AWS IAM Policy Permissions¶
Tip
Looking for instructions on creating or updating an AWS Identity & Access Management (IAM) role for Fugue? See our tutorials Create a Fugue IAM Role and Update the Fugue IAM Role.
Note
The following policies are for reference only and reflect a point-in-time snapshot: AWS revises its managed policies over time and Fugue's supplemental permissions change as resource types are added, so treat the policy actually attached to the role in your account as authoritative. We recommend using the tailored policy Fugue generates for you, and reviewing it before attaching it — particularly the write (enforce) permissions listed below.
Fugue requires certain permissions to scan and enforce the infrastructure configuration in your AWS account. When you create an AWS Identity & Access Management (IAM) role for Fugue, the following policies are attached:
The AWS-managed read-only SecurityAudit policy
If needed, a supplemental inline policy granting any read or write permissions not covered by SecurityAudit, tailored to the resource types you select. Because the supplemental policy is derived from your selection, selecting only the resource types you actually need (and enabling enforcement only where you need it) keeps the role's permissions minimal.
Note that the role also has a trust policy specifying an external ID. Fugue generates this unique ID for you to mitigate the "confused deputy" problem: it prevents another party that can make requests through Fugue from assuming your role without the ID, even if they know your role ARN. The external ID does not by itself restrict which AWS principal may assume the role — that is determined by the Principal element of the trust policy, so verify that it names only Fugue's account. Treat the external ID as confidential and do not reuse it across roles or accounts.
SecurityAudit read-only (scan) permissions¶
For reference, all SecurityAudit read-only (scan) permissions as listed at the time of writing (some actions appear more than once in the listing; duplicates in an IAM Action array are harmless). Although this policy is read-only in the sense that it does not change resource configuration, a few of its actions return content or trigger work rather than just metadata — for example cloudformation:GetTemplate (templates may embed parameter defaults or other sensitive values), rds:DownloadDBLogFilePortion (database log contents), cloudtrail:LookupEvents (API activity history), iam:GenerateCredentialReport, config:Deliver*, datapipeline:EvaluateExpression and events:TestEventPattern — so the role should still be treated as having broad visibility into the account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"access-analyzer:GetAnalyzedResource",
"access-analyzer:GetAnalyzer",
"access-analyzer:GetArchiveRule",
"access-analyzer:GetFinding",
"access-analyzer:ListAnalyzedResources",
"access-analyzer:ListAnalyzers",
"access-analyzer:ListArchiveRules",
"access-analyzer:ListFindings",
"access-analyzer:ListTagsForResource",
"acm:Describe*",
"acm:List*",
"application-autoscaling:Describe*",
"appmesh:Describe*",
"appmesh:List*",
"appsync:List*",
"athena:GetWorkGroup",
"athena:List*",
"autoscaling:Describe*",
"batch:DescribeComputeEnvironments",
"batch:DescribeJobDefinitions",
"chime:List*",
"cloud9:Describe*",
"cloud9:ListEnvironments",
"clouddirectory:ListDirectories",
"cloudformation:DescribeStack*",
"cloudformation:GetTemplate",
"cloudformation:ListStack*",
"cloudformation:GetStackPolicy",
"cloudfront:Get*",
"cloudfront:List*",
"cloudhsm:ListHapgs",
"cloudhsm:ListHsms",
"cloudhsm:ListLunaClients",
"cloudsearch:DescribeDomains",
"cloudsearch:DescribeServiceAccessPolicies",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudtrail:LookupEvents",
"cloudwatch:Describe*",
"codebuild:ListProjects",
"codecommit:BatchGetRepositories",
"codecommit:GetBranch",
"codecommit:GetObjectIdentifier",
"codecommit:GetRepository",
"codecommit:List*",
"codedeploy:Batch*",
"codedeploy:Get*",
"codedeploy:List*",
"codepipeline:ListPipelines",
"codestar:Describe*",
"codestar:List*",
"cognito-identity:ListIdentityPools",
"cognito-idp:ListUserPools",
"cognito-sync:Describe*",
"cognito-sync:List*",
"comprehend:Describe*",
"comprehend:List*",
"config:BatchGetAggregateResourceConfig",
"config:BatchGetResourceConfig",
"config:Deliver*",
"config:Describe*",
"config:Get*",
"config:List*",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:EvaluateExpression",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"datapipeline:ValidatePipelineDefinition",
"datasync:Describe*",
"datasync:List*",
"dax:Describe*",
"dax:ListTags",
"directconnect:Describe*",
"dms:Describe*",
"dms:ListTagsForResource",
"ds:DescribeDirectories",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:ListBackups",
"dynamodb:ListGlobalTables",
"dynamodb:ListStreams",
"dynamodb:ListTables",
"ec2:Describe*",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayMulticastDomains",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGateways",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:GetManagedPrefixListAssociations",
"ec2:GetManagedPrefixListEntries",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecs:Describe*",
"ecs:List*",
"eks:DescribeCluster",
"eks:ListClusters",
"elasticache:Describe*",
"elasticbeanstalk:Describe*",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"es:Describe*",
"es:ListDomainNames",
"events:Describe*",
"events:List*",
"firehose:Describe*",
"firehose:List*",
"fms:ListComplianceStatus",
"fms:ListPolicies",
"fsx:Describe*",
"fsx:List*",
"gamelift:ListBuilds",
"gamelift:ListFleets",
"glacier:DescribeVault",
"glacier:GetVaultAccessPolicy",
"glacier:ListVaults",
"globalaccelerator:Describe*",
"globalaccelerator:List*",
"greengrass:List*",
"guardduty:Get*",
"guardduty:List*",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:Get*",
"iam:List*",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"inspector:Describe*",
"inspector:Get*",
"inspector:List*",
"inspector:Preview*",
"iot:Describe*",
"iot:GetPolicy",
"iot:GetPolicyVersion",
"iot:List*",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kinesisanalytics:ListApplications",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:GetAccountSettings",
"lambda:GetFunctionConfiguration",
"lambda:GetLayerVersionPolicy",
"lambda:GetPolicy",
"lambda:List*",
"license-manager:List*",
"lightsail:GetInstances",
"lightsail:GetLoadBalancers",
"logs:Describe*",
"logs:ListTagsLogGroup",
"machinelearning:DescribeMLModels",
"mediaconnect:Describe*",
"mediaconnect:List*",
"mediastore:GetContainerPolicy",
"mediastore:ListContainers",
"opsworks:DescribeStacks",
"opsworks-cm:DescribeServers",
"organizations:List*",
"organizations:Describe*",
"quicksight:Describe*",
"quicksight:List*",
"ram:List*",
"rds:Describe*",
"rds:DownloadDBLogFilePortion",
"rds:ListTagsForResource",
"redshift:Describe*",
"rekognition:Describe*",
"rekognition:List*",
"robomaker:Describe*",
"robomaker:List*",
"route53:Get*",
"route53:List*",
"route53domains:GetDomainDetail",
"route53domains:GetOperationDetail",
"route53domains:ListDomains",
"route53domains:ListOperations",
"route53domains:ListTagsForDomain",
"route53resolver:List*",
"route53resolver:Get*",
"s3:GetAccelerateConfiguration",
"s3:GetAccessPoint",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccountPublicAccessBlock",
"s3:GetAnalyticsConfiguration",
"s3:GetBucket*",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetObjectAcl",
"s3:GetObjectVersionAcl",
"s3:GetReplicationConfiguration",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"sagemaker:Describe*",
"sagemaker:List*",
"sdb:DomainMetadata",
"sdb:ListDomains",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"secretsmanager:ListSecretVersionIds",
"securityhub:Describe*",
"securityhub:Get*",
"securityhub:List*",
"serverlessrepo:GetApplicationPolicy",
"serverlessrepo:List*",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityPolicies",
"ses:GetIdentityVerificationAttributes",
"ses:ListIdentities",
"ses:ListIdentityPolicies",
"ses:ListVerifiedEmailAddresses",
"shield:Describe*",
"shield:List*",
"snowball:ListClusters",
"snowball:ListJobs",
"sns:GetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListDeadLetterSourceQueues",
"sqs:ListQueues",
"sqs:ListQueueTags",
"ssm:Describe*",
"ssm:GetAutomationExecution",
"ssm:ListDocuments",
"sso:DescribePermissionsPolicies",
"sso:List*",
"states:ListStateMachines",
"storagegateway:DescribeBandwidthRateLimit",
"storagegateway:DescribeCache",
"storagegateway:DescribeCachediSCSIVolumes",
"storagegateway:DescribeGatewayInformation",
"storagegateway:DescribeMaintenanceStartTime",
"storagegateway:DescribeNFSFileShares",
"storagegateway:DescribeSnapshotSchedule",
"storagegateway:DescribeStorediSCSIVolumes",
"storagegateway:DescribeTapeArchives",
"storagegateway:DescribeTapeRecoveryPoints",
"storagegateway:DescribeTapes",
"storagegateway:DescribeUploadBuffer",
"storagegateway:DescribeVTLDevices",
"storagegateway:DescribeWorkingStorage",
"storagegateway:List*",
"tag:GetResources",
"tag:GetTagKeys",
"transfer:Describe*",
"transfer:List*",
"translate:List*",
"trustedadvisor:Describe*",
"waf:GetWebACL",
"waf:ListWebACLs",
"waf:ListTagsForResource",
"wafv2:GetWebACL",
"wafv2:ListAvailableManagedRuleGroups",
"wafv2:ListIPSets",
"wafv2:ListLoggingConfigurations",
"wafv2:ListRegexPatternSets",
"wafv2:ListResourcesForWebACL",
"wafv2:ListRuleGroups",
"wafv2:ListTagsForResource",
"wafv2:ListWebACLs",
"waf-regional:GetWebACL",
"waf-regional:ListResourcesForWebACL",
"waf-regional:ListTagsForResource",
"waf-regional:ListWebACLs",
"workspaces:Describe*",
"cloudsearch:DescribeDomainEndpointOptions",
"cloudwatch:ListTagsForResource",
"detective:ListGraphs",
"detective:ListMembers",
"detective:GetGraphIngestState",
"dynamodb:ListTagsOfResource",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayMulticastDomains",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGateways",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:GetManagedPrefixListAssociations",
"ec2:GetManagedPrefixListEntries",
"ecr:DescribeImages",
"ecr:GetLifecyclePolicy",
"ecr:ListTagsForResource",
"eks:DescribeNodeGroup",
"eks:ListNodeGroups",
"elasticache:ListTagsForResource",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:ListTagsForResource",
"elasticmapreduce:GetBlockPublicAccessConfiguration",
"es:ListElasticsearchInstanceTypeDetails",
"es:ListElasticsearchVersions",
"es:ListTags",
"events:TestEventPattern",
"glue:GetDataCatalogEncryptionSettings",
"glue:GetDevEndpoints",
"guardduty:DescribePublishingDestination",
"secretsmanager:DescribeSecret",
"sns:ListTagsForResource",
"ssm:ListTagsForResource"
]
},
{
"Effect": "Allow",
"Action": [
"apigateway:GET"
],
"Resource": [
"arn:aws:apigateway:*::/apis",
"arn:aws:apigateway:*::/apis/*/stages",
"arn:aws:apigateway:*::/apis/*/stages/*",
"arn:aws:apigateway:*::/apis/*/routes",
"arn:aws:apigateway:*::/clientcertificates/*",
"arn:aws:apigateway:*::/restapis",
"arn:aws:apigateway:*::/restapis/*/authorizers",
"arn:aws:apigateway:*::/restapis/*/authorizers/*",
"arn:aws:apigateway:*::/restapis/*/documentation/versions",
"arn:aws:apigateway:*::/restapis/*/resources",
"arn:aws:apigateway:*::/restapis/*/resources/*",
"arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
"arn:aws:apigateway:*::/restapis/*/stages",
"arn:aws:apigateway:*::/restapis/*/stages/*",
"arn:aws:apigateway:*::/tags/*",
"arn:aws:apigateway:*::/vpclinks"
]
}
]
}
Supplemental read-only (scan) permissions¶
For reference, all possible read-only (scan) permissions supplemental to SecurityAudit (assuming all resource types, including beta types, are selected). Note that several of these read actual data rather than configuration metadata: ssm:GetParameter and ssm:GetParameters return parameter values (this policy grants no kms:Decrypt, so SecureString values stay encrypted, but String and StringList values are returned in plaintext), ssm:GetDocument returns document contents, and lambda:GetFunction returns a pre-signed URL from which the function's deployment package can be downloaded. If you do not need those resource types scanned, leave them unselected so these actions are not granted:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "0",
"Effect": "Allow",
"Resource": "*",
"Action": [
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:GetCertificateAuthorityCsr",
"acm-pca:ListCertificateAuthorities",
"acm-pca:ListTags",
"apigateway:GET",
"cloudwatch:GetDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:ListTagsForResource",
"cognito-idp:DescribeIdentityProvider",
"cognito-idp:DescribeResourceServer",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:DescribeUserPoolDomain",
"cognito-idp:GetGroup",
"cognito-idp:GetUserPoolMfaConfig",
"cognito-idp:ListGroups",
"cognito-idp:ListIdentityProviders",
"cognito-idp:ListResourceServers",
"cognito-idp:ListUserPoolClients",
"ds:DescribeConditionalForwarders",
"ds:ListTagsForResource",
"dynamodb:ListTagsOfResource",
"ecr:ListTagsForResource",
"elasticache:ListTagsForResource",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeTags",
"glacier:GetVaultNotifications",
"glacier:ListTagsForVault",
"kinesis:DescribeStreamSummary",
"lambda:GetAlias",
"lambda:GetEventSourceMapping",
"lambda:GetFunction",
"macie:ListMemberAccounts",
"macie:ListS3Resources",
"mediastore:DescribeContainer",
"mediastore:ListTagsForResource",
"secretsmanager:DescribeSecret",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"ssm:GetDocument",
"ssm:GetMaintenanceWindow",
"ssm:GetMaintenanceWindowTask",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetPatchBaseline",
"ssm:ListAssociations",
"ssm:ListResourceDataSync",
"ssm:ListTagsForResource",
"states:DescribeStateMachine",
"states:ListTagsForResource",
"waf-regional:Get*",
"waf-regional:List*",
"waf:Get*",
"waf:List*",
"wafv2:Get*",
"wafv2:List*"
]
}
]
}
Supplemental read/write permissions¶
For reference, all possible write (enforce) and read permissions supplemental to SecurityAudit (assuming all resource types, including beta types, are selected). Review this set carefully before enabling enforcement: every action is granted on Resource "*", and it includes IAM write actions that are privilege-escalation primitives in their own right — iam:PutRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:CreatePolicyVersion, iam:UpdateAssumeRolePolicy, iam:PassRole, iam:AddUserToGroup and iam:DeleteRolePermissionsBoundary / iam:DeleteUserPermissionsBoundary — meaning the role could, for instance, alter its own trust policy or attach additional inline policies to itself, as well as actions that can disable security controls (cloudtrail:StopLogging, config:StopConfigurationRecorder, kms:PutKeyPolicy, s3:PutBucketPolicy, ec2:AuthorizeSecurityGroupIngress). Enable enforcement only for the resource types where you need it, consider adding explicit Deny statements (or a permissions boundary) protecting the Fugue role itself and other sensitive IAM principals, and alert on CloudTrail events for these actions performed by the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "0",
"Effect": "Allow",
"Resource": "*",
"Action": [
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:GetCertificateAuthorityCsr",
"acm-pca:ListCertificateAuthorities",
"acm-pca:ListTags",
"acm-pca:TagCertificateAuthority",
"acm-pca:UntagCertificateAuthority",
"acm-pca:UpdateCertificateAuthority",
"apigateway:GET",
"apigateway:PutRestApi",
"apigateway:UpdateAuthorizer",
"apigateway:UpdateClientCertificate",
"apigateway:UpdateDeployment",
"apigateway:UpdateDomainName",
"apigateway:UpdateRequestValidator",
"apigateway:UpdateResource",
"apigateway:UpdateRestApi",
"apigateway:UpdateStage",
"apigateway:UpdateUsagePlan",
"apigateway:UpdateVpcLink",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:AttachLoadBalancers",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteTags",
"autoscaling:DetachLoadBalancerTargetGroups",
"autoscaling:DetachLoadBalancers",
"autoscaling:DisableMetricsCollection",
"autoscaling:EnableMetricsCollection",
"autoscaling:PutLifecycleHook",
"autoscaling:PutScalingPolicy",
"autoscaling:PutScheduledUpdateGroupAction",
"autoscaling:ResumeProcesses",
"autoscaling:SuspendProcesses",
"autoscaling:UpdateAutoScalingGroup",
"cloudfront:UpdateDistribution",
"cloudtrail:AddTags",
"cloudtrail:PutEventSelectors",
"cloudtrail:RemoveTags",
"cloudtrail:StartLogging",
"cloudtrail:StopLogging",
"cloudtrail:UpdateTrail",
"cloudwatch:GetDashboard",
"cloudwatch:ListDashboards",
"cloudwatch:ListTagsForResource",
"cloudwatch:PutDashboard",
"cloudwatch:PutMetricAlarm",
"cognito-idp:DescribeIdentityProvider",
"cognito-idp:DescribeResourceServer",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:DescribeUserPoolDomain",
"cognito-idp:GetGroup",
"cognito-idp:GetUserPoolMfaConfig",
"cognito-idp:ListGroups",
"cognito-idp:ListIdentityProviders",
"cognito-idp:ListResourceServers",
"cognito-idp:ListUserPoolClients",
"cognito-idp:UpdateGroup",
"cognito-idp:UpdateIdentityProvider",
"cognito-idp:UpdateResourceServer",
"cognito-idp:UpdateUserPool",
"cognito-idp:UpdateUserPoolClient",
"config:PutConfigRule",
"config:PutConfigurationAggregator",
"config:PutConfigurationRecorder",
"config:PutDeliveryChannel",
"config:StartConfigurationRecorder",
"config:StopConfigurationRecorder",
"ds:DescribeConditionalForwarders",
"ds:DisableSso",
"ds:EnableSso",
"ds:ListTagsForResource",
"ds:UpdateConditionalForwarder",
"dynamodb:ListTagsOfResource",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"dynamodb:UpdateContinuousBackups",
"dynamodb:UpdateTable",
"dynamodb:UpdateTimeToLive",
"ec2:AcceptVpcEndpointConnections",
"ec2:AcceptVpcPeeringConnection",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateIamInstanceProfile",
"ec2:AssociateRouteTable",
"ec2:AssociateSubnetCidrBlock",
"ec2:AssociateVpcCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVpnGateway",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateNetworkAclEntry",
"ec2:CreateRoute",
"ec2:CreateTags",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRoute",
"ec2:DeleteTags",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DetachVpnGateway",
"ec2:DisableVgwRoutePropagation",
"ec2:DisableVpcClassicLink",
"ec2:DisableVpcClassicLinkDnsSupport",
"ec2:DisassociateIamInstanceProfile",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DisassociateVpcCidrBlock",
"ec2:EnableVgwRoutePropagation",
"ec2:EnableVpcClassicLink",
"ec2:EnableVpcClassicLinkDnsSupport",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyInstanceCreditSpecification",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySpotFleetRequest",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVolume",
"ec2:ModifyVpcAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:ModifyVpcEndpointConnectionNotification",
"ec2:ModifyVpcEndpointServiceConfiguration",
"ec2:ModifyVpcEndpointServicePermissions",
"ec2:ModifyVpcPeeringConnectionOptions",
"ec2:ModifyVpcTenancy",
"ec2:MonitorInstances",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:ReplaceNetworkAclAssociation",
"ec2:ReplaceRouteTableAssociation",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:UnassignPrivateIpAddresses",
"ec2:UnmonitorInstances",
"ecr:ListTagsForResource",
"ecs:UpdateService",
"elasticache:AddTagsToResource",
"elasticache:ListTagsForResource",
"elasticache:ModifyCacheCluster",
"elasticache:ModifyCacheParameterGroup",
"elasticache:ModifyReplicationGroup",
"elasticache:ModifyReplicationGroupShardConfiguration",
"elasticache:RemoveTagsFromResource",
"elasticache:ResetCacheParameterGroup",
"elasticfilesystem:CreateTags",
"elasticfilesystem:DeleteTags",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:ModifyMountTargetSecurityGroups",
"elasticfilesystem:UpdateFileSystem",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteLoadBalancerPolicy",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetRulePriorities",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"events:DisableRule",
"events:EnableRule",
"events:PutRule",
"events:PutTargets",
"firehose:StartDeliveryStreamEncryption",
"firehose:StopDeliveryStreamEncryption",
"firehose:TagDeliveryStream",
"firehose:UntagDeliveryStream",
"firehose:UpdateDestination",
"glacier:AddTagsToVault",
"glacier:DeleteVaultAccessPolicy",
"glacier:DeleteVaultNotifications",
"glacier:GetVaultNotifications",
"glacier:ListTagsForVault",
"glacier:RemoveTagsFromVault",
"glacier:SetVaultAccessPolicy",
"glacier:SetVaultNotifications",
"guardduty:DisassociateMembers",
"guardduty:InviteMembers",
"guardduty:UpdateDetector",
"iam:AddRoleToInstanceProfile",
"iam:AddUserToGroup",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteUserPermissionsBoundary",
"iam:PassRole",
"iam:PutGroupPolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:PutUserPermissionsBoundary",
"iam:PutUserPolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:RemoveUserFromGroup",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateRole",
"iam:UpdateRoleDescription",
"iam:UpdateSAMLProvider",
"iam:UpdateUser",
"inspector:UpdateAssessmentTarget",
"kinesis:AddTagsToStream",
"kinesis:DecreaseStreamRetentionPeriod",
"kinesis:DescribeStreamSummary",
"kinesis:DisableEnhancedMonitoring",
"kinesis:EnableEnhancedMonitoring",
"kinesis:IncreaseStreamRetentionPeriod",
"kinesis:RemoveTagsFromStream",
"kinesis:StartStreamEncryption",
"kinesis:StopStreamEncryption",
"kinesis:UpdateShardCount",
"kms:DisableKey",
"kms:DisableKeyRotation",
"kms:EnableKey",
"kms:EnableKeyRotation",
"kms:PutKeyPolicy",
"kms:TagResource",
"kms:UpdateAlias",
"kms:UpdateKeyDescription",
"lambda:DeleteFunctionConcurrency",
"lambda:GetAlias",
"lambda:GetEventSourceMapping",
"lambda:GetFunction",
"lambda:PutFunctionConcurrency",
"lambda:UpdateAlias",
"lambda:UpdateEventSourceMapping",
"lambda:UpdateFunctionConfiguration",
"logs:AssociateKmsKey",
"logs:DisassociateKmsKey",
"logs:PutDestination",
"logs:PutDestinationPolicy",
"logs:PutMetricFilter",
"logs:PutResourcePolicy",
"logs:PutRetentionPolicy",
"logs:PutSubscriptionFilter",
"logs:TagLogGroup",
"logs:UntagLogGroup",
"macie:ListMemberAccounts",
"macie:ListS3Resources",
"macie:UpdateS3Resources",
"mediastore:DescribeContainer",
"mediastore:ListTagsForResource",
"mediastore:PutContainerPolicy",
"rds:AddRoleToDBCluster",
"rds:AddTagsToResource",
"rds:ModifyDBCluster",
"rds:ModifyDBClusterParameterGroup",
"rds:ModifyDBInstance",
"rds:ModifyDBParameterGroup",
"rds:ModifyDBSubnetGroup",
"rds:ModifyEventSubscription",
"rds:ModifyOptionGroup",
"rds:PromoteReadReplica",
"rds:RemoveRoleFromDBCluster",
"rds:RemoveTagsFromResource",
"redshift:DisableLogging",
"redshift:DisableSnapshotCopy",
"redshift:EnableLogging",
"redshift:EnableSnapshotCopy",
"redshift:ModifyCluster",
"redshift:ModifyClusterIamRoles",
"redshift:ModifyClusterParameterGroup",
"redshift:ModifyClusterSubnetGroup",
"route53:AssociateVPCWithHostedZone",
"route53:ChangeResourceRecordSets",
"route53:DisassociateVPCFromHostedZone",
"route53:UpdateHealthCheck",
"route53:UpdateHostedZoneComment",
"s3:DeleteBucketPolicy",
"s3:DeleteBucketWebsite",
"s3:PutAccelerateConfiguration",
"s3:PutBucketAcl",
"s3:PutBucketCors",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutReplicationConfiguration",
"secretsmanager:DeleteResourcePolicy",
"secretsmanager:DescribeSecret",
"secretsmanager:PutResourcePolicy",
"secretsmanager:TagResource",
"secretsmanager:UntagResource",
"secretsmanager:UpdateSecret",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sqs:SetQueueAttributes",
"sqs:TagQueue",
"sqs:UntagQueue",
"ssm:GetDocument",
"ssm:GetMaintenanceWindow",
"ssm:GetMaintenanceWindowTask",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetPatchBaseline",
"ssm:ListAssociations",
"ssm:ListResourceDataSync",
"ssm:ListTagsForResource",
"ssm:ModifyDocumentPermission",
"ssm:PutParameter",
"ssm:UpdateAssociation",
"ssm:UpdateDocument",
"ssm:UpdateDocumentDefaultVersion",
"ssm:UpdateMaintenanceWindow",
"ssm:UpdateMaintenanceWindowTarget",
"ssm:UpdatePatchBaseline",
"states:DescribeStateMachine",
"states:ListTagsForResource",
"states:UpdateStateMachine",
"waf-regional:Get*",
"waf-regional:GetChangeToken",
"waf-regional:List*",
"waf-regional:PutLoggingConfiguration",
"waf-regional:TagResource",
"waf-regional:UntagResource",
"waf-regional:UpdateByteMatchSet",
"waf-regional:UpdateGeoMatchSet",
"waf-regional:UpdateRateBasedRule",
"waf-regional:UpdateRegexMatchSet",
"waf-regional:UpdateRegexPatternSet",
"waf-regional:UpdateRule",
"waf-regional:UpdateRuleGroup",
"waf-regional:UpdateSizeConstraintSet",
"waf-regional:UpdateSqlInjectionMatchSet",
"waf-regional:UpdateWebACL",
"waf-regional:UpdateXssMatchSet",
"waf:Get*",
"waf:GetChangeToken",
"waf:List*",
"waf:PutLoggingConfiguration",
"waf:TagResource",
"waf:UntagResource",
"waf:UpdateByteMatchSet",
"waf:UpdateGeoMatchSet",
"waf:UpdateRateBasedRule",
"waf:UpdateRegexMatchSet",
"waf:UpdateRegexPatternSet",
"waf:UpdateRule",
"waf:UpdateRuleGroup",
"waf:UpdateSizeConstraintSet",
"waf:UpdateSqlInjectionMatchSet",
"waf:UpdateWebACL",
"waf:UpdateXssMatchSet",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"wafv2:Get*",
"wafv2:List*",
"wafv2:PutLoggingConfiguration",
"wafv2:TagResource",
"wafv2:UntagResource",
"wafv2:UpdateRegexPatternSet",
"wafv2:UpdateRuleGroup",
"wafv2:UpdateWebACL"
]
}
]
}