuruReviewerServiceRolePolicy","AmazonCodeGuruSecurityFullAccess","AmazonCodeGuruSecurityScan
Access","AmazonCognitoDeveloperAuthenticatedIdentities","AmazonCognitoIdpEmailServiceRolePolicy","AmazonCognitoIdpServiceRolePolicy","AmazonCognitoPowerUser","AmazonCognitoReadOnly","AmazonCognitoUnAuthedIdentitiesSessionPolicy","AmazonCognitoUnauthenticatedIdentities","AmazonConnect_FullAccess","AmazonConnectCampaignsServiceLinkedRolePolicy","AmazonConnectReadOnlyAccess","AmazonConnectServiceLinkedRolePolicy","AmazonConnectSynchronizationServiceRolePolicy","AmazonConnectVoiceIDFullAccess","AmazonDataZoneBedrockModelConsumptionPolicy","AmazonDataZoneBedrockModelManagementPolicy","AmazonDataZoneDomainExecutionRolePolicy","AmazonDataZoneEnvironmentRolePermissionsBoundary","AmazonDataZoneFullAccess","AmazonDataZoneFullUserAccess","AmazonDataZoneGlueManageAccessRolePolicy","AmazonDataZoneRedshiftGlueProvisioningPolicy","AmazonDataZoneRedshiftManageAccessRolePolicy","AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary","AmazonDataZoneSageMakerManageAccessRolePolicy","AmazonDataZoneSageMakerProvisioningRolePolicy","AmazonDetectiveFullAccess","AmazonDetectiveInvestigatorAccess","AmazonDetectiveMemberAccess","AmazonDetectiveOrganizationsAccess","AmazonDetectiveServiceLinkedRolePolicy","AmazonDevOpsGuruConsoleFullAccess","AmazonDevOpsGuruFullAccess","AmazonDevOpsGuruOrganizationsAccess","AmazonDevOpsGuruReadOnlyAccess","AmazonDevOpsGuruServiceRolePolicy","AmazonDMSCloudWatchLogsRole","AmazonDMSRedshiftS3Role","AmazonDMSVPCManagementRole","AmazonDocDB-ElasticServiceRolePolicy","AmazonDocDBConsoleFullAccess","AmazonDocDBElasticFullAccess","AmazonDocDBElasticReadOnlyAccess","AmazonDocDBFullAccess","AmazonDocDBReadOnlyAccess","AmazonDRSVPCManagement","AmazonDynamoDBFullAccess","AmazonDynamoDBFullAccesswithDataPipeline","AmazonDynamoDBReadOnlyAccess","AmazonEBSCSIDriverPolicy","AmazonEC2ContainerRegistryFullAccess","AmazonEC2ContainerRegistryPowerUser","AmazonEC2ContainerRegistryPullOnly","AmazonEC2ContainerRegistryReadOnly","AmazonEC2ContainerServiceAutoscaleRole","AmazonE
C2ContainerServiceEventsRole","AmazonEC2ContainerServiceforEC2Role","AmazonEC2ContainerServiceRole","AmazonEC2FullAccess","AmazonEC2ReadOnlyAccess","AmazonEC2RoleforAWSCodeDeploy","AmazonEC2RoleforAWSCodeDeployLimited","AmazonEC2RoleforDataPipelineRole","AmazonEC2RoleforSSM","AmazonEC2RolePolicyForLaunchWizard","AmazonEC2SpotFleetAutoscaleRole","AmazonEC2SpotFleetTaggingRole","AmazonECS_FullAccess","AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity","AmazonECSInfrastructureRolePolicyForVolumes","AmazonECSServiceRolePolicy","AmazonECSTaskExecutionRolePolicy","AmazonEFSCSIDriverPolicy","AmazonEKS_CNI_Policy","AmazonEKSBlockStoragePolicy","AmazonEKSClusterPolicy","AmazonEKSComputePolicy","AmazonEKSConnectorServiceRolePolicy","AmazonEKSFargatePodExecutionRolePolicy","AmazonEKSForFargateServiceRolePolicy","AmazonEKSLoadBalancingPolicy","AmazonEKSLocalOutpostClusterPolicy","AmazonEKSLocalOutpostServiceRolePolicy","AmazonEKSNetworkingPolicy","AmazonEKSServicePolicy","AmazonEKSServiceRolePolicy","AmazonEKSVPCResourceController","AmazonEKSWorkerNodeMinimalPolicy","AmazonEKSWorkerNodePolicy","AmazonElastiCacheFullAccess","AmazonElastiCacheReadOnlyAccess","AmazonElasticContainerRegistryPublicFullAccess","AmazonElasticContainerRegistryPublicPowerUser","AmazonElasticContainerRegistryPublicReadOnly","AmazonElasticFileSystemClientFullAccess","AmazonElasticFileSystemClientReadOnlyAccess","AmazonElasticFileSystemClientReadWriteAccess","AmazonElasticFileSystemFullAccess","AmazonElasticFileSystemReadOnlyAccess","AmazonElasticFileSystemServiceRolePolicy","AmazonElasticFileSystemsUtils","AmazonElasticMapReduceEditorsRole","AmazonElasticMapReduceforAutoScalingRole","AmazonElasticMapReduceforEC2Role","AmazonElasticMapReduceFullAccess","AmazonElasticMapReducePlacementGroupPolicy","AmazonElasticMapReduceReadOnlyAccess","AmazonElasticMapReduceRole","AmazonElasticsearchServiceRolePolicy","AmazonElasticTranscoder_FullAccess","AmazonElasticTranscoder_JobsSubmitter","Amazo
nElasticTranscoder_ReadOnlyAccess","AmazonElasticTranscoderRole","AmazonEMRCleanupPolicy","AmazonEMRContainersServiceRolePolicy","AmazonEMRFullAccessPolicy_v2","AmazonEMRReadOnlyAccessPolicy_v2","AmazonEMRServerlessServiceRolePolicy","AmazonEMRServicePolicy_v2","AmazonESCognitoAccess","AmazonESFullAccess","AmazonESReadOnlyAccess","AmazonEventBridgeApiDestinationsServiceRolePolicy","AmazonEventBridgeFullAccess","AmazonEventBridgePipesFullAccess","AmazonEventBridgePipesOperatorAccess","AmazonEventBridgePipesReadOnlyAccess","AmazonEventBridgeReadOnlyAccess","AmazonEventBridgeSchedulerFullAccess","AmazonEventBridgeSchedulerReadOnlyAccess","AmazonEventBridgeSchemasFullAccess","AmazonEventBridgeSchemasReadOnlyAccess","AmazonEventBridgeSchemasServiceRolePolicy","AmazonFISServiceRolePolicy","AmazonForecastFullAccess","AmazonFraudDetectorFullAccessPolicy","AmazonFreeRTOSFullAccess","AmazonFreeRTOSOTAUpdate","AmazonFSxConsoleFullAccess","AmazonFSxConsoleReadOnlyAccess","AmazonFSxFullAccess","AmazonFSxReadOnlyAccess","AmazonFSxServiceRolePolicy","AmazonGlacierFullAccess","AmazonGlacierReadOnlyAccess","AmazonGrafanaAthenaAccess","AmazonGrafanaCloudWatchAccess","AmazonGrafanaRedshiftAccess","AmazonGrafanaServiceLinkedRolePolicy","AmazonGuardDutyFullAccess","AmazonGuardDutyMalwareProtectionServiceRolePolicy","AmazonGuardDutyReadOnlyAccess","AmazonGuardDutyServiceRolePolicy","AmazonHealthLakeFullAccess","AmazonHealthLakeReadOnlyAccess","AmazonHoneycodeFullAccess","AmazonHoneycodeReadOnlyAccess","AmazonHoneycodeServiceRolePolicy","AmazonHoneycodeTeamAssociationFullAccess","AmazonHoneycodeTeamAssociationReadOnlyAccess","AmazonHoneycodeWorkbookFullAccess","AmazonHoneycodeWorkbookReadOnlyAccess","AmazonInspector2AgentlessServiceRolePolicy","AmazonInspector2FullAccess","AmazonInspector2ManagedCisPolicy","AmazonInspector2ReadOnlyAccess","AmazonInspector2ServiceRolePolicy","AmazonInspectorFullAccess","AmazonInspectorReadOnlyAccess","AmazonInspectorServiceRolePolicy","AmazonKendraFullAcce
ss","AmazonKendraReadOnlyAccess","AmazonKeyspacesFullAccess","AmazonKeyspacesReadOnlyAccess","AmazonKeyspacesReadOnlyAccess_v2","AmazonKinesisAnalyticsFullAccess","AmazonKinesisAnalyticsReadOnly","AmazonKinesisFirehoseFullAccess","AmazonKinesisFirehoseReadOnlyAccess","AmazonKinesisFullAccess","AmazonKinesisReadOnlyAccess","AmazonKinesisVideoStreamsFullAccess","AmazonKinesisVideoStreamsReadOnlyAccess","AmazonLaunchWizardFullAccessV2","AmazonLexChannelsAccess","AmazonLexFullAccess","AmazonLexReadOnly","AmazonLexReplicationPolicy","AmazonLexRunBotsOnly","AmazonLexV2BotPolicy","AmazonLookoutEquipmentFullAccess","AmazonLookoutEquipmentReadOnlyAccess","AmazonLookoutMetricsFullAccess","AmazonLookoutMetricsReadOnlyAccess","AmazonLookoutVisionConsoleFullAccess","AmazonLookoutVisionConsoleReadOnlyAccess","AmazonLookoutVisionFullAccess","AmazonLookoutVisionReadOnlyAccess","AmazonMachineLearningBatchPredictionsAccess","AmazonMachineLearningCreateOnlyAccess","AmazonMachineLearningFullAccess","AmazonMachineLearningManageRealTimeEndpointOnlyAccess","AmazonMachineLearningReadOnlyAccess","AmazonMachineLearningRealTimePredictionOnlyAccess","AmazonMachineLearningRoleforRedshiftDataSourceV3","AmazonMacieFullAccess","AmazonMacieHandshakeRole","AmazonMacieReadOnlyAccess","AmazonMacieServiceRole","AmazonMacieServiceRolePolicy","AmazonManagedBlockchainConsoleFullAccess","AmazonManagedBlockchainFullAccess","AmazonManagedBlockchainReadOnlyAccess","AmazonManagedBlockchainServiceRolePolicy","AmazonMCSFullAccess","AmazonMCSReadOnlyAccess","AmazonMechanicalTurkFullAccess","AmazonMechanicalTurkReadOnly","AmazonMemoryDBFullAccess","AmazonMemoryDBReadOnlyAccess","AmazonMobileAnalyticsFinancialReportAccess","AmazonMobileAnalyticsFullAccess","AmazonMobileAnalyticsNon-financialReportAccess","AmazonMobileAnalyticsWriteOnlyAccess","AmazonMonitronFullAccess","AmazonMQApiFullAccess","AmazonMQApiReadOnlyAccess","AmazonMQFullAccess","AmazonMQReadOnlyAccess","AmazonMQServiceRolePolicy","AmazonMSKConnectReadO
nlyAccess","AmazonMSKFullAccess","AmazonMSKReadOnlyAccess","AmazonMWAAServiceRolePolicy","AmazonNimbleStudio-LaunchProfileWorker","AmazonNimbleStudio-StudioAdmin","AmazonNimbleStudio-StudioUser","AmazonODBServiceRolePolicy","AmazonOmicsFullAccess","AmazonOmicsReadOnlyAccess","AmazonOneEnterpriseFullAccess","AmazonOneEnterpriseInstallerAccess","AmazonOneEnterpriseReadOnlyAccess","AmazonOpenSearchDashboardsServiceRolePolicy","AmazonOpenSearchDirectQueryGlueCreateAccess","AmazonOpenSearchIngestionFullAccess","AmazonOpenSearchIngestionReadOnlyAccess","AmazonOpenSearchIngestionServiceRolePolicy","AmazonOpenSearchServerlessServiceRolePolicy","AmazonOpenSearchServiceCognitoAccess","AmazonOpenSearchServiceFullAccess","AmazonOpenSearchServiceReadOnlyAccess","AmazonOpenSearchServiceRolePolicy","AmazonPersonalizeFullAccess","AmazonPollyFullAccess","AmazonPollyReadOnlyAccess","AmazonPrometheusConsoleFullAccess","AmazonPrometheusFullAccess","AmazonPrometheusQueryAccess","AmazonPrometheusRemoteWriteAccess","AmazonPrometheusScraperServiceRolePolicy","AmazonQDeveloperAccess","AmazonQFullAccess","AmazonQLDBConsoleFullAccess","AmazonQLDBFullAccess","AmazonQLDBReadOnly","AmazonRDSBetaServiceRolePolicy","AmazonRDSCustomInstanceProfileRolePolicy","AmazonRDSCustomPreviewServiceRolePolicy","AmazonRDSCustomServiceRolePolicy","AmazonRDSDataFullAccess","AmazonRDSDirectoryServiceAccess","AmazonRDSEnhancedMonitoringRole","AmazonRDSFullAccess","AmazonRDSPerformanceInsightsFullAccess","AmazonRDSPerformanceInsightsReadOnly","AmazonRDSPreviewServiceRolePolicy","AmazonRDSReadOnlyAccess","AmazonRDSServiceRolePolicy","AmazonRedshiftAllCommandsFullAccess","AmazonRedshiftDataFullAccess","AmazonRedshiftFullAccess","AmazonRedshiftQueryEditor","AmazonRedshiftQueryEditorV2FullAccess","AmazonRedshiftQueryEditorV2NoSharing","AmazonRedshiftQueryEditorV2ReadSharing","AmazonRedshiftQueryEditorV2ReadWriteSharing","AmazonRedshiftReadOnlyAccess","AmazonRedshiftServiceLinkedRolePolicy","AmazonRekognitionCustomLabel
sFullAccess","AmazonRekognitionFullAccess","AmazonRekognitionReadOnlyAccess","AmazonRekognitionServiceRole","AmazonRoute53AutoNamingFullAccess","AmazonRoute53AutoNamingReadOnlyAccess","AmazonRoute53AutoNamingRegistrantAccess","AmazonRoute53DomainsFullAccess","AmazonRoute53DomainsReadOnlyAccess","AmazonRoute53FullAccess","AmazonRoute53ProfilesFullAccess","AmazonRoute53ProfilesReadOnlyAccess","AmazonRoute53ReadOnlyAccess","AmazonRoute53RecoveryClusterFullAccess","AmazonRoute53RecoveryClusterReadOnlyAccess","AmazonRoute53RecoveryControlConfigFullAccess","AmazonRoute53RecoveryControlConfigReadOnlyAccess","AmazonRoute53RecoveryReadinessFullAccess","AmazonRoute53RecoveryReadinessReadOnlyAccess","AmazonRoute53ResolverFullAccess","AmazonRoute53ResolverReadOnlyAccess","AmazonS3FullAccess","AmazonS3ObjectLambdaExecutionRolePolicy","AmazonS3OutpostsFullAccess","AmazonS3OutpostsReadOnlyAccess","AmazonS3ReadOnlyAccess","AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy","AmazonSageMakerCanvasAIServicesAccess","AmazonSageMakerCanvasBedrockAccess","AmazonSageMakerCanvasDataPrepFullAccess","AmazonSageMakerCanvasDirectDeployAccess","AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy","AmazonSageMakerCanvasForecastAccess","AmazonSageMakerCanvasFullAccess","AmazonSageMakerClusterInstanceRolePolicy","AmazonSageMakerCoreServiceRolePolicy","AmazonSageMakerEdgeDeviceFleetPolicy","AmazonSageMakerFeatureStoreAccess","AmazonSageMakerFullAccess","AmazonSageMakerGeospatialExecutionRole","AmazonSageMakerGeospatialFullAccess","AmazonSageMakerGroundTruthExecution","AmazonSageMakerHyperPodServiceRolePolicy","AmazonSageMakerMechanicalTurkAccess","AmazonSageMakerModelGovernanceUseAccess","AmazonSageMakerModelRegistryFullAccess","AmazonSageMakerNotebooksServiceRolePolicy","AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy","AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy","AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePoli
cy","AmazonSageMakerPipelinesIntegrations","AmazonSageMakerReadOnly","AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy","AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy","AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy","AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy","AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy","AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy","AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy","AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy","AmazonSecurityLakeAdministrator","AmazonSecurityLakeMetastoreManager","AmazonSecurityLakePermissionsBoundary","AmazonSESFullAccess","AmazonSESReadOnlyAccess","AmazonSESServiceRolePolicy","AmazonSNSFullAccess","AmazonSNSReadOnlyAccess","AmazonSNSRole","AmazonSQSFullAccess","AmazonSQSReadOnlyAccess","AmazonSSMAutomationApproverAccess","AmazonSSMAutomationRole","AmazonSSMDirectoryServiceAccess","AmazonSSMFullAccess","AmazonSSMMaintenanceWindowRole","AmazonSSMManagedEC2InstanceDefaultPolicy","AmazonSSMManagedInstanceCore","AmazonSSMPatchAssociation","AmazonSSMReadOnlyAccess","AmazonSSMServiceRolePolicy","AmazonTextractFullAccess","AmazonTextractServiceRole","AmazonTimestreamConsoleFullAccess","AmazonTimestreamFullAccess","AmazonTimestreamInfluxDBFullAccess","AmazonTimestreamInfluxDBServiceRolePolicy","AmazonTimestreamReadOnlyAccess","AmazonTranscribeFullAccess","AmazonTranscribeReadOnlyAccess","AmazonVerifiedPermissionsFullAccess","AmazonVerifiedPermissionsReadOnlyAccess","AmazonVPCCrossAccountNetworkInterfaceOperations","AmazonVPCFullAccess","AmazonVPCNetworkAccessAnalyzerFullAccessPolicy","AmazonVPCReachabilityAnalyzerFullAccessPolicy","AmazonVPCReachabilityAnalyzerPathComponentReadPolicy","AmazonVPCReadOnlyAccess","AmazonWorkDocsFullAccess","AmazonWorkDocsReadOnlyAccess","AmazonWorkMailEventsServiceRolePolicy","AmazonWorkMailFullAccess","AmazonWorkMailMessageFlowFullAccess","AmazonWo
rkMailMessageFlowReadOnlyAccess","AmazonWorkMailReadOnlyAccess","AmazonWorkSpacesAdmin","AmazonWorkSpacesApplicationManagerAdminAccess","AmazonWorkspacesPCAAccess","AmazonWorkSpacesPoolServiceAccess","AmazonWorkSpacesSecureBrowserReadOnly","AmazonWorkSpacesSelfServiceAccess","AmazonWorkSpacesServiceAccess","AmazonWorkSpacesThinClientFullAccess","AmazonWorkSpacesThinClientReadOnlyAccess","AmazonWorkSpacesWebReadOnly","AmazonWorkSpacesWebServiceRolePolicy","AmazonZocaloFullAccess","AmazonZocaloReadOnlyAccess","AmplifyBackendDeployFullAccess","APIGatewayServiceRolePolicy","AppIntegrationsServiceLinkedRolePolicy","ApplicationAutoScalingForAmazonAppStreamAccess","ApplicationDiscoveryServiceContinuousExportServiceRolePolicy","AppRunnerNetworkingServiceRolePolicy","AppRunnerServiceRolePolicy","AppStudioServiceRolePolicy","AutoScalingConsoleFullAccess","AutoScalingConsoleReadOnlyAccess","AutoScalingFullAccess","AutoScalingNotificationAccessRole","AutoScalingReadOnlyAccess","AutoScalingServiceRolePolicy","AWS_ConfigRole","AWSAccountActivityAccess","AWSAccountManagementFullAccess","AWSAccountManagementReadOnlyAccess","AWSAccountUsageReportAccess","AWSAgentlessDiscoveryService","AWSAppFabricFullAccess","AWSAppFabricReadOnlyAccess","AWSAppFabricServiceRolePolicy","AWSApplicationAutoscalingAppStreamFleetPolicy","AWSApplicationAutoscalingCassandraTablePolicy","AWSApplicationAutoscalingComprehendEndpointPolicy","AWSApplicationAutoScalingCustomResourcePolicy","AWSApplicationAutoscalingDynamoDBTablePolicy","AWSApplicationAutoscalingEC2SpotFleetRequestPolicy","AWSApplicationAutoscalingECSServicePolicy","AWSApplicationAutoscalingElastiCacheRGPolicy","AWSApplicationAutoscalingEMRInstanceGroupPolicy","AWSApplicationAutoscalingKafkaClusterPolicy","AWSApplicationAutoscalingLambdaConcurrencyPolicy","AWSApplicationAutoscalingNeptuneClusterPolicy","AWSApplicationAutoscalingRDSClusterPolicy","AWSApplicationAutoscalingSageMakerEndpointPolicy","AWSApplicationAutoscalingWorkSpacesPoolPolicy","AW
SApplicationDiscoveryAgentAccess","AWSApplicationDiscoveryAgentlessCollectorAccess","AWSApplicationDiscoveryServiceFullAccess","AWSApplicationMigrationAgentInstallationPolicy","AWSApplicationMigrationAgentPolicy","AWSApplicationMigrationAgentPolicy_v2","AWSApplicationMigrationConversionServerPolicy","AWSApplicationMigrationEC2Access","AWSApplicationMigrationFullAccess","AWSApplicationMigrationMGHAccess","AWSApplicationMigrationReadOnlyAccess","AWSApplicationMigrationReplicationServerPolicy","AWSApplicationMigrationServiceEc2InstancePolicy","AWSApplicationMigrationServiceRolePolicy","AWSApplicationMigrationSSMAccess","AWSApplicationMigrationVCenterClientPolicy","AWSAppMeshEnvoyAccess","AWSAppMeshFullAccess","AWSAppMeshPreviewEnvoyAccess","AWSAppMeshPreviewServiceRolePolicy","AWSAppMeshReadOnly","AWSAppMeshServiceRolePolicy","AWSAppRunnerFullAccess","AWSAppRunnerReadOnlyAccess","AWSAppRunnerServicePolicyForECRAccess","AWSAppSyncAdministrator","AWSAppSyncInvokeFullAccess","AWSAppSyncPushToCloudWatchLogs","AWSAppSyncSchemaAuthor","AWSAppSyncServiceRolePolicy","AWSArtifactAccountSync","AWSArtifactReportsReadOnlyAccess","AWSArtifactServiceRolePolicy","AWSAuditManagerAdministratorAccess","AWSAuditManagerServiceRolePolicy","AWSAutoScalingPlansEC2AutoScalingPolicy","AWSBackupAuditAccess","AWSBackupDataTransferAccess","AWSBackupFullAccess","AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync","AWSBackupOperatorAccess","AWSBackupOrganizationAdminAccess","AWSBackupRestoreAccessForSAPHANA","AWSBackupServiceLinkedRolePolicyForBackup","AWSBackupServiceLinkedRolePolicyForBackupTest","AWSBackupServiceRolePolicyForBackup","AWSBackupServiceRolePolicyForRestores","AWSBackupServiceRolePolicyForS3Backup","AWSBackupServiceRolePolicyForS3Restore","AWSBatchFullAccess","AWSBatchServiceEventTargetRole","AWSBatchServiceRole","AWSBCMDataExportsServiceRolePolicy","AWSBillingConductorFullAccess","AWSBillingConductorReadOnlyAccess","AWSBillingReadOnlyAccess","AWSBudgetsActions_RolePolic
yForResourceAdministrationWithSSM","AWSBudgetsActionsWithAWSResourceControlAccess","AWSBudgetsReadOnlyAccess","AWSBugBustFullAccess","AWSBugBustPlayerAccess","AWSBugBustServiceRolePolicy","AWSCertificateManagerFullAccess","AWSCertificateManagerPrivateCAAuditor","AWSCertificateManagerPrivateCAFullAccess","AWSCertificateManagerPrivateCAPrivilegedUser","AWSCertificateManagerPrivateCAReadOnly","AWSCertificateManagerPrivateCAUser","AWSCertificateManagerReadOnly","AWSChatbotServiceLinkedRolePolicy","AWSCleanRoomsFullAccess","AWSCleanRoomsFullAccessNoQuerying","AWSCleanRoomsMLFullAccess","AWSCleanRoomsMLReadOnlyAccess","AWSCleanRoomsReadOnlyAccess","AWSCloud9Administrator","AWSCloud9EnvironmentMember","AWSCloud9ServiceRolePolicy","AWSCloud9SSMInstanceProfile","AWSCloud9User","AWSCloudFormationFullAccess","AWSCloudFormationReadOnlyAccess","AWSCloudFrontLogger","AWSCloudFrontVPCOriginServiceRolePolicy","AWSCloudHSMFullAccess","AWSCloudHSMReadOnlyAccess","AWSCloudHSMRole","AWSCloudMapDiscoverInstanceAccess","AWSCloudMapFullAccess","AWSCloudMapReadOnlyAccess","AWSCloudMapRegisterInstanceAccess","AWSCloudShellFullAccess","AWSCloudTrail_FullAccess","AWSCloudTrail_ReadOnlyAccess","AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy","AWSCodeArtifactAdminAccess","AWSCodeArtifactReadOnlyAccess","AWSCodeBuildAdminAccess","AWSCodeBuildDeveloperAccess","AWSCodeBuildReadOnlyAccess","AWSCodeCommitFullAccess","AWSCodeCommitPowerUser","AWSCodeCommitReadOnly","AWSCodeDeployDeployerAccess","AWSCodeDeployFullAccess","AWSCodeDeployReadOnlyAccess","AWSCodeDeployRole","AWSCodeDeployRoleForCloudFormation","AWSCodeDeployRoleForECS","AWSCodeDeployRoleForECSLimited","AWSCodeDeployRoleForLambda","AWSCodeDeployRoleForLambdaLimited","AWSCodePipeline_FullAccess","AWSCodePipeline_ReadOnlyAccess","AWSCodePipelineApproverAccess","AWSCodePipelineCustomActionAccess","AWSCodeStarFullAccess","AWSCodeStarNotificationsServiceRolePolicy","AWSCodeStarServiceRole","AWSCompromisedKeyQuarantine","AWSCompromisedK
eyQuarantineV2","AWSCompromisedKeyQuarantineV3","AWSConfigMultiAccountSetupPolicy","AWSConfigRemediationServiceRolePolicy","AWSConfigRoleForOrganizations","AWSConfigRulesExecutionRole","AWSConfigServiceRolePolicy","AWSConfigUserAccess","AWSConnector","AWSControlTowerAccountServiceRolePolicy","AWSControlTowerServiceRolePolicy","AWSCostAndUsageReportAutomationPolicy","AWSDataExchangeDataGrantOwnerFullAccess","AWSDataExchangeDataGrantReceiverFullAccess","AWSDataExchangeFullAccess","AWSDataExchangeProviderFullAccess","AWSDataExchangeReadOnly","AWSDataExchangeServiceRolePolicyForLicenseManagement","AWSDataExchangeServiceRolePolicyForOrganizationDiscovery","AWSDataExchangeSubscriberFullAccess","AWSDataLifecycleManagerServiceRole","AWSDataLifecycleManagerServiceRoleForAMIManagement","AWSDataLifecycleManagerSSMFullAccess","AWSDataPipeline_FullAccess","AWSDataPipeline_PowerUser","AWSDataSyncDiscoveryServiceRolePolicy","AWSDataSyncFullAccess","AWSDataSyncReadOnlyAccess","AWSDataSyncServiceRolePolicy","AWSDeadlineCloud-FleetWorker","AWSDeadlineCloud-UserAccessFarms","AWSDeadlineCloud-UserAccessFleets","AWSDeadlineCloud-UserAccessJobs","AWSDeadlineCloud-UserAccessQueues","AWSDeadlineCloud-WorkerHost","AWSDeepLensLambdaFunctionAccessPolicy","AWSDeepLensServiceRolePolicy","AWSDeepRacerAccountAdminAccess","AWSDeepRacerCloudFormationAccessPolicy","AWSDeepRacerDefaultMultiUserAccess","AWSDeepRacerFullAccess","AWSDeepRacerRoboMakerAccessPolicy","AWSDeepRacerServiceRolePolicy","AWSDenyAll","AWSDeviceFarmFullAccess","AWSDeviceFarmServiceRolePolicy","AWSDeviceFarmTestGridServiceRolePolicy","AWSDirectConnectFullAccess","AWSDirectConnectReadOnlyAccess","AWSDirectConnectServiceRolePolicy","AWSDirectoryServiceDataFullAccess","AWSDirectoryServiceDataReadOnlyAccess","AWSDirectoryServiceFullAccess","AWSDirectoryServiceReadOnlyAccess","AWSDiscoveryContinuousExportFirehosePolicy","AWSDMSFleetAdvisorServiceRolePolicy","AWSDMSServerlessServiceRolePolicy","AWSEC2CapacityReservationFleetRolePolicy",
"AWSEC2FleetServiceRolePolicy","AWSEC2SpotFleetServiceRolePolicy","AWSEC2SpotServiceRolePolicy","AWSEC2VssSnapshotPolicy","AWSECRPullThroughCache_ServiceRolePolicy","AWSElasticBeanstalkCustomPlatformforEC2Role","AWSElasticBeanstalkEnhancedHealth","AWSElasticBeanstalkMaintenance","AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy","AWSElasticBeanstalkManagedUpdatesServiceRolePolicy","AWSElasticBeanstalkMulticontainerDocker","AWSElasticBeanstalkReadOnly","AWSElasticBeanstalkRoleCore","AWSElasticBeanstalkRoleCWL","AWSElasticBeanstalkRoleECS","AWSElasticBeanstalkRoleRDS","AWSElasticBeanstalkRoleSNS","AWSElasticBeanstalkRoleWorkerTier","AWSElasticBeanstalkService","AWSElasticBeanstalkServiceRolePolicy","AWSElasticBeanstalkWebTier","AWSElasticBeanstalkWorkerTier","AWSElasticDisasterRecoveryAgentInstallationPolicy","AWSElasticDisasterRecoveryAgentPolicy","AWSElasticDisasterRecoveryConsoleFullAccess","AWSElasticDisasterRecoveryConsoleFullAccess_v2","AWSElasticDisasterRecoveryConversionServerPolicy","AWSElasticDisasterRecoveryCrossAccountReplicationPolicy","AWSElasticDisasterRecoveryEc2InstancePolicy","AWSElasticDisasterRecoveryFailbackInstallationPolicy","AWSElasticDisasterRecoveryFailbackPolicy","AWSElasticDisasterRecoveryLaunchActionsPolicy","AWSElasticDisasterRecoveryNetworkReplicationPolicy","AWSElasticDisasterRecoveryReadOnlyAccess","AWSElasticDisasterRecoveryRecoveryInstancePolicy","AWSElasticDisasterRecoveryReplicationServerPolicy","AWSElasticDisasterRecoveryServiceRolePolicy","AWSElasticDisasterRecoveryStagingAccountPolicy","AWSElasticDisasterRecoveryStagingAccountPolicy_v2","AWSElasticLoadBalancingClassicServiceRolePolicy","AWSElasticLoadBalancingServiceRolePolicy","AWSElementalMediaConvertFullAccess","AWSElementalMediaConvertReadOnly","AWSElementalMediaLiveFullAccess","AWSElementalMediaLiveReadOnly","AWSElementalMediaPackageFullAccess","AWSElementalMediaPackageReadOnly","AWSElementalMediaPackageV2FullAccess","AWSElementalMediaPackageV2ReadOnly","AWSElementalMedi
aStoreFullAccess","AWSElementalMediaStoreReadOnly","AWSElementalMediaTailorFullAccess","AWSElementalMediaTailorReadOnly","AWSEnhancedClassicNetworkingMangementPolicy","AWSEntityResolutionConsoleFullAccess","AWSEntityResolutionConsoleReadOnlyAccess","AWSFaultInjectionSimulatorEC2Access","AWSFaultInjectionSimulatorECSAccess","AWSFaultInjectionSimulatorEKSAccess","AWSFaultInjectionSimulatorNetworkAccess","AWSFaultInjectionSimulatorRDSAccess","AWSFaultInjectionSimulatorSSMAccess","AWSFinSpaceServiceRolePolicy","AWSFMAdminFullAccess","AWSFMAdminReadOnlyAccess","AWSFMMemberReadOnlyAccess","AWSForWordPressPluginPolicy","AWSGitSyncServiceRolePolicy","AWSGlobalAcceleratorSLRPolicy","AWSGlueConsoleFullAccess","AWSGlueConsoleSageMakerNotebookFullAccess","AwsGlueDataBrewFullAccessPolicy","AWSGlueDataBrewServiceRole","AWSGlueSchemaRegistryFullAccess","AWSGlueSchemaRegistryReadonlyAccess","AWSGlueServiceNotebookRole","AWSGlueServiceRole","AwsGlueSessionUserRestrictedNotebookPolicy","AwsGlueSessionUserRestrictedNotebookServiceRole","AwsGlueSessionUserRestrictedPolicy","AwsGlueSessionUserRestrictedServiceRole","AWSGrafanaAccountAdministrator","AWSGrafanaConsoleReadOnlyAccess","AWSGrafanaWorkspacePermissionManagement","AWSGrafanaWorkspacePermissionManagementV2","AWSGreengrassFullAccess","AWSGreengrassReadOnlyAccess","AWSGreengrassResourceAccessRolePolicy","AWSGroundStationAgentInstancePolicy","AWSHealth_EventProcessorServiceRolePolicy","AWSHealthFullAccess","AWSHealthImagingFullAccess","AWSHealthImagingReadOnlyAccess","AWSIAMIdentityCenterAllowListForIdentityContext","AWSIdentitySyncFullAccess","AWSIdentitySyncReadOnlyAccess","AWSImageBuilderFullAccess","AWSImageBuilderReadOnlyAccess","AWSImportExportFullAccess","AWSImportExportReadOnlyAccess","AWSIncidentManagerIncidentAccessServiceRolePolicy","AWSIncidentManagerResolverAccess","AWSIncidentManagerServiceRolePolicy","AWSIoT1ClickFullAccess","AWSIoT1ClickReadOnlyAccess","AWSIoTAnalyticsFullAccess","AWSIoTAnalyticsReadOnlyAccess","AWS
IoTConfigAccess","AWSIoTConfigReadOnlyAccess","AWSIoTDataAccess","AWSIoTDeviceDefenderAddThingsToThingGroupMitigationAction","AWSIoTDeviceDefenderAudit","AWSIoTDeviceDefenderEnableIoTLoggingMitigationAction","AWSIoTDeviceDefenderPublishFindingsToSNSMitigationAction","AWSIoTDeviceDefenderReplaceDefaultPolicyMitigationAction","AWSIoTDeviceDefenderUpdateCACertMitigationAction","AWSIoTDeviceDefenderUpdateDeviceCertMitigationAction","AWSIoTDeviceTesterForFreeRTOSFullAccess","AWSIoTDeviceTesterForGreengrassFullAccess","AWSIoTEventsFullAccess","AWSIoTEventsReadOnlyAccess","AWSIoTFleetHubFederationAccess","AWSIoTFleetwiseServiceRolePolicy","AWSIoTFullAccess","AWSIoTLogging","AWSIoTOTAUpdate","AWSIoTRuleActions","AWSIoTSiteWiseConsoleFullAccess","AWSIoTSiteWiseFullAccess","AWSIoTSiteWiseMonitorPortalAccess","AWSIoTSiteWiseMonitorServiceRolePolicy","AWSIoTSiteWiseReadOnlyAccess","AWSIoTThingsRegistration","AWSIoTTwinMakerServiceRolePolicy","AWSIoTWirelessDataAccess","AWSIoTWirelessFullAccess","AWSIoTWirelessFullPublishAccess","AWSIoTWirelessGatewayCertManager","AWSIoTWirelessLogging","AWSIoTWirelessReadOnlyAccess","AWSIPAMServiceRolePolicy","AWSIQContractServiceRolePolicy","AWSIQFullAccess","AWSIQPermissionServiceRolePolicy","AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy","AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy","AWSKeyManagementServicePowerUser","AWSLakeFormationCrossAccountManager","AWSLakeFormationDataAdmin","AWSLambda_FullAccess","AWSLambda_ReadOnlyAccess","AWSLambdaBasicExecutionRole","AWSLambdaDynamoDBExecutionRole","AWSLambdaENIManagementAccess","AWSLambdaExecute","AWSLambdaInvocation-DynamoDB","AWSLambdaKinesisExecutionRole","AWSLambdaMSKExecutionRole","AWSLambdaReplicator","AWSLambdaRole","AWSLambdaSQSQueueExecutionRole","AWSLambdaVPCAccessExecutionRole","AWSLicenseManagerConsumptionPolicy","AWSLicenseManagerLinuxSubscriptionsServiceRolePolicy","AWSLicenseManagerMasterAccountRolePolicy","AWSLicenseManagerMemberAccountRolePolicy","AWSLicense
ManagerServiceRolePolicy","AWSLicenseManagerUserSubscriptionsServiceRolePolicy","AWSM2ServicePolicy","AWSManagedServices_ContactsServiceRolePolicy","AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy","AWSManagedServices_EventsServiceRolePolicy","AWSManagedServicesDeploymentToolkitPolicy","AWSMarketplaceAmiIngestion","AWSMarketplaceDeploymentServiceRolePolicy","AWSMarketplaceFullAccess","AWSMarketplaceGetEntitlements","AWSMarketplaceImageBuildFullAccess","AWSMarketplaceLicenseManagementServiceRolePolicy","AWSMarketplaceManageSubscriptions","AWSMarketplaceMeteringFullAccess","AWSMarketplaceMeteringRegisterUsage","AWSMarketplaceProcurementSystemAdminFullAccess","AWSMarketplacePurchaseOrdersServiceRolePolicy","AWSMarketplaceRead-only","AWSMarketplaceResaleAuthorizationServiceRolePolicy","AWSMarketplaceSellerFullAccess","AWSMarketplaceSellerProductsFullAccess","AWSMarketplaceSellerProductsReadOnly","AWSMediaConnectServicePolicy","AWSMediaTailorServiceRolePolicy","AWSMigrationHubDiscoveryAccess","AWSMigrationHubDMSAccess","AWSMigrationHubFullAccess","AWSMigrationHubOrchestratorConsoleFullAccess","AWSMigrationHubOrchestratorInstanceRolePolicy","AWSMigrationHubOrchestratorPlugin","AWSMigrationHubOrchestratorServiceRolePolicy","AWSMigrationHubRefactorSpaces-EnvironmentsWithoutBridgesFullAccess","AWSMigrationHubRefactorSpaces-SSMAutomationPolicy","AWSMigrationHubRefactorSpacesFullAccess","AWSMigrationHubRefactorSpacesServiceRolePolicy","AWSMigrationHubSMSAccess","AWSMigrationHubStrategyCollector","AWSMigrationHubStrategyConsoleFullAccess","AWSMigrationHubStrategyServiceRolePolicy","AWSMSKReplicatorExecutionRole","AWSNetworkFirewallServiceRolePolicy","AWSNetworkManagerCloudWANServiceRolePolicy","AWSNetworkManagerFullAccess","AWSNetworkManagerReadOnlyAccess","AWSNetworkManagerServiceRolePolicy","AWSOpsWorks_FullAccess","AWSOpsWorksCloudWatchLogs","AWSOpsWorksCMInstanceProfileRole","AWSOpsWorksCMServiceRole","AWSOpsWorksInstanceRegistration","AWSOpsWorksRegisterCLI_EC
2","AWSOpsWorksRegisterCLI_OnPremises","AWSOrganizationsFullAccess","AWSOrganizationsReadOnlyAccess","AWSOrganizationsServiceTrustPolicy","AWSOutpostsAuthorizeServerPolicy","AWSOutpostsServiceRolePolicy","AWSPanoramaApplianceRolePolicy","AWSPanoramaApplianceServiceRolePolicy","AWSPanoramaFullAccess","AWSPanoramaGreengrassGroupRolePolicy","AWSPanoramaSageMakerRolePolicy","AWSPanoramaServiceLinkedRolePolicy","AWSPanoramaServiceRolePolicy","AWSPCSServiceRolePolicy","AWSPriceListServiceFullAccess","AWSPrivateCAAuditor","AWSPrivateCAFullAccess","AWSPrivateCAPrivilegedUser","AWSPrivateCAReadOnly","AWSPrivateCAUser","AWSPrivateMarketplaceAdminFullAccess","AWSPrivateMarketplaceRequests","AWSPrivateNetworksServiceRolePolicy","AWSProtonCodeBuildProvisioningBasicAccess","AWSProtonCodeBuildProvisioningServiceRolePolicy","AWSProtonDeveloperAccess","AWSProtonFullAccess","AWSProtonReadOnlyAccess","AWSProtonServiceGitSyncServiceRolePolicy","AWSProtonSyncServiceRolePolicy","AWSPurchaseOrdersServiceRolePolicy","AWSQuickSetupCFGCPacksPermissionsBoundary","AWSQuickSetupDeploymentRolePolicy","AWSQuickSetupDevOpsGuruPermissionsBoundary","AWSQuickSetupDistributorPermissionsBoundary","AWSQuickSetupPatchPolicyBaselineAccess","AWSQuickSetupPatchPolicyDeploymentRolePolicy","AWSQuickSetupPatchPolicyPermissionsBoundary","AWSQuickSetupSchedulerPermissionsBoundary","AWSQuickSetupSSMHostMgmtPermissionsBoundary","AWSQuickSightAssetBundleExportPolicy","AWSQuickSightAssetBundleImportPolicy","AWSQuicksightAthenaAccess","AWSQuickSightDescribeRDS","AWSQuickSightDescribeRedshift","AWSQuickSightElasticsearchPolicy","AWSQuickSightIoTAnalyticsAccess","AWSQuickSightListIAM","AWSQuicksightOpenSearchPolicy","AWSQuickSightSageMakerPolicy","AWSQuickSightTimestreamPolicy","AWSReachabilityAnalyzerServiceRolePolicy","AWSRefactoringToolkitFullAccess","AWSRefactoringToolkitSidecarPolicy","AWSrePostPrivateCloudWatchAccess","AWSRepostSpaceSupportOperationsPolicy","AWSResilienceHubAsssessmentExecutionPolicy","AWSResourc
eAccessManagerFullAccess","AWSResourceAccessManagerReadOnlyAccess","AWSResourceAccessManagerResourceShareParticipantAccess","AWSResourceAccessManagerServiceRolePolicy","AWSResourceExplorerFullAccess","AWSResourceExplorerOrganizationsAccess","AWSResourceExplorerReadOnlyAccess","AWSResourceExplorerServiceRolePolicy","AWSResourceGroupsReadOnlyAccess","AWSRoboMaker_FullAccess","AWSRoboMakerReadOnlyAccess","AWSRoboMakerServicePolicy","AWSRoboMakerServiceRolePolicy","AWSRolesAnywhereServicePolicy","AWSS3OnOutpostsServiceRolePolicy","AWSSavingsPlansFullAccess","AWSSavingsPlansReadOnlyAccess","AWSSecurityHubFullAccess","AWSSecurityHubOrganizationsAccess","AWSSecurityHubReadOnlyAccess","AWSSecurityHubServiceRolePolicy","AWSServiceCatalogAdminFullAccess","AWSServiceCatalogAdminReadOnlyAccess","AWSServiceCatalogAppRegistryFullAccess","AWSServiceCatalogAppRegistryReadOnlyAccess","AWSServiceCatalogAppRegistryServiceRolePolicy","AWSServiceCatalogEndUserFullAccess","AWSServiceCatalogEndUserReadOnlyAccess","AWSServiceCatalogOrgsDataSyncServiceRolePolicy","AWSServiceCatalogSyncServiceRolePolicy","AWSServiceRoleForAmazonEKSNodegroup","AWSServiceRoleForAmazonQDeveloper","AWSServiceRoleForCloudWatchAlarmsActionSSMServiceRolePolicy","AWSServiceRoleForCloudWatchMetrics_DbPerfInsightsServiceRolePolicy","AWSServiceRoleForCodeGuru-Profiler","AWSServiceRoleForCodeWhispererPolicy","AWSServiceRoleForEC2ScheduledInstances","AWSServiceRoleForGroundStationDataflowEndpointGroupPolicy","AWSServiceRoleForImageBuilder","AWSServiceRoleForIoTSiteWise","AWSServiceRoleForLogDeliveryPolicy","AWSServiceRoleForMonitronPolicy","AWSServiceRoleForNeptuneGraphPolicy","AWSServiceRoleForPrivateMarketplaceAdminPolicy","AWSServiceRoleForProcurementInsightsPolicy","AWSServiceRoleForSMS","AWSServiceRoleForUserSubscriptions","AWSServiceRolePolicyForBackupReports","AWSServiceRolePolicyForBackupRestoreTesting","AWSShieldDRTAccessPolicy","AWSShieldServiceRolePolicy","AWSSocialMessagingServiceRolePolicy","AWSSSMForSAPServ
iceLinkedRolePolicy","AWSSSMOpsInsightsServiceRolePolicy","AWSSSODirectoryAdministrator","AWSSSODirectoryReadOnly","AWSSSOMasterAccountAdministrator","AWSSSOMemberAccountAdministrator","AWSSSOReadOnly","AWSSSOServiceRolePolicy","AWSStepFunctionsConsoleFullAccess","AWSStepFunctionsFullAccess","AWSStepFunctionsReadOnlyAccess","AWSStorageGatewayFullAccess","AWSStorageGatewayReadOnlyAccess","AWSStorageGatewayServiceRolePolicy","AWSSupplyChainFederationAdminAccess","AWSSupportAccess","AWSSupportAppFullAccess","AWSSupportAppReadOnlyAccess","AWSSupportPlansFullAccess","AWSSupportPlansReadOnlyAccess","AWSSupportServiceRolePolicy","AWSSystemsManagerAccountDiscoveryServicePolicy","AWSSystemsManagerChangeManagementServicePolicy","AWSSystemsManagerEnableConfigRecordingExecutionPolicy","AWSSystemsManagerEnableExplorerExecutionPolicy","AWSSystemsManagerForSAPFullAccess","AWSSystemsManagerForSAPReadOnlyAccess","AWSSystemsManagerOpsDataSyncServiceRolePolicy","AWSThinkboxAssetServerPolicy","AWSThinkboxAWSPortalAdminPolicy","AWSThinkboxAWSPortalGatewayPolicy","AWSThinkboxAWSPortalWorkerPolicy","AWSThinkboxDeadlineResourceTrackerAccessPolicy","AWSThinkboxDeadlineResourceTrackerAdminPolicy","AWSThinkboxDeadlineSpotEventPluginAdminPolicy","AWSThinkboxDeadlineSpotEventPluginWorkerPolicy","AWSTransferConsoleFullAccess","AWSTransferFullAccess","AWSTransferLoggingAccess","AWSTransferReadOnlyAccess","AWSTrustedAdvisorPriorityFullAccess","AWSTrustedAdvisorPriorityReadOnlyAccess","AWSTrustedAdvisorReportingServiceRolePolicy","AWSTrustedAdvisorServiceRolePolicy","AWSUserNotificationsServiceLinkedRolePolicy","AWSVendorInsightsAssessorFullAccess","AWSVendorInsightsAssessorReadOnly","AWSVendorInsightsVendorFullAccess","AWSVendorInsightsVendorReadOnly","AWSVpcLatticeServiceRolePolicy","AWSVPCS2SVpnServiceRolePolicy","AWSVPCTransitGatewayServiceRolePolicy","AWSVPCVerifiedAccessServiceRolePolicy","AWSWAFConsoleFullAccess","AWSWAFConsoleReadOnlyAccess","AWSWAFFullAccess","AWSWAFReadOnlyAccess","AWSWel
lArchitectedDiscoveryServiceRolePolicy","AWSWellArchitectedOrganizationsServiceRolePolicy","AWSWickrFullAccess","AWSXrayCrossAccountSharingConfiguration","AWSXRayDaemonWriteAccess","AWSXrayFullAccess","AWSXrayReadOnlyAccess","AWSXrayWriteOnlyAccess","AWSZonalAutoshiftPracticeRunSLRPolicy","BatchServiceRolePolicy","Billing","CertificateManagerServiceRolePolicy","ClientVPNServiceConnectionsRolePolicy","ClientVPNServiceRolePolicy","CloudFormationStackSetsOrgAdminServiceRolePolicy","CloudFormationStackSetsOrgMemberServiceRolePolicy","CloudFrontFullAccess","CloudFrontReadOnlyAccess","CloudHSMServiceRolePolicy","CloudSearchFullAccess","CloudSearchReadOnlyAccess","CloudTrailServiceRolePolicy","CloudWatch-CrossAccountAccess","CloudWatchActionsEC2Access","CloudWatchAgentAdminPolicy","CloudWatchAgentServerPolicy","CloudWatchApplicationInsightsFullAccess","CloudWatchApplicationInsightsReadOnlyAccess","CloudwatchApplicationInsightsServiceLinkedRolePolicy","CloudWatchApplicationSignalsFullAccess","CloudWatchApplicationSignalsReadOnlyAccess","CloudWatchApplicationSignalsServiceRolePolicy","CloudWatchAutomaticDashboardsAccess","CloudWatchCrossAccountSharingConfiguration","CloudWatchEventsBuiltInTargetExecutionAccess","CloudWatchEventsFullAccess","CloudWatchEventsInvocationAccess","CloudWatchEventsReadOnlyAccess","CloudWatchEventsServiceRolePolicy","CloudWatchFullAccess","CloudWatchFullAccessV2","CloudWatchInternetMonitorFullAccess","CloudWatchInternetMonitorReadOnlyAccess","CloudWatchInternetMonitorServiceRolePolicy","CloudWatchLambdaApplicationSignalsExecutionRolePolicy","CloudWatchLambdaInsightsExecutionRolePolicy","CloudWatchLogsCrossAccountSharingConfiguration","CloudWatchLogsFullAccess","CloudWatchLogsReadOnlyAccess","CloudWatchNetworkMonitorServiceRolePolicy","CloudWatchReadOnlyAccess","CloudWatchSyntheticsFullAccess","CloudWatchSyntheticsReadOnlyAccess","ComprehendDataAccessRolePolicy","ComprehendFullAccess","ComprehendMedicalFullAccess","ComprehendReadOnly","ComputeOptimiz
erReadOnlyAccess","ComputeOptimizerServiceRolePolicy","ConfigConformsServiceRolePolicy","CostOptimizationHubAdminAccess","CostOptimizationHubReadOnlyAccess","CostOptimizationHubServiceRolePolicy","CustomerProfilesServiceLinkedRolePolicy","DatabaseAdministrator","DataScientist","DAXServiceRolePolicy","DynamoDBCloudWatchContributorInsightsServiceRolePolicy","DynamoDBKinesisReplicationServiceRolePolicy","DynamoDBReplicationServiceRolePolicy","EC2FastLaunchFullAccess","EC2FastLaunchServiceRolePolicy","EC2FleetTimeShiftableServiceRolePolicy","Ec2ImageBuilderCrossAccountDistributionAccess","EC2ImageBuilderLifecycleExecutionPolicy","EC2InstanceConnect","Ec2InstanceConnectEndpoint","EC2InstanceProfileForImageBuilder","EC2InstanceProfileForImageBuilderECRContainerBuilds","ECRReplicationServiceRolePolicy","ECRTemplateServiceRolePolicy","ElastiCacheServiceRolePolicy","ElasticLoadBalancingFullAccess","ElasticLoadBalancingReadOnly","ElementalActivationsDownloadSoftwareAccess","ElementalActivationsFullAccess","ElementalActivationsGenerateLicenses","ElementalActivationsReadOnlyAccess","ElementalAppliancesSoftwareFullAccess","ElementalAppliancesSoftwareReadOnlyAccess","ElementalSupportCenterFullAccess","EMRDescribeClusterPolicyForEMRWAL","FMSServiceRolePolicy","FSxDeleteServiceLinkedRoleAccess","GameLiftContainerFleetPolicy","GameLiftGameServerGroupPolicy","GlobalAcceleratorFullAccess","GlobalAcceleratorReadOnlyAccess","GreengrassOTAUpdateArtifactAccess","GroundTruthSyntheticConsoleFullAccess","GroundTruthSyntheticConsoleReadOnlyAccess","Health_OrganizationsServiceRolePolicy","IAMAccessAdvisorReadOnly","IAMAccessAnalyzerFullAccess","IAMAccessAnalyzerReadOnlyAccess","IAMFullAccess","IAMReadOnlyAccess","IAMSelfManageServiceSpecificCredentials","IAMUserChangePassword","IAMUserSSHKeys","IVSFullAccess","IVSReadOnlyAccess","IVSRecordToS3","KafkaConnectServiceRolePolicy","KafkaServiceRolePolicy","KeyspacesReplicationServiceRolePolicy","LakeFormationDataAccessServiceRolePolicy","LexBotPoli
cy","LexChannelPolicy","LightsailExportAccess","MediaConnectGatewayInstanceRolePolicy","MediaPackageServiceRolePolicy","MemoryDBServiceRolePolicy","MigrationHubDMSAccessServiceRolePolicy","MigrationHubServiceRolePolicy","MigrationHubSMSAccessServiceRolePolicy","MonitronServiceRolePolicy","NeptuneConsoleFullAccess","NeptuneFullAccess","NeptuneGraphReadOnlyAccess","NeptuneReadOnlyAccess","NetworkAdministrator","OAMFullAccess","OAMReadOnlyAccess","OpensearchIngestionSelfManagedVpcePolicy","PartnerCentralAccountManagementUserRoleAssociation","PowerUserAccess","QAppsServiceRolePolicy","QBusinessServiceRolePolicy","QuickSightAccessForS3StorageManagementAnalyticsReadOnly","RDSCloudHsmAuthorizationRole","ReadOnlyAccess","ResourceGroupsandTagEditorFullAccess","ResourceGroupsandTagEditorReadOnlyAccess","ResourceGroupsServiceRolePolicy","ResourceGroupsTaggingAPITagUntagSupportedResources","ROSAAmazonEBSCSIDriverOperatorPolicy","ROSACloudNetworkConfigOperatorPolicy","ROSAControlPlaneOperatorPolicy","ROSAImageRegistryOperatorPolicy","ROSAIngressOperatorPolicy","ROSAInstallerPolicy","ROSAKMSProviderPolicy","ROSAKubeControllerPolicy","ROSAManageSubscription","ROSANodePoolManagementPolicy","ROSASRESupportPolicy","ROSAWorkerInstancePolicy","Route53RecoveryReadinessServiceRolePolicy","Route53ResolverServiceRolePolicy","S3StorageLensServiceRolePolicy","SecretsManagerReadWrite","SecurityAudit","SecurityLakeServiceLinkedRole","ServerMigration_ServiceRole","ServerMigrationConnector","ServerMigrationServiceConsoleFullAccess","ServerMigrationServiceLaunchRole","ServerMigrationServiceRoleForInstanceValidation","ServiceQuotasFullAccess","ServiceQuotasReadOnlyAccess","ServiceQuotasServiceRolePolicy","SimpleWorkflowFullAccess","SplitCostAllocationDataServiceRolePolicy","SSMQuickSetupRolePolicy","SupportUser","SystemAdministrator","TranslateFullAccess","TranslateReadOnly","ViewOnlyAccess","VMImportExportRoleForAWSConnector","VPCLatticeFullAccess","VPCLatticeReadOnlyAccess","VPCLatticeServicesIn
vokeAccess","WAFLoggingServiceRolePolicy","WAFRegionalLoggingServiceRolePolicy","WAFV2LoggingServiceRolePolicy","WellArchitectedConsoleFullAccess","WellArchitectedConsoleReadOnlyAccess","WorkLinkServiceRolePolicy"]
\ No newline at end of file
diff --git a/lib/generated/aws-managed-policies/cdk-iam-floyd.ts b/lib/generated/aws-managed-policies/cdk-iam-floyd.ts
index 97e4aa864..4b852b17b 100644
--- a/lib/generated/aws-managed-policies/cdk-iam-floyd.ts
+++ b/lib/generated/aws-managed-policies/cdk-iam-floyd.ts
@@ -364,6 +364,16 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonConnectVoiceIDFullAccess);
 }
+ /** Provides permissions to consume Amazon Bedrock models, including invoking Amazon Bedrock application inference profile created for particular Amazon DataZone domain. */
+ public AmazonDataZoneBedrockModelConsumptionPolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonDataZoneBedrockModelConsumptionPolicy);
+ }
+
+ /** Provides permissions to manage Amazon Bedrock model access, including creating, tagging and deleting application inference profiles. */
+ public AmazonDataZoneBedrockModelManagementPolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonDataZoneBedrockModelManagementPolicy);
+ }
+
 /** Default policy for the Amazon DataZone's DomainExecutionRole service role. This role is used by Amazon DataZone to catalog, discover, govern, share, and analyze data in the Amazon DataZone domain. */
 public AmazonDataZoneDomainExecutionRolePolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonDataZoneDomainExecutionRolePolicy);
@@ -544,6 +554,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEC2ContainerRegistryPowerUser);
 }
+ /** Provides access to pull images from Amazon EC2 Container Registry repositories. */
+ public AmazonEC2ContainerRegistryPullOnly(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEC2ContainerRegistryPullOnly);
+ }
+
 /** Provides read-only access to Amazon EC2 Container Registry repositories. */
 public AmazonEC2ContainerRegistryReadOnly(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEC2ContainerRegistryReadOnly);
@@ -649,11 +664,21 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSCNIPolicy);
 }
+ /** Policy attached to the EKS Cluster Role that grants permissions to manage the cluster's block storage resources. */
+ public AmazonEKSBlockStoragePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSBlockStoragePolicy);
+ }
+
 /** This policy provides Kubernetes the permissions it requires to manage resources on your behalf. Kubernetes requires Ec2:CreateTags permissions to place identifying information on EC2 resources including but not limited to Instances, Security Groups, and Elastic Network Interfaces. */
 public AmazonEKSClusterPolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSClusterPolicy);
 }
+ /** Policy attached to the EKS Cluster Role that grants permissions to manage the cluster's compute resources. */
+ public AmazonEKSComputePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSComputePolicy);
+ }
+
 /** This policy allows Amazon EKS to manage AWS resources for EKS connector */
 public AmazonEKSConnectorServiceRolePolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSConnectorServiceRolePolicy);
@@ -669,6 +694,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSForFargateServiceRolePolicy);
 }
 
+ /** Policy attached to the EKS Cluster Role that grants permissions to manage the cluster's load balancing resources. */
+ public AmazonEKSLoadBalancingPolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSLoadBalancingPolicy);
+ }
+
 /** This policy provides permissions to EKS local cluster's control-plane instances running in your account to manage resources on your behalf. */
 public AmazonEKSLocalOutpostClusterPolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSLocalOutpostClusterPolicy);
@@ -679,6 +709,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSLocalOutpostServiceRolePolicy);
 }
 
+ /** Policy attached to the EKS Cluster Role that grants permissions to manage the cluster's networking resources. */
+ public AmazonEKSNetworkingPolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSNetworkingPolicy);
+ }
+
 /** This policy allows Amazon Elastic Container Service for Kubernetes to create and manage the necessary resources to operate EKS Clusters. */
 public AmazonEKSServicePolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSServicePolicy);
@@ -694,6 +729,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSVPCResourceController);
 }
 
+ /** This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters. */
+ public AmazonEKSWorkerNodeMinimalPolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSWorkerNodeMinimalPolicy);
+ }
+
 /** This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters. */
 public AmazonEKSWorkerNodePolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonEKSWorkerNodePolicy);
@@ -1439,6 +1479,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonNimbleStudioStudioUser);
 }
 
+ /** Allows Oracle Database@AWS to manage AWS resources on your behalf. */
+ public AmazonODBServiceRolePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonODBServiceRolePolicy);
+ }
+
 /** Provides full access to Amazon Omics and other required AWS Services. This policy allows the user to view and accept RAM share invitations to access resources outside of the user's AWS account. */
 public AmazonOmicsFullAccess(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonOmicsFullAccess);
@@ -1904,6 +1949,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonSageMakerGroundTruthExecution);
 }
 
+ /** This policy grants permissions to Amazon SageMaker HyperPod to related AWS services such as Amazon EKS, Amazon CloudWatch etc. */
+ public AmazonSageMakerHyperPodServiceRolePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonSageMakerHyperPodServiceRolePolicy);
+ }
+
 /** Provides access to create Amazon Augmented AI FlowDefinition resources against any Workteam. */
 public AmazonSageMakerMechanicalTurkAccess(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonSageMakerMechanicalTurkAccess);
@@ -2139,6 +2189,16 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonTranscribeReadOnlyAccess);
 }
 
+ /** Provides full access to Verified Permissions */
+ public AmazonVerifiedPermissionsFullAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonVerifiedPermissionsFullAccess);
+ }
+
+ /** Provides read-only access to the Verified Permissions service. */
+ public AmazonVerifiedPermissionsReadOnlyAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonVerifiedPermissionsReadOnlyAccess);
+ }
+
 /** Provides access to create network interfaces and attach them to cross-account resources */
 public AmazonVPCCrossAccountNetworkInterfaceOperations(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonVPCCrossAccountNetworkInterfaceOperations);
@@ -2239,6 +2299,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonWorkSpacesServiceAccess);
 }
 
+ /** Provides full access to Amazon WorkSpaces Thin Client as well as limited access to required related services */
+ public AmazonWorkSpacesThinClientFullAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonWorkSpacesThinClientFullAccess);
+ }
+
 /** Provides read-only access to Amazon WorkSpaces Thin Client and its dependencies */
 public AmazonWorkSpacesThinClientReadOnlyAccess(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AmazonWorkSpacesThinClientReadOnlyAccess);
@@ -2869,6 +2934,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSCloudFrontLogger);
 }
 
+ /** Allows CloudFront to manage EC2 Elastic Network Interfaces and Security Groups on your behalf. */
+ public AWSCloudFrontVPCOriginServiceRolePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSCloudFrontVPCOriginServiceRolePolicy);
+ }
+
 /** Provides full access to all CloudHSM resources. */
 public AWSCloudHSMFullAccess(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSCloudHSMFullAccess);
@@ -3054,6 +3124,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSCompromisedKeyQuarantineV2);
 }
 
+ /** Denies access to certain actions, applied by AWS in the event that an IAM user's credentials have been compromised or exposed publicly. The policy aims to limit the potential damage that may be caused by fraud-related activity leading to unauthorized charges, while not impacting the existing resources. Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event. */
+ public AWSCompromisedKeyQuarantineV3(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSCompromisedKeyQuarantineV3);
+ }
+
 /** Allows Config to call AWS services and deploy config resources across organization */
 public AWSConfigMultiAccountSetupPolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSConfigMultiAccountSetupPolicy);
@@ -3104,6 +3179,16 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSCostAndUsageReportAutomationPolicy);
 }
 
+ /** Gives Data Grant owners access to AWS Data Exchange actions using the AWS Management Console and SDK. */
+ public AWSDataExchangeDataGrantOwnerFullAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataExchangeDataGrantOwnerFullAccess);
+ }
+
+ /** Gives Data Grant receiver access to AWS Data Exchange actions using the AWS Management Console and SDK. */
+ public AWSDataExchangeDataGrantReceiverFullAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataExchangeDataGrantReceiverFullAccess);
+ }
+
 /** Grants full access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to related services needed to take full advantage of AWS Data Exchange. */
 public AWSDataExchangeFullAccess(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataExchangeFullAccess);
@@ -3119,6 +3204,16 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataExchangeReadOnly);
 }
 
+ /** Allows AWS Data Exchange to access AWS Services and Resources used or managed by AWS Data Exchange for license management. */
+ public AWSDataExchangeServiceRolePolicyForLicenseManagement(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataExchangeServiceRolePolicyForLicenseManagement);
+ }
+
+ /** Allows AWS Data Exchange to read data about your AWS Organization to determine eligibility for AWS Data Exchange data grants license distribution. */
+ public AWSDataExchangeServiceRolePolicyForOrganizationDiscovery(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataExchangeServiceRolePolicyForOrganizationDiscovery);
+ }
+
 /** Grants data subscriber access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to related services needed to take full advantage of AWS Data Exchange. */
 public AWSDataExchangeSubscriberFullAccess(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataExchangeSubscriberFullAccess);
@@ -3164,6 +3259,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataSyncReadOnlyAccess);
 }
 
+ /** Allows DataSync to integrate with other AWS services on your behalf */
+ public AWSDataSyncServiceRolePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDataSyncServiceRolePolicy);
+ }
+
 /** Provides AWS Deadline Cloud workers with access to run tasks on a farm. */
 public AWSDeadlineCloudFleetWorker(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDeadlineCloudFleetWorker);
@@ -3269,6 +3369,16 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDirectConnectServiceRolePolicy);
 }
 
+ /** Provides full access to AWS Directory Service Data. */
+ public AWSDirectoryServiceDataFullAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDirectoryServiceDataFullAccess);
+ }
+
+ /** Provides read-only access to AWS Directory Service Data */
+ public AWSDirectoryServiceDataReadOnlyAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDirectoryServiceDataReadOnlyAccess);
+ }
+
 /** Provides full access to AWS Directory Service. */
 public AWSDirectoryServiceFullAccess(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSDirectoryServiceFullAccess);
@@ -4454,6 +4564,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSPanoramaServiceRolePolicy);
 }
 
+ /** Grants permissions to PCS to manage resources on your behalf. */
+ public AWSPCSServiceRolePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSPCSServiceRolePolicy);
+ }
+
 /** Provides full access to AWS Price List Service. */
 public AWSPriceListServiceFullAccess(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSPriceListServiceFullAccess);
@@ -4889,6 +5004,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSServiceRoleForPrivateMarketplaceAdminPolicy);
 }
 
+ /** Policy for Procurement Insights to obtain Organization Account details */
+ public AWSServiceRoleForProcurementInsightsPolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSServiceRoleForProcurementInsightsPolicy);
+ }
+
 /** Provides access to AWS services and resources necessary to migrate service instances into AWS including EC2, S3 and Cloudformation. */
 public AWSServiceRoleForSMS(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSServiceRoleForSMS);
@@ -4919,6 +5039,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSShieldServiceRolePolicy);
 }
 
+ /** Provides access to publish metrics and provide insights for your social message sending. */
+ public AWSSocialMessagingServiceRolePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSSocialMessagingServiceRolePolicy);
+ }
+
 /** Provides AWS Systems Manager for SAP with the permissions needed to manage and integrate SAP software with AWS. */
 public AWSSSMForSAPServiceLinkedRolePolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.AWSSSMForSAPServiceLinkedRolePolicy);
@@ -5409,11 +5534,26 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.CloudWatchFullAccessV2);
 }
 
+ /** Provides full access to actions for working with Amazon CloudWatch Internet Monitor. Also provides access to other services, such as Amazon CloudWatch, Amazon EC2, Amazon CloudFront, Amazon WorkSpaces, and Elastic Load Balancing, that are necessary to use the Internet Monitor service for monitoring and storing information about application traffic. */
+ public CloudWatchInternetMonitorFullAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.CloudWatchInternetMonitorFullAccess);
+ }
+
+ /** Provides read only access to actions for working with Amazon CloudWatch Internet Monitor. Also provides access to other services in Amazon CloudWatch, including policies to retrieve information on CloudWatch metrics and to manage log queries, that are necessary to use the Internet Monitor service for monitoring and storing information about application traffic. */
+ public CloudWatchInternetMonitorReadOnlyAccess(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.CloudWatchInternetMonitorReadOnlyAccess);
+ }
+
 /** Allows Internet Monitor to access EC2, Workspaces, and CloudFront resources, and other required services on your behalf. */
 public CloudWatchInternetMonitorServiceRolePolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.CloudWatchInternetMonitorServiceRolePolicy);
 }
 
+ /** Provides write access to X-Ray and CloudWatch Application Signals log group. */
+ public CloudWatchLambdaApplicationSignalsExecutionRolePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.CloudWatchLambdaApplicationSignalsExecutionRolePolicy);
+ }
+
 /** Policy required for the Lambda Insights Extension */
 public CloudWatchLambdaInsightsExecutionRolePolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.CloudWatchLambdaInsightsExecutionRolePolicy);
@@ -5659,6 +5799,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.FSxDeleteServiceLinkedRoleAccess);
 }
 
+ /** Grants the required permissions for compute actions in an Amazon GameLift container fleet, including access to dependencies such as Amazon S3. */
+ public GameLiftContainerFleetPolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.GameLiftContainerFleetPolicy);
+ }
+
 /** Policy to allow Gamelift GameServerGroups to manage customer resources */
 public GameLiftGameServerGroupPolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.GameLiftGameServerGroupPolicy);
@@ -5869,6 +6014,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.PowerUserAccess);
 }
 
+ /** Grants permissions to AWS Services and Resources used or managed by Amazon Q Apps. */
+ public QAppsServiceRolePolicy(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.QAppsServiceRolePolicy);
+ }
+
 /** Grants permissions to AWS Services and Resources used or managed by Amazon Q */
 public QBusinessServiceRolePolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.QBusinessServiceRolePolicy);
@@ -5904,6 +6054,11 @@ export class AwsManagedPolicy extends AwsManagedPolicyStatic {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.ResourceGroupsServiceRolePolicy);
 }
 
+ /** Provides permissions to tag and untag all the resources supported by Resource Groups Tagging API. This policy also grants the permissions required to retrieve all tagged, or previously tagged, resources through the Resource Groups Tagging API. */
+ public ResourceGroupsTaggingAPITagUntagSupportedResources(): aws_iam.IManagedPolicy {
+ return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.ResourceGroupsTaggingAPITagUntagSupportedResources);
+ }
+
 /** Allows the OpenShift Amazon EBS Container Storage Interface (CSI) Driver Operator to install and maintain the Amazon EBS CSI driver on a Red Hat OpenShift Service on AWS (ROSA) cluster. The Amazon EBS CSI driver allows ROSA clusters to manage the lifecycle of Amazon EBS volumes for persistent volumes. */
 public ROSAAmazonEBSCSIDriverOperatorPolicy(): aws_iam.IManagedPolicy {
 return aws_iam.ManagedPolicy.fromAwsManagedPolicyName(AwsManagedPolicyStatic.ROSAAmazonEBSCSIDriverOperatorPolicy);
diff --git a/lib/generated/aws-managed-policies/iam-floyd.ts b/lib/generated/aws-managed-policies/iam-floyd.ts
index 022f13fc0..3b3a5d1e4 100644
--- a/lib/generated/aws-managed-policies/iam-floyd.ts
+++ b/lib/generated/aws-managed-policies/iam-floyd.ts
@@ -142,6 +142,10 @@ export class AwsManagedPolicy {
 public static AmazonConnectSynchronizationServiceRolePolicy = 'aws-service-role/AmazonConnectSynchronizationServiceRolePolicy';
 /** Provides full access to Amazon Connect Voice ID */
 public static AmazonConnectVoiceIDFullAccess = 'AmazonConnectVoiceIDFullAccess';
+ /** Provides permissions to consume Amazon Bedrock models, including invoking Amazon Bedrock application inference profile created for particular Amazon DataZone domain. */
+ public static AmazonDataZoneBedrockModelConsumptionPolicy = 'service-role/AmazonDataZoneBedrockModelConsumptionPolicy';
+ /** Provides permissions to manage Amazon Bedrock model access, including creating, tagging and deleting application inference profiles. */
+ public static AmazonDataZoneBedrockModelManagementPolicy = 'service-role/AmazonDataZoneBedrockModelManagementPolicy';
 /** Default policy for the Amazon DataZone's DomainExecutionRole service role. This role is used by Amazon DataZone to catalog, discover, govern, share, and analyze data in the Amazon DataZone domain. */
 public static AmazonDataZoneDomainExecutionRolePolicy = 'service-role/AmazonDataZoneDomainExecutionRolePolicy';
 /** Amazon DataZone creates IAM roles for Environments to perform data analytics actions, and uses this policy when creating these roles to define the boundary of their permissions. */
@@ -214,6 +218,8 @@ export class AwsManagedPolicy {
 public static AmazonEC2ContainerRegistryFullAccess = 'AmazonEC2ContainerRegistryFullAccess';
 /** Provides full access to Amazon EC2 Container Registry repositories, but does not allow repository deletion or policy changes. */
 public static AmazonEC2ContainerRegistryPowerUser = 'AmazonEC2ContainerRegistryPowerUser';
+ /** Provides access to pull images from Amazon EC2 Container Registry repositories. */
+ public static AmazonEC2ContainerRegistryPullOnly = 'AmazonEC2ContainerRegistryPullOnly';
 /** Provides read-only access to Amazon EC2 Container Registry repositories. */
 public static AmazonEC2ContainerRegistryReadOnly = 'AmazonEC2ContainerRegistryReadOnly';
 /** Policy to enable Task Autoscaling for Amazon EC2 Container Service */
@@ -256,18 +262,26 @@ export class AwsManagedPolicy {
 public static AmazonEFSCSIDriverPolicy = 'service-role/AmazonEFSCSIDriverPolicy';
 /** This policy provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IP address configuration on your EKS worker nodes. This permission set allows the CNI to list, describe, and modify Elastic Network Interfaces on your behalf. More information on the AWS VPC CNI Plugin is available here: https://github.com/aws/amazon-vpc-cni-k8s */
 public static AmazonEKSCNIPolicy = 'AmazonEKS_CNI_Policy';
+ /** Policy attached to the EKS Cluster Role that grants permissions to manage the cluster's block storage resources. */
+ public static AmazonEKSBlockStoragePolicy = 'AmazonEKSBlockStoragePolicy';
 /** This policy provides Kubernetes the permissions it requires to manage resources on your behalf. Kubernetes requires Ec2:CreateTags permissions to place identifying information on EC2 resources including but not limited to Instances, Security Groups, and Elastic Network Interfaces. */
 public static AmazonEKSClusterPolicy = 'AmazonEKSClusterPolicy';
+ /** Policy attached to the EKS Cluster Role that grants permissions to manage the cluster's compute resources. */
+ public static AmazonEKSComputePolicy = 'AmazonEKSComputePolicy';
 /** This policy allows Amazon EKS to manage AWS resources for EKS connector */
 public static AmazonEKSConnectorServiceRolePolicy = 'aws-service-role/AmazonEKSConnectorServiceRolePolicy';
 /** Provides access to other AWS service resources that are required to run Amazon EKS pods on AWS Fargate */
 public static AmazonEKSFargatePodExecutionRolePolicy = 'AmazonEKSFargatePodExecutionRolePolicy';
 /** This policy grants necessary permissions to Amazon EKS to run fargate tasks */
 public static AmazonEKSForFargateServiceRolePolicy = 'aws-service-role/AmazonEKSForFargateServiceRolePolicy';
+ /** Policy attached to the EKS Cluster Role that grants permissions to manage the cluster's load balancing resources. */
+ public static AmazonEKSLoadBalancingPolicy = 'AmazonEKSLoadBalancingPolicy';
 /** This policy provides permissions to EKS local cluster's control-plane instances running in your account to manage resources on your behalf. */
 public static AmazonEKSLocalOutpostClusterPolicy = 'AmazonEKSLocalOutpostClusterPolicy';
 /** Allows Amazon EKS Local to call AWS services on your behalf. */
 public static AmazonEKSLocalOutpostServiceRolePolicy = 'aws-service-role/AmazonEKSLocalOutpostServiceRolePolicy';
+ /** Policy attached to the EKS Cluster Role that grants permissions to manage the cluster's networking resources. */
+ public static AmazonEKSNetworkingPolicy = 'AmazonEKSNetworkingPolicy';
 /** This policy allows Amazon Elastic Container Service for Kubernetes to create and manage the necessary resources to operate EKS Clusters. */
 public static AmazonEKSServicePolicy = 'AmazonEKSServicePolicy';
 /** A Service-Linked Role required for Amazon EKS to call AWS services on your behalf. */
@@ -275,6 +289,8 @@ export class AwsManagedPolicy {
 /** Policy used by VPC Resource Controller to manage ENI and IPs for worker nodes. */
 public static AmazonEKSVPCResourceController = 'AmazonEKSVPCResourceController';
 /** This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters. */
+ public static AmazonEKSWorkerNodeMinimalPolicy = 'AmazonEKSWorkerNodeMinimalPolicy';
+ /** This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters. */
 public static AmazonEKSWorkerNodePolicy = 'AmazonEKSWorkerNodePolicy';
 /** Provides full access to Amazon ElastiCache via the AWS Management Console. */
 public static AmazonElastiCacheFullAccess = 'AmazonElastiCacheFullAccess';
@@ -572,6 +588,8 @@ export class AwsManagedPolicy {
 public static AmazonNimbleStudioStudioAdmin = 'AmazonNimbleStudio-StudioAdmin';
 /** This policy grants access to Amazon Nimble Studio resources associated with the studio user and related studio resources in other services. Attach this policy to the User role associated with your studio. */
 public static AmazonNimbleStudioStudioUser = 'AmazonNimbleStudio-StudioUser';
+ /** Allows Oracle Database@AWS to manage AWS resources on your behalf. */
+ public static AmazonODBServiceRolePolicy = 'aws-service-role/AmazonODBServiceRolePolicy';
 /** Provides full access to Amazon Omics and other required AWS Services. This policy allows the user to view and accept RAM share invitations to access resources outside of the user's AWS account. */
 public static AmazonOmicsFullAccess = 'AmazonOmicsFullAccess';
 /** Provide read only access to Amazon Omics */
@@ -758,6 +776,8 @@ export class AwsManagedPolicy {
 public static AmazonSageMakerGeospatialFullAccess = 'service-role/AmazonSageMakerGeospatialFullAccess';
 /** Provides access to AWS services that are required to run SageMaker GroundTruth Labeling job */
 public static AmazonSageMakerGroundTruthExecution = 'AmazonSageMakerGroundTruthExecution';
+ /** This policy grants permissions to Amazon SageMaker HyperPod to related AWS services such as Amazon EKS, Amazon CloudWatch etc. */
+ public static AmazonSageMakerHyperPodServiceRolePolicy = 'aws-service-role/AmazonSageMakerHyperPodServiceRolePolicy';
 /** Provides access to create Amazon Augmented AI FlowDefinition resources against any Workteam. */
 public static AmazonSageMakerMechanicalTurkAccess = 'AmazonSageMakerMechanicalTurkAccess';
 /** This AWS managed policy grants permissions needed to use all Amazon SageMaker Governance features. The policy also provides select access to related services (e.g., S3, KMS). */
@@ -852,6 +872,10 @@ export class AwsManagedPolicy {
 public static AmazonTranscribeFullAccess = 'AmazonTranscribeFullAccess';
 /** Provides access to read only operation for Amazon Transcribe */
 public static AmazonTranscribeReadOnlyAccess = 'AmazonTranscribeReadOnlyAccess';
+ /** Provides full access to Verified Permissions */
+ public static AmazonVerifiedPermissionsFullAccess = 'AmazonVerifiedPermissionsFullAccess';
+ /** Provides read-only access to the Verified Permissions service. */
+ public static AmazonVerifiedPermissionsReadOnlyAccess = 'AmazonVerifiedPermissionsReadOnlyAccess';
 /** Provides access to create network interfaces and attach them to cross-account resources */
 public static AmazonVPCCrossAccountNetworkInterfaceOperations = 'AmazonVPCCrossAccountNetworkInterfaceOperations';
 /** Provides full access to Amazon VPC via the AWS Management Console. */
@@ -892,6 +916,8 @@ export class AwsManagedPolicy {
 public static AmazonWorkSpacesSelfServiceAccess = 'AmazonWorkSpacesSelfServiceAccess';
 /** Provides customer account access to AWS WorkSpaces service for launching a Workspace. */
 public static AmazonWorkSpacesServiceAccess = 'AmazonWorkSpacesServiceAccess';
+ /** Provides full access to Amazon WorkSpaces Thin Client as well as limited access to required related services */
+ public static AmazonWorkSpacesThinClientFullAccess = 'AmazonWorkSpacesThinClientFullAccess';
 /** Provides read-only access to Amazon WorkSpaces Thin Client and its dependencies */
 public static AmazonWorkSpacesThinClientReadOnlyAccess = 'AmazonWorkSpacesThinClientReadOnlyAccess';
 /** Provides read-only access to Amazon WorkSpaces Web and its dependencies through the AWS Management Console, SDK, and CLI. */
@@ -1144,6 +1170,8 @@ export class AwsManagedPolicy {
 public static AWSCloudFormationReadOnlyAccess = 'AWSCloudFormationReadOnlyAccess';
 /** Grants CloudFront Logger write permissions to CloudWatch Logs. */
 public static AWSCloudFrontLogger = 'aws-service-role/AWSCloudFrontLogger';
+ /** Allows CloudFront to manage EC2 Elastic Network Interfaces and Security Groups on your behalf. */
+ public static AWSCloudFrontVPCOriginServiceRolePolicy = 'aws-service-role/AWSCloudFrontVPCOriginServiceRolePolicy';
 /** Provides full access to all CloudHSM resources. */
 public static AWSCloudHSMFullAccess = 'AWSCloudHSMFullAccess';
 /** Provides read only access to all CloudHSM resources. */
@@ -1218,6 +1246,8 @@ export class AwsManagedPolicy {
 public static AWSCompromisedKeyQuarantine = 'AWSCompromisedKeyQuarantine';
 /** Denies access to certain actions, applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly. Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event. */
 public static AWSCompromisedKeyQuarantineV2 = 'AWSCompromisedKeyQuarantineV2';
+ /** Denies access to certain actions, applied by AWS in the event that an IAM user's credentials have been compromised or exposed publicly. The policy aims to limit the potential damage that may be caused by fraud-related activity leading to unauthorized charges, while not impacting the existing resources. Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event. */
+ public static AWSCompromisedKeyQuarantineV3 = 'AWSCompromisedKeyQuarantineV3';
 /** Allows Config to call AWS services and deploy config resources across organization */
 public static AWSConfigMultiAccountSetupPolicy = 'aws-service-role/AWSConfigMultiAccountSetupPolicy';
 /** Allows AWS Config to remediate noncompliant resources on your behalf. */
@@ -1238,12 +1268,20 @@ export class AwsManagedPolicy {
 public static AWSControlTowerServiceRolePolicy = 'service-role/AWSControlTowerServiceRolePolicy';
 /** Grants permissions to to describe the organization of the account, create S3 buckets for the MAP program and apply tags to it, create a Cost and Usage Report, and describe Cost and Usage Report definitions. */
 public static AWSCostAndUsageReportAutomationPolicy = 'service-role/AWSCostAndUsageReportAutomationPolicy';
+ /** Gives Data Grant owners access to AWS Data Exchange actions using the AWS Management Console and SDK. */
+ public static AWSDataExchangeDataGrantOwnerFullAccess = 'AWSDataExchangeDataGrantOwnerFullAccess';
+ /** Gives Data Grant receiver access to AWS Data Exchange actions using the AWS Management Console and SDK. */
+ public static AWSDataExchangeDataGrantReceiverFullAccess = 'AWSDataExchangeDataGrantReceiverFullAccess';
 /** Grants full access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to related services needed to take full advantage of AWS Data Exchange. */
 public static AWSDataExchangeFullAccess = 'AWSDataExchangeFullAccess';
 /** Grants data provider access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to related services needed to take full advantage of AWS Data Exchange. */
 public static AWSDataExchangeProviderFullAccess = 'AWSDataExchangeProviderFullAccess';
 /** Grants read-only access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. */
 public static AWSDataExchangeReadOnly = 'AWSDataExchangeReadOnly';
+ /** Allows AWS Data Exchange to access AWS Services and Resources used or managed by AWS Data Exchange for license management. 
*/
+ public static AWSDataExchangeServiceRolePolicyForLicenseManagement = 'aws-service-role/AWSDataExchangeServiceRolePolicyForLicenseManagement';
+ /** Allows AWS Data Exchange to read data about your AWS Organization to determine eligibility for AWS Data Exchange data grants license distribution. */
+ public static AWSDataExchangeServiceRolePolicyForOrganizationDiscovery = 'aws-service-role/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery';
 /** Grants data subscriber access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to related services needed to take full advantage of AWS Data Exchange. */
 public static AWSDataExchangeSubscriberFullAccess = 'AWSDataExchangeSubscriberFullAccess';
 /** Provides appropriate permissions to AWS Data Lifecycle Manager to take actions on AWS resources */
@@ -1262,6 +1300,8 @@ export class AwsManagedPolicy {
 public static AWSDataSyncFullAccess = 'AWSDataSyncFullAccess';
 /** Provides read-only access to AWS DataSync */
 public static AWSDataSyncReadOnlyAccess = 'AWSDataSyncReadOnlyAccess';
+ /** Allows DataSync to integrate with other AWS services on your behalf */
+ public static AWSDataSyncServiceRolePolicy = 'aws-service-role/AWSDataSyncServiceRolePolicy';
 /** Provides AWS Deadline Cloud workers with access to run tasks on a farm. */
 public static AWSDeadlineCloudFleetWorker = 'AWSDeadlineCloud-FleetWorker';
 /** Provides user workstation access to AWS Deadline Cloud farms with limited Read-Only permissions to call other necessary services. Attach this policy to the user role associated with your studio. */
@@ -1304,6 +1344,10 @@ export class AwsManagedPolicy {
 public static AWSDirectConnectReadOnlyAccess = 'AWSDirectConnectReadOnlyAccess';
 /** Provides AWS Direct Connect permission to create and manage AWS resources on your behalf. */
 public static AWSDirectConnectServiceRolePolicy = 'aws-service-role/AWSDirectConnectServiceRolePolicy';
+ /** Provides full access to AWS Directory Service Data. */
+ public static AWSDirectoryServiceDataFullAccess = 'AWSDirectoryServiceDataFullAccess';
+ /** Provides read-only access to AWS Directory Service Data */
+ public static AWSDirectoryServiceDataReadOnlyAccess = 'AWSDirectoryServiceDataReadOnlyAccess';
 /** Provides full access to AWS Directory Service. */
 public static AWSDirectoryServiceFullAccess = 'AWSDirectoryServiceFullAccess';
 /** Provides read only access to AWS Directory Service. */
@@ -1778,6 +1822,8 @@ export class AwsManagedPolicy {
 public static AWSPanoramaServiceLinkedRolePolicy = 'aws-service-role/AWSPanoramaServiceLinkedRolePolicy';
 /** Allows AWS Panorama to manage resources in Amazon S3, AWS IoT, AWS IoT GreenGrass, AWS Lambda, Amazon SageMaker, and Amazon CloudWatch Logs, and to pass service roles to AWS IoT, AWS IoT GreenGrass, and Amazon SageMaker. */
 public static AWSPanoramaServiceRolePolicy = 'service-role/AWSPanoramaServiceRolePolicy';
+ /** Grants permissions to PCS to manage resources on your behalf. */
+ public static AWSPCSServiceRolePolicy = 'aws-service-role/AWSPCSServiceRolePolicy';
 /** Provides full access to AWS Price List Service. */
 public static AWSPriceListServiceFullAccess = 'AWSPriceListServiceFullAccess';
 /** Provides auditor access to AWS Private Certificate Authority */
@@ -1952,6 +1998,8 @@ export class AwsManagedPolicy {
 public static AWSServiceRoleForNeptuneGraphPolicy = 'aws-service-role/AWSServiceRoleForNeptuneGraphPolicy';
 /** Provides permissions to describe and update Private Marketplace resources and describe AWS Organizations */
 public static AWSServiceRoleForPrivateMarketplaceAdminPolicy = 'aws-service-role/AWSServiceRoleForPrivateMarketplaceAdminPolicy';
+ /** Policy for Procurement Insights to obtain Organization Account details */
+ public static AWSServiceRoleForProcurementInsightsPolicy = 'aws-service-role/AWSServiceRoleForProcurementInsightsPolicy';
 /** Provides access to AWS services and resources necessary to migrate service instances into AWS including EC2, S3 and Cloudformation. */
 public static AWSServiceRoleForSMS = 'aws-service-role/AWSServiceRoleForSMS';
 /** Provides access to the User Subscriptions service to your Identity Center resources to automatically update your subscriptions. */
@@ -1964,6 +2012,8 @@ export class AwsManagedPolicy {
 public static AWSShieldDRTAccessPolicy = 'service-role/AWSShieldDRTAccessPolicy';
 /** Allows AWS Shield to access AWS resources on your behalf to provide DDoS protection. */
 public static AWSShieldServiceRolePolicy = 'aws-service-role/AWSShieldServiceRolePolicy';
+ /** Provides access to publish metrics and provide insights for your social message sending. */
+ public static AWSSocialMessagingServiceRolePolicy = 'aws-service-role/AWSSocialMessagingServiceRolePolicy';
 /** Provides AWS Systems Manager for SAP with the permissions needed to manage and integrate SAP software with AWS. */
 public static AWSSSMForSAPServiceLinkedRolePolicy = 'aws-service-role/AWSSSMForSAPServiceLinkedRolePolicy';
 /** Policy for Service Linked Role AWSServiceRoleForAmazonSSM_OpsInsights */
@@ -2160,8 +2210,14 @@ export class AwsManagedPolicy {
 public static CloudWatchFullAccess = 'CloudWatchFullAccess';
 /** Provides full access to CloudWatch. */
 public static CloudWatchFullAccessV2 = 'CloudWatchFullAccessV2';
+ /** Provides full access to actions for working with Amazon CloudWatch Internet Monitor. Also provides access to other services, such as Amazon CloudWatch, Amazon EC2, Amazon CloudFront, Amazon WorkSpaces, and Elastic Load Balancing, that are necessary to use the Internet Monitor service for monitoring and storing information about application traffic. */
+ public static CloudWatchInternetMonitorFullAccess = 'CloudWatchInternetMonitorFullAccess';
+ /** Provides read only access to actions for working with Amazon CloudWatch Internet Monitor. Also provides access to other services in Amazon CloudWatch, including policies to retrieve information on CloudWatch metrics and to manage log queries, that are necessary to use the Internet Monitor service for monitoring and storing information about application traffic. */
+ public static CloudWatchInternetMonitorReadOnlyAccess = 'CloudWatchInternetMonitorReadOnlyAccess';
 /** Allows Internet Monitor to access EC2, Workspaces, and CloudFront resources, and other required services on your behalf. */
 public static CloudWatchInternetMonitorServiceRolePolicy = 'aws-service-role/CloudWatchInternetMonitorServiceRolePolicy';
+ /** Provides write access to X-Ray and CloudWatch Application Signals log group. */
+ public static CloudWatchLambdaApplicationSignalsExecutionRolePolicy = 'CloudWatchLambdaApplicationSignalsExecutionRolePolicy';
 /** Policy required for the Lambda Insights Extension */
 public static CloudWatchLambdaInsightsExecutionRolePolicy = 'CloudWatchLambdaInsightsExecutionRolePolicy';
 /** Provides capabilities to manage Observability Access Manager links and establish sharing of CloudWatch Logs resources */
@@ -2260,6 +2316,8 @@ export class AwsManagedPolicy {
 public static FMSServiceRolePolicy = 'aws-service-role/FMSServiceRolePolicy';
 /** Allows Amazon FSx to delete its Service Linked Roles for Amazon S3 access */
 public static FSxDeleteServiceLinkedRoleAccess = 'aws-service-role/FSxDeleteServiceLinkedRoleAccess';
+ /** Grants the required permissions for compute actions in an Amazon GameLift container fleet, including access to dependencies such as Amazon S3. */
+ public static GameLiftContainerFleetPolicy = 'GameLiftContainerFleetPolicy';
 /** Policy to allow Gamelift GameServerGroups to manage customer resources */
 public static GameLiftGameServerGroupPolicy = 'GameLiftGameServerGroupPolicy';
 /** Allow GlobalAccelerator Users full Access to all APIs */
@@ -2344,6 +2402,8 @@ export class AwsManagedPolicy {
 public static PartnerCentralAccountManagementUserRoleAssociation = 'PartnerCentralAccountManagementUserRoleAssociation';
 /** Provides full access to AWS services and resources, but does not allow management of Users and groups. */
 public static PowerUserAccess = 'PowerUserAccess';
+ /** Grants permissions to AWS Services and Resources used or managed by Amazon Q Apps. */
+ public static QAppsServiceRolePolicy = 'aws-service-role/QAppsServiceRolePolicy';
 /** Grants permissions to AWS Services and Resources used or managed by Amazon Q */
 public static QBusinessServiceRolePolicy = 'aws-service-role/QBusinessServiceRolePolicy';
 /** Policy used by QuickSight team to access customer data produced by S3 Storage Management Analytics. */
@@ -2358,6 +2418,8 @@ export class AwsManagedPolicy {
 public static ResourceGroupsandTagEditorReadOnlyAccess = 'ResourceGroupsandTagEditorReadOnlyAccess';
 /** Allows AWS Resource Groups to query the AWS services that own your resources to keep the group up-to-date */
 public static ResourceGroupsServiceRolePolicy = 'aws-service-role/ResourceGroupsServiceRolePolicy';
+ /** Provides permissions to tag and untag all the resources supported by Resource Groups Tagging API. This policy also grants the permissions required to retrieve all tagged, or previously tagged, resources through the Resource Groups Tagging API. */
+ public static ResourceGroupsTaggingAPITagUntagSupportedResources = 'ResourceGroupsTaggingAPITagUntagSupportedResources';
 /** Allows the OpenShift Amazon EBS Container Storage Interface (CSI) Driver Operator to install and maintain the Amazon EBS CSI driver on a Red Hat OpenShift Service on AWS (ROSA) cluster. The Amazon EBS CSI driver allows ROSA clusters to manage the lifecycle of Amazon EBS volumes for persistent volumes. */
 public static ROSAAmazonEBSCSIDriverOperatorPolicy = 'service-role/ROSAAmazonEBSCSIDriverOperatorPolicy';
 /** Allows the OpenShift Cloud Network Config Controller Operator to provision and manage networking resources for use by the Red Hat OpenShift Service on AWS (ROSA) cluster networking overlay. The OpenShift Cloud Network Operator interfaces with AWS APIs on behalf of the network plugins via CustomResourceDefinitions. The operator uses these policy permissions to manage private IP addresses for Amazon EC2 instances as part of the ROSA cluster. */