AWS IAM Policy Permissions

Tip

Looking for instructions on creating or updating an AWS Identity & Access Management (IAM) role for Fugue? See our tutorials Create a Fugue IAM Role and Update the Fugue IAM Role.

Note

The following policies are for reference only. We recommend using the tailored policy Fugue generates for you.

Fugue requires certain permissions to scan and enforce the infrastructure configuration in your AWS account. When you create an AWS Identity & Access Management (IAM) role for Fugue, the following policies are attached:

  1. The AWS-managed read-only SecurityAudit policy

  2. If needed, a supplemental inline policy granting any read or write permissions not covered by SecurityAudit, tailored to the resource types you select

Note that the role also has a trust policy specifying an external ID. Fugue generates this unique ID for you to prevent other parties from assuming the role without the ID, even if they have your role ARN.

SecurityAudit read-only (scan) permissions

For reference, all SecurityAudit read-only (scan) permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "access-analyzer:GetAnalyzedResource",
                "access-analyzer:GetAnalyzer",
                "access-analyzer:GetArchiveRule",
                "access-analyzer:GetFinding",
                "access-analyzer:ListAnalyzedResources",
                "access-analyzer:ListAnalyzers",
                "access-analyzer:ListArchiveRules",
                "access-analyzer:ListFindings",
                "access-analyzer:ListTagsForResource",
                "acm:Describe*",
                "acm:List*",
                "application-autoscaling:Describe*",
                "appmesh:Describe*",
                "appmesh:List*",
                "appsync:List*",
                "athena:GetWorkGroup",
                "athena:List*",
                "autoscaling:Describe*",
                "batch:DescribeComputeEnvironments",
                "batch:DescribeJobDefinitions",
                "chime:List*",
                "cloud9:Describe*",
                "cloud9:ListEnvironments",
                "clouddirectory:ListDirectories",
                "cloudformation:DescribeStack*",
                "cloudformation:GetTemplate",
                "cloudformation:ListStack*",
                "cloudformation:GetStackPolicy",
                "cloudfront:Get*",
                "cloudfront:List*",
                "cloudhsm:ListHapgs",
                "cloudhsm:ListHsms",
                "cloudhsm:ListLunaClients",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListTags",
                "cloudtrail:LookupEvents",
                "cloudwatch:Describe*",
                "codebuild:ListProjects",
                "codecommit:BatchGetRepositories",
                "codecommit:GetBranch",
                "codecommit:GetObjectIdentifier",
                "codecommit:GetRepository",
                "codecommit:List*",
                "codedeploy:Batch*",
                "codedeploy:Get*",
                "codedeploy:List*",
                "codepipeline:ListPipelines",
                "codestar:Describe*",
                "codestar:List*",
                "cognito-identity:ListIdentityPools",
                "cognito-idp:ListUserPools",
                "cognito-sync:Describe*",
                "cognito-sync:List*",
                "comprehend:Describe*",
                "comprehend:List*",
                "config:BatchGetAggregateResourceConfig",
                "config:BatchGetResourceConfig",
                "config:Deliver*",
                "config:Describe*",
                "config:Get*",
                "config:List*",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:EvaluateExpression",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:QueryObjects",
                "datapipeline:ValidatePipelineDefinition",
                "datasync:Describe*",
                "datasync:List*",
                "dax:Describe*",
                "dax:ListTags",
                "directconnect:Describe*",
                "dms:Describe*",
                "dms:ListTagsForResource",
                "ds:DescribeDirectories",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeTimeToLive",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListStreams",
                "dynamodb:ListTables",
                "ec2:Describe*",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecs:Describe*",
                "ecs:List*",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticache:Describe*",
                "elasticbeanstalk:Describe*",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "es:Describe*",
                "es:ListDomainNames",
                "events:Describe*",
                "events:List*",
                "firehose:Describe*",
                "firehose:List*",
                "fms:ListComplianceStatus",
                "fms:ListPolicies",
                "fsx:Describe*",
                "fsx:List*",
                "gamelift:ListBuilds",
                "gamelift:ListFleets",
                "glacier:DescribeVault",
                "glacier:GetVaultAccessPolicy",
                "glacier:ListVaults",
                "globalaccelerator:Describe*",
                "globalaccelerator:List*",
                "greengrass:List*",
                "guardduty:Get*",
                "guardduty:List*",
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
                "inspector:Describe*",
                "inspector:Get*",
                "inspector:List*",
                "inspector:Preview*",
                "iot:Describe*",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "iot:List*",
                "kinesis:DescribeStream",
                "kinesis:ListStreams",
                "kinesis:ListTagsForStream",
                "kinesisanalytics:ListApplications",
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "lambda:GetAccountSettings",
                "lambda:GetFunctionConfiguration",
                "lambda:GetLayerVersionPolicy",
                "lambda:GetPolicy",
                "lambda:List*",
                "license-manager:List*",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "logs:Describe*",
                "logs:ListTagsLogGroup",
                "machinelearning:DescribeMLModels",
                "mediaconnect:Describe*",
                "mediaconnect:List*",
                "mediastore:GetContainerPolicy",
                "mediastore:ListContainers",
                "opsworks:DescribeStacks",
                "opsworks-cm:DescribeServers",
                "organizations:List*",
                "organizations:Describe*",
                "quicksight:Describe*",
                "quicksight:List*",
                "ram:List*",
                "rds:Describe*",
                "rds:DownloadDBLogFilePortion",
                "rds:ListTagsForResource",
                "redshift:Describe*",
                "rekognition:Describe*",
                "rekognition:List*",
                "robomaker:Describe*",
                "robomaker:List*",
                "route53:Get*",
                "route53:List*",
                "route53domains:GetDomainDetail",
                "route53domains:GetOperationDetail",
                "route53domains:ListDomains",
                "route53domains:ListOperations",
                "route53domains:ListTagsForDomain",
                "route53resolver:List*",
                "route53resolver:Get*",
                "s3:GetAccelerateConfiguration",
                "s3:GetAccessPoint",
                "s3:GetAccessPointPolicy",
                "s3:GetAccessPointPolicyStatus",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetAnalyticsConfiguration",
                "s3:GetBucket*",
                "s3:GetEncryptionConfiguration",
                "s3:GetInventoryConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetMetricsConfiguration",
                "s3:GetObjectAcl",
                "s3:GetObjectVersionAcl",
                "s3:GetReplicationConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "sagemaker:Describe*",
                "sagemaker:List*",
                "sdb:DomainMetadata",
                "sdb:ListDomains",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:ListSecrets",
                "secretsmanager:ListSecretVersionIds",
                "securityhub:Describe*",
                "securityhub:Get*",
                "securityhub:List*",
                "serverlessrepo:GetApplicationPolicy",
                "serverlessrepo:List*",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityPolicies",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:ListIdentityPolicies",
                "ses:ListVerifiedEmailAddresses",
                "shield:Describe*",
                "shield:List*",
                "snowball:ListClusters",
                "snowball:ListJobs",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:ListQueues",
                "sqs:ListQueueTags",
                "ssm:Describe*",
                "ssm:GetAutomationExecution",
                "ssm:ListDocuments",
                "sso:DescribePermissionsPolicies",
                "sso:List*",
                "states:ListStateMachines",
                "storagegateway:DescribeBandwidthRateLimit",
                "storagegateway:DescribeCache",
                "storagegateway:DescribeCachediSCSIVolumes",
                "storagegateway:DescribeGatewayInformation",
                "storagegateway:DescribeMaintenanceStartTime",
                "storagegateway:DescribeNFSFileShares",
                "storagegateway:DescribeSnapshotSchedule",
                "storagegateway:DescribeStorediSCSIVolumes",
                "storagegateway:DescribeTapeArchives",
                "storagegateway:DescribeTapeRecoveryPoints",
                "storagegateway:DescribeTapes",
                "storagegateway:DescribeUploadBuffer",
                "storagegateway:DescribeVTLDevices",
                "storagegateway:DescribeWorkingStorage",
                "storagegateway:List*",
                "tag:GetResources",
                "tag:GetTagKeys",
                "transfer:Describe*",
                "transfer:List*",
                "translate:List*",
                "trustedadvisor:Describe*",
                "waf:ListWebACLs",
                "waf-regional:ListWebACLs",
                "workspaces:Describe*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET"
            ],
            "Resource": [
                "arn:aws:apigateway:*::/apis",
                "arn:aws:apigateway:*::/apis/*/stages",
                "arn:aws:apigateway:*::/apis/*/stages/*",
                "arn:aws:apigateway:*::/apis/*/routes",
                "arn:aws:apigateway:*::/restapis",
                "arn:aws:apigateway:*::/restapis/*/authorizers",
                "arn:aws:apigateway:*::/restapis/*/authorizers/*",
                "arn:aws:apigateway:*::/restapis/*/documentation/versions",
                "arn:aws:apigateway:*::/restapis/*/resources",
                "arn:aws:apigateway:*::/restapis/*/resources/*",
                "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
                "arn:aws:apigateway:*::/restapis/*/stages",
                "arn:aws:apigateway:*::/restapis/*/stages/*",
                "arn:aws:apigateway:*::/vpclinks"
            ]
        }
    ]
}

Supplemental read-only (scan) permissions

For reference, all possible read-only (scan) permissions supplemental to SecurityAudit (assuming all resource types, including beta types, are selected):

{
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "0",
       "Effect": "Allow",
       "Resource": "*",
       "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificateAuthorityCertificate",
        "acm-pca:GetCertificateAuthorityCsr",
        "acm-pca:ListCertificateAuthorities",
        "acm-pca:ListTags",
        "apigateway:GET",
        "cloudwatch:GetDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:ListTagsForResource",
        "cognito-idp:DescribeIdentityProvider",
        "cognito-idp:DescribeResourceServer",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:DescribeUserPoolDomain",
        "cognito-idp:GetGroup",
        "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders",
        "cognito-idp:ListResourceServers",
        "cognito-idp:ListUserPoolClients",
        "ds:DescribeConditionalForwarders",
        "ds:ListTagsForResource",
        "dynamodb:ListTagsOfResource",
        "ecr:ListTagsForResource",
        "elasticache:ListTagsForResource",
        "elasticfilesystem:DescribeLifecycleConfiguration",
        "elasticfilesystem:DescribeTags",
        "glacier:GetVaultNotifications",
        "glacier:ListTagsForVault",
        "kinesis:DescribeStreamSummary",
        "lambda:GetAlias",
        "lambda:GetEventSourceMapping",
        "lambda:GetFunction",
        "macie:ListMemberAccounts",
        "macie:ListS3Resources",
        "mediastore:DescribeContainer",
        "mediastore:ListTagsForResource",
        "s3:ListBucket",
        "secretsmanager:DescribeSecret",
        "sns:GetSubscriptionAttributes",
        "sns:ListSubscriptions",
        "sns:ListTagsForResource",
        "ssm:GetDocument",
        "ssm:GetMaintenanceWindow",
        "ssm:GetMaintenanceWindowTask",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetPatchBaseline",
        "ssm:ListAssociations",
        "ssm:ListResourceDataSync",
        "ssm:ListTagsForResource",
        "states:DescribeStateMachine",
        "states:ListTagsForResource",
        "waf:GetLoggingConfiguration",
        "waf:GetWebACL",
        "waf:ListTagsForResource"
       ]
     }
   ]
}

Supplemental write (enforce) permissions

For reference, all possible write (enforce) permissions supplemental to SecurityAudit (assuming all resource types, including beta types, are selected):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "0",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "acm-pca:TagCertificateAuthority",
        "acm-pca:UntagCertificateAuthority",
        "acm-pca:UpdateCertificateAuthority",
        "apigateway:PutRestApi",
        "apigateway:UpdateAuthorizer",
        "apigateway:UpdateClientCertificate",
        "apigateway:UpdateDeployment",
        "apigateway:UpdateDomainName",
        "apigateway:UpdateRequestValidator",
        "apigateway:UpdateResource",
        "apigateway:UpdateRestApi",
        "apigateway:UpdateStage",
        "apigateway:UpdateUsagePlan",
        "apigateway:UpdateVpcLink",
        "autoscaling:AttachLoadBalancerTargetGroups",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteTags",
        "autoscaling:DetachLoadBalancerTargetGroups",
        "autoscaling:DetachLoadBalancers",
        "autoscaling:DisableMetricsCollection",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:PutLifecycleHook",
        "autoscaling:PutScalingPolicy",
        "autoscaling:PutScheduledUpdateGroupAction",
        "autoscaling:ResumeProcesses",
        "autoscaling:SuspendProcesses",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudfront:UpdateDistribution",
        "cloudtrail:AddTags",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:RemoveTags",
        "cloudtrail:StartLogging",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudwatch:PutDashboard",
        "cloudwatch:PutMetricAlarm",
        "cognito-idp:UpdateGroup",
        "cognito-idp:UpdateIdentityProvider",
        "cognito-idp:UpdateResourceServer",
        "cognito-idp:UpdateUserPool",
        "cognito-idp:UpdateUserPoolClient",
        "config:PutConfigRule",
        "config:PutConfigurationAggregator",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:StartConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "ds:DisableSso",
        "ds:EnableSso",
        "ds:UpdateConditionalForwarder",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "dynamodb:UpdateContinuousBackups",
        "dynamodb:UpdateTable",
        "dynamodb:UpdateTimeToLive",
        "ec2:AcceptVpcEndpointConnections",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:AssignPrivateIpAddresses",
        "ec2:AssociateAddress",
        "ec2:AssociateDhcpOptions",
        "ec2:AssociateIamInstanceProfile",
        "ec2:AssociateRouteTable",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:AssociateVpcCidrBlock",
        "ec2:AttachInternetGateway",
        "ec2:AttachNetworkInterface",
        "ec2:AttachVpnGateway",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateRoute",
        "ec2:CreateTags",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRoute",
        "ec2:DeleteTags",
        "ec2:DetachInternetGateway",
        "ec2:DetachNetworkInterface",
        "ec2:DetachVpnGateway",
        "ec2:DisableVgwRoutePropagation",
        "ec2:DisableVpcClassicLink",
        "ec2:DisableVpcClassicLinkDnsSupport",
        "ec2:DisassociateIamInstanceProfile",
        "ec2:DisassociateSubnetCidrBlock",
        "ec2:DisassociateVpcCidrBlock",
        "ec2:EnableVgwRoutePropagation",
        "ec2:EnableVpcClassicLink",
        "ec2:EnableVpcClassicLinkDnsSupport",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyInstanceCreditSpecification",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifySpotFleetRequest",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVolume",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifyVpcEndpoint",
        "ec2:ModifyVpcEndpointConnectionNotification",
        "ec2:ModifyVpcEndpointServiceConfiguration",
        "ec2:ModifyVpcEndpointServicePermissions",
        "ec2:ModifyVpcPeeringConnectionOptions",
        "ec2:ModifyVpcTenancy",
        "ec2:MonitorInstances",
        "ec2:ReplaceIamInstanceProfileAssociation",
        "ec2:ReplaceNetworkAclAssociation",
        "ec2:ReplaceRouteTableAssociation",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:UnmonitorInstances",
        "ecs:UpdateService",
        "elasticache:AddTagsToResource",
        "elasticache:ModifyCacheCluster",
        "elasticache:ModifyCacheParameterGroup",
        "elasticache:ModifyReplicationGroup",
        "elasticache:ModifyReplicationGroupShardConfiguration",
        "elasticache:RemoveTagsFromResource",
        "elasticache:ResetCacheParameterGroup",
        "elasticfilesystem:CreateTags",
        "elasticfilesystem:DeleteTags",
        "elasticfilesystem:ModifyMountTargetSecurityGroups",
        "elasticfilesystem:UpdateFileSystem",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:CreateLoadBalancerPolicy",
        "elasticloadbalancing:DeleteLoadBalancerListeners",
        "elasticloadbalancing:DeleteLoadBalancerPolicy",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
        "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
        "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
        "elasticloadbalancing:ModifyListener",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:ModifyRule",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RemoveTags",
        "elasticloadbalancing:SetIpAddressType",
        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
        "elasticloadbalancing:SetRulePriorities",
        "elasticloadbalancing:SetSecurityGroups",
        "elasticloadbalancing:SetSubnets",
        "events:DisableRule",
        "events:EnableRule",
        "events:PutRule",
        "events:PutTargets",
        "firehose:StartDeliveryStreamEncryption",
        "firehose:StopDeliveryStreamEncryption",
        "firehose:TagDeliveryStream",
        "firehose:UntagDeliveryStream",
        "firehose:UpdateDestination",
        "glacier:AddTagsToVault",
        "glacier:DeleteVaultAccessPolicy",
        "glacier:DeleteVaultNotifications",
        "glacier:RemoveTagsFromVault",
        "glacier:SetVaultAccessPolicy",
        "glacier:SetVaultNotifications",
        "guardduty:DisassociateMembers",
        "guardduty:InviteMembers",
        "guardduty:UpdateDetector",
        "iam:AddRoleToInstanceProfile",
        "iam:AddUserToGroup",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteUserPermissionsBoundary",
        "iam:PassRole",
        "iam:PutGroupPolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:PutUserPermissionsBoundary",
        "iam:PutUserPolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:RemoveUserFromGroup",
        "iam:UpdateAccountPasswordPolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateGroup",
        "iam:UpdateOpenIDConnectProviderThumbprint",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription",
        "iam:UpdateSAMLProvider",
        "iam:UpdateUser",
        "inspector:UpdateAssessmentTarget",
        "kinesis:AddTagsToStream",
        "kinesis:DecreaseStreamRetentionPeriod",
        "kinesis:DisableEnhancedMonitoring",
        "kinesis:EnableEnhancedMonitoring",
        "kinesis:IncreaseStreamRetentionPeriod",
        "kinesis:RemoveTagsFromStream",
        "kinesis:StartStreamEncryption",
        "kinesis:StopStreamEncryption",
        "kinesis:UpdateShardCount",
        "kms:DisableKey",
        "kms:DisableKeyRotation",
        "kms:EnableKey",
        "kms:EnableKeyRotation",
        "kms:PutKeyPolicy",
        "kms:TagResource",
        "kms:UpdateAlias",
        "kms:UpdateKeyDescription",
        "lambda:DeleteFunctionConcurrency",
        "lambda:PutFunctionConcurrency",
        "lambda:UpdateAlias",
        "lambda:UpdateEventSourceMapping",
        "lambda:UpdateFunctionConfiguration",
        "logs:AssociateKmsKey",
        "logs:DisassociateKmsKey",
        "logs:PutDestination",
        "logs:PutDestinationPolicy",
        "logs:PutMetricFilter",
        "logs:PutResourcePolicy",
        "logs:PutRetentionPolicy",
        "logs:PutSubscriptionFilter",
        "logs:TagLogGroup",
        "logs:UntagLogGroup",
        "macie:UpdateS3Resources",
        "mediastore:PutContainerPolicy",
        "rds:AddRoleToDBCluster",
        "rds:AddTagsToResource",
        "rds:ModifyDBCluster",
        "rds:ModifyDBClusterParameterGroup",
        "rds:ModifyDBInstance",
        "rds:ModifyDBParameterGroup",
        "rds:ModifyDBSubnetGroup",
        "rds:ModifyEventSubscription",
        "rds:ModifyOptionGroup",
        "rds:PromoteReadReplica",
        "rds:RemoveRoleFromDBCluster",
        "rds:RemoveTagsFromResource",
        "redshift:DisableLogging",
        "redshift:DisableSnapshotCopy",
        "redshift:EnableLogging",
        "redshift:EnableSnapshotCopy",
        "redshift:ModifyCluster",
        "redshift:ModifyClusterIamRoles",
        "redshift:ModifyClusterParameterGroup",
        "redshift:ModifyClusterSubnetGroup",
        "route53:AssociateVPCWithHostedZone",
        "route53:ChangeResourceRecordSets",
        "route53:DisassociateVPCFromHostedZone",
        "route53:UpdateHealthCheck",
        "route53:UpdateHostedZoneComment",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:PutAccelerateConfiguration",
        "s3:PutBucketAcl",
        "s3:PutBucketCors",
        "s3:PutBucketLogging",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketRequestPayment",
        "s3:PutBucketTagging",
        "s3:PutBucketVersioning",
        "s3:PutBucketWebsite",
        "s3:PutEncryptionConfiguration",
        "s3:PutInventoryConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutMetricsConfiguration",
        "s3:PutReplicationConfiguration",
        "secretsmanager:DeleteResourcePolicy",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource",
        "secretsmanager:UpdateSecret",
        "sns:SetSubscriptionAttributes",
        "sns:SetTopicAttributes",
        "sqs:SetQueueAttributes",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "ssm:ModifyDocumentPermission",
        "ssm:PutParameter",
        "ssm:UpdateAssociation",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentDefaultVersion",
        "ssm:UpdateMaintenanceWindow",
        "ssm:UpdateMaintenanceWindowTarget",
        "ssm:UpdatePatchBaseline",
        "states:UpdateStateMachine",
        "waf:UpdateWebACL"
      ]
    }
  ]
}