From d3684f00f350b4f80d31b40cc6237c19d171e71b Mon Sep 17 00:00:00 2001
From: Kinnaird McQuade
Date: Tue, 6 Oct 2020 10:35:19 -0400
Subject: [PATCH] Removed extra unit tests - speeds up the unit tests from 3.5 minutes to less than 60 seconds
---
 CHANGELOG.md | 11 +
 cloudsplaining/__init__.py | 12 +-
 examples/files/example.json | 557 --
 examples/files/iam-results-example.json | 576 +-
 tasks.py | 2 +-
 test/command/test_scan_policy_file.py | 4 +-
 test/files/data_file.json | 8076 -----------------
 test/files/example-authz-details.json | 557 --
 .../scanning/test_managed_policy_details.json | 3324 -------
 test/scanning/test_authorization_details.py | 566 +-
 test/scanning/test_data_file.py | 78 -
 test/scanning/test_managed_policy_detail.py | 18 +-
 test/scanning/test_statement_detail.py | 10 +
 utils/example-iam-data.json | 574 --
 14 files changed, 321 insertions(+), 14044 deletions(-)
 delete mode 100644 test/files/data_file.json
 delete mode 100644 test/files/scanning/test_managed_policy_details.json
 delete mode 100644 test/scanning/test_data_file.py
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cdb363e4..5a97c263 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,17 @@
 ## Unreleased
 * Docker
+## 0.2.3 (Unreleased)
+* UI
+ * Credentials Exposure as a new finding (`#99`)
+ * Service Wildcard as a new finding (`#82`)
+ * Inline Explanation of findings (`#115`)
+ * Better formatting for Privilege Escalation findings (`#114`)
+ * Exclusions config is in its own tab in the UI (`#107`)
+* Backend
+ * Vue components are cleaned up - less HTML, more config and JS
+ * Unit tests are down from 3.25 minutes to 60 seconds (Fixes #117)
+
 ## 0.2.2 (2020-10-01)
 * Excluded actions no longer show up in results (Fixes #106)
 * Fixed issue where `*:*` policy would break results due to how the Service Wildcard finding was implemented (Fixes #109)
diff --git a/cloudsplaining/__init__.py b/cloudsplaining/__init__.py
index 2c1f289e..0b809e32 100644
--- a/cloudsplaining/__init__.py
+++ b/cloudsplaining/__init__.py
@@ -1,8 +1,18 @@
 # pylint: disable=missing-module-docstring
 import logging
-
+# import sys
 # Set default logging handler to avoid "No handler found" warnings.
 from logging import NullHandler
 logging.getLogger(__name__).addHandler(NullHandler())
+# Uncomment to get the full debug logs.
+# 2020-10-06 10:04:17,200 - root - DEBUG - Leveraging the bundled IAM Definition.
+# Need to figure out how to get click_log to do this for me.
+# root = logging.getLogger()
+# root.setLevel(logging.DEBUG)
+# handler = logging.StreamHandler(sys.stdout)
+# formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+# handler.setFormatter(formatter)
+# root.addHandler(handler)
+
 name = "cloudsplaining" # pylint: disable=invalid-name
diff --git a/examples/files/example.json b/examples/files/example.json
index cf6ecb8c..4847ef3b 100644
--- a/examples/files/example.json
+++ b/examples/files/example.json
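Review bot: The commented-out root-logger setup added after `logging.getLogger(__name__).addHandler(NullHandler())` in `cloudsplaining/__init__.py`, together with `# import sys`, is dead code in the package's import path. If someone uncomments it, every consumer that imports the library gets its root logger set to DEBUG with a stdout handler attached, which overrides the `NullHandler` convention the file sets up two lines earlier. The tool parses IAM authorization details, so debug output may carry account identifiers and policy contents (what the debug messages contain is not visible here, so this is an assumption); that kind of logging should stay opt-in per run. I would delete the commented block and leave one line such as `# Debug logging is enabled per run via the CLI verbosity flag, never at import time.`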
@@ -1477,563 +1477,6 @@ } ] }, - { - "PolicyName": "ReadOnlyAccess", - "PolicyId": "ANPAILL3HVNFSB6DCOWYQ", - "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v63", - "AttachmentCount": 4, - "PermissionsBoundaryUsageCount": null, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:48+00:00", - "UpdateDate": "2020-03-09 23:45:01+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListTagsForResource", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "amplify:GetApp", - "amplify:GetBranch", - "amplify:GetJob", - "amplify:GetDomainAssociation", - "amplify:ListApps", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "apigateway:GET", - "application-autoscaling:Describe*", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", - "appmesh:List*", - "appstream:Describe*", - "appstream:Get*", - "appstream:List*", - "appsync:Get*", - "appsync:List*", - "autoscaling:Describe*", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "athena:List*", - "athena:Batch*", - "athena:Get*", - "backup:Describe*", - "backup:Get*", - "backup:List*", - "batch:List*", - "batch:Describe*", - "chatbot:Describe*", - "chatbot:Get*", - "chime:Get*", - "chime:List*", - "chime:Retrieve*", - "chime:Search*", - "chime:Validate*", - "cloud9:Describe*", - "cloud9:List*", - "clouddirectory:List*", - "clouddirectory:BatchRead", - "clouddirectory:Get*", - 
"clouddirectory:LookupPolicy", - "cloudformation:Describe*", - "cloudformation:Detect*", - "cloudformation:Get*", - "cloudformation:List*", - "cloudformation:Estimate*", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:List*", - "cloudhsm:Describe*", - "cloudhsm:Get*", - "cloudsearch:Describe*", - "cloudsearch:List*", - "cloudtrail:Describe*", - "cloudtrail:Get*", - "cloudtrail:List*", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "cloudwatch:Get*", - "cloudwatch:List*", - "codebuild:BatchGet*", - "codebuild:DescribeTestCases", - "codebuild:List*", - "codecommit:BatchGet*", - "codecommit:Describe*", - "codecommit:Get*", - "codecommit:GitPull", - "codecommit:List*", - "codedeploy:BatchGet*", - "codedeploy:Get*", - "codedeploy:List*", - "codeguru-profiler:Describe*", - "codeguru-profiler:Get*", - "codeguru-profiler:List*", - "codeguru-reviewer:Describe*", - "codeguru-reviewer:Get*", - "codeguru-reviewer:List*", - "codepipeline:List*", - "codepipeline:Get*", - "codestar:List*", - "codestar:Describe*", - "codestar:Get*", - "codestar:Verify*", - "codestar-notifications:describeNotificationRule", - "codestar-notifications:listEventTypes", - "codestar-notifications:listNotificationRules", - "codestar-notifications:listTagsForResource", - "codestar-notifications:ListTargets", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetRecommendationSummaries", - "cognito-identity:Describe*", - "cognito-identity:GetCredentialsForIdentity", - "cognito-identity:GetIdentityPoolRoles", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:List*", - "cognito-identity:Lookup*", - "cognito-sync:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:QueryRecords", - "cognito-idp:AdminGet*", - 
"cognito-idp:AdminList*", - "cognito-idp:List*", - "cognito-idp:Describe*", - "cognito-idp:Get*", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectResourceConfig", - "connect:List*", - "connect:Describe*", - "connect:GetFederationToken", - "dataexchange:Get*", - "dataexchange:List*", - "datasync:Describe*", - "datasync:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "dax:BatchGetItem", - "dax:Describe*", - "dax:GetItem", - "dax:ListTags", - "dax:Query", - "dax:Scan", - "directconnect:Describe*", - "detective:Get*", - "detective:List*", - "devicefarm:List*", - "devicefarm:Get*", - "discovery:Describe*", - "discovery:List*", - "discovery:Get*", - "dlm:Get*", - "dms:Describe*", - "dms:List*", - "dms:Test*", - "ds:Check*", - "ds:Describe*", - "ds:Get*", - "ds:List*", - "ds:Verify*", - "dynamodb:BatchGet*", - "dynamodb:Describe*", - "dynamodb:Get*", - "dynamodb:List*", - "dynamodb:Query", - "dynamodb:Scan", - "ec2:Describe*", - "ec2:Get*", - "ec2:SearchTransitGatewayRoutes", - "ec2messages:Get*", - "ecr:BatchCheck*", - "ecr:BatchGet*", - "ecr:Describe*", - "ecr:Get*", - "ecr:List*", - "ecs:Describe*", - "ecs:List*", - "eks:DescribeCluster", - "eks:DescribeUpdate", - "eks:Describe*", - "eks:ListClusters", - "eks:ListUpdates", - "eks:List*", - "elasticache:Describe*", - "elasticache:List*", - "elasticbeanstalk:Check*", - "elasticbeanstalk:Describe*", - "elasticbeanstalk:List*", - "elasticbeanstalk:Request*", - "elasticbeanstalk:Retrieve*", - "elasticbeanstalk:Validate*", - "elasticfilesystem:Describe*", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:List*", - "elasticmapreduce:View*", - "elastictranscoder:List*", - "elastictranscoder:Read*", - "elemental-appliances-software:Get*", - "elemental-appliances-software:List*", - "es:Describe*", - "es:List*", - 
"es:Get*", - "es:ESHttpGet", - "es:ESHttpHead", - "events:Describe*", - "events:List*", - "events:Test*", - "firehose:Describe*", - "firehose:List*", - "fsx:Describe*", - "fsx:List*", - "gamelift:List*", - "gamelift:Get*", - "gamelift:Describe*", - "gamelift:RequestUploadCredentials", - "gamelift:ResolveAlias", - "gamelift:Search*", - "glacier:List*", - "glacier:Describe*", - "glacier:Get*", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "glue:BatchGetPartition", - "glue:GetCatalogImportStatus", - "glue:GetClassifier", - "glue:GetClassifiers", - "glue:GetCrawler", - "glue:GetCrawlers", - "glue:GetCrawlerMetrics", - "glue:GetDatabase", - "glue:GetDatabases", - "glue:GetDataCatalogEncryptionSettings", - "glue:GetDataflowGraph", - "glue:GetDevEndpoint", - "glue:GetDevEndpoints", - "glue:GetJob", - "glue:GetJobs", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:GetPartition", - "glue:GetPartitions", - "glue:GetPlan", - "glue:GetResourcePolicy", - "glue:GetSecurityConfiguration", - "glue:GetSecurityConfigurations", - "glue:GetTable", - "glue:GetTables", - "glue:GetTableVersion", - "glue:GetTableVersions", - "glue:GetTags", - "glue:GetTrigger", - "glue:GetTriggers", - "glue:GetUserDefinedFunction", - "glue:GetUserDefinedFunctions", - "greengrass:Get*", - "greengrass:List*", - "guardduty:Get*", - "guardduty:List*", - "health:Describe*", - "health:List*", - "iam:Generate*", - "iam:Get*", - "iam:List*", - "iam:Simulate*", - "imagebuilder:Get*", - "imagebuilder:List*", - "importexport:Get*", - "importexport:List*", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - "inspector:Preview*", - "iot:Describe*", - "iot:Get*", - "iot:List*", - "iotanalytics:Describe*", - "iotanalytics:List*", - "iotanalytics:Get*", - "iotanalytics:SampleChannelData", - "kafka:Describe*", - "kafka:List*", - "kafka:Get*", - "kinesisanalytics:Describe*", - "kinesisanalytics:Discover*", - "kinesisanalytics:Get*", - "kinesisanalytics:List*", - "kinesisvideo:Describe*", 
- "kinesisvideo:Get*", - "kinesisvideo:List*", - "kinesis:Describe*", - "kinesis:Get*", - "kinesis:List*", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lambda:List*", - "lambda:Get*", - "lex:Get*", - "lightsail:GetActiveNames", - "lightsail:GetBlueprints", - "lightsail:GetBundles", - "lightsail:GetCloudFormationStackRecords", - "lightsail:GetDisk", - "lightsail:GetDisks", - "lightsail:GetDiskSnapshot", - "lightsail:GetDiskSnapshots", - "lightsail:GetDomain", - "lightsail:GetDomains", - "lightsail:GetExportSnapshotRecords", - "lightsail:GetInstance", - "lightsail:GetInstanceMetricData", - "lightsail:GetInstancePortStates", - "lightsail:GetInstances", - "lightsail:GetInstanceSnapshot", - "lightsail:GetInstanceSnapshots", - "lightsail:GetInstanceState", - "lightsail:GetKeyPair", - "lightsail:GetKeyPairs", - "lightsail:GetLoadBalancer", - "lightsail:GetLoadBalancerMetricData", - "lightsail:GetLoadBalancers", - "lightsail:GetLoadBalancerTlsCertificates", - "lightsail:GetOperation", - "lightsail:GetOperations", - "lightsail:GetOperationsForResource", - "lightsail:GetRegions", - "lightsail:GetRelationalDatabase", - "lightsail:GetRelationalDatabaseBlueprints", - "lightsail:GetRelationalDatabaseBundles", - "lightsail:GetRelationalDatabaseEvents", - "lightsail:GetRelationalDatabaseLogEvents", - "lightsail:GetRelationalDatabaseLogStreams", - "lightsail:GetRelationalDatabaseMetricData", - "lightsail:GetRelationalDatabaseParameters", - "lightsail:GetRelationalDatabases", - "lightsail:GetRelationalDatabaseSnapshot", - "lightsail:GetRelationalDatabaseSnapshots", - "lightsail:GetStaticIp", - "lightsail:GetStaticIps", - "lightsail:Is*", - "logs:Describe*", - "logs:Get*", - "logs:FilterLogEvents", - "logs:ListTagsLogGroup", - "logs:StartQuery", - "logs:TestMetricFilter", - "machinelearning:Describe*", - "machinelearning:Get*", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "mediapackage:List*", - "mediapackage:Describe*", - 
"mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mobileanalytics:Get*", - "mobilehub:Describe*", - "mobilehub:Export*", - "mobilehub:Generate*", - "mobilehub:Get*", - "mobilehub:List*", - "mobilehub:Validate*", - "mobilehub:Verify*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "mq:Describe*", - "mq:List*", - "opsworks:Describe*", - "opsworks:Get*", - "opsworks-cm:Describe*", - "organizations:Describe*", - "organizations:List*", - "outposts:Get*", - "outposts:List*", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - "pi:DescribeDimensionKeys", - "pi:GetResourceMetrics", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "qldb:ListLedgers", - "qldb:DescribeLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:DescribeJournalS3Export", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:GetBlock", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rekognition:CompareFaces", - "rekognition:Detect*", - "rekognition:List*", - "rekognition:Search*", - "rds:Describe*", - "rds:List*", - "rds:Download*", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:View*", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53resolver:Get*", - "route53resolver:List*", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:List*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "securityhub:Describe*", - 
"securityhub:Get*", - "securityhub:List*", - "serverlessrepo:List*", - "serverlessrepo:Get*", - "serverlessrepo:SearchApplications", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicecatalog:Describe*", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServices", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "ses:Get*", - "ses:List*", - "ses:Describe*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "snowball:Get*", - "snowball:Describe*", - "snowball:List*", - "sns:Get*", - "sns:List*", - "sns:Check*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "states:List*", - "states:Describe*", - "states:GetExecutionHistory", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:Get*", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "tag:Get*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "transcribe:Get*", - "transcribe:List*", - "trustedadvisor:Describe*", - "waf:Get*", - "waf:List*", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "waf-regional:List*", - "waf-regional:Get*", - "workdocs:Describe*", - "workdocs:Get*", - "workdocs:CheckAlias", - "worklink:Describe*", - "worklink:List*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Effect": "Allow", - 
"Resource": "*" - } - ] - }, - "VersionId": "v63", - "IsDefaultVersion": true, - "CreateDate": "2020-03-09 23:45:01+00:00" - } - ] - }, { "PolicyName": "AWSElasticLoadBalancingServiceRolePolicy", "PolicyId": "ANPAIMHWGGSRHLOQUICJQ", diff --git a/examples/files/iam-results-example.json b/examples/files/iam-results-example.json index 3284c1af..d72d92cf 100644 --- a/examples/files/iam-results-example.json +++ b/examples/files/iam-results-example.json 
@@ -2225,580 +2225,6 @@ ], "is_excluded": false }, - "ANPAILL3HVNFSB6DCOWYQ": { - "PolicyName": "ReadOnlyAccess", - "PolicyId": "ANPAILL3HVNFSB6DCOWYQ", - "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v63", - "AttachmentCount": 4, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:48+00:00", - "UpdateDate": "2020-03-09 23:45:01+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListTagsForResource", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "amplify:GetApp", - "amplify:GetBranch", - "amplify:GetJob", - "amplify:GetDomainAssociation", - "amplify:ListApps", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "apigateway:GET", - "application-autoscaling:Describe*", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", - "appmesh:List*", - "appstream:Describe*", - "appstream:Get*", - "appstream:List*", - "appsync:Get*", - "appsync:List*", - "autoscaling:Describe*", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "athena:List*", - "athena:Batch*", - "athena:Get*", - "backup:Describe*", - "backup:Get*", - "backup:List*", - "batch:List*", - "batch:Describe*", - "chatbot:Describe*", - "chatbot:Get*", - "chime:Get*", - "chime:List*", - "chime:Retrieve*", - "chime:Search*", - "chime:Validate*", - "cloud9:Describe*", - "cloud9:List*", - "clouddirectory:List*", - "clouddirectory:BatchRead", - "clouddirectory:Get*", - 
"clouddirectory:LookupPolicy", - "cloudformation:Describe*", - "cloudformation:Detect*", - "cloudformation:Get*", - "cloudformation:List*", - "cloudformation:Estimate*", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:List*", - "cloudhsm:Describe*", - "cloudhsm:Get*", - "cloudsearch:Describe*", - "cloudsearch:List*", - "cloudtrail:Describe*", - "cloudtrail:Get*", - "cloudtrail:List*", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "cloudwatch:Get*", - "cloudwatch:List*", - "codebuild:BatchGet*", - "codebuild:DescribeTestCases", - "codebuild:List*", - "codecommit:BatchGet*", - "codecommit:Describe*", - "codecommit:Get*", - "codecommit:GitPull", - "codecommit:List*", - "codedeploy:BatchGet*", - "codedeploy:Get*", - "codedeploy:List*", - "codeguru-profiler:Describe*", - "codeguru-profiler:Get*", - "codeguru-profiler:List*", - "codeguru-reviewer:Describe*", - "codeguru-reviewer:Get*", - "codeguru-reviewer:List*", - "codepipeline:List*", - "codepipeline:Get*", - "codestar:List*", - "codestar:Describe*", - "codestar:Get*", - "codestar:Verify*", - "codestar-notifications:describeNotificationRule", - "codestar-notifications:listEventTypes", - "codestar-notifications:listNotificationRules", - "codestar-notifications:listTagsForResource", - "codestar-notifications:ListTargets", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetRecommendationSummaries", - "cognito-identity:Describe*", - "cognito-identity:GetCredentialsForIdentity", - "cognito-identity:GetIdentityPoolRoles", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:List*", - "cognito-identity:Lookup*", - "cognito-sync:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:QueryRecords", - "cognito-idp:AdminGet*", - 
"cognito-idp:AdminList*", - "cognito-idp:List*", - "cognito-idp:Describe*", - "cognito-idp:Get*", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectResourceConfig", - "connect:List*", - "connect:Describe*", - "connect:GetFederationToken", - "dataexchange:Get*", - "dataexchange:List*", - "datasync:Describe*", - "datasync:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "dax:BatchGetItem", - "dax:Describe*", - "dax:GetItem", - "dax:ListTags", - "dax:Query", - "dax:Scan", - "directconnect:Describe*", - "detective:Get*", - "detective:List*", - "devicefarm:List*", - "devicefarm:Get*", - "discovery:Describe*", - "discovery:List*", - "discovery:Get*", - "dlm:Get*", - "dms:Describe*", - "dms:List*", - "dms:Test*", - "ds:Check*", - "ds:Describe*", - "ds:Get*", - "ds:List*", - "ds:Verify*", - "dynamodb:BatchGet*", - "dynamodb:Describe*", - "dynamodb:Get*", - "dynamodb:List*", - "dynamodb:Query", - "dynamodb:Scan", - "ec2:Describe*", - "ec2:Get*", - "ec2:SearchTransitGatewayRoutes", - "ec2messages:Get*", - "ecr:BatchCheck*", - "ecr:BatchGet*", - "ecr:Describe*", - "ecr:Get*", - "ecr:List*", - "ecs:Describe*", - "ecs:List*", - "eks:DescribeCluster", - "eks:DescribeUpdate", - "eks:Describe*", - "eks:ListClusters", - "eks:ListUpdates", - "eks:List*", - "elasticache:Describe*", - "elasticache:List*", - "elasticbeanstalk:Check*", - "elasticbeanstalk:Describe*", - "elasticbeanstalk:List*", - "elasticbeanstalk:Request*", - "elasticbeanstalk:Retrieve*", - "elasticbeanstalk:Validate*", - "elasticfilesystem:Describe*", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:List*", - "elasticmapreduce:View*", - "elastictranscoder:List*", - "elastictranscoder:Read*", - "elemental-appliances-software:Get*", - "elemental-appliances-software:List*", - "es:Describe*", - "es:List*", - 
"es:Get*", - "es:ESHttpGet", - "es:ESHttpHead", - "events:Describe*", - "events:List*", - "events:Test*", - "firehose:Describe*", - "firehose:List*", - "fsx:Describe*", - "fsx:List*", - "gamelift:List*", - "gamelift:Get*", - "gamelift:Describe*", - "gamelift:RequestUploadCredentials", - "gamelift:ResolveAlias", - "gamelift:Search*", - "glacier:List*", - "glacier:Describe*", - "glacier:Get*", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "glue:BatchGetPartition", - "glue:GetCatalogImportStatus", - "glue:GetClassifier", - "glue:GetClassifiers", - "glue:GetCrawler", - "glue:GetCrawlers", - "glue:GetCrawlerMetrics", - "glue:GetDatabase", - "glue:GetDatabases", - "glue:GetDataCatalogEncryptionSettings", - "glue:GetDataflowGraph", - "glue:GetDevEndpoint", - "glue:GetDevEndpoints", - "glue:GetJob", - "glue:GetJobs", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:GetPartition", - "glue:GetPartitions", - "glue:GetPlan", - "glue:GetResourcePolicy", - "glue:GetSecurityConfiguration", - "glue:GetSecurityConfigurations", - "glue:GetTable", - "glue:GetTables", - "glue:GetTableVersion", - "glue:GetTableVersions", - "glue:GetTags", - "glue:GetTrigger", - "glue:GetTriggers", - "glue:GetUserDefinedFunction", - "glue:GetUserDefinedFunctions", - "greengrass:Get*", - "greengrass:List*", - "guardduty:Get*", - "guardduty:List*", - "health:Describe*", - "health:List*", - "iam:Generate*", - "iam:Get*", - "iam:List*", - "iam:Simulate*", - "imagebuilder:Get*", - "imagebuilder:List*", - "importexport:Get*", - "importexport:List*", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - "inspector:Preview*", - "iot:Describe*", - "iot:Get*", - "iot:List*", - "iotanalytics:Describe*", - "iotanalytics:List*", - "iotanalytics:Get*", - "iotanalytics:SampleChannelData", - "kafka:Describe*", - "kafka:List*", - "kafka:Get*", - "kinesisanalytics:Describe*", - "kinesisanalytics:Discover*", - "kinesisanalytics:Get*", - "kinesisanalytics:List*", - "kinesisvideo:Describe*", 
- "kinesisvideo:Get*", - "kinesisvideo:List*", - "kinesis:Describe*", - "kinesis:Get*", - "kinesis:List*", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lambda:List*", - "lambda:Get*", - "lex:Get*", - "lightsail:GetActiveNames", - "lightsail:GetBlueprints", - "lightsail:GetBundles", - "lightsail:GetCloudFormationStackRecords", - "lightsail:GetDisk", - "lightsail:GetDisks", - "lightsail:GetDiskSnapshot", - "lightsail:GetDiskSnapshots", - "lightsail:GetDomain", - "lightsail:GetDomains", - "lightsail:GetExportSnapshotRecords", - "lightsail:GetInstance", - "lightsail:GetInstanceMetricData", - "lightsail:GetInstancePortStates", - "lightsail:GetInstances", - "lightsail:GetInstanceSnapshot", - "lightsail:GetInstanceSnapshots", - "lightsail:GetInstanceState", - "lightsail:GetKeyPair", - "lightsail:GetKeyPairs", - "lightsail:GetLoadBalancer", - "lightsail:GetLoadBalancerMetricData", - "lightsail:GetLoadBalancers", - "lightsail:GetLoadBalancerTlsCertificates", - "lightsail:GetOperation", - "lightsail:GetOperations", - "lightsail:GetOperationsForResource", - "lightsail:GetRegions", - "lightsail:GetRelationalDatabase", - "lightsail:GetRelationalDatabaseBlueprints", - "lightsail:GetRelationalDatabaseBundles", - "lightsail:GetRelationalDatabaseEvents", - "lightsail:GetRelationalDatabaseLogEvents", - "lightsail:GetRelationalDatabaseLogStreams", - "lightsail:GetRelationalDatabaseMetricData", - "lightsail:GetRelationalDatabaseParameters", - "lightsail:GetRelationalDatabases", - "lightsail:GetRelationalDatabaseSnapshot", - "lightsail:GetRelationalDatabaseSnapshots", - "lightsail:GetStaticIp", - "lightsail:GetStaticIps", - "lightsail:Is*", - "logs:Describe*", - "logs:Get*", - "logs:FilterLogEvents", - "logs:ListTagsLogGroup", - "logs:StartQuery", - "logs:TestMetricFilter", - "machinelearning:Describe*", - "machinelearning:Get*", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "mediapackage:List*", - "mediapackage:Describe*", - 
"mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mobileanalytics:Get*", - "mobilehub:Describe*", - "mobilehub:Export*", - "mobilehub:Generate*", - "mobilehub:Get*", - "mobilehub:List*", - "mobilehub:Validate*", - "mobilehub:Verify*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "mq:Describe*", - "mq:List*", - "opsworks:Describe*", - "opsworks:Get*", - "opsworks-cm:Describe*", - "organizations:Describe*", - "organizations:List*", - "outposts:Get*", - "outposts:List*", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - "pi:DescribeDimensionKeys", - "pi:GetResourceMetrics", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "qldb:ListLedgers", - "qldb:DescribeLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:DescribeJournalS3Export", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:GetBlock", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rekognition:CompareFaces", - "rekognition:Detect*", - "rekognition:List*", - "rekognition:Search*", - "rds:Describe*", - "rds:List*", - "rds:Download*", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:View*", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53resolver:Get*", - "route53resolver:List*", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:List*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "securityhub:Describe*", - 
"securityhub:Get*", - "securityhub:List*", - "serverlessrepo:List*", - "serverlessrepo:Get*", - "serverlessrepo:SearchApplications", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicecatalog:Describe*", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServices", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "ses:Get*", - "ses:List*", - "ses:Describe*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "snowball:Get*", - "snowball:Describe*", - "snowball:List*", - "sns:Get*", - "sns:List*", - "sns:Check*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "states:List*", - "states:Describe*", - "states:GetExecutionHistory", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:Get*", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "tag:Get*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "transcribe:Get*", - "transcribe:List*", - "trustedadvisor:Describe*", - "waf:Get*", - "waf:List*", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "waf-regional:List*", - "waf-regional:Get*", - "workdocs:Describe*", - "workdocs:Get*", - "workdocs:CheckAlias", - "worklink:Describe*", - "worklink:List*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Effect": "Allow", - 
"Resource": "*" - } - ] - }, - "VersionId": "v63", - "IsDefaultVersion": true, - "CreateDate": "2020-03-09 23:45:01+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath" - ], - "ResourceExposure": [], - "InfrastructureModification": [ - "dataexchange:GetJob", - "mobilehub:GenerateProjectParameters", - "personalize:GetPersonalizedRanking", - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath" - ], - "is_excluded": false - }, "ANPAIMHWGGSRHLOQUICJQ": { "PolicyName": "AWSElasticLoadBalancingServiceRolePolicy", "PolicyId": "ANPAIMHWGGSRHLOQUICJQ",
@@ -13051,4 +12477,4 @@
 ""
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/tasks.py b/tasks.py
index 37271d00..e780886c 100644
--- a/tasks.py
+++ b/tasks.py
@@ -130,7 +130,7 @@ def scan(c):
 """Integration testing: tests the scan command"""
 try:
 c.run(
- "./cloudsplaining/bin/cli.py scan --input-file examples/files/example.json --exclusions-file examples/example-exclusions.yml --skip-open-report",
+ "./cloudsplaining/bin/cli.py scan --input-file examples/files/example.json --exclusions-file examples/example-exclusions.yml --skip-open-report -v debug",
 pty=True,
 )
 except UnexpectedExit as u_e:
diff --git a/test/command/test_scan_policy_file.py b/test/command/test_scan_policy_file.py
index ee2dd270..2daf03b2 100644
--- a/test/command/test_scan_policy_file.py
+++ b/test/command/test_scan_policy_file.py
@@ -109,7 +109,7 @@ def test_excluded_actions_scan_policy_file(self):
 "s3:GetObject"
 ]
 }
- print(json.dumps(results, indent=4))
+ # print(json.dumps(results, indent=4))
 self.maxDiff = None
 self.assertDictEqual(results, expected_results)
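Review bot: Hard-coding `-v debug` into the command string of the `scan` integration task makes every run of that task emit debug-level output, which is unrelated to the commit's stated goal of speeding up the tests. The input here is the bundled `examples/files/example.json`, so this particular invocation exposes nothing sensitive, but build logs are usually readable by more people than the data a scan would normally process, so debug verbosity is better left opt-in. I would keep the original command string and add a comment above `c.run(` such as `# append "-v debug" locally when troubleshooting; CI runs at the default verbosity`. The body of `scan` starts and ends outside the hunk.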
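Review bot: The `print(json.dumps(results, indent=4))` call in `test_excluded_actions_scan_policy_file` is commented out instead of deleted, and the next hunk does the same in `test_excluded_actions_scan_policy_file_v2`. With `self.maxDiff = None` set on the following line, `assertDictEqual` already prints the full difference on failure, so the disabled print carries no information and only leaves dead code in the tests. I would delete both lines outright; if that leaves `json` unused in this module (its imports are outside the hunk), the import can go too. Both test methods start outside their hunks.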
@@ -157,7 +157,7 @@ def test_excluded_actions_scan_policy_file_v2(self):
 }
 exclusions_cfg_custom = {}
 results = scan_policy(test_policy, exclusions_cfg_custom)
- print(json.dumps(results, indent=4))
+ # print(json.dumps(results, indent=4))
 self.maxDiff = None
 self.assertDictEqual(results, expected_results)
diff --git a/test/files/data_file.json b/test/files/data_file.json
deleted file mode 100644
index 3eb512a2..00000000
--- a/test/files/data_file.json
+++ /dev/null
@@ -1,8076 +0,0 @@ -{ - "groups": { - "admin": { - "arn": "arn:aws:iam::012345678901:group/admin", - "name": "admin", - "create_date": "2017-05-15 17:33:36+00:00", - "id": "admin", - "inline_policies": { - "ffd2b5250e18691dbd9f0fb8b36640ec574867835837f17d39f859c3193fb3f2": "InlinePolicyForAdminGroup" - }, - "path": "/", - "customer_managed_policies": { - "NotYourPolicy": "NotYourPolicy" - }, - "aws_managed_policies": { - "ANPAI6E2CYYMI4XI7AA5K": "AWSLambdaFullAccess" - }, - "is_excluded": false - }, - "biden": { - "arn": "arn:aws:iam::012345678901:group/biden", - "name": "biden", - "create_date": "2017-05-15 17:33:36+00:00", - "id": "biden", - "inline_policies": { - "e8bca32ff7d1f7990d71c64d95a04b7caa5aad5791f06f69db59653228c6853d": "InlinePolicyForBidenGroup" - }, - "path": "/", - "customer_managed_policies": { - "InsecurePolicy": "InsecurePolicy", - "NotYourPolicy": "NotYourPolicy" - }, - "aws_managed_policies": { - "ANPAI3R4QMOG6Q5A4VWVG": "AmazonRDSFullAccess" - }, - "is_excluded": false - } - }, - "users": { - "obama": { - "arn": "arn:aws:iam::012345678901:user/obama", - "create_date": "2019-12-18 19:10:08+00:00", - "id": "obama", - "name": "obama", - "inline_policies": {}, - "groups": { - "admin": { - "arn": "arn:aws:iam::012345678901:group/admin", - "name": "admin", - "create_date": "2017-05-15 17:33:36+00:00", - "id": "admin", - "inline_policies": { - "ffd2b5250e18691dbd9f0fb8b36640ec574867835837f17d39f859c3193fb3f2": "InlinePolicyForAdminGroup" - }, - "path": "/", - "customer_managed_policies": { - "NotYourPolicy": "NotYourPolicy" - }, - "aws_managed_policies": { - "ANPAI6E2CYYMI4XI7AA5K": "AWSLambdaFullAccess" - }, - "is_excluded": false - } - }, - "path": "/", - "customer_managed_policies": {}, - "aws_managed_policies": {}, - "is_excluded": true - }, - "ASIAZZUSERZZPLACEHOLDER": { - "arn": "arn:aws:iam::012345678901:user/userwithlotsofpermissions", - "create_date": "2019-12-18 19:10:08+00:00", - "id": "ASIAZZUSERZZPLACEHOLDER", - "name": 
"userwithlotsofpermissions", - "inline_policies": { - "354d81e1788639707f707738fb4c630cb7c5d23614cc467ff9a469a670049e3f": "InsecureUserPolicy" - }, - "groups": { - "admin": { - "arn": "arn:aws:iam::012345678901:group/admin", - "name": "admin", - "create_date": "2017-05-15 17:33:36+00:00", - "id": "admin", - "inline_policies": { - "ffd2b5250e18691dbd9f0fb8b36640ec574867835837f17d39f859c3193fb3f2": "InlinePolicyForAdminGroup" - }, - "path": "/", - "customer_managed_policies": { - "NotYourPolicy": "NotYourPolicy" - }, - "aws_managed_policies": { - "ANPAI6E2CYYMI4XI7AA5K": "AWSLambdaFullAccess" - }, - "is_excluded": false - } - }, - "path": "/", - "customer_managed_policies": { - "NotYourPolicy": "NotYourPolicy" - }, - "aws_managed_policies": { - "ANPAI3R4QMOG6Q5A4VWVG": "AmazonRDSFullAccess", - "ANPAJ2P4NXCHAT7NDPNR4": "AmazonSESFullAccess", - "ANPAI7XKCFMBPM3QQRRVQ": "IAMFullAccess", - "ANPAIKEABORKUXN6DEAZU": "CloudWatchFullAccess", - "ANPAJNPP7PPPPMJRV2SA4": "AWSKeyManagementServicePowerUser", - "ANPAIZTJ4DXE7G6AGAE6M": "AmazonS3ReadOnlyAccess" - }, - "is_excluded": false - } - }, - "roles": { - "MyRole": { - "arn": "arn:aws:iam::012345678901:role/MyRole", - "assume_role_policy": { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - } - }, - "create_date": "2019-08-16 17:27:59+00:00", - "id": "MyRole", - "name": "MyRole", - "inline_policies": {}, - "instance_profiles": [], - "instances_count": 0, - "path": "/", - "customer_managed_policies": {}, - "aws_managed_policies": {}, - "is_excluded": true - }, - "MyOtherRole": { - "arn": "arn:aws:iam::012345678901:role/MyOtherRole", - "assume_role_policy": { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "ec2.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - } - }, - "create_date": "2019-08-16 
17:27:59+00:00", - "id": "MyOtherRole", - "name": "MyOtherRole", - "inline_policies": { - "0568550cb147d2434f6c04641e921f18fe1b7b1fd0b5af5acf514d33d204faca": "MyOtherRolePolicy" - }, - "instance_profiles": [], - "instances_count": 0, - "path": "/", - "customer_managed_policies": {}, - "aws_managed_policies": { - "ANPAI6E2CYYMI4XI7AA5K": "AWSLambdaFullAccess" - }, - "is_excluded": false - }, - "OverprivilegedEC2": { - "arn": "arn:aws:iam::012345678901:role/OverprivilegedEC2", - "assume_role_policy": { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "ec2.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - } - }, - "create_date": "2018-08-20 18:48:00+00:00", - "id": "OverprivilegedEC2", - "name": "OverprivilegedEC2", - "inline_policies": { - "d09fe3603cd65058b6e2d9817cf37093e83e98318a56ce1e29c8491ac989e57e": "OverprivilegedEC2" - }, - "instance_profiles": [ - { - "Path": "/", - "InstanceProfileName": "OverprivilegedEC2", - "InstanceProfileId": "OverprivilegedEC2", - "Arn": "arn:aws:iam::012345678901:instance-profile/OverprivilegedEC2", - "CreateDate": "2018-08-20 18:48:00+00:00", - "Roles": [ - { - "Path": "/", - "RoleName": "OverprivilegedEC2", - "RoleId": "OverprivilegedEC2", - "Arn": "arn:aws:iam::012345678901:role/OverprivilegedEC2", - "CreateDate": "2018-08-20 18:48:00+00:00", - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "ec2.amazonaws.com" - }, - "Action": "sts:AssumeRole" - } - ] - } - } - ] - } - ], - "instances_count": 1, - "path": "/", - "customer_managed_policies": { - "InsecurePolicy": "InsecurePolicy", - "ExcessivePermissions": "ExcessivePermissions" - }, - "aws_managed_policies": {}, - "is_excluded": false - } - }, - "aws_managed_policies": { - "ANPAI4UIINUVGB5SEC57G": { - "PolicyName": "AWSCodeCommitPowerUser", - "PolicyId": "ANPAI4UIINUVGB5SEC57G", - "Arn": 
"arn:aws:iam::aws:policy/AWSCodeCommitPowerUser", - "Path": "/", - "DefaultVersionId": "v11", - "AttachmentCount": 2, - "IsAttachable": true, - "CreateDate": "2015-07-09 17:06:49+00:00", - "UpdateDate": "2019-12-03 08:15:40+00:00", - "PolicyVersionList": [ - { - "CreateDate": "2019-12-03 08:15:40+00:00", - "Document": { - "Statement": [ - { - "Action": [ - "codecommit:AssociateApprovalRuleTemplateWithRepository", - "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories", - "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories", - "codecommit:BatchGet*", - "codecommit:BatchDescribe*", - "codecommit:Create*", - "codecommit:DeleteBranch", - "codecommit:DeleteFile", - "codecommit:Describe*", - "codecommit:DisassociateApprovalRuleTemplateFromRepository", - "codecommit:EvaluatePullRequestApprovalRules", - "codecommit:Get*", - "codecommit:List*", - "codecommit:Merge*", - "codecommit:OverridePullRequestApprovalRules", - "codecommit:Put*", - "codecommit:Post*", - "codecommit:TagResource", - "codecommit:Test*", - "codecommit:UntagResource", - "codecommit:Update*", - "codecommit:GitPull", - "codecommit:GitPush" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "events:DeleteRule", - "events:DescribeRule", - "events:DisableRule", - "events:EnableRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "events:ListTargetsByRule" - ], - "Effect": "Allow", - "Resource": "arn:aws:events:*:*:rule/codecommit*", - "Sid": "CloudWatchEventsCodeCommitRulesAccess" - }, - { - "Action": [ - "sns:Subscribe", - "sns:Unsubscribe" - ], - "Effect": "Allow", - "Resource": "arn:aws:sns:*:*:codecommit*", - "Sid": "SNSTopicAndSubscriptionAccess" - }, - { - "Action": [ - "sns:ListTopics", - "sns:ListSubscriptionsByTopic", - "sns:GetTopicAttributes" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "SNSTopicAndSubscriptionReadAccess" - }, - { - "Action": [ - "lambda:ListFunctions" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": 
"LambdaReadOnlyListAccess" - }, - { - "Action": [ - "iam:ListUsers" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "IAMReadOnlyListAccess" - }, - { - "Action": [ - "iam:ListAccessKeys", - "iam:ListSSHPublicKeys", - "iam:ListServiceSpecificCredentials" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMReadOnlyConsoleAccess" - }, - { - "Action": [ - "iam:DeleteSSHPublicKey", - "iam:GetSSHPublicKey", - "iam:ListSSHPublicKeys", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMUserSSHKeys" - }, - { - "Action": [ - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - "iam:ResetServiceSpecificCredential" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMSelfManageServiceSpecificCredentials" - }, - { - "Action": [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ], - "Condition": { - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" - } - }, - "Effect": "Allow", - "Resource": "*", - "Sid": "CodeStarNotificationsReadWriteAccess" - }, - { - "Action": [ - "codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - "codestar-notifications:ListEventTypes" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "CodeStarNotificationsListAccess" - }, - { - "Action": [ - "codeguru-reviewer:AssociateRepository", - "codeguru-reviewer:DescribeRepositoryAssociation", - "codeguru-reviewer:ListRepositoryAssociations", - "codeguru-reviewer:DisassociateRepository" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": 
"AmazonCodeGuruReviewerFullAccess" - }, - { - "Action": "iam:CreateServiceLinkedRole", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" - } - }, - "Effect": "Allow", - "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer", - "Sid": "AmazonCodeGuruReviewerSLRCreation" - }, - { - "Action": [ - "events:PutRule", - "events:PutTargets", - "events:DeleteRule", - "events:RemoveTargets" - ], - "Condition": { - "StringEquals": { - "events:ManagedBy": "codeguru-reviewer.amazonaws.com" - } - }, - "Effect": "Allow", - "Resource": "*", - "Sid": "CloudWatchEventsManagedRules" - } - ], - "Version": "2012-10-17" - }, - "IsDefaultVersion": true, - "VersionId": "v11" - }, - { - "CreateDate": "2019-11-20 17:12:55+00:00", - "Document": { - "Statement": [ - { - "Action": [ - "codecommit:AssociateApprovalRuleTemplateWithRepository", - "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories", - "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories", - "codecommit:BatchGet*", - "codecommit:BatchDescribe*", - "codecommit:Create*", - "codecommit:DeleteBranch", - "codecommit:DeleteFile", - "codecommit:Describe*", - "codecommit:DisassociateApprovalRuleTemplateFromRepository", - "codecommit:EvaluatePullRequestApprovalRules", - "codecommit:Get*", - "codecommit:List*", - "codecommit:Merge*", - "codecommit:OverridePullRequestApprovalRules", - "codecommit:Put*", - "codecommit:Post*", - "codecommit:TagResource", - "codecommit:Test*", - "codecommit:UntagResource", - "codecommit:Update*", - "codecommit:GitPull", - "codecommit:GitPush" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "events:DeleteRule", - "events:DescribeRule", - "events:DisableRule", - "events:EnableRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "events:ListTargetsByRule" - ], - "Effect": "Allow", - "Resource": "arn:aws:events:*:*:rule/codecommit*", - 
"Sid": "CloudWatchEventsCodeCommitRulesAccess" - }, - { - "Action": [ - "sns:Subscribe", - "sns:Unsubscribe" - ], - "Effect": "Allow", - "Resource": "arn:aws:sns:*:*:codecommit*", - "Sid": "SNSTopicAndSubscriptionAccess" - }, - { - "Action": [ - "sns:ListTopics", - "sns:ListSubscriptionsByTopic", - "sns:GetTopicAttributes" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "SNSTopicAndSubscriptionReadAccess" - }, - { - "Action": [ - "lambda:ListFunctions" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "LambdaReadOnlyListAccess" - }, - { - "Action": [ - "iam:ListUsers" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "IAMReadOnlyListAccess" - }, - { - "Action": [ - "iam:ListAccessKeys", - "iam:ListSSHPublicKeys", - "iam:ListServiceSpecificCredentials" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMReadOnlyConsoleAccess" - }, - { - "Action": [ - "iam:DeleteSSHPublicKey", - "iam:GetSSHPublicKey", - "iam:ListSSHPublicKeys", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMUserSSHKeys" - }, - { - "Action": [ - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - "iam:ResetServiceSpecificCredential" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMSelfManageServiceSpecificCredentials" - }, - { - "Action": [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ], - "Condition": { - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" - } - }, - "Effect": "Allow", - "Resource": "*", - "Sid": "CodeStarNotificationsReadWriteAccess" - }, - { - "Action": [ - 
"codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - "codestar-notifications:ListEventTypes" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "CodeStarNotificationsListAccess" - } - ], - "Version": "2012-10-17" - }, - "IsDefaultVersion": false, - "VersionId": "v10" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "codecommit:AssociateApprovalRuleTemplateWithRepository", - "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories", - "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories", - "codecommit:CreateBranch", - "codecommit:CreateCommit", - "codecommit:CreatePullRequest", - "codecommit:CreatePullRequestApprovalRule", - "codecommit:CreateRepository", - "codecommit:CreateUnreferencedMergeCommit", - "codecommit:DeleteBranch", - "codecommit:DeleteFile", - "codecommit:DisassociateApprovalRuleTemplateFromRepository", - "codecommit:GitPush", - "codecommit:MergeBranchesByFastForward", - "codecommit:MergeBranchesBySquash", - "codecommit:MergeBranchesByThreeWay", - "codecommit:MergePullRequestByFastForward", - "codecommit:MergePullRequestBySquash", - "codecommit:MergePullRequestByThreeWay", - "codecommit:OverridePullRequestApprovalRules", - "codecommit:PostCommentForComparedCommit", - "codecommit:PostCommentForPullRequest", - "codecommit:PostCommentReply", - "codecommit:PutCommentReaction", - "codecommit:PutFile", - "codecommit:PutRepositoryTriggers", - "codecommit:TagResource", - "codecommit:TestRepositoryTriggers", - "codecommit:UntagResource", - "codecommit:UpdateComment", - "codecommit:UpdateDefaultBranch", - "codecommit:UpdatePullRequestApprovalRuleContent", - "codecommit:UpdatePullRequestApprovalState", - "codecommit:UpdatePullRequestDescription", - "codecommit:UpdatePullRequestStatus", - "codecommit:UpdatePullRequestTitle", - 
"codecommit:UpdateRepositoryDescription", - "codecommit:UpdateRepositoryName", - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe", - "codestar-notifications:UpdateNotificationRule", - "codeguru-reviewer:AssociateRepository", - "codeguru-reviewer:DisassociateRepository", - "events:DeleteRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets" - ], - "is_excluded": false - }, - "ANPAI3R4QMOG6Q5A4VWVG": { - "PolicyName": "AmazonRDSFullAccess", - "PolicyId": "ANPAI3R4QMOG6Q5A4VWVG", - "Arn": "arn:aws:iam::aws:policy/AmazonRDSFullAccess", - "Path": "/", - "DefaultVersionId": "v6", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:52+00:00", - "UpdateDate": "2018-04-09 17:42:48+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "rds:*", - "application-autoscaling:DeleteScalingPolicy", - "application-autoscaling:DeregisterScalableTarget", - "application-autoscaling:DescribeScalableTargets", - "application-autoscaling:DescribeScalingActivities", - "application-autoscaling:DescribeScalingPolicies", - "application-autoscaling:PutScalingPolicy", - "application-autoscaling:RegisterScalableTarget", - "cloudwatch:DescribeAlarms", - "cloudwatch:GetMetricStatistics", - "cloudwatch:PutMetricAlarm", - "cloudwatch:DeleteAlarms", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcs", - "sns:ListSubscriptions", - "sns:ListTopics", - "sns:Publish", - "logs:DescribeLogStreams", - "logs:GetLogEvents" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "pi:*", - "Effect": "Allow", - "Resource": "arn:aws:pi:*:*:metrics/rds/*" - }, - { - "Action": "iam:CreateServiceLinkedRole", - "Effect": "Allow", - "Resource": "*", - "Condition": { 
- "StringLike": { - "iam:AWSServiceName": [ - "rds.amazonaws.com", - "rds.application-autoscaling.amazonaws.com" - ] - } - } - } - ] - }, - "VersionId": "v6", - "IsDefaultVersion": true, - "CreateDate": "2018-04-09 17:42:48+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "rds:AuthorizeDBSecurityGroupIngress", - "iam:CreateServiceLinkedRole" - ], - "ServiceWildcard": [ - "pi", - "rds" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "cloudwatch:DeleteAlarms", - "cloudwatch:PutMetricAlarm", - "rds:AddRoleToDBCluster", - "rds:AddRoleToDBInstance", - "rds:AddSourceIdentifierToSubscription", - "rds:AddTagsToResource", - "rds:ApplyPendingMaintenanceAction", - "rds:AuthorizeDBSecurityGroupIngress", - "rds:BacktrackDBCluster", - "rds:CopyDBClusterParameterGroup", - "rds:CopyDBClusterSnapshot", - "rds:CopyDBParameterGroup", - "rds:CopyDBSnapshot", - "rds:CopyOptionGroup", - "rds:CreateDBCluster", - "rds:CreateDBClusterEndpoint", - "rds:CreateDBClusterParameterGroup", - "rds:CreateDBClusterSnapshot", - "rds:CreateDBInstance", - "rds:CreateDBInstanceReadReplica", - "rds:CreateDBParameterGroup", - "rds:CreateDBSecurityGroup", - "rds:CreateDBSnapshot", - "rds:CreateDBSubnetGroup", - "rds:CreateEventSubscription", - "rds:CreateGlobalCluster", - "rds:CreateOptionGroup", - "rds:DeleteDBCluster", - "rds:DeleteDBClusterEndpoint", - "rds:DeleteDBClusterParameterGroup", - "rds:DeleteDBClusterSnapshot", - "rds:DeleteDBInstance", - "rds:DeleteDBParameterGroup", - "rds:DeleteDBProxy", - "rds:DeleteDBSecurityGroup", - "rds:DeleteDBSnapshot", - "rds:DeleteDBSubnetGroup", - "rds:DeleteEventSubscription", - "rds:DeleteGlobalCluster", - "rds:DeleteOptionGroup", - "rds:DeregisterDBProxyTargets", - "rds:FailoverDBCluster", - "rds:ModifyCurrentDBClusterCapacity", - "rds:ModifyDBCluster", - "rds:ModifyDBClusterEndpoint", - "rds:ModifyDBClusterParameterGroup", - "rds:ModifyDBClusterSnapshotAttribute", - "rds:ModifyDBInstance", - 
"rds:ModifyDBParameterGroup", - "rds:ModifyDBProxy", - "rds:ModifyDBProxyTargetGroup", - "rds:ModifyDBSnapshot", - "rds:ModifyDBSnapshotAttribute", - "rds:ModifyDBSubnetGroup", - "rds:ModifyEventSubscription", - "rds:ModifyGlobalCluster", - "rds:ModifyOptionGroup", - "rds:PromoteReadReplica", - "rds:PromoteReadReplicaDBCluster", - "rds:PurchaseReservedDBInstancesOffering", - "rds:RebootDBInstance", - "rds:RegisterDBProxyTargets", - "rds:RemoveFromGlobalCluster", - "rds:RemoveRoleFromDBCluster", - "rds:RemoveRoleFromDBInstance", - "rds:RemoveSourceIdentifierFromSubscription", - "rds:RemoveTagsFromResource", - "rds:ResetDBClusterParameterGroup", - "rds:ResetDBParameterGroup", - "rds:RestoreDBClusterFromS3", - "rds:RestoreDBClusterFromSnapshot", - "rds:RestoreDBClusterToPointInTime", - "rds:RestoreDBInstanceFromDBSnapshot", - "rds:RestoreDBInstanceFromS3", - "rds:RestoreDBInstanceToPointInTime", - "rds:RevokeDBSecurityGroupIngress", - "rds:StartActivityStream", - "rds:StartDBCluster", - "rds:StartDBInstance", - "rds:StopActivityStream", - "rds:StopDBCluster", - "rds:StopDBInstance", - "sns:Publish", - "iam:CreateServiceLinkedRole" - ], - "is_excluded": false - }, - "ANPAI3VAJF5ZCRZ7MCQE6": { - "PolicyName": "AmazonEC2FullAccess", - "PolicyId": "ANPAI3VAJF5ZCRZ7MCQE6", - "Arn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess", - "Path": "/", - "DefaultVersionId": "v5", - "AttachmentCount": 3, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:15+00:00", - "UpdateDate": "2018-11-27 02:16:56+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "ec2:*", - "Effect": "Allow", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "elasticloadbalancing:*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "cloudwatch:*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "autoscaling:*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - 
"Resource": "*", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": [ - "autoscaling.amazonaws.com", - "ec2scheduled.amazonaws.com", - "elasticloadbalancing.amazonaws.com", - "spot.amazonaws.com", - "spotfleet.amazonaws.com", - "transitgateway.amazonaws.com" - ] - } - } - } - ] - }, - "VersionId": "v5", - "IsDefaultVersion": true, - "CreateDate": "2018-11-27 02:16:56+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "ec2:CreateNetworkInterfacePermission", - "ec2:DeleteNetworkInterfacePermission", - "ec2:ModifySnapshotAttribute", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:ResetSnapshotAttribute", - "iam:CreateServiceLinkedRole" - ], - "ServiceWildcard": [ - "autoscaling", - "cloudwatch", - "ec2", - "elasticloadbalancing" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "ec2:AcceptTransitGatewayPeeringAttachment", - "ec2:AcceptTransitGatewayVpcAttachment", - "ec2:AcceptVpcEndpointConnections", - "ec2:AcceptVpcPeeringConnection", - "ec2:AllocateHosts", - "ec2:ApplySecurityGroupsToClientVpnTargetNetwork", - "ec2:AssociateClientVpnTargetNetwork", - "ec2:AssociateIamInstanceProfile", - "ec2:AssociateTransitGatewayMulticastDomain", - "ec2:AssociateTransitGatewayRouteTable", - "ec2:AttachClassicLinkVpc", - "ec2:AttachVolume", - "ec2:AuthorizeClientVpnIngress", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CancelCapacityReservation", - "ec2:CopySnapshot", - "ec2:CreateCapacityReservation", - "ec2:CreateCarrierGateway", - "ec2:CreateClientVpnEndpoint", - "ec2:CreateClientVpnRoute", - "ec2:CreateDhcpOptions", - "ec2:CreateEgressOnlyInternetGateway", - "ec2:CreateFleet", - "ec2:CreateFlowLogs", - "ec2:CreateFpgaImage", - "ec2:CreateInstanceExportTask", - "ec2:CreateInternetGateway", - "ec2:CreateKeyPair", - "ec2:CreateLaunchTemplate", - "ec2:CreateLaunchTemplateVersion", - "ec2:CreateLocalGatewayRoute", - "ec2:CreateLocalGatewayRouteTableVpcAssociation", 
- "ec2:CreateManagedPrefixList", - "ec2:CreateNatGateway", - "ec2:CreateNetworkAcl", - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:CreatePlacementGroup", - "ec2:CreateRoute", - "ec2:CreateSecurityGroup", - "ec2:CreateSnapshot", - "ec2:CreateSnapshots", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateTrafficMirrorFilter", - "ec2:CreateTrafficMirrorFilterRule", - "ec2:CreateTrafficMirrorSession", - "ec2:CreateTrafficMirrorTarget", - "ec2:CreateTransitGateway", - "ec2:CreateTransitGatewayMulticastDomain", - "ec2:CreateTransitGatewayPeeringAttachment", - "ec2:CreateTransitGatewayPrefixListReference", - "ec2:CreateTransitGatewayRoute", - "ec2:CreateTransitGatewayRouteTable", - "ec2:CreateTransitGatewayVpcAttachment", - "ec2:CreateVolume", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:CreateVpcEndpointServiceConfiguration", - "ec2:CreateVpcPeeringConnection", - "ec2:CreateVpnConnection", - "ec2:DeleteCarrierGateway", - "ec2:DeleteClientVpnEndpoint", - "ec2:DeleteClientVpnRoute", - "ec2:DeleteCustomerGateway", - "ec2:DeleteDhcpOptions", - "ec2:DeleteFlowLogs", - "ec2:DeleteInternetGateway", - "ec2:DeleteLaunchTemplate", - "ec2:DeleteLaunchTemplateVersions", - "ec2:DeleteLocalGatewayRoute", - "ec2:DeleteLocalGatewayRouteTableVpcAssociation", - "ec2:DeleteManagedPrefixList", - "ec2:DeleteNetworkAcl", - "ec2:DeleteNetworkAclEntry", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSnapshot", - "ec2:DeleteTags", - "ec2:DeleteTrafficMirrorFilter", - "ec2:DeleteTrafficMirrorFilterRule", - "ec2:DeleteTrafficMirrorSession", - "ec2:DeleteTrafficMirrorTarget", - "ec2:DeleteTransitGateway", - "ec2:DeleteTransitGatewayMulticastDomain", - "ec2:DeleteTransitGatewayPeeringAttachment", - "ec2:DeleteTransitGatewayPrefixListReference", - "ec2:DeleteTransitGatewayRoute", - "ec2:DeleteTransitGatewayRouteTable", - "ec2:DeleteTransitGatewayVpcAttachment", - "ec2:DeleteVolume", - 
"ec2:DeleteVpcEndpointServiceConfigurations", - "ec2:DeleteVpcEndpoints", - "ec2:DeleteVpcPeeringConnection", - "ec2:DeregisterTransitGatewayMulticastGroupMembers", - "ec2:DeregisterTransitGatewayMulticastGroupSources", - "ec2:DetachClassicLinkVpc", - "ec2:DetachVolume", - "ec2:DisableFastSnapshotRestores", - "ec2:DisableTransitGatewayRouteTablePropagation", - "ec2:DisableVpcClassicLink", - "ec2:DisassociateClientVpnTargetNetwork", - "ec2:DisassociateIamInstanceProfile", - "ec2:DisassociateTransitGatewayMulticastDomain", - "ec2:DisassociateTransitGatewayRouteTable", - "ec2:EnableFastSnapshotRestores", - "ec2:EnableTransitGatewayRouteTablePropagation", - "ec2:EnableVpcClassicLink", - "ec2:ImportClientVpnClientCertificateRevocationList", - "ec2:ModifyCapacityReservation", - "ec2:ModifyClientVpnEndpoint", - "ec2:ModifyInstanceCreditSpecification", - "ec2:ModifyInstanceEventStartTime", - "ec2:ModifyLaunchTemplate", - "ec2:ModifyManagedPrefixList", - "ec2:ModifySnapshotAttribute", - "ec2:ModifyTrafficMirrorFilterNetworkServices", - "ec2:ModifyTrafficMirrorFilterRule", - "ec2:ModifyTrafficMirrorSession", - "ec2:ModifyTransitGateway", - "ec2:ModifyTransitGatewayPrefixListReference", - "ec2:ModifyTransitGatewayVpcAttachment", - "ec2:ModifyVpcEndpoint", - "ec2:ModifyVpcEndpointServiceConfiguration", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:ModifyVpnConnection", - "ec2:ModifyVpnTunnelOptions", - "ec2:RebootInstances", - "ec2:RegisterTransitGatewayMulticastGroupMembers", - "ec2:RegisterTransitGatewayMulticastGroupSources", - "ec2:RejectTransitGatewayPeeringAttachment", - "ec2:RejectTransitGatewayVpcAttachment", - "ec2:RejectVpcEndpointConnections", - "ec2:RejectVpcPeeringConnection", - "ec2:ReplaceIamInstanceProfileAssociation", - "ec2:ReplaceRoute", - "ec2:ReplaceTransitGatewayRoute", - "ec2:RestoreManagedPrefixListVersion", - "ec2:RevokeClientVpnIngress", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:RunInstances", - 
"ec2:SendDiagnosticInterrupt", - "ec2:StartInstances", - "ec2:StartVpcEndpointServicePrivateDnsVerification", - "ec2:StopInstances", - "ec2:TerminateClientVpnConnections", - "ec2:TerminateInstances", - "ec2:UpdateSecurityGroupRuleDescriptionsEgress", - "ec2:UpdateSecurityGroupRuleDescriptionsIngress", - "elasticloadbalancing:AddListenerCertificates", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateRule", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteRule", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyRule", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:RemoveListenerCertificates", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:SetIpAddressType", - "elasticloadbalancing:SetRulePriorities", - "elasticloadbalancing:SetSecurityGroups", - "elasticloadbalancing:SetSubnets", - "cloudwatch:DeleteAlarms", - "cloudwatch:DeleteDashboards", - "cloudwatch:DeleteInsightRules", - "cloudwatch:DisableAlarmActions", - "cloudwatch:DisableInsightRules", - "cloudwatch:EnableAlarmActions", - "cloudwatch:EnableInsightRules", - "cloudwatch:PutDashboard", - "cloudwatch:PutInsightRule", - "cloudwatch:PutMetricAlarm", - "cloudwatch:SetAlarmState", - "cloudwatch:TagResource", - "cloudwatch:UntagResource", - "autoscaling:AttachInstances", - "autoscaling:AttachLoadBalancerTargetGroups", - "autoscaling:AttachLoadBalancers", - "autoscaling:BatchDeleteScheduledAction", - "autoscaling:BatchPutScheduledUpdateGroupAction", - "autoscaling:CancelInstanceRefresh", - 
"autoscaling:CompleteLifecycleAction", - "autoscaling:CreateAutoScalingGroup", - "autoscaling:CreateLaunchConfiguration", - "autoscaling:CreateOrUpdateTags", - "autoscaling:DeleteAutoScalingGroup", - "autoscaling:DeleteLaunchConfiguration", - "autoscaling:DeleteLifecycleHook", - "autoscaling:DeleteNotificationConfiguration", - "autoscaling:DeletePolicy", - "autoscaling:DeleteScheduledAction", - "autoscaling:DeleteTags", - "autoscaling:DetachInstances", - "autoscaling:DetachLoadBalancerTargetGroups", - "autoscaling:DetachLoadBalancers", - "autoscaling:DisableMetricsCollection", - "autoscaling:EnableMetricsCollection", - "autoscaling:EnterStandby", - "autoscaling:ExecutePolicy", - "autoscaling:ExitStandby", - "autoscaling:PutLifecycleHook", - "autoscaling:PutNotificationConfiguration", - "autoscaling:PutScalingPolicy", - "autoscaling:PutScheduledUpdateGroupAction", - "autoscaling:RecordLifecycleActionHeartbeat", - "autoscaling:ResumeProcesses", - "autoscaling:SetDesiredCapacity", - "autoscaling:SetInstanceHealth", - "autoscaling:SetInstanceProtection", - "autoscaling:StartInstanceRefresh", - "autoscaling:SuspendProcesses", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "iam:CreateServiceLinkedRole" - ], - "is_excluded": false - }, - "ANPAI4VCZ3XPIZLQ5NZV2": { - "PolicyName": "AWSCodeCommitFullAccess", - "PolicyId": "ANPAI4VCZ3XPIZLQ5NZV2", - "Arn": "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess", - "Path": "/", - "DefaultVersionId": "v7", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-07-09 17:02:19+00:00", - "UpdateDate": "2020-03-26 16:23:20+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "codecommit:*" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchEventsCodeCommitRulesAccess", - "Effect": "Allow", - "Action": [ - "events:DeleteRule", - "events:DescribeRule", - "events:DisableRule", - 
"events:EnableRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "events:ListTargetsByRule" - ], - "Resource": "arn:aws:events:*:*:rule/codecommit*" - }, - { - "Sid": "SNSTopicAndSubscriptionAccess", - "Effect": "Allow", - "Action": [ - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:Subscribe", - "sns:Unsubscribe", - "sns:SetTopicAttributes" - ], - "Resource": "arn:aws:sns:*:*:codecommit*" - }, - { - "Sid": "SNSTopicAndSubscriptionReadAccess", - "Effect": "Allow", - "Action": [ - "sns:ListTopics", - "sns:ListSubscriptionsByTopic", - "sns:GetTopicAttributes" - ], - "Resource": "*" - }, - { - "Sid": "LambdaReadOnlyListAccess", - "Effect": "Allow", - "Action": [ - "lambda:ListFunctions" - ], - "Resource": "*" - }, - { - "Sid": "IAMReadOnlyListAccess", - "Effect": "Allow", - "Action": [ - "iam:ListUsers" - ], - "Resource": "*" - }, - { - "Sid": "IAMReadOnlyConsoleAccess", - "Effect": "Allow", - "Action": [ - "iam:ListAccessKeys", - "iam:ListSSHPublicKeys", - "iam:ListServiceSpecificCredentials" - ], - "Resource": "arn:aws:iam::*:user/${aws:username}" - }, - { - "Sid": "IAMUserSSHKeys", - "Effect": "Allow", - "Action": [ - "iam:DeleteSSHPublicKey", - "iam:GetSSHPublicKey", - "iam:ListSSHPublicKeys", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey" - ], - "Resource": "arn:aws:iam::*:user/${aws:username}" - }, - { - "Sid": "IAMSelfManageServiceSpecificCredentials", - "Effect": "Allow", - "Action": [ - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - "iam:ResetServiceSpecificCredential" - ], - "Resource": "arn:aws:iam::*:user/${aws:username}" - }, - { - "Sid": "CodeStarNotificationsReadWriteAccess", - "Effect": "Allow", - "Action": [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:DeleteNotificationRule", - 
"codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" - } - } - }, - { - "Sid": "CodeStarNotificationsListAccess", - "Effect": "Allow", - "Action": [ - "codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - "codestar-notifications:ListEventTypes" - ], - "Resource": "*" - }, - { - "Sid": "CodeStarNotificationsSNSTopicCreateAccess", - "Effect": "Allow", - "Action": [ - "sns:CreateTopic", - "sns:SetTopicAttributes" - ], - "Resource": "arn:aws:sns:*:*:codestar-notifications*" - }, - { - "Sid": "AmazonCodeGuruReviewerFullAccess", - "Effect": "Allow", - "Action": [ - "codeguru-reviewer:AssociateRepository", - "codeguru-reviewer:DescribeRepositoryAssociation", - "codeguru-reviewer:ListRepositoryAssociations", - "codeguru-reviewer:DisassociateRepository" - ], - "Resource": "*" - }, - { - "Sid": "AmazonCodeGuruReviewerSLRCreation", - "Action": "iam:CreateServiceLinkedRole", - "Effect": "Allow", - "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" - } - } - }, - { - "Sid": "CloudWatchEventsManagedRules", - "Effect": "Allow", - "Action": [ - "events:PutRule", - "events:PutTargets", - "events:DeleteRule", - "events:RemoveTargets" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "events:ManagedBy": "codeguru-reviewer.amazonaws.com" - } - } - }, - { - "Sid": "CodeStarNotificationsChatbotAccess", - "Effect": "Allow", - "Action": [ - "chatbot:DescribeSlackChannelConfigurations" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v7", - "IsDefaultVersion": true, - "CreateDate": "2020-03-26 16:23:20+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - 
"ResourceExposure": [], - "ServiceWildcard": [ - "codecommit" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "codecommit:AssociateApprovalRuleTemplateWithRepository", - "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories", - "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories", - "codecommit:CreateBranch", - "codecommit:CreateCommit", - "codecommit:CreatePullRequest", - "codecommit:CreatePullRequestApprovalRule", - "codecommit:CreateRepository", - "codecommit:CreateUnreferencedMergeCommit", - "codecommit:DeleteBranch", - "codecommit:DeleteCommentContent", - "codecommit:DeleteFile", - "codecommit:DeletePullRequestApprovalRule", - "codecommit:DeleteRepository", - "codecommit:DisassociateApprovalRuleTemplateFromRepository", - "codecommit:GitPush", - "codecommit:MergeBranchesByFastForward", - "codecommit:MergeBranchesBySquash", - "codecommit:MergeBranchesByThreeWay", - "codecommit:MergePullRequestByFastForward", - "codecommit:MergePullRequestBySquash", - "codecommit:MergePullRequestByThreeWay", - "codecommit:OverridePullRequestApprovalRules", - "codecommit:PostCommentForComparedCommit", - "codecommit:PostCommentForPullRequest", - "codecommit:PostCommentReply", - "codecommit:PutCommentReaction", - "codecommit:PutFile", - "codecommit:PutRepositoryTriggers", - "codecommit:TagResource", - "codecommit:TestRepositoryTriggers", - "codecommit:UntagResource", - "codecommit:UpdateComment", - "codecommit:UpdateDefaultBranch", - "codecommit:UpdatePullRequestApprovalRuleContent", - "codecommit:UpdatePullRequestApprovalState", - "codecommit:UpdatePullRequestDescription", - "codecommit:UpdatePullRequestStatus", - "codecommit:UpdatePullRequestTitle", - "codecommit:UpdateRepositoryDescription", - "codecommit:UpdateRepositoryName", - "codecommit:UploadArchive", - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DeleteNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe", - 
"codestar-notifications:UpdateNotificationRule", - "codeguru-reviewer:AssociateRepository", - "codeguru-reviewer:DisassociateRepository", - "events:DeleteRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets" - ], - "is_excluded": false - }, - "ANPAI65L554VRJ33ECQS6": { - "PolicyName": "AmazonSQSFullAccess", - "PolicyId": "ANPAI65L554VRJ33ECQS6", - "Arn": "arn:aws:iam::aws:policy/AmazonSQSFullAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:07+00:00", - "UpdateDate": "2015-02-06 18:41:07+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sqs:*" - ], - "Effect": "Allow", - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:41:07+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "sqs:AddPermission", - "sqs:CreateQueue", - "sqs:RemovePermission", - "sqs:SetQueueAttributes" - ], - "ServiceWildcard": [ - "sqs" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "sqs:AddPermission", - "sqs:ChangeMessageVisibility", - "sqs:ChangeMessageVisibilityBatch", - "sqs:CreateQueue", - "sqs:DeleteMessage", - "sqs:DeleteMessageBatch", - "sqs:DeleteQueue", - "sqs:PurgeQueue", - "sqs:RemovePermission", - "sqs:SendMessage", - "sqs:SendMessageBatch", - "sqs:SetQueueAttributes", - "sqs:TagQueue", - "sqs:UntagQueue" - ], - "is_excluded": false - }, - "ANPAI6E2CYYMI4XI7AA5K": { - "PolicyName": "AWSLambdaFullAccess", - "PolicyId": "ANPAI6E2CYYMI4XI7AA5K", - "Arn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess", - "Path": "/", - "DefaultVersionId": "v8", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:45+00:00", - "UpdateDate": "2017-11-27 23:22:38+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - 
"Action": [ - "cloudformation:DescribeChangeSet", - "cloudformation:DescribeStackResources", - "cloudformation:DescribeStacks", - "cloudformation:GetTemplate", - "cloudformation:ListStackResources", - "cloudwatch:*", - "cognito-identity:ListIdentityPools", - "cognito-sync:GetCognitoEvents", - "cognito-sync:SetCognitoEvents", - "dynamodb:*", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "events:*", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:ListRoles", - "iam:PassRole", - "iot:AttachPrincipalPolicy", - "iot:AttachThingPrincipal", - "iot:CreateKeysAndCertificate", - "iot:CreatePolicy", - "iot:CreateThing", - "iot:CreateTopicRule", - "iot:DescribeEndpoint", - "iot:GetTopicRule", - "iot:ListPolicies", - "iot:ListThings", - "iot:ListTopicRules", - "iot:ReplaceTopicRule", - "kinesis:DescribeStream", - "kinesis:ListStreams", - "kinesis:PutRecord", - "kms:ListAliases", - "lambda:*", - "logs:*", - "s3:*", - "sns:ListSubscriptions", - "sns:ListSubscriptionsByTopic", - "sns:ListTopics", - "sns:Publish", - "sns:Subscribe", - "sns:Unsubscribe", - "sqs:ListQueues", - "sqs:SendMessage", - "tag:GetResources", - "xray:PutTelemetryRecords", - "xray:PutTraceSegments" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v8", - "IsDefaultVersion": true, - "CreateDate": "2017-11-27 23:22:38+00:00" - } - ], - "PrivilegeEscalation": [ - { - "type": "PassExistingRoleToNewLambdaThenInvoke", - "actions": [ - "iam:passrole", - "lambda:createfunction", - "lambda:invokefunction" - ] - }, - { - "type": "PassExistingRoleToNewLambdaThenTriggerWithNewDynamo", - "actions": [ - "iam:passrole", - "lambda:createfunction", - "lambda:createeventsourcemapping", - "dynamodb:createtable", - "dynamodb:putitem" - ] - }, - { - "type": "PassExistingRoleToNewLambdaThenTriggerWithExistingDynamo", - "actions": [ - "iam:passrole", - "lambda:createfunction", - 
"lambda:createeventsourcemapping" - ] - }, - { - "type": "EditExistingLambdaFunctionWithRole", - "actions": [ - "lambda:updatefunctioncode" - ] - } - ], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "iam:PassRole", - "iot:AttachPrincipalPolicy", - "lambda:AddLayerVersionPermission", - "lambda:AddPermission", - "lambda:DisableReplication", - "lambda:EnableReplication", - "lambda:RemoveLayerVersionPermission", - "lambda:RemovePermission", - "logs:DeleteResourcePolicy", - "logs:PutResourcePolicy", - "s3:BypassGovernanceRetention", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucketPolicy", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutBucketAcl", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl" - ], - "ServiceWildcard": [ - "cloudwatch", - "dynamodb", - "events", - "lambda", - "logs", - "s3" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "cloudwatch:DeleteAlarms", - "cloudwatch:DeleteDashboards", - "cloudwatch:DeleteInsightRules", - "cloudwatch:DisableAlarmActions", - "cloudwatch:DisableInsightRules", - "cloudwatch:EnableAlarmActions", - "cloudwatch:EnableInsightRules", - "cloudwatch:PutDashboard", - "cloudwatch:PutInsightRule", - "cloudwatch:PutMetricAlarm", - "cloudwatch:SetAlarmState", - "cloudwatch:TagResource", - "cloudwatch:UntagResource", - "cognito-sync:SetCognitoEvents", - "dynamodb:BatchWriteItem", - "dynamodb:CreateBackup", - "dynamodb:CreateGlobalTable", - "dynamodb:CreateTable", - "dynamodb:CreateTableReplica", - "dynamodb:DeleteBackup", - "dynamodb:DeleteItem", - "dynamodb:DeleteTable", - "dynamodb:DeleteTableReplica", - "dynamodb:PutItem", - "dynamodb:RestoreTableFromBackup", - "dynamodb:RestoreTableToPointInTime", - "dynamodb:TagResource", - "dynamodb:UntagResource", - "dynamodb:UpdateContinuousBackups", - "dynamodb:UpdateContributorInsights", - "dynamodb:UpdateGlobalTable", - 
"dynamodb:UpdateGlobalTableSettings", - "dynamodb:UpdateItem", - "dynamodb:UpdateTable", - "dynamodb:UpdateTableReplicaAutoScaling", - "dynamodb:UpdateTimeToLive", - "events:ActivateEventSource", - "events:CreateEventBus", - "events:CreatePartnerEventSource", - "events:DeactivateEventSource", - "events:DeleteEventBus", - "events:DeletePartnerEventSource", - "events:DeleteRule", - "events:DisableRule", - "events:EnableRule", - "events:PutEvents", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "events:TagResource", - "events:UntagResource", - "iam:PassRole", - "iot:AttachPrincipalPolicy", - "iot:CreateThing", - "iot:CreateTopicRule", - "iot:ReplaceTopicRule", - "kinesis:PutRecord", - "lambda:AddLayerVersionPermission", - "lambda:AddPermission", - "lambda:CreateAlias", - "lambda:CreateFunction", - "lambda:DeleteAlias", - "lambda:DeleteEventSourceMapping", - "lambda:DeleteFunction", - "lambda:DeleteFunctionConcurrency", - "lambda:DeleteFunctionEventInvokeConfig", - "lambda:DeleteLayerVersion", - "lambda:DeleteProvisionedConcurrencyConfig", - "lambda:DisableReplication", - "lambda:EnableReplication", - "lambda:InvokeAsync", - "lambda:InvokeFunction", - "lambda:PublishLayerVersion", - "lambda:PublishVersion", - "lambda:PutFunctionConcurrency", - "lambda:PutFunctionEventInvokeConfig", - "lambda:PutProvisionedConcurrencyConfig", - "lambda:RemoveLayerVersionPermission", - "lambda:RemovePermission", - "lambda:TagResource", - "lambda:UntagResource", - "lambda:UpdateAlias", - "lambda:UpdateEventSourceMapping", - "lambda:UpdateFunctionCode", - "lambda:UpdateFunctionConfiguration", - "lambda:UpdateFunctionEventInvokeConfig", - "logs:AssociateKmsKey", - "logs:CreateExportTask", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:DeleteLogGroup", - "logs:DeleteLogStream", - "logs:DeleteMetricFilter", - "logs:DeleteRetentionPolicy", - "logs:DeleteSubscriptionFilter", - "logs:DisassociateKmsKey", - "logs:PutLogEvents", - "logs:PutMetricFilter", - 
"logs:PutRetentionPolicy", - "logs:PutSubscriptionFilter", - "logs:TagLogGroup", - "logs:UntagLogGroup", - "s3:AbortMultipartUpload", - "s3:BypassGovernanceRetention", - "s3:CreateAccessPoint", - "s3:CreateBucket", - "s3:DeleteAccessPoint", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteBucketWebsite", - "s3:DeleteJobTagging", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetObject", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccelerateConfiguration", - "s3:PutAccessPointPolicy", - "s3:PutAnalyticsConfiguration", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketLogging", - "s3:PutBucketNotification", - "s3:PutBucketObjectLockConfiguration", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutBucketRequestPayment", - "s3:PutBucketTagging", - "s3:PutBucketVersioning", - "s3:PutBucketWebsite", - "s3:PutEncryptionConfiguration", - "s3:PutInventoryConfiguration", - "s3:PutJobTagging", - "s3:PutLifecycleConfiguration", - "s3:PutMetricsConfiguration", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionAcl", - "s3:PutObjectVersionTagging", - "s3:PutReplicationConfiguration", - "s3:ReplicateDelete", - "s3:ReplicateObject", - "s3:ReplicateTags", - "s3:RestoreObject", - "s3:UpdateJobPriority", - "s3:UpdateJobStatus", - "sns:Publish", - "sns:Subscribe", - "sqs:SendMessage" - ], - "is_excluded": false - }, - "ANPAI7XKCFMBPM3QQRRVQ": { - "PolicyName": "IAMFullAccess", - "PolicyId": "ANPAI7XKCFMBPM3QQRRVQ", - "Arn": "arn:aws:iam::aws:policy/IAMFullAccess", - "Path": "/", - "DefaultVersionId": "v2", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:38+00:00", - "UpdateDate": "2019-06-21 19:40:00+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", 
- "Action": [ - "iam:*", - "organizations:DescribeAccount", - "organizations:DescribeOrganization", - "organizations:DescribeOrganizationalUnit", - "organizations:DescribePolicy", - "organizations:ListChildren", - "organizations:ListParents", - "organizations:ListPoliciesForTarget", - "organizations:ListRoots", - "organizations:ListPolicies", - "organizations:ListTargetsForPolicy" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v2", - "IsDefaultVersion": true, - "CreateDate": "2019-06-21 19:40:00+00:00" - } - ], - "PrivilegeEscalation": [ - { - "type": "CreateAccessKey", - "actions": [ - "iam:createaccesskey" - ] - }, - { - "type": "CreateLoginProfile", - "actions": [ - "iam:createloginprofile" - ] - }, - { - "type": "UpdateLoginProfile", - "actions": [ - "iam:updateloginprofile" - ] - }, - { - "type": "CreateNewPolicyVersion", - "actions": [ - "iam:createpolicyversion" - ] - }, - { - "type": "SetExistingDefaultPolicyVersion", - "actions": [ - "iam:setdefaultpolicyversion" - ] - }, - { - "type": "AttachUserPolicy", - "actions": [ - "iam:attachuserpolicy" - ] - }, - { - "type": "AttachGroupPolicy", - "actions": [ - "iam:attachgrouppolicy" - ] - }, - { - "type": "PutUserPolicy", - "actions": [ - "iam:putuserpolicy" - ] - }, - { - "type": "PutGroupPolicy", - "actions": [ - "iam:putgrouppolicy" - ] - }, - { - "type": "AddUserToGroup", - "actions": [ - "iam:addusertogroup" - ] - } - ], - "DataExfiltration": [], - "ResourceExposure": [ - "iam:AddClientIDToOpenIDConnectProvider", - "iam:AddRoleToInstanceProfile", - "iam:AddUserToGroup", - "iam:AttachGroupPolicy", - "iam:AttachRolePolicy", - "iam:AttachUserPolicy", - "iam:ChangePassword", - "iam:CreateAccessKey", - "iam:CreateAccountAlias", - "iam:CreateGroup", - "iam:CreateInstanceProfile", - "iam:CreateLoginProfile", - "iam:CreateOpenIDConnectProvider", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:CreateSAMLProvider", - "iam:CreateServiceLinkedRole", - 
"iam:CreateServiceSpecificCredential", - "iam:CreateUser", - "iam:CreateVirtualMFADevice", - "iam:DeactivateMFADevice", - "iam:DeleteAccessKey", - "iam:DeleteAccountAlias", - "iam:DeleteAccountPasswordPolicy", - "iam:DeleteGroup", - "iam:DeleteGroupPolicy", - "iam:DeleteInstanceProfile", - "iam:DeleteLoginProfile", - "iam:DeleteOpenIDConnectProvider", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePermissionsBoundary", - "iam:DeleteRolePolicy", - "iam:DeleteSAMLProvider", - "iam:DeleteSSHPublicKey", - "iam:DeleteServerCertificate", - "iam:DeleteServiceLinkedRole", - "iam:DeleteServiceSpecificCredential", - "iam:DeleteSigningCertificate", - "iam:DeleteUser", - "iam:DeleteUserPermissionsBoundary", - "iam:DeleteUserPolicy", - "iam:DeleteVirtualMFADevice", - "iam:DetachGroupPolicy", - "iam:DetachRolePolicy", - "iam:DetachUserPolicy", - "iam:EnableMFADevice", - "iam:PassRole", - "iam:PutGroupPolicy", - "iam:PutRolePermissionsBoundary", - "iam:PutRolePolicy", - "iam:PutUserPermissionsBoundary", - "iam:PutUserPolicy", - "iam:RemoveClientIDFromOpenIDConnectProvider", - "iam:RemoveRoleFromInstanceProfile", - "iam:RemoveUserFromGroup", - "iam:ResetServiceSpecificCredential", - "iam:ResyncMFADevice", - "iam:SetDefaultPolicyVersion", - "iam:SetSecurityTokenServicePreferences", - "iam:UpdateAccessKey", - "iam:UpdateAccountPasswordPolicy", - "iam:UpdateAssumeRolePolicy", - "iam:UpdateGroup", - "iam:UpdateLoginProfile", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:UpdateRole", - "iam:UpdateRoleDescription", - "iam:UpdateSAMLProvider", - "iam:UpdateSSHPublicKey", - "iam:UpdateServerCertificate", - "iam:UpdateServiceSpecificCredential", - "iam:UpdateSigningCertificate", - "iam:UpdateUser", - "iam:UploadSSHPublicKey", - "iam:UploadServerCertificate", - "iam:UploadSigningCertificate" - ], - "ServiceWildcard": [ - "iam" - ], - "CredentialsExposure": [ - "iam:CreateAccessKey", - "iam:CreateLoginProfile", - 
"iam:CreateServiceSpecificCredential", - "iam:ResetServiceSpecificCredential", - "iam:UpdateAccessKey" - ], - "InfrastructureModification": [ - "iam:AddClientIDToOpenIDConnectProvider", - "iam:AddRoleToInstanceProfile", - "iam:AddUserToGroup", - "iam:AttachGroupPolicy", - "iam:AttachRolePolicy", - "iam:AttachUserPolicy", - "iam:ChangePassword", - "iam:CreateAccessKey", - "iam:CreateGroup", - "iam:CreateInstanceProfile", - "iam:CreateLoginProfile", - "iam:CreateOpenIDConnectProvider", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:CreateSAMLProvider", - "iam:CreateServiceLinkedRole", - "iam:CreateServiceSpecificCredential", - "iam:CreateUser", - "iam:CreateVirtualMFADevice", - "iam:DeactivateMFADevice", - "iam:DeleteAccessKey", - "iam:DeleteGroup", - "iam:DeleteGroupPolicy", - "iam:DeleteInstanceProfile", - "iam:DeleteLoginProfile", - "iam:DeleteOpenIDConnectProvider", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePermissionsBoundary", - "iam:DeleteRolePolicy", - "iam:DeleteSAMLProvider", - "iam:DeleteSSHPublicKey", - "iam:DeleteServerCertificate", - "iam:DeleteServiceLinkedRole", - "iam:DeleteServiceSpecificCredential", - "iam:DeleteSigningCertificate", - "iam:DeleteUser", - "iam:DeleteUserPermissionsBoundary", - "iam:DeleteUserPolicy", - "iam:DeleteVirtualMFADevice", - "iam:DetachGroupPolicy", - "iam:DetachRolePolicy", - "iam:DetachUserPolicy", - "iam:EnableMFADevice", - "iam:PassRole", - "iam:PutGroupPolicy", - "iam:PutRolePermissionsBoundary", - "iam:PutRolePolicy", - "iam:PutUserPermissionsBoundary", - "iam:PutUserPolicy", - "iam:RemoveClientIDFromOpenIDConnectProvider", - "iam:RemoveRoleFromInstanceProfile", - "iam:RemoveUserFromGroup", - "iam:ResetServiceSpecificCredential", - "iam:ResyncMFADevice", - "iam:SetDefaultPolicyVersion", - "iam:TagRole", - "iam:TagUser", - "iam:UntagRole", - "iam:UntagUser", - "iam:UpdateAccessKey", - "iam:UpdateAssumeRolePolicy", - "iam:UpdateGroup", - 
"iam:UpdateLoginProfile", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:UpdateRole", - "iam:UpdateRoleDescription", - "iam:UpdateSAMLProvider", - "iam:UpdateSSHPublicKey", - "iam:UpdateServerCertificate", - "iam:UpdateServiceSpecificCredential", - "iam:UpdateSigningCertificate", - "iam:UpdateUser", - "iam:UploadSSHPublicKey", - "iam:UploadServerCertificate", - "iam:UploadSigningCertificate" - ], - "is_excluded": false - }, - "ANPAIFIR6V6BVTRAHWINE": { - "PolicyName": "AmazonS3FullAccess", - "PolicyId": "ANPAIFIR6V6BVTRAHWINE", - "Arn": "arn:aws:iam::aws:policy/AmazonS3FullAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:58+00:00", - "UpdateDate": "2015-02-06 18:40:58+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "s3:*", - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:40:58+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "s3:BypassGovernanceRetention", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucketPolicy", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutBucketAcl", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl" - ], - "ServiceWildcard": [ - "s3" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "s3:AbortMultipartUpload", - "s3:BypassGovernanceRetention", - "s3:CreateAccessPoint", - "s3:CreateBucket", - "s3:DeleteAccessPoint", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteBucketWebsite", - "s3:DeleteJobTagging", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetObject", - 
"s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccelerateConfiguration", - "s3:PutAccessPointPolicy", - "s3:PutAnalyticsConfiguration", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketLogging", - "s3:PutBucketNotification", - "s3:PutBucketObjectLockConfiguration", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutBucketRequestPayment", - "s3:PutBucketTagging", - "s3:PutBucketVersioning", - "s3:PutBucketWebsite", - "s3:PutEncryptionConfiguration", - "s3:PutInventoryConfiguration", - "s3:PutJobTagging", - "s3:PutLifecycleConfiguration", - "s3:PutMetricsConfiguration", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionAcl", - "s3:PutObjectVersionTagging", - "s3:PutReplicationConfiguration", - "s3:ReplicateDelete", - "s3:ReplicateObject", - "s3:ReplicateTags", - "s3:RestoreObject", - "s3:UpdateJobPriority", - "s3:UpdateJobStatus" - ], - "is_excluded": false - }, - "ANPAIICZJNOJN36GTG6CM": { - "PolicyName": "AmazonVPCReadOnlyAccess", - "PolicyId": "ANPAIICZJNOJN36GTG6CM", - "Arn": "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v6", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:17+00:00", - "UpdateDate": "2018-03-07 18:34:42+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeClassicLinkInstances", - "ec2:DescribeCustomerGateways", - "ec2:DescribeDhcpOptions", - "ec2:DescribeEgressOnlyInternetGateways", - "ec2:DescribeFlowLogs", - "ec2:DescribeInternetGateways", - "ec2:DescribeMovingAddresses", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaceAttribute", - "ec2:DescribeNetworkInterfacePermissions", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribePrefixLists", - 
"ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroupReferences", - "ec2:DescribeSecurityGroups", - "ec2:DescribeStaleSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcEndpointConnectionNotifications", - "ec2:DescribeVpcEndpointConnections", - "ec2:DescribeVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpointServicePermissions", - "ec2:DescribeVpcEndpointServices", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeVpcs", - "ec2:DescribeVpnConnections", - "ec2:DescribeVpnGateways" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v6", - "IsDefaultVersion": true, - "CreateDate": "2018-03-07 18:34:42+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [], - "is_excluded": false - }, - "ANPAIKEABORKUXN6DEAZU": { - "PolicyName": "CloudWatchFullAccess", - "PolicyId": "ANPAIKEABORKUXN6DEAZU", - "Arn": "arn:aws:iam::aws:policy/CloudWatchFullAccess", - "Path": "/", - "DefaultVersionId": "v3", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:00+00:00", - "UpdateDate": "2018-08-09 19:10:43+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:Describe*", - "cloudwatch:*", - "logs:*", - "sns:*", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "events.amazonaws.com" - } - } - } - ] - }, - "VersionId": "v3", - "IsDefaultVersion": true, - "CreateDate": "2018-08-09 
19:10:43+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "logs:DeleteResourcePolicy", - "logs:PutResourcePolicy", - "sns:AddPermission", - "sns:CreateTopic", - "sns:RemovePermission", - "sns:SetTopicAttributes" - ], - "ServiceWildcard": [ - "cloudwatch", - "logs", - "sns" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "cloudwatch:DeleteAlarms", - "cloudwatch:DeleteDashboards", - "cloudwatch:DeleteInsightRules", - "cloudwatch:DisableAlarmActions", - "cloudwatch:DisableInsightRules", - "cloudwatch:EnableAlarmActions", - "cloudwatch:EnableInsightRules", - "cloudwatch:PutDashboard", - "cloudwatch:PutInsightRule", - "cloudwatch:PutMetricAlarm", - "cloudwatch:SetAlarmState", - "cloudwatch:TagResource", - "cloudwatch:UntagResource", - "logs:AssociateKmsKey", - "logs:CreateExportTask", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:DeleteLogGroup", - "logs:DeleteLogStream", - "logs:DeleteMetricFilter", - "logs:DeleteRetentionPolicy", - "logs:DeleteSubscriptionFilter", - "logs:DisassociateKmsKey", - "logs:PutLogEvents", - "logs:PutMetricFilter", - "logs:PutRetentionPolicy", - "logs:PutSubscriptionFilter", - "logs:TagLogGroup", - "logs:UntagLogGroup", - "sns:AddPermission", - "sns:ConfirmSubscription", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:Publish", - "sns:RemovePermission", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:TagResource", - "sns:UntagResource" - ], - "is_excluded": false - }, - "ANPAILL3HVNFSB6DCOWYQ": { - "PolicyName": "ReadOnlyAccess", - "PolicyId": "ANPAILL3HVNFSB6DCOWYQ", - "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v63", - "AttachmentCount": 4, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:48+00:00", - "UpdateDate": "2020-03-09 23:45:01+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - 
"access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListTagsForResource", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "amplify:GetApp", - "amplify:GetBranch", - "amplify:GetJob", - "amplify:GetDomainAssociation", - "amplify:ListApps", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "apigateway:GET", - "application-autoscaling:Describe*", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", - "appmesh:List*", - "appstream:Describe*", - "appstream:Get*", - "appstream:List*", - "appsync:Get*", - "appsync:List*", - "autoscaling:Describe*", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "athena:List*", - "athena:Batch*", - "athena:Get*", - "backup:Describe*", - "backup:Get*", - "backup:List*", - "batch:List*", - "batch:Describe*", - "chatbot:Describe*", - "chatbot:Get*", - "chime:Get*", - "chime:List*", - "chime:Retrieve*", - "chime:Search*", - "chime:Validate*", - "cloud9:Describe*", - "cloud9:List*", - "clouddirectory:List*", - "clouddirectory:BatchRead", - "clouddirectory:Get*", - "clouddirectory:LookupPolicy", - "cloudformation:Describe*", - "cloudformation:Detect*", - "cloudformation:Get*", - "cloudformation:List*", - "cloudformation:Estimate*", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:List*", - "cloudhsm:Describe*", - "cloudhsm:Get*", - "cloudsearch:Describe*", - "cloudsearch:List*", - "cloudtrail:Describe*", - "cloudtrail:Get*", - "cloudtrail:List*", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "cloudwatch:Get*", - "cloudwatch:List*", - "codebuild:BatchGet*", - "codebuild:DescribeTestCases", - 
"codebuild:List*", - "codecommit:BatchGet*", - "codecommit:Describe*", - "codecommit:Get*", - "codecommit:GitPull", - "codecommit:List*", - "codedeploy:BatchGet*", - "codedeploy:Get*", - "codedeploy:List*", - "codeguru-profiler:Describe*", - "codeguru-profiler:Get*", - "codeguru-profiler:List*", - "codeguru-reviewer:Describe*", - "codeguru-reviewer:Get*", - "codeguru-reviewer:List*", - "codepipeline:List*", - "codepipeline:Get*", - "codestar:List*", - "codestar:Describe*", - "codestar:Get*", - "codestar:Verify*", - "codestar-notifications:describeNotificationRule", - "codestar-notifications:listEventTypes", - "codestar-notifications:listNotificationRules", - "codestar-notifications:listTagsForResource", - "codestar-notifications:ListTargets", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetRecommendationSummaries", - "cognito-identity:Describe*", - "cognito-identity:GetCredentialsForIdentity", - "cognito-identity:GetIdentityPoolRoles", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:List*", - "cognito-identity:Lookup*", - "cognito-sync:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:QueryRecords", - "cognito-idp:AdminGet*", - "cognito-idp:AdminList*", - "cognito-idp:List*", - "cognito-idp:Describe*", - "cognito-idp:Get*", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectResourceConfig", - "connect:List*", - "connect:Describe*", - "connect:GetFederationToken", - "dataexchange:Get*", - "dataexchange:List*", - "datasync:Describe*", - "datasync:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "dax:BatchGetItem", - 
"dax:Describe*", - "dax:GetItem", - "dax:ListTags", - "dax:Query", - "dax:Scan", - "directconnect:Describe*", - "detective:Get*", - "detective:List*", - "devicefarm:List*", - "devicefarm:Get*", - "discovery:Describe*", - "discovery:List*", - "discovery:Get*", - "dlm:Get*", - "dms:Describe*", - "dms:List*", - "dms:Test*", - "ds:Check*", - "ds:Describe*", - "ds:Get*", - "ds:List*", - "ds:Verify*", - "dynamodb:BatchGet*", - "dynamodb:Describe*", - "dynamodb:Get*", - "dynamodb:List*", - "dynamodb:Query", - "dynamodb:Scan", - "ec2:Describe*", - "ec2:Get*", - "ec2:SearchTransitGatewayRoutes", - "ec2messages:Get*", - "ecr:BatchCheck*", - "ecr:BatchGet*", - "ecr:Describe*", - "ecr:Get*", - "ecr:List*", - "ecs:Describe*", - "ecs:List*", - "eks:DescribeCluster", - "eks:DescribeUpdate", - "eks:Describe*", - "eks:ListClusters", - "eks:ListUpdates", - "eks:List*", - "elasticache:Describe*", - "elasticache:List*", - "elasticbeanstalk:Check*", - "elasticbeanstalk:Describe*", - "elasticbeanstalk:List*", - "elasticbeanstalk:Request*", - "elasticbeanstalk:Retrieve*", - "elasticbeanstalk:Validate*", - "elasticfilesystem:Describe*", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:List*", - "elasticmapreduce:View*", - "elastictranscoder:List*", - "elastictranscoder:Read*", - "elemental-appliances-software:Get*", - "elemental-appliances-software:List*", - "es:Describe*", - "es:List*", - "es:Get*", - "es:ESHttpGet", - "es:ESHttpHead", - "events:Describe*", - "events:List*", - "events:Test*", - "firehose:Describe*", - "firehose:List*", - "fsx:Describe*", - "fsx:List*", - "gamelift:List*", - "gamelift:Get*", - "gamelift:Describe*", - "gamelift:RequestUploadCredentials", - "gamelift:ResolveAlias", - "gamelift:Search*", - "glacier:List*", - "glacier:Describe*", - "glacier:Get*", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "glue:BatchGetPartition", - "glue:GetCatalogImportStatus", - "glue:GetClassifier", - "glue:GetClassifiers", - 
"glue:GetCrawler", - "glue:GetCrawlers", - "glue:GetCrawlerMetrics", - "glue:GetDatabase", - "glue:GetDatabases", - "glue:GetDataCatalogEncryptionSettings", - "glue:GetDataflowGraph", - "glue:GetDevEndpoint", - "glue:GetDevEndpoints", - "glue:GetJob", - "glue:GetJobs", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:GetPartition", - "glue:GetPartitions", - "glue:GetPlan", - "glue:GetResourcePolicy", - "glue:GetSecurityConfiguration", - "glue:GetSecurityConfigurations", - "glue:GetTable", - "glue:GetTables", - "glue:GetTableVersion", - "glue:GetTableVersions", - "glue:GetTags", - "glue:GetTrigger", - "glue:GetTriggers", - "glue:GetUserDefinedFunction", - "glue:GetUserDefinedFunctions", - "greengrass:Get*", - "greengrass:List*", - "guardduty:Get*", - "guardduty:List*", - "health:Describe*", - "health:List*", - "iam:Generate*", - "iam:Get*", - "iam:List*", - "iam:Simulate*", - "imagebuilder:Get*", - "imagebuilder:List*", - "importexport:Get*", - "importexport:List*", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - "inspector:Preview*", - "iot:Describe*", - "iot:Get*", - "iot:List*", - "iotanalytics:Describe*", - "iotanalytics:List*", - "iotanalytics:Get*", - "iotanalytics:SampleChannelData", - "kafka:Describe*", - "kafka:List*", - "kafka:Get*", - "kinesisanalytics:Describe*", - "kinesisanalytics:Discover*", - "kinesisanalytics:Get*", - "kinesisanalytics:List*", - "kinesisvideo:Describe*", - "kinesisvideo:Get*", - "kinesisvideo:List*", - "kinesis:Describe*", - "kinesis:Get*", - "kinesis:List*", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lambda:List*", - "lambda:Get*", - "lex:Get*", - "lightsail:GetActiveNames", - "lightsail:GetBlueprints", - "lightsail:GetBundles", - "lightsail:GetCloudFormationStackRecords", - "lightsail:GetDisk", - "lightsail:GetDisks", - "lightsail:GetDiskSnapshot", - "lightsail:GetDiskSnapshots", - "lightsail:GetDomain", - "lightsail:GetDomains", - "lightsail:GetExportSnapshotRecords", - "lightsail:GetInstance", - 
"lightsail:GetInstanceMetricData", - "lightsail:GetInstancePortStates", - "lightsail:GetInstances", - "lightsail:GetInstanceSnapshot", - "lightsail:GetInstanceSnapshots", - "lightsail:GetInstanceState", - "lightsail:GetKeyPair", - "lightsail:GetKeyPairs", - "lightsail:GetLoadBalancer", - "lightsail:GetLoadBalancerMetricData", - "lightsail:GetLoadBalancers", - "lightsail:GetLoadBalancerTlsCertificates", - "lightsail:GetOperation", - "lightsail:GetOperations", - "lightsail:GetOperationsForResource", - "lightsail:GetRegions", - "lightsail:GetRelationalDatabase", - "lightsail:GetRelationalDatabaseBlueprints", - "lightsail:GetRelationalDatabaseBundles", - "lightsail:GetRelationalDatabaseEvents", - "lightsail:GetRelationalDatabaseLogEvents", - "lightsail:GetRelationalDatabaseLogStreams", - "lightsail:GetRelationalDatabaseMetricData", - "lightsail:GetRelationalDatabaseParameters", - "lightsail:GetRelationalDatabases", - "lightsail:GetRelationalDatabaseSnapshot", - "lightsail:GetRelationalDatabaseSnapshots", - "lightsail:GetStaticIp", - "lightsail:GetStaticIps", - "lightsail:Is*", - "logs:Describe*", - "logs:Get*", - "logs:FilterLogEvents", - "logs:ListTagsLogGroup", - "logs:StartQuery", - "logs:TestMetricFilter", - "machinelearning:Describe*", - "machinelearning:Get*", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "mediapackage:List*", - "mediapackage:Describe*", - "mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mobileanalytics:Get*", - "mobilehub:Describe*", - "mobilehub:Export*", - "mobilehub:Generate*", - "mobilehub:Get*", - "mobilehub:List*", - "mobilehub:Validate*", - "mobilehub:Verify*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "mq:Describe*", - "mq:List*", - "opsworks:Describe*", - "opsworks:Get*", - "opsworks-cm:Describe*", - "organizations:Describe*", - "organizations:List*", - "outposts:Get*", - "outposts:List*", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - 
"pi:DescribeDimensionKeys", - "pi:GetResourceMetrics", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "qldb:ListLedgers", - "qldb:DescribeLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:DescribeJournalS3Export", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:GetBlock", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rekognition:CompareFaces", - "rekognition:Detect*", - "rekognition:List*", - "rekognition:Search*", - "rds:Describe*", - "rds:List*", - "rds:Download*", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:View*", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53resolver:Get*", - "route53resolver:List*", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:List*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "securityhub:Describe*", - "securityhub:Get*", - "securityhub:List*", - "serverlessrepo:List*", - "serverlessrepo:Get*", - "serverlessrepo:SearchApplications", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicecatalog:Describe*", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - 
"servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServices", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "ses:Get*", - "ses:List*", - "ses:Describe*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "snowball:Get*", - "snowball:Describe*", - "snowball:List*", - "sns:Get*", - "sns:List*", - "sns:Check*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "states:List*", - "states:Describe*", - "states:GetExecutionHistory", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:Get*", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "tag:Get*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "transcribe:Get*", - "transcribe:List*", - "trustedadvisor:Describe*", - "waf:Get*", - "waf:List*", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "waf-regional:List*", - "waf-regional:Get*", - "workdocs:Describe*", - "workdocs:Get*", - "workdocs:CheckAlias", - "worklink:Describe*", - "worklink:List*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Effect": "Allow", - "Resource": "*" - } - ] - }, - "VersionId": "v63", - "IsDefaultVersion": true, - "CreateDate": "2020-03-09 23:45:01+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath" - ], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [ - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:GetCredentialsForIdentity", - "connect:GetFederationToken", - 
"ecr:GetAuthorizationToken", - "gamelift:RequestUploadCredentials", - "sts:GetFederationToken", - "sts:GetSessionToken" - ], - "InfrastructureModification": [ - "codeguru-profiler:ListTagsForResource", - "dataexchange:GetJob", - "mobilehub:GenerateProjectParameters", - "personalize:GetPersonalizedRanking", - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath" - ], - "is_excluded": false - }, - "ANPAINAW5ANUWTH3R4ANI": { - "PolicyName": "AWSDirectoryServiceFullAccess", - "PolicyId": "ANPAINAW5ANUWTH3R4ANI", - "Arn": "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess", - "Path": "/", - "DefaultVersionId": "v4", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:11+00:00", - "UpdateDate": "2019-02-05 20:29:43+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "ds:*", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateNetworkInterface", - "ec2:CreateSecurityGroup", - "ec2:DeleteNetworkInterface", - "ec2:DeleteSecurityGroup", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeSecurityGroups", - "sns:GetTopicAttributes", - "sns:ListSubscriptions", - "sns:ListSubscriptionsByTopic", - "sns:ListTopics", - "iam:ListRoles", - "organizations:ListAccountsForParent", - "organizations:ListRoots", - "organizations:ListAccounts", - "organizations:DescribeOrganization", - "organizations:DescribeAccount", - "organizations:ListOrganizationalUnitsForParent", - "organizations:ListAWSServiceAccessForOrganization" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:Unsubscribe" - ], - "Effect": "Allow", - "Resource": "arn:aws:sns:*:*:DirectoryMonitoring*" - }, - { - "Action": [ - 
"organizations:EnableAWSServiceAccess", - "organizations:DisableAWSServiceAccess" - ], - "Effect": "Allow", - "Resource": "*", - "Condition": { - "ForAllValues:StringLike": { - "organizations:ServicePrincipal": [ - "ds.amazonaws.com" - ] - } - } - }, - { - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:network-interface/*", - "arn:aws:ec2:*:*:security-group/*" - ] - } - ] - }, - "VersionId": "v4", - "IsDefaultVersion": true, - "CreateDate": "2019-02-05 20:29:43+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "ds:CreateConditionalForwarder", - "ds:CreateDirectory", - "ds:CreateMicrosoftAD", - "ds:CreateTrust", - "ds:ShareDirectory" - ], - "ServiceWildcard": [ - "ds" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "ds:AcceptSharedDirectory", - "ds:AddIpRoutes", - "ds:AddTagsToResource", - "ds:AuthorizeApplication", - "ds:CancelSchemaExtension", - "ds:CreateAlias", - "ds:CreateComputer", - "ds:CreateConditionalForwarder", - "ds:CreateLogSubscription", - "ds:CreateSnapshot", - "ds:CreateTrust", - "ds:DeleteConditionalForwarder", - "ds:DeleteDirectory", - "ds:DeleteLogSubscription", - "ds:DeleteSnapshot", - "ds:DeleteTrust", - "ds:DeregisterCertificate", - "ds:DeregisterEventTopic", - "ds:DisableLDAPS", - "ds:DisableRadius", - "ds:DisableSso", - "ds:EnableLDAPS", - "ds:EnableRadius", - "ds:EnableSso", - "ds:RegisterCertificate", - "ds:RegisterEventTopic", - "ds:RejectSharedDirectory", - "ds:RemoveIpRoutes", - "ds:RemoveTagsFromResource", - "ds:ResetUserPassword", - "ds:RestoreFromSnapshot", - "ds:ShareDirectory", - "ds:StartSchemaExtension", - "ds:UnauthorizeApplication", - "ds:UnshareDirectory", - "ds:UpdateConditionalForwarder", - "ds:UpdateNumberOfDomainControllers", - "ds:UpdateRadius", - "ds:UpdateTrust", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateNetworkInterface", - 
"ec2:CreateSecurityGroup", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress" - ], - "is_excluded": false - }, - "ANPAIONKN3TJZUKXCHXWC": { - "PolicyName": "AWSCodeDeployFullAccess", - "PolicyId": "ANPAIONKN3TJZUKXCHXWC", - "Arn": "arn:aws:iam::aws:policy/AWSCodeDeployFullAccess", - "Path": "/", - "DefaultVersionId": "v3", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-05-19 18:13:23+00:00", - "UpdateDate": "2020-04-02 16:14:47+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "codedeploy:*", - "Effect": "Allow", - "Resource": "*" - }, - { - "Sid": "CodeStarNotificationsReadWriteAccess", - "Effect": "Allow", - "Action": [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:DeleteNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codedeploy:*" - } - } - }, - { - "Sid": "CodeStarNotificationsListAccess", - "Effect": "Allow", - "Action": [ - "codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - "codestar-notifications:ListEventTypes" - ], - "Resource": "*" - }, - { - "Sid": "CodeStarNotificationsSNSTopicCreateAccess", - "Effect": "Allow", - "Action": [ - "sns:CreateTopic", - "sns:SetTopicAttributes" - ], - "Resource": "arn:aws:sns:*:*:codestar-notifications*" - }, - { - "Sid": "CodeStarNotificationsChatbotAccess", - "Effect": "Allow", - "Action": [ - "chatbot:DescribeSlackChannelConfigurations" - ], - "Resource": "*" - }, - { - "Sid": "SNSTopicListAccess", - "Effect": "Allow", - "Action": [ - "sns:ListTopics" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v3", 
- "IsDefaultVersion": true, - "CreateDate": "2020-04-02 16:14:47+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [ - "codedeploy" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "codedeploy:AddTagsToOnPremisesInstances", - "codedeploy:CreateApplication", - "codedeploy:CreateDeployment", - "codedeploy:CreateDeploymentConfig", - "codedeploy:CreateDeploymentGroup", - "codedeploy:DeleteApplication", - "codedeploy:DeleteDeploymentConfig", - "codedeploy:DeleteDeploymentGroup", - "codedeploy:DeregisterOnPremisesInstance", - "codedeploy:RegisterApplicationRevision", - "codedeploy:RegisterOnPremisesInstance", - "codedeploy:RemoveTagsFromOnPremisesInstances", - "codedeploy:TagResource", - "codedeploy:UntagResource", - "codedeploy:UpdateApplication", - "codedeploy:UpdateDeploymentGroup", - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DeleteNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe", - "codestar-notifications:UpdateNotificationRule" - ], - "is_excluded": false - }, - "ANPAIQNUJTQYDRJPC3BNK": { - "PolicyName": "AWSCloudTrailFullAccess", - "PolicyId": "ANPAIQNUJTQYDRJPC3BNK", - "Arn": "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess", - "Path": "/", - "DefaultVersionId": "v8", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:58+00:00", - "UpdateDate": "2019-09-12 23:08:46+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "sns:AddPermission", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:ListTopics", - "sns:SetTopicAttributes", - "sns:GetTopicAttributes" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:ListAllMyBuckets", - "s3:PutBucketPolicy", - "s3:ListBucket", - "s3:GetObject", - "s3:GetBucketLocation", - 
"s3:GetBucketPolicy" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "cloudtrail:*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "iam:ListRoles", - "iam:GetRolePolicy", - "iam:GetUser" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:PassedToService": "cloudtrail.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "kms:ListKeys", - "kms:ListAliases" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "lambda:ListFunctions" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v8", - "IsDefaultVersion": true, - "CreateDate": "2019-09-12 23:08:46+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "sns:AddPermission", - "sns:CreateTopic", - "sns:SetTopicAttributes", - "s3:PutBucketPolicy", - "iam:PassRole" - ], - "ServiceWildcard": [ - "cloudtrail" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "sns:AddPermission", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:SetTopicAttributes", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:GetObject", - "s3:PutBucketPolicy", - "cloudtrail:AddTags", - "cloudtrail:CreateTrail", - "cloudtrail:DeleteTrail", - "cloudtrail:PutEventSelectors", - "cloudtrail:PutInsightSelectors", - "cloudtrail:RemoveTags", - "cloudtrail:StartLogging", - "cloudtrail:StopLogging", - "cloudtrail:UpdateTrail", - "logs:CreateLogGroup", - "iam:PassRole" - ], - "is_excluded": false - }, - "ANPAIX2T3QCXHR2OGGCTO": { - "PolicyName": "SecurityAudit", - "PolicyId": "ANPAIX2T3QCXHR2OGGCTO", - "Arn": "arn:aws:iam::aws:policy/SecurityAudit", - "Path": "/", - "DefaultVersionId": "v32", - "AttachmentCount": 2, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:01+00:00", - "UpdateDate": "2020-02-25 16:08:50+00:00", 
- "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": "*", - "Action": [ - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListTagsForResource", - "acm:Describe*", - "acm:List*", - "application-autoscaling:Describe*", - "appmesh:Describe*", - "appmesh:List*", - "appsync:List*", - "athena:GetWorkGroup", - "athena:List*", - "autoscaling:Describe*", - "batch:DescribeComputeEnvironments", - "batch:DescribeJobDefinitions", - "chime:List*", - "cloud9:Describe*", - "cloud9:ListEnvironments", - "clouddirectory:ListDirectories", - "cloudformation:DescribeStack*", - "cloudformation:GetTemplate", - "cloudformation:ListStack*", - "cloudformation:GetStackPolicy", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:ListHapgs", - "cloudhsm:ListHsms", - "cloudhsm:ListLunaClients", - "cloudsearch:DescribeDomains", - "cloudsearch:DescribeServiceAccessPolicies", - "cloudtrail:DescribeTrails", - "cloudtrail:GetEventSelectors", - "cloudtrail:GetTrailStatus", - "cloudtrail:ListTags", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "codebuild:ListProjects", - "codecommit:BatchGetRepositories", - "codecommit:GetBranch", - "codecommit:GetObjectIdentifier", - "codecommit:GetRepository", - "codecommit:List*", - "codedeploy:Batch*", - "codedeploy:Get*", - "codedeploy:List*", - "codepipeline:ListPipelines", - "codestar:Describe*", - "codestar:List*", - "cognito-identity:ListIdentityPools", - "cognito-idp:ListUserPools", - "cognito-sync:Describe*", - "cognito-sync:List*", - "comprehend:Describe*", - "comprehend:List*", - "config:BatchGetAggregateResourceConfig", - "config:BatchGetResourceConfig", - "config:Deliver*", - "config:Describe*", - 
"config:Get*", - "config:List*", - "datapipeline:DescribeObjects", - "datapipeline:DescribePipelines", - "datapipeline:EvaluateExpression", - "datapipeline:GetPipelineDefinition", - "datapipeline:ListPipelines", - "datapipeline:QueryObjects", - "datapipeline:ValidatePipelineDefinition", - "datasync:Describe*", - "datasync:List*", - "dax:Describe*", - "dax:ListTags", - "directconnect:Describe*", - "dms:Describe*", - "dms:ListTagsForResource", - "ds:DescribeDirectories", - "dynamodb:DescribeContinuousBackups", - "dynamodb:DescribeGlobalTable", - "dynamodb:DescribeTable", - "dynamodb:DescribeTimeToLive", - "dynamodb:ListBackups", - "dynamodb:ListGlobalTables", - "dynamodb:ListStreams", - "dynamodb:ListTables", - "ec2:Describe*", - "ecr:DescribeRepositories", - "ecr:GetRepositoryPolicy", - "ecs:Describe*", - "ecs:List*", - "eks:DescribeCluster", - "eks:ListClusters", - "elasticache:Describe*", - "elasticbeanstalk:Describe*", - "elasticfilesystem:DescribeFileSystems", - "elasticfilesystem:DescribeMountTargetSecurityGroups", - "elasticfilesystem:DescribeMountTargets", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:ListClusters", - "elasticmapreduce:ListInstances", - "es:Describe*", - "es:ListDomainNames", - "events:Describe*", - "events:List*", - "firehose:Describe*", - "firehose:List*", - "fms:ListComplianceStatus", - "fms:ListPolicies", - "fsx:Describe*", - "fsx:List*", - "gamelift:ListBuilds", - "gamelift:ListFleets", - "glacier:DescribeVault", - "glacier:GetVaultAccessPolicy", - "glacier:ListVaults", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "greengrass:List*", - "guardduty:Get*", - "guardduty:List*", - "iam:GenerateCredentialReport", - "iam:GenerateServiceLastAccessedDetails", - "iam:Get*", - "iam:List*", - "iam:SimulateCustomPolicy", - "iam:SimulatePrincipalPolicy", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - "inspector:Preview*", - "iot:Describe*", - "iot:GetPolicy", - 
"iot:GetPolicyVersion", - "iot:List*", - "kinesis:DescribeStream", - "kinesis:ListStreams", - "kinesis:ListTagsForStream", - "kinesisanalytics:ListApplications", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lambda:GetAccountSettings", - "lambda:GetFunctionConfiguration", - "lambda:GetLayerVersionPolicy", - "lambda:GetPolicy", - "lambda:List*", - "license-manager:List*", - "lightsail:GetInstances", - "lightsail:GetLoadBalancers", - "logs:Describe*", - "logs:ListTagsLogGroup", - "machinelearning:DescribeMLModels", - "mediaconnect:Describe*", - "mediaconnect:List*", - "mediastore:GetContainerPolicy", - "mediastore:ListContainers", - "opsworks:DescribeStacks", - "opsworks-cm:DescribeServers", - "organizations:List*", - "organizations:Describe*", - "quicksight:Describe*", - "quicksight:List*", - "ram:List*", - "rds:Describe*", - "rds:DownloadDBLogFilePortion", - "rds:ListTagsForResource", - "redshift:Describe*", - "rekognition:Describe*", - "rekognition:List*", - "robomaker:Describe*", - "robomaker:List*", - "route53:Get*", - "route53:List*", - "route53domains:GetDomainDetail", - "route53domains:GetOperationDetail", - "route53domains:ListDomains", - "route53domains:ListOperations", - "route53domains:ListTagsForDomain", - "route53resolver:List*", - "route53resolver:Get*", - "s3:GetAccelerateConfiguration", - "s3:GetAccessPoint", - "s3:GetAccessPointPolicy", - "s3:GetAccessPointPolicyStatus", - "s3:GetAccountPublicAccessBlock", - "s3:GetAnalyticsConfiguration", - "s3:GetBucket*", - "s3:GetEncryptionConfiguration", - "s3:GetInventoryConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetMetricsConfiguration", - "s3:GetObjectAcl", - "s3:GetObjectVersionAcl", - "s3:GetReplicationConfiguration", - "s3:ListAccessPoints", - "s3:ListAllMyBuckets", - "sagemaker:Describe*", - "sagemaker:List*", - "sdb:DomainMetadata", - "sdb:ListDomains", - "secretsmanager:GetResourcePolicy", - "secretsmanager:ListSecrets", - "secretsmanager:ListSecretVersionIds", - 
"securityhub:Describe*", - "securityhub:Get*", - "securityhub:List*", - "serverlessrepo:GetApplicationPolicy", - "serverlessrepo:List*", - "ses:GetIdentityDkimAttributes", - "ses:GetIdentityPolicies", - "ses:GetIdentityVerificationAttributes", - "ses:ListIdentities", - "ses:ListIdentityPolicies", - "ses:ListVerifiedEmailAddresses", - "shield:Describe*", - "shield:List*", - "snowball:ListClusters", - "snowball:ListJobs", - "sns:GetTopicAttributes", - "sns:ListSubscriptionsByTopic", - "sns:ListTopics", - "sqs:GetQueueAttributes", - "sqs:ListDeadLetterSourceQueues", - "sqs:ListQueues", - "sqs:ListQueueTags", - "ssm:Describe*", - "ssm:GetAutomationExecution", - "ssm:ListDocuments", - "sso:DescribePermissionsPolicies", - "sso:List*", - "states:ListStateMachines", - "storagegateway:DescribeBandwidthRateLimit", - "storagegateway:DescribeCache", - "storagegateway:DescribeCachediSCSIVolumes", - "storagegateway:DescribeGatewayInformation", - "storagegateway:DescribeMaintenanceStartTime", - "storagegateway:DescribeNFSFileShares", - "storagegateway:DescribeSnapshotSchedule", - "storagegateway:DescribeStorediSCSIVolumes", - "storagegateway:DescribeTapeArchives", - "storagegateway:DescribeTapeRecoveryPoints", - "storagegateway:DescribeTapes", - "storagegateway:DescribeUploadBuffer", - "storagegateway:DescribeVTLDevices", - "storagegateway:DescribeWorkingStorage", - "storagegateway:List*", - "tag:GetResources", - "tag:GetTagKeys", - "transfer:Describe*", - "transfer:List*", - "translate:List*", - "trustedadvisor:Describe*", - "waf:ListWebACLs", - "waf-regional:ListWebACLs", - "workspaces:Describe*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "apigateway:GET" - ], - "Resource": [ - "arn:aws:apigateway:*::/apis", - "arn:aws:apigateway:*::/apis/*/stages", - "arn:aws:apigateway:*::/apis/*/stages/*", - "arn:aws:apigateway:*::/apis/*/routes", - "arn:aws:apigateway:*::/restapis", - "arn:aws:apigateway:*::/restapis/*/authorizers", - 
"arn:aws:apigateway:*::/restapis/*/authorizers/*", - "arn:aws:apigateway:*::/restapis/*/documentation/versions", - "arn:aws:apigateway:*::/restapis/*/resources", - "arn:aws:apigateway:*::/restapis/*/resources/*", - "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*", - "arn:aws:apigateway:*::/restapis/*/stages", - "arn:aws:apigateway:*::/restapis/*/stages/*", - "arn:aws:apigateway:*::/vpclinks" - ] - } - ] - }, - "VersionId": "v32", - "IsDefaultVersion": true, - "CreateDate": "2020-02-25 16:08:50+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [], - "is_excluded": false - }, - "ANPAIZTJ4DXE7G6AGAE6M": { - "PolicyName": "AmazonS3ReadOnlyAccess", - "PolicyId": "ANPAIZTJ4DXE7G6AGAE6M", - "Arn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:59+00:00", - "UpdateDate": "2015-02-06 18:40:59+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:Get*", - "s3:List*" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:40:59+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "s3:GetObject" - ], - "is_excluded": false - }, - "ANPAJ2P4NXCHAT7NDPNR4": { - "PolicyName": "AmazonSESFullAccess", - "PolicyId": "ANPAJ2P4NXCHAT7NDPNR4", - "Arn": "arn:aws:iam::aws:policy/AmazonSESFullAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:02+00:00", - "UpdateDate": "2015-02-06 18:41:02+00:00", - "PolicyVersionList": [ - { - "Document": { - 
"Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ses:*" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:41:02+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [ - "ses" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "ses:SendBulkTemplatedEmail", - "ses:SendCustomVerificationEmail", - "ses:SendEmail", - "ses:SendRawEmail", - "ses:SendTemplatedEmail" - ], - "is_excluded": false - }, - "ANPAJBWPGNOVKZD3JI2P2": { - "PolicyName": "AmazonVPCFullAccess", - "PolicyId": "ANPAJBWPGNOVKZD3JI2P2", - "Arn": "arn:aws:iam::aws:policy/AmazonVPCFullAccess", - "Path": "/", - "DefaultVersionId": "v7", - "AttachmentCount": 2, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:16+00:00", - "UpdateDate": "2018-03-15 18:30:25+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AcceptVpcPeeringConnection", - "ec2:AcceptVpcEndpointConnections", - "ec2:AllocateAddress", - "ec2:AssignIpv6Addresses", - "ec2:AssignPrivateIpAddresses", - "ec2:AssociateAddress", - "ec2:AssociateDhcpOptions", - "ec2:AssociateRouteTable", - "ec2:AssociateSubnetCidrBlock", - "ec2:AssociateVpcCidrBlock", - "ec2:AttachClassicLinkVpc", - "ec2:AttachInternetGateway", - "ec2:AttachNetworkInterface", - "ec2:AttachVpnGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateCustomerGateway", - "ec2:CreateDefaultSubnet", - "ec2:CreateDefaultVpc", - "ec2:CreateDhcpOptions", - "ec2:CreateEgressOnlyInternetGateway", - "ec2:CreateFlowLogs", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateNetworkAcl", - "ec2:CreateNetworkAcl", - "ec2:CreateNetworkAclEntry", - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - 
"ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:CreateVpcEndpointConnectionNotification", - "ec2:CreateVpcEndpointServiceConfiguration", - "ec2:CreateVpcPeeringConnection", - "ec2:CreateVpnConnection", - "ec2:CreateVpnConnectionRoute", - "ec2:CreateVpnGateway", - "ec2:DeleteCustomerGateway", - "ec2:DeleteDhcpOptions", - "ec2:DeleteEgressOnlyInternetGateway", - "ec2:DeleteFlowLogs", - "ec2:DeleteInternetGateway", - "ec2:DeleteNatGateway", - "ec2:DeleteNetworkAcl", - "ec2:DeleteNetworkAclEntry", - "ec2:DeleteNetworkInterface", - "ec2:DeleteNetworkInterfacePermission", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteTags", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DeleteVpcEndpointConnectionNotifications", - "ec2:DeleteVpcEndpointServiceConfigurations", - "ec2:DeleteVpcPeeringConnection", - "ec2:DeleteVpnConnection", - "ec2:DeleteVpnConnectionRoute", - "ec2:DeleteVpnGateway", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeClassicLinkInstances", - "ec2:DescribeCustomerGateways", - "ec2:DescribeDhcpOptions", - "ec2:DescribeEgressOnlyInternetGateways", - "ec2:DescribeFlowLogs", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeKeyPairs", - "ec2:DescribeMovingAddresses", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaceAttribute", - "ec2:DescribeNetworkInterfacePermissions", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribePrefixLists", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroupReferences", - "ec2:DescribeSecurityGroups", - "ec2:DescribeStaleSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcEndpointConnectionNotifications", - 
"ec2:DescribeVpcEndpointConnections", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpointServicePermissions", - "ec2:DescribeVpcEndpointServices", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeVpcs", - "ec2:DescribeVpnConnections", - "ec2:DescribeVpnGateways", - "ec2:DetachClassicLinkVpc", - "ec2:DetachInternetGateway", - "ec2:DetachNetworkInterface", - "ec2:DetachVpnGateway", - "ec2:DisableVgwRoutePropagation", - "ec2:DisableVpcClassicLink", - "ec2:DisableVpcClassicLinkDnsSupport", - "ec2:DisassociateAddress", - "ec2:DisassociateRouteTable", - "ec2:DisassociateSubnetCidrBlock", - "ec2:DisassociateVpcCidrBlock", - "ec2:EnableVgwRoutePropagation", - "ec2:EnableVpcClassicLink", - "ec2:EnableVpcClassicLinkDnsSupport", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVpcAttribute", - "ec2:ModifyVpcEndpoint", - "ec2:ModifyVpcEndpointConnectionNotification", - "ec2:ModifyVpcEndpointServiceConfiguration", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:ModifyVpcPeeringConnectionOptions", - "ec2:ModifyVpcTenancy", - "ec2:MoveAddressToVpc", - "ec2:RejectVpcEndpointConnections", - "ec2:RejectVpcPeeringConnection", - "ec2:ReleaseAddress", - "ec2:ReplaceNetworkAclAssociation", - "ec2:ReplaceNetworkAclEntry", - "ec2:ReplaceRoute", - "ec2:ReplaceRouteTableAssociation", - "ec2:ResetNetworkInterfaceAttribute", - "ec2:RestoreAddressToClassic", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:UnassignIpv6Addresses", - "ec2:UnassignPrivateIpAddresses", - "ec2:UpdateSecurityGroupRuleDescriptionsEgress", - "ec2:UpdateSecurityGroupRuleDescriptionsIngress" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v7", - "IsDefaultVersion": true, - "CreateDate": "2018-03-15 18:30:25+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "ec2:CreateNetworkInterfacePermission", - "ec2:DeleteNetworkInterfacePermission", - 
"ec2:ModifyVpcEndpointServicePermissions" - ], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "ec2:AcceptVpcEndpointConnections", - "ec2:AcceptVpcPeeringConnection", - "ec2:AttachClassicLinkVpc", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateDhcpOptions", - "ec2:CreateEgressOnlyInternetGateway", - "ec2:CreateFlowLogs", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateNetworkAcl", - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:CreateRoute", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:CreateVpcEndpointServiceConfiguration", - "ec2:CreateVpcPeeringConnection", - "ec2:CreateVpnConnection", - "ec2:DeleteCustomerGateway", - "ec2:DeleteDhcpOptions", - "ec2:DeleteFlowLogs", - "ec2:DeleteInternetGateway", - "ec2:DeleteNetworkAcl", - "ec2:DeleteNetworkAclEntry", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteTags", - "ec2:DeleteVpcEndpointServiceConfigurations", - "ec2:DeleteVpcEndpoints", - "ec2:DeleteVpcPeeringConnection", - "ec2:DetachClassicLinkVpc", - "ec2:DisableVpcClassicLink", - "ec2:EnableVpcClassicLink", - "ec2:ModifyVpcEndpoint", - "ec2:ModifyVpcEndpointServiceConfiguration", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:RejectVpcEndpointConnections", - "ec2:RejectVpcPeeringConnection", - "ec2:ReplaceRoute", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:UpdateSecurityGroupRuleDescriptionsEgress", - "ec2:UpdateSecurityGroupRuleDescriptionsIngress" - ], - "is_excluded": false - }, - "ANPAJKSO7NDY4T57MWDSQ": { - "PolicyName": "IAMReadOnlyAccess", - "PolicyId": "ANPAJKSO7NDY4T57MWDSQ", - "Arn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v4", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:39+00:00", 
- "UpdateDate": "2018-01-25 19:11:27+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:GenerateCredentialReport", - "iam:GenerateServiceLastAccessedDetails", - "iam:Get*", - "iam:List*", - "iam:SimulateCustomPolicy", - "iam:SimulatePrincipalPolicy" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v4", - "IsDefaultVersion": true, - "CreateDate": "2018-01-25 19:11:27+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [], - "is_excluded": false - }, - "ANPAJLIB4VSBVO47ZSBB6": { - "PolicyName": "AWSAccountUsageReportAccess", - "PolicyId": "ANPAJLIB4VSBVO47ZSBB6", - "Arn": "arn:aws:iam::aws:policy/AWSAccountUsageReportAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:19+00:00", - "UpdateDate": "2015-02-06 18:41:19+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "aws-portal:ViewUsage" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:41:19+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [], - "is_excluded": false - }, - "ANPAJNPP7PPPPMJRV2SA4": { - "PolicyName": "AWSKeyManagementServicePowerUser", - "PolicyId": "ANPAJNPP7PPPPMJRV2SA4", - "Arn": "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser", - "Path": "/", - "DefaultVersionId": "v2", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:40+00:00", - "UpdateDate": "2017-03-07 00:55:11+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - 
"Effect": "Allow", - "Action": [ - "kms:CreateAlias", - "kms:CreateKey", - "kms:DeleteAlias", - "kms:Describe*", - "kms:GenerateRandom", - "kms:Get*", - "kms:List*", - "kms:TagResource", - "kms:UntagResource", - "iam:ListGroups", - "iam:ListRoles", - "iam:ListUsers" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v2", - "IsDefaultVersion": true, - "CreateDate": "2017-03-07 00:55:11+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "kms:CreateAlias", - "kms:DeleteAlias", - "kms:TagResource", - "kms:UntagResource" - ], - "is_excluded": false - }, - "ANPAJWVDLG5RPST6PHQ3A": { - "PolicyName": "AmazonRoute53FullAccess", - "PolicyId": "ANPAJWVDLG5RPST6PHQ3A", - "Arn": "arn:aws:iam::aws:policy/AmazonRoute53FullAccess", - "Path": "/", - "DefaultVersionId": "v4", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:54+00:00", - "UpdateDate": "2018-12-20 21:42:00+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "route53:*", - "route53domains:*", - "cloudfront:ListDistributions", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticbeanstalk:DescribeEnvironments", - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetBucketWebsite", - "ec2:DescribeVpcs", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeRegions", - "sns:ListTopics", - "sns:ListSubscriptionsByTopic", - "cloudwatch:DescribeAlarms", - "cloudwatch:GetMetricStatistics" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "apigateway:GET", - "Resource": "arn:aws:apigateway:*::/domainnames" - } - ] - }, - "VersionId": "v4", - "IsDefaultVersion": true, - "CreateDate": "2018-12-20 21:42:00+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [ - "route53", - "route53domains" - ], - 
"CredentialsExposure": [], - "InfrastructureModification": [ - "route53:AssociateVPCWithHostedZone", - "route53:ChangeResourceRecordSets", - "route53:ChangeTagsForResource", - "route53:CreateQueryLoggingConfig", - "route53:CreateTrafficPolicyInstance", - "route53:CreateTrafficPolicyVersion", - "route53:CreateVPCAssociationAuthorization", - "route53:DeleteHealthCheck", - "route53:DeleteHostedZone", - "route53:DeleteQueryLoggingConfig", - "route53:DeleteReusableDelegationSet", - "route53:DeleteTrafficPolicy", - "route53:DeleteTrafficPolicyInstance", - "route53:DeleteVPCAssociationAuthorization", - "route53:UpdateHealthCheck", - "route53:UpdateHostedZoneComment", - "route53:UpdateTrafficPolicyComment", - "route53:UpdateTrafficPolicyInstance" - ], - "is_excluded": false - }, - "ANPAJYRXTHIB4FOVS3ZXS": { - "PolicyName": "PowerUserAccess", - "PolicyId": "ANPAJYRXTHIB4FOVS3ZXS", - "Arn": "arn:aws:iam::aws:policy/PowerUserAccess", - "Path": "/", - "DefaultVersionId": "v4", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:47+00:00", - "UpdateDate": "2019-03-20 22:19:03+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "NotAction": [ - "iam:*", - "organizations:*", - "account:*" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole", - "iam:DeleteServiceLinkedRole", - "iam:ListRoles", - "organizations:DescribeOrganization", - "account:ListRegions" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v4", - "IsDefaultVersion": true, - "CreateDate": "2019-03-20 22:19:03+00:00" - } - ], - "PrivilegeEscalation": [ - { - "type": "UpdateExistingGlueDevEndpoint", - "actions": [ - "glue:updatedevendpoint" - ] - }, - { - "type": "EditExistingLambdaFunctionWithRole", - "actions": [ - "lambda:updatefunctioncode" - ] - } - ], - "DataExfiltration": [ - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath", 
- "secretsmanager:GetSecretValue" - ], - "ResourceExposure": [ - "acm-pca:CreatePermission", - "acm-pca:DeletePermission", - "acm-pca:DeletePolicy", - "acm-pca:PutPolicy", - "apigateway:UpdateRestApiPolicy", - "backup:DeleteBackupVaultAccessPolicy", - "backup:PutBackupVaultAccessPolicy", - "chime:DeleteVoiceConnectorTerminationCredentials", - "chime:PutVoiceConnectorTerminationCredentials", - "cloudformation:SetStackPolicy", - "cloudsearch:UpdateServiceAccessPolicies", - "codeartifact:DeleteDomainPermissionsPolicy", - "codeartifact:DeleteRepositoryPermissionsPolicy", - "codebuild:DeleteResourcePolicy", - "codebuild:DeleteSourceCredentials", - "codebuild:ImportSourceCredentials", - "codebuild:PutResourcePolicy", - "codeguru-profiler:PutPermission", - "codeguru-profiler:RemovePermission", - "codestar:AssociateTeamMember", - "codestar:CreateProject", - "codestar:DeleteProject", - "codestar:DisassociateTeamMember", - "codestar:UpdateTeamMember", - "cognito-identity:CreateIdentityPool", - "cognito-identity:DeleteIdentities", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:GetId", - "cognito-identity:MergeDeveloperIdentities", - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:UnlinkDeveloperIdentity", - "cognito-identity:UnlinkIdentity", - "cognito-identity:UpdateIdentityPool", - "deeplens:AssociateServiceRoleToAccount", - "ds:CreateConditionalForwarder", - "ds:CreateDirectory", - "ds:CreateMicrosoftAD", - "ds:CreateTrust", - "ds:ShareDirectory", - "ec2:CreateNetworkInterfacePermission", - "ec2:DeleteNetworkInterfacePermission", - "ec2:ModifySnapshotAttribute", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:ResetSnapshotAttribute", - "ecr:DeleteRepositoryPolicy", - "ecr:SetRepositoryPolicy", - "elasticfilesystem:DeleteFileSystemPolicy", - "elasticfilesystem:PutFileSystemPolicy", - "elasticmapreduce:PutBlockPublicAccessConfiguration", - "es:CreateElasticsearchDomain", - "es:UpdateElasticsearchDomainConfig", - "glacier:AbortVaultLock", - 
"glacier:CompleteVaultLock", - "glacier:DeleteVaultAccessPolicy", - "glacier:InitiateVaultLock", - "glacier:SetDataRetrievalPolicy", - "glacier:SetVaultAccessPolicy", - "glue:DeleteResourcePolicy", - "glue:PutResourcePolicy", - "greengrass:AssociateServiceRoleToAccount", - "health:DisableHealthServiceAccessForOrganization", - "health:EnableHealthServiceAccessForOrganization", - "imagebuilder:PutComponentPolicy", - "imagebuilder:PutImagePolicy", - "imagebuilder:PutImageRecipePolicy", - "iot:AttachPolicy", - "iot:AttachPrincipalPolicy", - "iot:DetachPolicy", - "iot:DetachPrincipalPolicy", - "iot:SetDefaultAuthorizer", - "iot:SetDefaultPolicyVersion", - "iotsitewise:CreateAccessPolicy", - "iotsitewise:DeleteAccessPolicy", - "iotsitewise:UpdateAccessPolicy", - "kms:CreateGrant", - "kms:PutKeyPolicy", - "kms:RetireGrant", - "kms:RevokeGrant", - "lakeformation:BatchGrantPermissions", - "lakeformation:BatchRevokePermissions", - "lakeformation:GrantPermissions", - "lakeformation:PutDataLakeSettings", - "lakeformation:RevokePermissions", - "lambda:AddLayerVersionPermission", - "lambda:AddPermission", - "lambda:DisableReplication", - "lambda:EnableReplication", - "lambda:RemoveLayerVersionPermission", - "lambda:RemovePermission", - "license-manager:UpdateServiceSettings", - "lightsail:GetRelationalDatabaseMasterUserPassword", - "logs:DeleteResourcePolicy", - "logs:PutResourcePolicy", - "mediapackage:RotateIngestEndpointCredentials", - "mediastore:DeleteContainerPolicy", - "mediastore:PutContainerPolicy", - "opsworks:SetPermission", - "opsworks:UpdateUserProfile", - "quicksight:CreateAdmin", - "quicksight:CreateGroup", - "quicksight:CreateGroupMembership", - "quicksight:CreateIAMPolicyAssignment", - "quicksight:CreateUser", - "quicksight:DeleteGroup", - "quicksight:DeleteGroupMembership", - "quicksight:DeleteIAMPolicyAssignment", - "quicksight:DeleteUser", - "quicksight:DeleteUserByPrincipalId", - "quicksight:RegisterUser", - "quicksight:UpdateDashboardPermissions", - 
"quicksight:UpdateGroup", - "quicksight:UpdateIAMPolicyAssignment", - "quicksight:UpdateTemplatePermissions", - "quicksight:UpdateUser", - "ram:AcceptResourceShareInvitation", - "ram:AssociateResourceShare", - "ram:CreateResourceShare", - "ram:DeleteResourceShare", - "ram:DisassociateResourceShare", - "ram:EnableSharingWithAwsOrganization", - "ram:RejectResourceShareInvitation", - "ram:UpdateResourceShare", - "rds-db:connect", - "rds:AuthorizeDBSecurityGroupIngress", - "redshift:AuthorizeSnapshotAccess", - "redshift:CreateClusterUser", - "redshift:CreateSnapshotCopyGrant", - "redshift:JoinGroup", - "redshift:ModifyClusterIamRoles", - "redshift:RevokeSnapshotAccess", - "route53resolver:PutResolverRulePolicy", - "s3:BypassGovernanceRetention", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucketPolicy", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutBucketAcl", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl", - "secretsmanager:DeleteResourcePolicy", - "secretsmanager:PutResourcePolicy", - "secretsmanager:ValidateResourcePolicy", - "servicecatalog:CreatePortfolioShare", - "servicecatalog:DeletePortfolioShare", - "sns:AddPermission", - "sns:CreateTopic", - "sns:RemovePermission", - "sns:SetTopicAttributes", - "sqs:AddPermission", - "sqs:CreateQueue", - "sqs:RemovePermission", - "sqs:SetQueueAttributes", - "ssm:ModifyDocumentPermission", - "sso-directory:AddMemberToGroup", - "sso-directory:CreateAlias", - "sso-directory:CreateGroup", - "sso-directory:CreateUser", - "sso-directory:DeleteGroup", - "sso-directory:DeleteUser", - "sso-directory:DisableUser", - "sso-directory:EnableUser", - "sso-directory:RemoveMemberFromGroup", - "sso-directory:UpdateGroup", - "sso-directory:UpdatePassword", - "sso-directory:UpdateUser", - "sso-directory:VerifyEmail", - "sso:AssociateDirectory", - "sso:AssociateProfile", - "sso:CreateApplicationInstance", - 
"sso:CreateApplicationInstanceCertificate", - "sso:CreatePermissionSet", - "sso:CreateProfile", - "sso:CreateTrust", - "sso:DeleteApplicationInstance", - "sso:DeleteApplicationInstanceCertificate", - "sso:DeletePermissionSet", - "sso:DeletePermissionsPolicy", - "sso:DeleteProfile", - "sso:DisassociateDirectory", - "sso:DisassociateProfile", - "sso:ImportApplicationInstanceServiceProviderMetadata", - "sso:PutPermissionsPolicy", - "sso:StartSSO", - "sso:UpdateApplicationInstanceActiveCertificate", - "sso:UpdateApplicationInstanceDisplayData", - "sso:UpdateApplicationInstanceResponseConfiguration", - "sso:UpdateApplicationInstanceResponseSchemaConfiguration", - "sso:UpdateApplicationInstanceSecurityConfiguration", - "sso:UpdateApplicationInstanceServiceProviderConfiguration", - "sso:UpdateApplicationInstanceStatus", - "sso:UpdateDirectoryAssociation", - "sso:UpdatePermissionSet", - "sso:UpdateProfile", - "sso:UpdateSSOConfiguration", - "sso:UpdateTrust", - "storagegateway:DeleteChapCredentials", - "storagegateway:SetLocalConsolePassword", - "storagegateway:SetSMBGuestPassword", - "storagegateway:UpdateChapCredentials", - "waf-regional:DeletePermissionPolicy", - "waf-regional:PutPermissionPolicy", - "waf:DeletePermissionPolicy", - "waf:PutPermissionPolicy", - "wafv2:CreateWebACL", - "wafv2:DeletePermissionPolicy", - "wafv2:DeleteWebACL", - "wafv2:PutPermissionPolicy", - "wafv2:UpdateWebACL", - "worklink:UpdateDevicePolicyConfiguration", - "workmail:ResetPassword", - "workmail:ResetUserPassword", - "xray:PutEncryptionConfig", - "iam:CreateServiceLinkedRole", - "iam:DeleteServiceLinkedRole" - ], - "ServiceWildcard": [], - "CredentialsExposure": [ - "chime:CreateApiKey", - "codepipeline:PollForJobs", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:GetCredentialsForIdentity", - "connect:GetFederationToken", - "connect:GetFederationTokens", - "ecr:GetAuthorizationToken", - "gamelift:RequestUploadCredentials", 
- "lightsail:GetInstanceAccessDetails", - "lightsail:GetRelationalDatabaseMasterUserPassword", - "rds-db:connect", - "redshift:GetClusterCredentials", - "mediapackage:RotateIngestEndpointCredentials", - "sts:AssumeRole", - "sts:AssumeRoleWithSAML", - "sts:AssumeRoleWithWebIdentity", - "sts:GetFederationToken", - "sts:GetSessionToken" - ], - "InfrastructureModification": [ - "a4b:AssociateContactWithAddressBook", - "a4b:AssociateDeviceWithRoom", - "a4b:AssociateSkillGroupWithRoom", - "a4b:AssociateSkillWithSkillGroup", - "a4b:CreateRoom", - "a4b:CreateUser", - "a4b:DeleteAddressBook", - "a4b:DeleteBusinessReportSchedule", - "a4b:DeleteConferenceProvider", - "a4b:DeleteContact", - "a4b:DeleteDevice", - "a4b:DeleteProfile", - "a4b:DeleteRoom", - "a4b:DeleteRoomSkillParameter", - "a4b:DeleteSkillAuthorization", - "a4b:DeleteSkillGroup", - "a4b:DeleteUser", - "a4b:DisassociateContactFromAddressBook", - "a4b:DisassociateDeviceFromRoom", - "a4b:DisassociateSkillFromSkillGroup", - "a4b:DisassociateSkillFromUsers", - "a4b:DisassociateSkillGroupFromRoom", - "a4b:ForgetSmartHomeAppliances", - "a4b:PutRoomSkillParameter", - "a4b:PutSkillAuthorization", - "a4b:RevokeInvitation", - "a4b:SendInvitation", - "a4b:TagResource", - "a4b:UntagResource", - "a4b:UpdateAddressBook", - "a4b:UpdateBusinessReportSchedule", - "a4b:UpdateConferenceProvider", - "a4b:UpdateContact", - "a4b:UpdateDevice", - "a4b:UpdateProfile", - "a4b:UpdateRoom", - "a4b:UpdateSkillGroup", - "access-analyzer:CreateAnalyzer", - "access-analyzer:CreateArchiveRule", - "access-analyzer:DeleteAnalyzer", - "access-analyzer:DeleteArchiveRule", - "access-analyzer:TagResource", - "access-analyzer:UntagResource", - "access-analyzer:UpdateArchiveRule", - "acm-pca:CreateCertificateAuthorityAuditReport", - "acm-pca:CreatePermission", - "acm-pca:DeleteCertificateAuthority", - "acm-pca:DeletePermission", - "acm-pca:DeletePolicy", - "acm-pca:ImportCertificateAuthorityCertificate", - "acm-pca:IssueCertificate", - 
"acm-pca:PutPolicy", - "acm-pca:RestoreCertificateAuthority", - "acm-pca:RevokeCertificate", - "acm-pca:TagCertificateAuthority", - "acm-pca:UntagCertificateAuthority", - "acm-pca:UpdateCertificateAuthority", - "acm:AddTagsToCertificate", - "acm:DeleteCertificate", - "acm:ImportCertificate", - "acm:RemoveTagsFromCertificate", - "acm:RenewCertificate", - "acm:ResendValidationEmail", - "acm:UpdateCertificateOptions", - "amplify:CreateApp", - "amplify:CreateBackendEnvironment", - "amplify:CreateBranch", - "amplify:CreateDeployment", - "amplify:CreateDomainAssociation", - "amplify:CreateWebHook", - "amplify:DeleteApp", - "amplify:DeleteBackendEnvironment", - "amplify:DeleteBranch", - "amplify:DeleteDomainAssociation", - "amplify:DeleteJob", - "amplify:DeleteWebHook", - "amplify:GenerateAccessLogs", - "amplify:StartDeployment", - "amplify:StartJob", - "amplify:StopJob", - "amplify:TagResource", - "amplify:UntagResource", - "amplify:UpdateApp", - "amplify:UpdateBranch", - "amplify:UpdateDomainAssociation", - "amplify:UpdateWebHook", - "apigateway:DELETE", - "apigateway:PATCH", - "apigateway:POST", - "apigateway:PUT", - "apigateway:SetWebACL", - "apigateway:UpdateRestApiPolicy", - "appconfig:CreateApplication", - "appconfig:CreateConfigurationProfile", - "appconfig:CreateDeploymentStrategy", - "appconfig:CreateEnvironment", - "appconfig:CreateHostedConfigurationVersion", - "appconfig:DeleteApplication", - "appconfig:DeleteConfigurationProfile", - "appconfig:DeleteDeploymentStrategy", - "appconfig:DeleteEnvironment", - "appconfig:DeleteHostedConfigurationVersion", - "appconfig:StartDeployment", - "appconfig:StopDeployment", - "appconfig:TagResource", - "appconfig:UntagResource", - "appconfig:UpdateApplication", - "appconfig:UpdateConfigurationProfile", - "appconfig:UpdateDeploymentStrategy", - "appconfig:UpdateEnvironment", - "appconfig:ValidateConfiguration", - "appflow:DeleteConnectorProfile", - "appflow:DeleteFlow", - "appflow:RunFlow", - "appflow:StartFlow", - 
"appflow:StopFlow", - "appflow:TagResource", - "appflow:UntagResource", - "appflow:UpdateConnectorProfile", - "appflow:UpdateFlow", - "appmesh-preview:CreateGatewayRoute", - "appmesh-preview:CreateMesh", - "appmesh-preview:CreateRoute", - "appmesh-preview:CreateVirtualGateway", - "appmesh-preview:CreateVirtualNode", - "appmesh-preview:CreateVirtualRouter", - "appmesh-preview:CreateVirtualService", - "appmesh-preview:DeleteGatewayRoute", - "appmesh-preview:DeleteMesh", - "appmesh-preview:DeleteRoute", - "appmesh-preview:DeleteVirtualGateway", - "appmesh-preview:DeleteVirtualNode", - "appmesh-preview:DeleteVirtualRouter", - "appmesh-preview:DeleteVirtualService", - "appmesh-preview:UpdateGatewayRoute", - "appmesh-preview:UpdateMesh", - "appmesh-preview:UpdateRoute", - "appmesh-preview:UpdateVirtualGateway", - "appmesh-preview:UpdateVirtualNode", - "appmesh-preview:UpdateVirtualRouter", - "appmesh-preview:UpdateVirtualService", - "appmesh:CreateGatewayRoute", - "appmesh:CreateMesh", - "appmesh:CreateRoute", - "appmesh:CreateVirtualGateway", - "appmesh:CreateVirtualNode", - "appmesh:CreateVirtualRouter", - "appmesh:CreateVirtualService", - "appmesh:DeleteGatewayRoute", - "appmesh:DeleteMesh", - "appmesh:DeleteRoute", - "appmesh:DeleteVirtualGateway", - "appmesh:DeleteVirtualNode", - "appmesh:DeleteVirtualRouter", - "appmesh:DeleteVirtualService", - "appmesh:TagResource", - "appmesh:UntagResource", - "appmesh:UpdateGatewayRoute", - "appmesh:UpdateMesh", - "appmesh:UpdateRoute", - "appmesh:UpdateVirtualGateway", - "appmesh:UpdateVirtualNode", - "appmesh:UpdateVirtualRouter", - "appmesh:UpdateVirtualService", - "appstream:AssociateFleet", - "appstream:BatchAssociateUserStack", - "appstream:BatchDisassociateUserStack", - "appstream:CopyImage", - "appstream:CreateFleet", - "appstream:CreateImageBuilder", - "appstream:CreateImageBuilderStreamingURL", - "appstream:CreateStack", - "appstream:CreateStreamingURL", - "appstream:DeleteFleet", - "appstream:DeleteImage", - 
"appstream:DeleteImageBuilder", - "appstream:DeleteImagePermissions", - "appstream:DeleteStack", - "appstream:DisassociateFleet", - "appstream:StartFleet", - "appstream:StartImageBuilder", - "appstream:StopFleet", - "appstream:StopImageBuilder", - "appstream:Stream", - "appstream:TagResource", - "appstream:UntagResource", - "appstream:UpdateFleet", - "appstream:UpdateImagePermissions", - "appstream:UpdateStack", - "appsync:DeleteGraphqlApi", - "appsync:GraphQL", - "appsync:TagResource", - "appsync:UntagResource", - "appsync:UpdateGraphqlApi", - "artifact:AcceptAgreement", - "artifact:TerminateAgreement", - "athena:CreateDataCatalog", - "athena:CreateNamedQuery", - "athena:CreateWorkGroup", - "athena:DeleteDataCatalog", - "athena:DeleteNamedQuery", - "athena:DeleteWorkGroup", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:TagResource", - "athena:UntagResource", - "athena:UpdateDataCatalog", - "athena:UpdateWorkGroup", - "autoscaling:AttachInstances", - "autoscaling:AttachLoadBalancerTargetGroups", - "autoscaling:AttachLoadBalancers", - "autoscaling:BatchDeleteScheduledAction", - "autoscaling:BatchPutScheduledUpdateGroupAction", - "autoscaling:CancelInstanceRefresh", - "autoscaling:CompleteLifecycleAction", - "autoscaling:CreateAutoScalingGroup", - "autoscaling:CreateLaunchConfiguration", - "autoscaling:CreateOrUpdateTags", - "autoscaling:DeleteAutoScalingGroup", - "autoscaling:DeleteLaunchConfiguration", - "autoscaling:DeleteLifecycleHook", - "autoscaling:DeleteNotificationConfiguration", - "autoscaling:DeletePolicy", - "autoscaling:DeleteScheduledAction", - "autoscaling:DeleteTags", - "autoscaling:DetachInstances", - "autoscaling:DetachLoadBalancerTargetGroups", - "autoscaling:DetachLoadBalancers", - "autoscaling:DisableMetricsCollection", - "autoscaling:EnableMetricsCollection", - "autoscaling:EnterStandby", - "autoscaling:ExecutePolicy", - "autoscaling:ExitStandby", - "autoscaling:PutLifecycleHook", - 
"autoscaling:PutNotificationConfiguration", - "autoscaling:PutScalingPolicy", - "autoscaling:PutScheduledUpdateGroupAction", - "autoscaling:RecordLifecycleActionHeartbeat", - "autoscaling:ResumeProcesses", - "autoscaling:SetDesiredCapacity", - "autoscaling:SetInstanceHealth", - "autoscaling:SetInstanceProtection", - "autoscaling:StartInstanceRefresh", - "autoscaling:SuspendProcesses", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "backup:CreateBackupPlan", - "backup:CreateBackupSelection", - "backup:CreateBackupVault", - "backup:DeleteBackupPlan", - "backup:DeleteBackupSelection", - "backup:DeleteBackupVault", - "backup:DeleteBackupVaultAccessPolicy", - "backup:DeleteBackupVaultNotifications", - "backup:DeleteRecoveryPoint", - "backup:PutBackupVaultAccessPolicy", - "backup:PutBackupVaultNotifications", - "backup:StartBackupJob", - "backup:StartCopyJob", - "backup:StartRestoreJob", - "backup:TagResource", - "backup:UntagResource", - "backup:UpdateBackupPlan", - "backup:UpdateRecoveryPointLifecycle", - "batch:CreateComputeEnvironment", - "batch:CreateJobQueue", - "batch:DeleteComputeEnvironment", - "batch:DeleteJobQueue", - "batch:DeregisterJobDefinition", - "batch:RegisterJobDefinition", - "batch:SubmitJob", - "batch:UpdateComputeEnvironment", - "batch:UpdateJobQueue", - "budgets:ModifyBudget", - "cassandra:Alter", - "cassandra:Create", - "cassandra:Drop", - "cassandra:Modify", - "cassandra:TagResource", - "cassandra:UntagResource", - "chime:BatchCreateAttendee", - "chime:CreateAttendee", - "chime:DeleteAttendee", - "chime:DeleteMeeting", - "chime:TagAttendee", - "chime:TagMeeting", - "chime:TagResource", - "chime:UntagAttendee", - "chime:UntagMeeting", - "chime:UntagResource", - "cloud9:CreateEnvironmentMembership", - "cloud9:DeleteEnvironment", - "cloud9:DeleteEnvironmentMembership", - "cloud9:TagResource", - "cloud9:UntagResource", - "cloud9:UpdateEnvironment", - "cloud9:UpdateEnvironmentMembership", - 
"clouddirectory:AddFacetToObject", - "clouddirectory:ApplySchema", - "clouddirectory:AttachObject", - "clouddirectory:AttachPolicy", - "clouddirectory:AttachToIndex", - "clouddirectory:AttachTypedLink", - "clouddirectory:BatchWrite", - "clouddirectory:CreateDirectory", - "clouddirectory:CreateFacet", - "clouddirectory:CreateIndex", - "clouddirectory:CreateObject", - "clouddirectory:CreateTypedLinkFacet", - "clouddirectory:DeleteDirectory", - "clouddirectory:DeleteFacet", - "clouddirectory:DeleteObject", - "clouddirectory:DeleteSchema", - "clouddirectory:DeleteTypedLinkFacet", - "clouddirectory:DetachFromIndex", - "clouddirectory:DetachObject", - "clouddirectory:DetachPolicy", - "clouddirectory:DetachTypedLink", - "clouddirectory:DisableDirectory", - "clouddirectory:EnableDirectory", - "clouddirectory:PublishSchema", - "clouddirectory:RemoveFacetFromObject", - "clouddirectory:TagResource", - "clouddirectory:UntagResource", - "clouddirectory:UpdateFacet", - "clouddirectory:UpdateLinkAttributes", - "clouddirectory:UpdateObjectAttributes", - "clouddirectory:UpdateSchema", - "clouddirectory:UpdateTypedLinkFacet", - "cloudformation:CancelUpdateStack", - "cloudformation:ContinueUpdateRollback", - "cloudformation:CreateChangeSet", - "cloudformation:CreateStack", - "cloudformation:CreateStackInstances", - "cloudformation:DeleteChangeSet", - "cloudformation:DeleteStack", - "cloudformation:DeleteStackInstances", - "cloudformation:DeleteStackSet", - "cloudformation:ExecuteChangeSet", - "cloudformation:SetStackPolicy", - "cloudformation:SignalResource", - "cloudformation:StopStackSetOperation", - "cloudformation:TagResource", - "cloudformation:UntagResource", - "cloudformation:UpdateStack", - "cloudformation:UpdateStackInstances", - "cloudformation:UpdateStackSet", - "cloudformation:UpdateTerminationProtection", - "cloudfront:CreateCloudFrontOriginAccessIdentity", - "cloudfront:CreateDistribution", - "cloudfront:CreateDistributionWithTags", - "cloudfront:CreateInvalidation", - 
"cloudfront:CreateStreamingDistribution", - "cloudfront:CreateStreamingDistributionWithTags", - "cloudfront:DeleteCloudFrontOriginAccessIdentity", - "cloudfront:DeleteDistribution", - "cloudfront:DeleteStreamingDistribution", - "cloudfront:TagResource", - "cloudfront:UntagResource", - "cloudfront:UpdateCloudFrontOriginAccessIdentity", - "cloudfront:UpdateDistribution", - "cloudfront:UpdateStreamingDistribution", - "cloudhsm:CopyBackupToRegion", - "cloudhsm:CreateCluster", - "cloudhsm:CreateHsm", - "cloudhsm:DeleteBackup", - "cloudhsm:DeleteCluster", - "cloudhsm:InitializeCluster", - "cloudhsm:RestoreBackup", - "cloudhsm:TagResource", - "cloudhsm:UntagResource", - "cloudsearch:AddTags", - "cloudsearch:BuildSuggesters", - "cloudsearch:CreateDomain", - "cloudsearch:DefineAnalysisScheme", - "cloudsearch:DefineExpression", - "cloudsearch:DefineIndexField", - "cloudsearch:DefineSuggester", - "cloudsearch:DeleteAnalysisScheme", - "cloudsearch:DeleteDomain", - "cloudsearch:DeleteExpression", - "cloudsearch:DeleteIndexField", - "cloudsearch:DeleteSuggester", - "cloudsearch:IndexDocuments", - "cloudsearch:RemoveTags", - "cloudsearch:UpdateAvailabilityOptions", - "cloudsearch:UpdateDomainEndpointOptions", - "cloudsearch:UpdateScalingParameters", - "cloudsearch:UpdateServiceAccessPolicies", - "cloudsearch:document", - "cloudtrail:AddTags", - "cloudtrail:CreateTrail", - "cloudtrail:DeleteTrail", - "cloudtrail:PutEventSelectors", - "cloudtrail:PutInsightSelectors", - "cloudtrail:RemoveTags", - "cloudtrail:StartLogging", - "cloudtrail:StopLogging", - "cloudtrail:UpdateTrail", - "cloudwatch:DeleteAlarms", - "cloudwatch:DeleteDashboards", - "cloudwatch:DeleteInsightRules", - "cloudwatch:DisableAlarmActions", - "cloudwatch:DisableInsightRules", - "cloudwatch:EnableAlarmActions", - "cloudwatch:EnableInsightRules", - "cloudwatch:PutDashboard", - "cloudwatch:PutInsightRule", - "cloudwatch:PutMetricAlarm", - "cloudwatch:SetAlarmState", - "cloudwatch:TagResource", - 
"cloudwatch:UntagResource", - "codeartifact:AssociateExternalConnection", - "codeartifact:AssociateWithDownstreamRepository", - "codeartifact:CopyPackageVersions", - "codeartifact:CreateDomain", - "codeartifact:CreateRepository", - "codeartifact:DeleteDomain", - "codeartifact:DeleteDomainPermissionsPolicy", - "codeartifact:DeletePackageVersions", - "codeartifact:DeleteRepository", - "codeartifact:DeleteRepositoryPermissionsPolicy", - "codeartifact:DisassociateExternalConnection", - "codeartifact:DisposePackageVersions", - "codeartifact:PublishPackageVersion", - "codeartifact:PutDomainPermissionsPolicy", - "codeartifact:PutPackageMetadata", - "codeartifact:PutRepositoryPermissionsPolicy", - "codeartifact:UpdatePackageVersionsStatus", - "codeartifact:UpdateRepository", - "codebuild:BatchDeleteBuilds", - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateProject", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:CreateWebhook", - "codebuild:DeleteBuildBatch", - "codebuild:DeleteProject", - "codebuild:DeleteReport", - "codebuild:DeleteReportGroup", - "codebuild:DeleteResourcePolicy", - "codebuild:DeleteWebhook", - "codebuild:InvalidateProjectCache", - "codebuild:PutResourcePolicy", - "codebuild:RetryBuild", - "codebuild:RetryBuildBatch", - "codebuild:StartBuild", - "codebuild:StartBuildBatch", - "codebuild:StopBuild", - "codebuild:StopBuildBatch", - "codebuild:UpdateProject", - "codebuild:UpdateReport", - "codebuild:UpdateReportGroup", - "codebuild:UpdateWebhook", - "codecommit:AssociateApprovalRuleTemplateWithRepository", - "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories", - "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories", - "codecommit:CreateBranch", - "codecommit:CreateCommit", - "codecommit:CreatePullRequest", - "codecommit:CreatePullRequestApprovalRule", - "codecommit:CreateRepository", - "codecommit:CreateUnreferencedMergeCommit", - "codecommit:DeleteBranch", - 
"codecommit:DeleteCommentContent", - "codecommit:DeleteFile", - "codecommit:DeletePullRequestApprovalRule", - "codecommit:DeleteRepository", - "codecommit:DisassociateApprovalRuleTemplateFromRepository", - "codecommit:GitPush", - "codecommit:MergeBranchesByFastForward", - "codecommit:MergeBranchesBySquash", - "codecommit:MergeBranchesByThreeWay", - "codecommit:MergePullRequestByFastForward", - "codecommit:MergePullRequestBySquash", - "codecommit:MergePullRequestByThreeWay", - "codecommit:OverridePullRequestApprovalRules", - "codecommit:PostCommentForComparedCommit", - "codecommit:PostCommentForPullRequest", - "codecommit:PostCommentReply", - "codecommit:PutCommentReaction", - "codecommit:PutFile", - "codecommit:PutRepositoryTriggers", - "codecommit:TagResource", - "codecommit:TestRepositoryTriggers", - "codecommit:UntagResource", - "codecommit:UpdateComment", - "codecommit:UpdateDefaultBranch", - "codecommit:UpdatePullRequestApprovalRuleContent", - "codecommit:UpdatePullRequestApprovalState", - "codecommit:UpdatePullRequestDescription", - "codecommit:UpdatePullRequestStatus", - "codecommit:UpdatePullRequestTitle", - "codecommit:UpdateRepositoryDescription", - "codecommit:UpdateRepositoryName", - "codecommit:UploadArchive", - "codedeploy:AddTagsToOnPremisesInstances", - "codedeploy:CreateApplication", - "codedeploy:CreateDeployment", - "codedeploy:CreateDeploymentConfig", - "codedeploy:CreateDeploymentGroup", - "codedeploy:DeleteApplication", - "codedeploy:DeleteDeploymentConfig", - "codedeploy:DeleteDeploymentGroup", - "codedeploy:DeregisterOnPremisesInstance", - "codedeploy:RegisterApplicationRevision", - "codedeploy:RegisterOnPremisesInstance", - "codedeploy:RemoveTagsFromOnPremisesInstances", - "codedeploy:TagResource", - "codedeploy:UntagResource", - "codedeploy:UpdateApplication", - "codedeploy:UpdateDeploymentGroup", - "codeguru-profiler:AddNotificationChannels", - "codeguru-profiler:ConfigureAgent", - "codeguru-profiler:DeleteProfilingGroup", - 
"codeguru-profiler:ListTagsForResource", - "codeguru-profiler:PostAgentProfile", - "codeguru-profiler:PutPermission", - "codeguru-profiler:RemoveNotificationChannel", - "codeguru-profiler:RemovePermission", - "codeguru-profiler:SubmitFeedback", - "codeguru-profiler:TagResource", - "codeguru-profiler:UntagResource", - "codeguru-profiler:UpdateProfilingGroup", - "codeguru-reviewer:AssociateRepository", - "codeguru-reviewer:DisassociateRepository", - "codeguru-reviewer:PutRecommendationFeedback", - "codepipeline:CreateCustomActionType", - "codepipeline:CreatePipeline", - "codepipeline:DeleteCustomActionType", - "codepipeline:DeletePipeline", - "codepipeline:DeleteWebhook", - "codepipeline:DeregisterWebhookWithThirdParty", - "codepipeline:DisableStageTransition", - "codepipeline:EnableStageTransition", - "codepipeline:PollForJobs", - "codepipeline:PutActionRevision", - "codepipeline:PutApprovalResult", - "codepipeline:PutWebhook", - "codepipeline:RegisterWebhookWithThirdParty", - "codepipeline:RetryStageExecution", - "codepipeline:StartPipelineExecution", - "codepipeline:StopPipelineExecution", - "codepipeline:TagResource", - "codepipeline:UntagResource", - "codepipeline:UpdatePipeline", - "codestar-connections:DeleteConnection", - "codestar-connections:TagResource", - "codestar-connections:UntagResource", - "codestar-connections:UpdateConnectionInstallation", - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DeleteNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:TagResource", - "codestar-notifications:Unsubscribe", - "codestar-notifications:UntagResource", - "codestar-notifications:UpdateNotificationRule", - "codestar:AssociateTeamMember", - "codestar:CreateUserProfile", - "codestar:DeleteExtendedAccess", - "codestar:DeleteProject", - "codestar:DeleteUserProfile", - "codestar:DisassociateTeamMember", - "codestar:PutExtendedAccess", - "codestar:TagProject", - "codestar:UntagProject", - 
"codestar:UpdateProject", - "codestar:UpdateTeamMember", - "codestar:UpdateUserProfile", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:MergeDeveloperIdentities", - "cognito-identity:TagResource", - "cognito-identity:UnlinkDeveloperIdentity", - "cognito-identity:UntagResource", - "cognito-identity:UpdateIdentityPool", - "cognito-idp:AddCustomAttributes", - "cognito-idp:AdminAddUserToGroup", - "cognito-idp:AdminConfirmSignUp", - "cognito-idp:AdminCreateUser", - "cognito-idp:AdminDeleteUser", - "cognito-idp:AdminDeleteUserAttributes", - "cognito-idp:AdminDisableProviderForUser", - "cognito-idp:AdminDisableUser", - "cognito-idp:AdminEnableUser", - "cognito-idp:AdminForgetDevice", - "cognito-idp:AdminInitiateAuth", - "cognito-idp:AdminLinkProviderForUser", - "cognito-idp:AdminRemoveUserFromGroup", - "cognito-idp:AdminResetUserPassword", - "cognito-idp:AdminRespondToAuthChallenge", - "cognito-idp:AdminSetUserMFAPreference", - "cognito-idp:AdminSetUserPassword", - "cognito-idp:AdminSetUserSettings", - "cognito-idp:AdminUpdateAuthEventFeedback", - "cognito-idp:AdminUpdateDeviceStatus", - "cognito-idp:AdminUpdateUserAttributes", - "cognito-idp:AdminUserGlobalSignOut", - "cognito-idp:CreateGroup", - "cognito-idp:CreateIdentityProvider", - "cognito-idp:CreateResourceServer", - "cognito-idp:CreateUserImportJob", - "cognito-idp:CreateUserPoolClient", - "cognito-idp:CreateUserPoolDomain", - "cognito-idp:DeleteGroup", - "cognito-idp:DeleteIdentityProvider", - "cognito-idp:DeleteResourceServer", - "cognito-idp:DeleteUserPool", - "cognito-idp:DeleteUserPoolClient", - "cognito-idp:DeleteUserPoolDomain", - "cognito-idp:SetRiskConfiguration", - "cognito-idp:SetUICustomization", - "cognito-idp:SetUserPoolMfaConfig", - "cognito-idp:StartUserImportJob", - "cognito-idp:StopUserImportJob", - "cognito-idp:TagResource", - "cognito-idp:UntagResource", - "cognito-idp:UpdateAuthEventFeedback", - "cognito-idp:UpdateGroup", - "cognito-idp:UpdateIdentityProvider", - 
"cognito-idp:UpdateResourceServer", - "cognito-idp:UpdateUserPool", - "cognito-idp:UpdateUserPoolClient", - "cognito-idp:UpdateUserPoolDomain", - "cognito-sync:BulkPublish", - "cognito-sync:DeleteDataset", - "cognito-sync:RegisterDevice", - "cognito-sync:SetCognitoEvents", - "cognito-sync:SetDatasetConfiguration", - "cognito-sync:SetIdentityPoolConfiguration", - "cognito-sync:SubscribeToDataset", - "cognito-sync:UnsubscribeFromDataset", - "cognito-sync:UpdateRecords", - "comprehend:CreateEndpoint", - "comprehend:DeleteDocumentClassifier", - "comprehend:DeleteEndpoint", - "comprehend:DeleteEntityRecognizer", - "comprehend:StartDocumentClassificationJob", - "comprehend:StartEntitiesDetectionJob", - "comprehend:StopTrainingDocumentClassifier", - "comprehend:StopTrainingEntityRecognizer", - "comprehend:TagResource", - "comprehend:UntagResource", - "comprehend:UpdateEndpoint", - "config:DeleteAggregationAuthorization", - "config:DeleteConfigRule", - "config:DeleteConfigurationAggregator", - "config:DeleteEvaluationResults", - "config:DeleteRemediationConfiguration", - "config:PutAggregationAuthorization", - "config:PutConfigRule", - "config:PutConfigurationAggregator", - "config:PutRemediationConfigurations", - "config:StartConfigRulesEvaluation", - "config:StartRemediationExecution", - "config:TagResource", - "config:UntagResource", - "connect:AssociateRoutingProfileQueues", - "connect:CreateContactFlow", - "connect:CreateRoutingProfile", - "connect:CreateUser", - "connect:DeleteUser", - "connect:DestroyInstance", - "connect:DisassociateRoutingProfileQueues", - "connect:GetFederationTokens", - "connect:ModifyInstance", - "connect:ResumeContactRecording", - "connect:StartChatContact", - "connect:StartContactRecording", - "connect:StartOutboundVoiceContact", - "connect:StopContact", - "connect:StopContactRecording", - "connect:SuspendContactRecording", - "connect:TagResource", - "connect:UntagResource", - "connect:UpdateContactAttributes", - 
"connect:UpdateContactFlowContent", - "connect:UpdateContactFlowName", - "connect:UpdateRoutingProfileConcurrency", - "connect:UpdateRoutingProfileDefaultOutboundQueue", - "connect:UpdateRoutingProfileName", - "connect:UpdateRoutingProfileQueues", - "connect:UpdateUserHierarchy", - "connect:UpdateUserIdentityInfo", - "connect:UpdateUserPhoneConfig", - "connect:UpdateUserRoutingProfile", - "connect:UpdateUserSecurityProfiles", - "cur:DeleteReportDefinition", - "cur:ModifyReportDefinition", - "cur:PutReportDefinition", - "dataexchange:CancelJob", - "dataexchange:CreateJob", - "dataexchange:DeleteAsset", - "dataexchange:DeleteDataSet", - "dataexchange:DeleteRevision", - "dataexchange:GetJob", - "dataexchange:StartJob", - "dataexchange:TagResource", - "dataexchange:UntagResource", - "dataexchange:UpdateAsset", - "dataexchange:UpdateDataSet", - "dataexchange:UpdateRevision", - "datasync:CancelTaskExecution", - "datasync:DeleteAgent", - "datasync:DeleteLocation", - "datasync:DeleteTask", - "datasync:StartTaskExecution", - "datasync:TagResource", - "datasync:UntagResource", - "datasync:UpdateAgent", - "datasync:UpdateTask", - "dax:BatchWriteItem", - "dax:CreateCluster", - "dax:DecreaseReplicationFactor", - "dax:DeleteCluster", - "dax:DeleteItem", - "dax:IncreaseReplicationFactor", - "dax:PutItem", - "dax:RebootNode", - "dax:TagResource", - "dax:UntagResource", - "dax:UpdateCluster", - "dax:UpdateItem", - "deepcomposer:CreateAudio", - "deepcomposer:DeleteComposition", - "deepcomposer:DeleteModel", - "deepcomposer:TagResource", - "deepcomposer:UntagResource", - "deepcomposer:UpdateComposition", - "deepcomposer:UpdateModel", - "deeplens:DeleteModel", - "deeplens:DeleteProject", - "deeplens:DeployProject", - "deeplens:DeregisterDevice", - "deeplens:RemoveProject", - "deeplens:UpdateProject", - "deepracer:CloneReinforcementLearningModel", - "deepracer:CreateLeaderboardSubmission", - "deepracer:CreateReinforcementLearningModel", - "deepracer:DeleteModel", - 
"deepracer:StartEvaluation", - "deepracer:StopEvaluation", - "deepracer:StopTrainingReinforcementLearningModel", - "detective:AcceptInvitation", - "detective:CreateMembers", - "detective:DeleteGraph", - "detective:DeleteMembers", - "detective:DisassociateMembership", - "detective:RejectInvitation", - "detective:StartMonitoringMember", - "devicefarm:CreateDevicePool", - "devicefarm:CreateNetworkProfile", - "devicefarm:CreateRemoteAccessSession", - "devicefarm:CreateTestGridUrl", - "devicefarm:CreateUpload", - "devicefarm:DeleteDevicePool", - "devicefarm:DeleteInstanceProfile", - "devicefarm:DeleteNetworkProfile", - "devicefarm:DeleteProject", - "devicefarm:DeleteRemoteAccessSession", - "devicefarm:DeleteRun", - "devicefarm:DeleteTestGridProject", - "devicefarm:DeleteUpload", - "devicefarm:DeleteVPCEConfiguration", - "devicefarm:InstallToRemoteAccessSession", - "devicefarm:ScheduleRun", - "devicefarm:StopJob", - "devicefarm:StopRemoteAccessSession", - "devicefarm:StopRun", - "devicefarm:TagResource", - "devicefarm:UntagResource", - "devicefarm:UpdateDeviceInstance", - "devicefarm:UpdateDevicePool", - "devicefarm:UpdateInstanceProfile", - "devicefarm:UpdateNetworkProfile", - "devicefarm:UpdateProject", - "devicefarm:UpdateTestGridProject", - "devicefarm:UpdateUpload", - "devicefarm:UpdateVPCEConfiguration", - "directconnect:AcceptDirectConnectGatewayAssociationProposal", - "directconnect:AllocateConnectionOnInterconnect", - "directconnect:AllocateHostedConnection", - "directconnect:AllocatePrivateVirtualInterface", - "directconnect:AllocatePublicVirtualInterface", - "directconnect:AllocateTransitVirtualInterface", - "directconnect:AssociateConnectionWithLag", - "directconnect:AssociateHostedConnection", - "directconnect:AssociateVirtualInterface", - "directconnect:ConfirmConnection", - "directconnect:ConfirmPrivateVirtualInterface", - "directconnect:ConfirmPublicVirtualInterface", - "directconnect:ConfirmTransitVirtualInterface", - "directconnect:CreateBGPPeer", - 
"directconnect:CreateConnection", - "directconnect:CreateDirectConnectGatewayAssociation", - "directconnect:CreateDirectConnectGatewayAssociationProposal", - "directconnect:CreateInterconnect", - "directconnect:CreateLag", - "directconnect:CreatePrivateVirtualInterface", - "directconnect:CreatePublicVirtualInterface", - "directconnect:CreateTransitVirtualInterface", - "directconnect:DeleteBGPPeer", - "directconnect:DeleteConnection", - "directconnect:DeleteDirectConnectGateway", - "directconnect:DeleteDirectConnectGatewayAssociation", - "directconnect:DeleteInterconnect", - "directconnect:DeleteLag", - "directconnect:DeleteVirtualInterface", - "directconnect:DisassociateConnectionFromLag", - "directconnect:StartBgpFailoverTest", - "directconnect:StopBgpFailoverTest", - "directconnect:TagResource", - "directconnect:UntagResource", - "directconnect:UpdateLag", - "directconnect:UpdateVirtualInterfaceAttributes", - "dlm:DeleteLifecyclePolicy", - "dlm:TagResource", - "dlm:UntagResource", - "dlm:UpdateLifecyclePolicy", - "dms:AddTagsToResource", - "dms:ApplyPendingMaintenanceAction", - "dms:CreateReplicationTask", - "dms:DeleteCertificate", - "dms:DeleteEndpoint", - "dms:DeleteEventSubscription", - "dms:DeleteReplicationInstance", - "dms:DeleteReplicationSubnetGroup", - "dms:DeleteReplicationTask", - "dms:ModifyEndpoint", - "dms:ModifyReplicationInstance", - "dms:ModifyReplicationTask", - "dms:RebootReplicationInstance", - "dms:RefreshSchemas", - "dms:ReloadTables", - "dms:RemoveTagsFromResource", - "dms:StartReplicationTask", - "dms:StartReplicationTaskAssessment", - "dms:StopReplicationTask", - "ds:AcceptSharedDirectory", - "ds:AddIpRoutes", - "ds:AddTagsToResource", - "ds:AuthorizeApplication", - "ds:CancelSchemaExtension", - "ds:CreateAlias", - "ds:CreateComputer", - "ds:CreateConditionalForwarder", - "ds:CreateLogSubscription", - "ds:CreateSnapshot", - "ds:CreateTrust", - "ds:DeleteConditionalForwarder", - "ds:DeleteDirectory", - "ds:DeleteLogSubscription", - 
"ds:DeleteSnapshot", - "ds:DeleteTrust", - "ds:DeregisterCertificate", - "ds:DeregisterEventTopic", - "ds:DisableLDAPS", - "ds:DisableRadius", - "ds:DisableSso", - "ds:EnableLDAPS", - "ds:EnableRadius", - "ds:EnableSso", - "ds:RegisterCertificate", - "ds:RegisterEventTopic", - "ds:RejectSharedDirectory", - "ds:RemoveIpRoutes", - "ds:RemoveTagsFromResource", - "ds:ResetUserPassword", - "ds:RestoreFromSnapshot", - "ds:ShareDirectory", - "ds:StartSchemaExtension", - "ds:UnauthorizeApplication", - "ds:UnshareDirectory", - "ds:UpdateConditionalForwarder", - "ds:UpdateNumberOfDomainControllers", - "ds:UpdateRadius", - "ds:UpdateTrust", - "dynamodb:BatchWriteItem", - "dynamodb:CreateBackup", - "dynamodb:CreateGlobalTable", - "dynamodb:CreateTable", - "dynamodb:CreateTableReplica", - "dynamodb:DeleteBackup", - "dynamodb:DeleteItem", - "dynamodb:DeleteTable", - "dynamodb:DeleteTableReplica", - "dynamodb:PutItem", - "dynamodb:RestoreTableFromBackup", - "dynamodb:RestoreTableToPointInTime", - "dynamodb:TagResource", - "dynamodb:UntagResource", - "dynamodb:UpdateContinuousBackups", - "dynamodb:UpdateContributorInsights", - "dynamodb:UpdateGlobalTable", - "dynamodb:UpdateGlobalTableSettings", - "dynamodb:UpdateItem", - "dynamodb:UpdateTable", - "dynamodb:UpdateTableReplicaAutoScaling", - "dynamodb:UpdateTimeToLive", - "ebs:CompleteSnapshot", - "ebs:PutSnapshotBlock", - "ebs:StartSnapshot", - "ec2-instance-connect:SendSSHPublicKey", - "ec2:AcceptTransitGatewayPeeringAttachment", - "ec2:AcceptTransitGatewayVpcAttachment", - "ec2:AcceptVpcEndpointConnections", - "ec2:AcceptVpcPeeringConnection", - "ec2:AllocateHosts", - "ec2:ApplySecurityGroupsToClientVpnTargetNetwork", - "ec2:AssociateClientVpnTargetNetwork", - "ec2:AssociateIamInstanceProfile", - "ec2:AssociateTransitGatewayMulticastDomain", - "ec2:AssociateTransitGatewayRouteTable", - "ec2:AttachClassicLinkVpc", - "ec2:AttachVolume", - "ec2:AuthorizeClientVpnIngress", - "ec2:AuthorizeSecurityGroupEgress", - 
"ec2:AuthorizeSecurityGroupIngress", - "ec2:CancelCapacityReservation", - "ec2:CopySnapshot", - "ec2:CreateCapacityReservation", - "ec2:CreateCarrierGateway", - "ec2:CreateClientVpnEndpoint", - "ec2:CreateClientVpnRoute", - "ec2:CreateDhcpOptions", - "ec2:CreateEgressOnlyInternetGateway", - "ec2:CreateFleet", - "ec2:CreateFlowLogs", - "ec2:CreateFpgaImage", - "ec2:CreateInstanceExportTask", - "ec2:CreateInternetGateway", - "ec2:CreateKeyPair", - "ec2:CreateLaunchTemplate", - "ec2:CreateLaunchTemplateVersion", - "ec2:CreateLocalGatewayRoute", - "ec2:CreateLocalGatewayRouteTableVpcAssociation", - "ec2:CreateManagedPrefixList", - "ec2:CreateNatGateway", - "ec2:CreateNetworkAcl", - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:CreatePlacementGroup", - "ec2:CreateRoute", - "ec2:CreateSecurityGroup", - "ec2:CreateSnapshot", - "ec2:CreateSnapshots", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateTrafficMirrorFilter", - "ec2:CreateTrafficMirrorFilterRule", - "ec2:CreateTrafficMirrorSession", - "ec2:CreateTrafficMirrorTarget", - "ec2:CreateTransitGateway", - "ec2:CreateTransitGatewayMulticastDomain", - "ec2:CreateTransitGatewayPeeringAttachment", - "ec2:CreateTransitGatewayPrefixListReference", - "ec2:CreateTransitGatewayRoute", - "ec2:CreateTransitGatewayRouteTable", - "ec2:CreateTransitGatewayVpcAttachment", - "ec2:CreateVolume", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:CreateVpcEndpointServiceConfiguration", - "ec2:CreateVpcPeeringConnection", - "ec2:CreateVpnConnection", - "ec2:DeleteCarrierGateway", - "ec2:DeleteClientVpnEndpoint", - "ec2:DeleteClientVpnRoute", - "ec2:DeleteCustomerGateway", - "ec2:DeleteDhcpOptions", - "ec2:DeleteFlowLogs", - "ec2:DeleteInternetGateway", - "ec2:DeleteLaunchTemplate", - "ec2:DeleteLaunchTemplateVersions", - "ec2:DeleteLocalGatewayRoute", - "ec2:DeleteLocalGatewayRouteTableVpcAssociation", - "ec2:DeleteManagedPrefixList", - "ec2:DeleteNetworkAcl", - "ec2:DeleteNetworkAclEntry", - 
"ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSnapshot", - "ec2:DeleteTags", - "ec2:DeleteTrafficMirrorFilter", - "ec2:DeleteTrafficMirrorFilterRule", - "ec2:DeleteTrafficMirrorSession", - "ec2:DeleteTrafficMirrorTarget", - "ec2:DeleteTransitGateway", - "ec2:DeleteTransitGatewayMulticastDomain", - "ec2:DeleteTransitGatewayPeeringAttachment", - "ec2:DeleteTransitGatewayPrefixListReference", - "ec2:DeleteTransitGatewayRoute", - "ec2:DeleteTransitGatewayRouteTable", - "ec2:DeleteTransitGatewayVpcAttachment", - "ec2:DeleteVolume", - "ec2:DeleteVpcEndpointServiceConfigurations", - "ec2:DeleteVpcEndpoints", - "ec2:DeleteVpcPeeringConnection", - "ec2:DeregisterTransitGatewayMulticastGroupMembers", - "ec2:DeregisterTransitGatewayMulticastGroupSources", - "ec2:DetachClassicLinkVpc", - "ec2:DetachVolume", - "ec2:DisableFastSnapshotRestores", - "ec2:DisableTransitGatewayRouteTablePropagation", - "ec2:DisableVpcClassicLink", - "ec2:DisassociateClientVpnTargetNetwork", - "ec2:DisassociateIamInstanceProfile", - "ec2:DisassociateTransitGatewayMulticastDomain", - "ec2:DisassociateTransitGatewayRouteTable", - "ec2:EnableFastSnapshotRestores", - "ec2:EnableTransitGatewayRouteTablePropagation", - "ec2:EnableVpcClassicLink", - "ec2:ImportClientVpnClientCertificateRevocationList", - "ec2:ModifyCapacityReservation", - "ec2:ModifyClientVpnEndpoint", - "ec2:ModifyInstanceCreditSpecification", - "ec2:ModifyInstanceEventStartTime", - "ec2:ModifyLaunchTemplate", - "ec2:ModifyManagedPrefixList", - "ec2:ModifySnapshotAttribute", - "ec2:ModifyTrafficMirrorFilterNetworkServices", - "ec2:ModifyTrafficMirrorFilterRule", - "ec2:ModifyTrafficMirrorSession", - "ec2:ModifyTransitGateway", - "ec2:ModifyTransitGatewayPrefixListReference", - "ec2:ModifyTransitGatewayVpcAttachment", - "ec2:ModifyVpcEndpoint", - "ec2:ModifyVpcEndpointServiceConfiguration", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:ModifyVpnConnection", - "ec2:ModifyVpnTunnelOptions", - 
"ec2:RebootInstances", - "ec2:RegisterTransitGatewayMulticastGroupMembers", - "ec2:RegisterTransitGatewayMulticastGroupSources", - "ec2:RejectTransitGatewayPeeringAttachment", - "ec2:RejectTransitGatewayVpcAttachment", - "ec2:RejectVpcEndpointConnections", - "ec2:RejectVpcPeeringConnection", - "ec2:ReplaceIamInstanceProfileAssociation", - "ec2:ReplaceRoute", - "ec2:ReplaceTransitGatewayRoute", - "ec2:RestoreManagedPrefixListVersion", - "ec2:RevokeClientVpnIngress", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:RunInstances", - "ec2:SendDiagnosticInterrupt", - "ec2:StartInstances", - "ec2:StartVpcEndpointServicePrivateDnsVerification", - "ec2:StopInstances", - "ec2:TerminateClientVpnConnections", - "ec2:TerminateInstances", - "ec2:UpdateSecurityGroupRuleDescriptionsEgress", - "ec2:UpdateSecurityGroupRuleDescriptionsIngress", - "ecr:BatchDeleteImage", - "ecr:CompleteLayerUpload", - "ecr:CreateRepository", - "ecr:DeleteLifecyclePolicy", - "ecr:DeleteRepository", - "ecr:DeleteRepositoryPolicy", - "ecr:InitiateLayerUpload", - "ecr:PutImage", - "ecr:PutImageScanningConfiguration", - "ecr:PutImageTagMutability", - "ecr:PutLifecyclePolicy", - "ecr:SetRepositoryPolicy", - "ecr:StartImageScan", - "ecr:StartLifecyclePolicyPreview", - "ecr:TagResource", - "ecr:UntagResource", - "ecr:UploadLayerPart", - "ecs:CreateService", - "ecs:DeleteAttributes", - "ecs:DeleteCapacityProvider", - "ecs:DeleteCluster", - "ecs:DeleteService", - "ecs:DeleteTaskSet", - "ecs:DeregisterContainerInstance", - "ecs:Poll", - "ecs:PutAttributes", - "ecs:PutClusterCapacityProviders", - "ecs:RegisterContainerInstance", - "ecs:RunTask", - "ecs:StartTask", - "ecs:StartTelemetrySession", - "ecs:StopTask", - "ecs:SubmitAttachmentStateChanges", - "ecs:SubmitContainerStateChange", - "ecs:SubmitTaskStateChange", - "ecs:TagResource", - "ecs:UntagResource", - "ecs:UpdateClusterSettings", - "ecs:UpdateContainerAgent", - "ecs:UpdateContainerInstancesState", - "ecs:UpdateService", - 
"ecs:UpdateServicePrimaryTaskSet", - "ecs:UpdateTaskSet", - "eks:CreateFargateProfile", - "eks:CreateNodegroup", - "eks:DeleteCluster", - "eks:DeleteFargateProfile", - "eks:DeleteNodegroup", - "eks:TagResource", - "eks:UntagResource", - "eks:UpdateClusterConfig", - "eks:UpdateClusterVersion", - "eks:UpdateNodegroupConfig", - "eks:UpdateNodegroupVersion", - "elastic-inference:Connect", - "elasticache:AddTagsToResource", - "elasticache:AuthorizeCacheSecurityGroupIngress", - "elasticache:BatchApplyUpdateAction", - "elasticache:BatchStopUpdateAction", - "elasticache:CompleteMigration", - "elasticache:CopySnapshot", - "elasticache:CreateCacheCluster", - "elasticache:CreateCacheParameterGroup", - "elasticache:CreateCacheSecurityGroup", - "elasticache:CreateCacheSubnetGroup", - "elasticache:CreateGlobalReplicationGroup", - "elasticache:CreateReplicationGroup", - "elasticache:CreateSnapshot", - "elasticache:DecreaseNodeGroupsInGlobalReplicationGroup", - "elasticache:DecreaseReplicaCount", - "elasticache:DeleteCacheCluster", - "elasticache:DeleteCacheParameterGroup", - "elasticache:DeleteCacheSecurityGroup", - "elasticache:DeleteCacheSubnetGroup", - "elasticache:DeleteGlobalReplicationGroup", - "elasticache:DeleteReplicationGroup", - "elasticache:DeleteSnapshot", - "elasticache:DisassociateGlobalReplicationGroup", - "elasticache:FailoverGlobalReplicationGroup", - "elasticache:IncreaseNodeGroupsInGlobalReplicationGroup", - "elasticache:IncreaseReplicaCount", - "elasticache:ModifyCacheCluster", - "elasticache:ModifyCacheParameterGroup", - "elasticache:ModifyCacheSubnetGroup", - "elasticache:ModifyGlobalReplicationGroup", - "elasticache:ModifyReplicationGroup", - "elasticache:ModifyReplicationGroupShardConfiguration", - "elasticache:PurchaseReservedCacheNodesOffering", - "elasticache:RebalanceSlotsInGlobalReplicationGroup", - "elasticache:RebootCacheCluster", - "elasticache:RemoveTagsFromResource", - "elasticache:ResetCacheParameterGroup", - 
"elasticache:RevokeCacheSecurityGroupIngress", - "elasticache:StartMigration", - "elasticache:TestFailover", - "elasticbeanstalk:AbortEnvironmentUpdate", - "elasticbeanstalk:AddTags", - "elasticbeanstalk:ApplyEnvironmentManagedAction", - "elasticbeanstalk:AssociateEnvironmentOperationsRole", - "elasticbeanstalk:ComposeEnvironments", - "elasticbeanstalk:CreateApplication", - "elasticbeanstalk:CreateApplicationVersion", - "elasticbeanstalk:CreateConfigurationTemplate", - "elasticbeanstalk:CreateEnvironment", - "elasticbeanstalk:CreatePlatformVersion", - "elasticbeanstalk:DeleteApplication", - "elasticbeanstalk:DeleteApplicationVersion", - "elasticbeanstalk:DeleteConfigurationTemplate", - "elasticbeanstalk:DeleteEnvironmentConfiguration", - "elasticbeanstalk:DeletePlatformVersion", - "elasticbeanstalk:DisassociateEnvironmentOperationsRole", - "elasticbeanstalk:PutInstanceStatistics", - "elasticbeanstalk:RebuildEnvironment", - "elasticbeanstalk:RemoveTags", - "elasticbeanstalk:RestartAppServer", - "elasticbeanstalk:SwapEnvironmentCNAMEs", - "elasticbeanstalk:TerminateEnvironment", - "elasticbeanstalk:UpdateApplication", - "elasticbeanstalk:UpdateApplicationResourceLifecycle", - "elasticbeanstalk:UpdateApplicationVersion", - "elasticbeanstalk:UpdateConfigurationTemplate", - "elasticbeanstalk:UpdateEnvironment", - "elasticfilesystem:Backup", - "elasticfilesystem:ClientRootAccess", - "elasticfilesystem:ClientWrite", - "elasticfilesystem:CreateAccessPoint", - "elasticfilesystem:CreateMountTarget", - "elasticfilesystem:CreateTags", - "elasticfilesystem:DeleteAccessPoint", - "elasticfilesystem:DeleteFileSystem", - "elasticfilesystem:DeleteFileSystemPolicy", - "elasticfilesystem:DeleteMountTarget", - "elasticfilesystem:DeleteTags", - "elasticfilesystem:ModifyMountTargetSecurityGroups", - "elasticfilesystem:PutBackupPolicy", - "elasticfilesystem:PutFileSystemPolicy", - "elasticfilesystem:PutLifecycleConfiguration", - "elasticfilesystem:Restore", - 
"elasticfilesystem:UpdateFileSystem", - "elasticloadbalancing:AddListenerCertificates", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateRule", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteRule", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyRule", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:RemoveListenerCertificates", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:SetIpAddressType", - "elasticloadbalancing:SetRulePriorities", - "elasticloadbalancing:SetSecurityGroups", - "elasticloadbalancing:SetSubnets", - "elasticmapreduce:AddInstanceFleet", - "elasticmapreduce:AddInstanceGroups", - "elasticmapreduce:AddJobFlowSteps", - "elasticmapreduce:AddTags", - "elasticmapreduce:CancelSteps", - "elasticmapreduce:CreateEditor", - "elasticmapreduce:DeleteEditor", - "elasticmapreduce:ModifyCluster", - "elasticmapreduce:ModifyInstanceFleet", - "elasticmapreduce:ModifyInstanceGroups", - "elasticmapreduce:OpenEditorInConsole", - "elasticmapreduce:PutAutoScalingPolicy", - "elasticmapreduce:PutManagedScalingPolicy", - "elasticmapreduce:RemoveAutoScalingPolicy", - "elasticmapreduce:RemoveManagedScalingPolicy", - "elasticmapreduce:RemoveTags", - "elasticmapreduce:SetTerminationProtection", - "elasticmapreduce:StartEditor", - "elasticmapreduce:StopEditor", - "elasticmapreduce:TerminateJobFlows", - "elastictranscoder:CancelJob", - "elastictranscoder:CreateJob", - "elastictranscoder:CreatePipeline", - "elastictranscoder:CreatePreset", - "elastictranscoder:DeletePipeline", - 
"elastictranscoder:DeletePreset", - "elastictranscoder:UpdatePipeline", - "elastictranscoder:UpdatePipelineNotifications", - "elastictranscoder:UpdatePipelineStatus", - "elemental-activations:TagResource", - "elemental-activations:UntagResource", - "elemental-appliances-software:CreateQuote", - "elemental-appliances-software:TagResource", - "elemental-appliances-software:UntagResource", - "elemental-appliances-software:UpdateQuote", - "es:AddTags", - "es:CreateElasticsearchDomain", - "es:CreateOutboundCrossClusterSearchConnection", - "es:DeleteElasticsearchDomain", - "es:ESHttpDelete", - "es:ESHttpPatch", - "es:ESHttpPost", - "es:ESHttpPut", - "es:RemoveTags", - "es:UpdateElasticsearchDomainConfig", - "es:UpgradeElasticsearchDomain", - "events:ActivateEventSource", - "events:CreateEventBus", - "events:CreatePartnerEventSource", - "events:DeactivateEventSource", - "events:DeleteEventBus", - "events:DeletePartnerEventSource", - "events:DeleteRule", - "events:DisableRule", - "events:EnableRule", - "events:PutEvents", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "events:TagResource", - "events:UntagResource", - "execute-api:InvalidateCache", - "execute-api:Invoke", - "execute-api:ManageConnections", - "firehose:CreateDeliveryStream", - "firehose:DeleteDeliveryStream", - "firehose:PutRecord", - "firehose:PutRecordBatch", - "firehose:StartDeliveryStreamEncryption", - "firehose:StopDeliveryStreamEncryption", - "firehose:TagDeliveryStream", - "firehose:UntagDeliveryStream", - "firehose:UpdateDestination", - "fms:DeleteAppsList", - "fms:DeletePolicy", - "fms:DeleteProtocolsList", - "fms:PutAppsList", - "fms:PutPolicy", - "fms:PutProtocolsList", - "fms:TagResource", - "fms:UntagResource", - "forecast:CreateDataset", - "forecast:CreateDatasetGroup", - "forecast:CreateDatasetImportJob", - "forecast:CreateForecast", - "forecast:CreateForecastExportJob", - "forecast:CreatePredictor", - "forecast:DeleteDataset", - "forecast:DeleteDatasetGroup", - 
"forecast:DeleteDatasetImportJob", - "forecast:DeleteForecast", - "forecast:DeleteForecastExportJob", - "forecast:DeletePredictor", - "forecast:TagResource", - "forecast:UntagResource", - "forecast:UpdateDatasetGroup", - "frauddetector:CreateDetectorVersion", - "frauddetector:CreateModel", - "frauddetector:CreateModelVersion", - "frauddetector:CreateRule", - "frauddetector:DeleteDetector", - "frauddetector:DeleteDetectorVersion", - "frauddetector:DeleteRule", - "frauddetector:PutDetector", - "frauddetector:PutEntityType", - "frauddetector:PutEventType", - "frauddetector:PutExternalModel", - "frauddetector:PutLabel", - "frauddetector:PutOutcome", - "frauddetector:TagResource", - "frauddetector:UntagResource", - "frauddetector:UpdateDetectorVersion", - "frauddetector:UpdateDetectorVersionMetadata", - "frauddetector:UpdateDetectorVersionStatus", - "frauddetector:UpdateModel", - "frauddetector:UpdateModelVersion", - "frauddetector:UpdateRuleMetadata", - "frauddetector:UpdateRuleVersion", - "frauddetector:UpdateVariable", - "freertos:CreateSoftwareConfiguration", - "freertos:DeleteSoftwareConfiguration", - "freertos:UpdateSoftwareConfiguration", - "fsx:CancelDataRepositoryTask", - "fsx:CreateBackup", - "fsx:CreateDataRepositoryTask", - "fsx:CreateFileSystem", - "fsx:CreateFileSystemFromBackup", - "fsx:DeleteBackup", - "fsx:DeleteFileSystem", - "fsx:TagResource", - "fsx:UntagResource", - "fsx:UpdateFileSystem", - "gamelift:ClaimGameServer", - "gamelift:DeleteAlias", - "gamelift:DeleteBuild", - "gamelift:DeleteFleet", - "gamelift:DeleteGameServerGroup", - "gamelift:DeleteGameSessionQueue", - "gamelift:DeleteMatchmakingConfiguration", - "gamelift:DeleteMatchmakingRuleSet", - "gamelift:DeleteScalingPolicy", - "gamelift:DeleteScript", - "gamelift:DeregisterGameServer", - "gamelift:PutScalingPolicy", - "gamelift:RegisterGameServer", - "gamelift:ResumeGameServerGroup", - "gamelift:StartFleetActions", - "gamelift:StartGameSessionPlacement", - "gamelift:StopFleetActions", - 
"gamelift:SuspendGameServerGroup", - "gamelift:TagResource", - "gamelift:UntagResource", - "gamelift:UpdateAlias", - "gamelift:UpdateBuild", - "gamelift:UpdateFleetAttributes", - "gamelift:UpdateFleetCapacity", - "gamelift:UpdateFleetPortSettings", - "gamelift:UpdateGameServer", - "gamelift:UpdateGameServerGroup", - "gamelift:UpdateGameSessionQueue", - "gamelift:UpdateMatchmakingConfiguration", - "gamelift:UpdateRuntimeConfiguration", - "gamelift:UpdateScript", - "glacier:AbortMultipartUpload", - "glacier:AbortVaultLock", - "glacier:AddTagsToVault", - "glacier:CompleteMultipartUpload", - "glacier:CompleteVaultLock", - "glacier:CreateVault", - "glacier:DeleteArchive", - "glacier:DeleteVault", - "glacier:DeleteVaultAccessPolicy", - "glacier:DeleteVaultNotifications", - "glacier:InitiateJob", - "glacier:InitiateMultipartUpload", - "glacier:InitiateVaultLock", - "glacier:RemoveTagsFromVault", - "glacier:SetVaultAccessPolicy", - "glacier:SetVaultNotifications", - "glacier:UploadArchive", - "glacier:UploadMultipartPart", - "globalaccelerator:CreateEndpointGroup", - "globalaccelerator:CreateListener", - "globalaccelerator:DeleteAccelerator", - "globalaccelerator:DeleteEndpointGroup", - "globalaccelerator:DeleteListener", - "globalaccelerator:TagResource", - "globalaccelerator:UntagResource", - "globalaccelerator:UpdateAccelerator", - "globalaccelerator:UpdateAcceleratorAttributes", - "globalaccelerator:UpdateEndpointGroup", - "globalaccelerator:UpdateListener", - "glue:BatchCreatePartition", - "glue:BatchDeleteConnection", - "glue:BatchDeletePartition", - "glue:BatchDeleteTable", - "glue:CancelMLTaskRun", - "glue:CreateConnection", - "glue:CreateDatabase", - "glue:CreatePartition", - "glue:CreateTable", - "glue:CreateUserDefinedFunction", - "glue:DeleteConnection", - "glue:DeleteDatabase", - "glue:DeleteMLTransform", - "glue:DeletePartition", - "glue:DeleteResourcePolicy", - "glue:DeleteTable", - "glue:DeleteUserDefinedFunction", - "glue:ImportCatalogToGlue", - 
"glue:PutResourcePolicy", - "glue:StartExportLabelsTaskRun", - "glue:StartImportLabelsTaskRun", - "glue:StartMLEvaluationTaskRun", - "glue:StartMLLabelingSetGenerationTaskRun", - "glue:TagResource", - "glue:UntagResource", - "glue:UpdateConnection", - "glue:UpdateDatabase", - "glue:UpdateMLTransform", - "glue:UpdatePartition", - "glue:UpdateTable", - "glue:UpdateUserDefinedFunction", - "glue:UseMLTransforms", - "greengrass:AssociateRoleToGroup", - "greengrass:CreateConnectorDefinitionVersion", - "greengrass:CreateCoreDefinitionVersion", - "greengrass:CreateDeployment", - "greengrass:CreateDeviceDefinitionVersion", - "greengrass:CreateFunctionDefinitionVersion", - "greengrass:CreateGroupCertificateAuthority", - "greengrass:CreateGroupVersion", - "greengrass:CreateLoggerDefinitionVersion", - "greengrass:CreateResourceDefinitionVersion", - "greengrass:CreateSubscriptionDefinitionVersion", - "greengrass:DeleteConnectorDefinition", - "greengrass:DeleteCoreDefinition", - "greengrass:DeleteDeviceDefinition", - "greengrass:DeleteFunctionDefinition", - "greengrass:DeleteGroup", - "greengrass:DeleteLoggerDefinition", - "greengrass:DeleteResourceDefinition", - "greengrass:DeleteSubscriptionDefinition", - "greengrass:DisassociateRoleFromGroup", - "greengrass:ResetDeployments", - "greengrass:StopBulkDeployment", - "greengrass:TagResource", - "greengrass:UntagResource", - "greengrass:UpdateConnectivityInfo", - "greengrass:UpdateConnectorDefinition", - "greengrass:UpdateCoreDefinition", - "greengrass:UpdateDeviceDefinition", - "greengrass:UpdateFunctionDefinition", - "greengrass:UpdateGroup", - "greengrass:UpdateGroupCertificateConfiguration", - "greengrass:UpdateLoggerDefinition", - "greengrass:UpdateResourceDefinition", - "greengrass:UpdateSubscriptionDefinition", - "groundstation:CancelContact", - "groundstation:DeleteConfig", - "groundstation:DeleteDataflowEndpointGroup", - "groundstation:DeleteMissionProfile", - "groundstation:TagResource", - "groundstation:UntagResource", - 
"groundstation:UpdateConfig", - "groundstation:UpdateMissionProfile", - "guardduty:AcceptInvitation", - "guardduty:ArchiveFindings", - "guardduty:CreateFilter", - "guardduty:CreateIPSet", - "guardduty:CreateMembers", - "guardduty:CreatePublishingDestination", - "guardduty:CreateSampleFindings", - "guardduty:CreateThreatIntelSet", - "guardduty:DeleteDetector", - "guardduty:DeleteFilter", - "guardduty:DeleteIPSet", - "guardduty:DeleteMembers", - "guardduty:DeletePublishingDestination", - "guardduty:DeleteThreatIntelSet", - "guardduty:DisassociateFromMasterAccount", - "guardduty:DisassociateMembers", - "guardduty:InviteMembers", - "guardduty:StartMonitoringMembers", - "guardduty:StopMonitoringMembers", - "guardduty:TagResource", - "guardduty:UnarchiveFindings", - "guardduty:UntagResource", - "guardduty:UpdateDetector", - "guardduty:UpdateFilter", - "guardduty:UpdateFindingsFeedback", - "guardduty:UpdateIPSet", - "guardduty:UpdateOrganizationConfiguration", - "guardduty:UpdatePublishingDestination", - "guardduty:UpdateThreatIntelSet", - "honeycode:InvokeScreenAutomation", - "imagebuilder:CancelImageCreation", - "imagebuilder:CreateComponent", - "imagebuilder:CreateDistributionConfiguration", - "imagebuilder:CreateImage", - "imagebuilder:CreateImagePipeline", - "imagebuilder:CreateImageRecipe", - "imagebuilder:CreateInfrastructureConfiguration", - "imagebuilder:DeleteComponent", - "imagebuilder:DeleteDistributionConfiguration", - "imagebuilder:DeleteImage", - "imagebuilder:DeleteImagePipeline", - "imagebuilder:DeleteImageRecipe", - "imagebuilder:DeleteInfrastructureConfiguration", - "imagebuilder:PutComponentPolicy", - "imagebuilder:PutImagePolicy", - "imagebuilder:PutImageRecipePolicy", - "imagebuilder:StartImagePipelineExecution", - "imagebuilder:TagResource", - "imagebuilder:UntagResource", - "imagebuilder:UpdateDistributionConfiguration", - "imagebuilder:UpdateImagePipeline", - "imagebuilder:UpdateInfrastructureConfiguration", - 
"iot1click:AssociateDeviceWithPlacement", - "iot1click:CreatePlacement", - "iot1click:CreateProject", - "iot1click:DeletePlacement", - "iot1click:DeleteProject", - "iot1click:DisassociateDeviceFromPlacement", - "iot1click:InvokeDeviceMethod", - "iot1click:TagResource", - "iot1click:UntagResource", - "iot1click:UpdateDeviceState", - "iot1click:UpdatePlacement", - "iot1click:UpdateProject", - "iot:AddThingToBillingGroup", - "iot:AddThingToThingGroup", - "iot:AssociateTargetsWithJob", - "iot:AttachPolicy", - "iot:AttachPrincipalPolicy", - "iot:AttachSecurityProfile", - "iot:CancelJob", - "iot:CancelJobExecution", - "iot:CloseTunnel", - "iot:Connect", - "iot:CreateAuthorizer", - "iot:CreateBillingGroup", - "iot:CreateDimension", - "iot:CreateDynamicThingGroup", - "iot:CreateJob", - "iot:CreateMitigationAction", - "iot:CreateOTAUpdate", - "iot:CreatePolicyVersion", - "iot:CreateProvisioningClaim", - "iot:CreateProvisioningTemplate", - "iot:CreateProvisioningTemplateVersion", - "iot:CreateRoleAlias", - "iot:CreateScheduledAudit", - "iot:CreateSecurityProfile", - "iot:CreateStream", - "iot:CreateThing", - "iot:CreateThingGroup", - "iot:CreateThingType", - "iot:CreateTopicRule", - "iot:DeleteAuthorizer", - "iot:DeleteBillingGroup", - "iot:DeleteCACertificate", - "iot:DeleteCertificate", - "iot:DeleteDimension", - "iot:DeleteDomainConfiguration", - "iot:DeleteDynamicThingGroup", - "iot:DeleteJob", - "iot:DeleteJobExecution", - "iot:DeleteMitigationAction", - "iot:DeleteOTAUpdate", - "iot:DeletePolicy", - "iot:DeletePolicyVersion", - "iot:DeleteProvisioningTemplate", - "iot:DeleteProvisioningTemplateVersion", - "iot:DeleteRoleAlias", - "iot:DeleteScheduledAudit", - "iot:DeleteSecurityProfile", - "iot:DeleteStream", - "iot:DeleteThing", - "iot:DeleteThingGroup", - "iot:DeleteThingShadow", - "iot:DeleteThingType", - "iot:DeleteTopicRule", - "iot:DeprecateThingType", - "iot:DetachPolicy", - "iot:DetachPrincipalPolicy", - "iot:DetachSecurityProfile", - "iot:DisableTopicRule", - 
"iot:EnableTopicRule", - "iot:Publish", - "iot:Receive", - "iot:RejectCertificateTransfer", - "iot:RemoveThingFromBillingGroup", - "iot:RemoveThingFromThingGroup", - "iot:ReplaceTopicRule", - "iot:SetDefaultAuthorizer", - "iot:SetDefaultPolicyVersion", - "iot:StartNextPendingJobExecution", - "iot:Subscribe", - "iot:TagResource", - "iot:TransferCertificate", - "iot:UntagResource", - "iot:UpdateAuthorizer", - "iot:UpdateBillingGroup", - "iot:UpdateCACertificate", - "iot:UpdateCertificate", - "iot:UpdateDimension", - "iot:UpdateDomainConfiguration", - "iot:UpdateDynamicThingGroup", - "iot:UpdateJob", - "iot:UpdateJobExecution", - "iot:UpdateMitigationAction", - "iot:UpdateProvisioningTemplate", - "iot:UpdateRoleAlias", - "iot:UpdateScheduledAudit", - "iot:UpdateSecurityProfile", - "iot:UpdateStream", - "iot:UpdateThing", - "iot:UpdateThingGroup", - "iot:UpdateThingGroupsForThing", - "iot:UpdateThingShadow", - "iotanalytics:BatchPutMessage", - "iotanalytics:CancelPipelineReprocessing", - "iotanalytics:CreateChannel", - "iotanalytics:CreateDataset", - "iotanalytics:CreateDatasetContent", - "iotanalytics:CreateDatastore", - "iotanalytics:CreatePipeline", - "iotanalytics:DeleteChannel", - "iotanalytics:DeleteDataset", - "iotanalytics:DeleteDatasetContent", - "iotanalytics:DeleteDatastore", - "iotanalytics:DeletePipeline", - "iotanalytics:StartPipelineReprocessing", - "iotanalytics:TagResource", - "iotanalytics:UntagResource", - "iotanalytics:UpdateChannel", - "iotanalytics:UpdateDataset", - "iotanalytics:UpdateDatastore", - "iotanalytics:UpdatePipeline", - "iotevents:BatchPutMessage", - "iotevents:BatchUpdateDetector", - "iotevents:CreateDetectorModel", - "iotevents:CreateInput", - "iotevents:DeleteDetectorModel", - "iotevents:DeleteInput", - "iotevents:TagResource", - "iotevents:UntagResource", - "iotevents:UpdateDetectorModel", - "iotevents:UpdateInput", - "iotevents:UpdateInputRouting", - "iotsitewise:AssociateAssets", - "iotsitewise:BatchAssociateProjectAssets", - 
"iotsitewise:BatchDisassociateProjectAssets", - "iotsitewise:BatchPutAssetPropertyValue", - "iotsitewise:CreateAccessPolicy", - "iotsitewise:CreateAsset", - "iotsitewise:CreateDashboard", - "iotsitewise:CreateProject", - "iotsitewise:DeleteAccessPolicy", - "iotsitewise:DeleteAsset", - "iotsitewise:DeleteAssetModel", - "iotsitewise:DeleteDashboard", - "iotsitewise:DeleteGateway", - "iotsitewise:DeletePortal", - "iotsitewise:DeleteProject", - "iotsitewise:DisassociateAssets", - "iotsitewise:TagResource", - "iotsitewise:UntagResource", - "iotsitewise:UpdateAccessPolicy", - "iotsitewise:UpdateAsset", - "iotsitewise:UpdateAssetModel", - "iotsitewise:UpdateAssetProperty", - "iotsitewise:UpdateDashboard", - "iotsitewise:UpdateGateway", - "iotsitewise:UpdateGatewayCapabilityConfiguration", - "iotsitewise:UpdatePortal", - "iotsitewise:UpdateProject", - "iotthingsgraph:DeleteFlowTemplate", - "iotthingsgraph:DeleteSystemInstance", - "iotthingsgraph:DeleteSystemTemplate", - "iotthingsgraph:DeploySystemInstance", - "iotthingsgraph:DeprecateFlowTemplate", - "iotthingsgraph:DeprecateSystemTemplate", - "iotthingsgraph:TagResource", - "iotthingsgraph:UndeploySystemInstance", - "iotthingsgraph:UntagResource", - "iotthingsgraph:UpdateFlowTemplate", - "iotthingsgraph:UpdateSystemTemplate", - "ivs:CreateChannel", - "ivs:CreateStreamKey", - "ivs:DeleteChannel", - "ivs:DeletePlaybackKeyPair", - "ivs:DeleteStreamKey", - "ivs:ImportPlaybackKeyPair", - "ivs:ListTagsForResource", - "ivs:PutMetadata", - "ivs:StopStream", - "ivs:TagResource", - "ivs:UntagResource", - "ivs:UpdateChannel", - "kafka:TagResource", - "kafka:UntagResource", - "kendra:BatchDeleteDocument", - "kendra:BatchPutDocument", - "kendra:CreateDataSource", - "kendra:CreateFaq", - "kendra:DeleteDataSource", - "kendra:DeleteFaq", - "kendra:DeleteIndex", - "kendra:StartDataSourceSyncJob", - "kendra:StopDataSourceSyncJob", - "kendra:SubmitFeedback", - "kendra:TagResource", - "kendra:UntagResource", - "kendra:UpdateDataSource", - 
"kendra:UpdateIndex", - "kinesis:AddTagsToStream", - "kinesis:CreateStream", - "kinesis:DecreaseStreamRetentionPeriod", - "kinesis:DeleteStream", - "kinesis:DeregisterStreamConsumer", - "kinesis:IncreaseStreamRetentionPeriod", - "kinesis:MergeShards", - "kinesis:PutRecord", - "kinesis:PutRecords", - "kinesis:RegisterStreamConsumer", - "kinesis:RemoveTagsFromStream", - "kinesis:SplitShard", - "kinesis:StartStreamEncryption", - "kinesis:StopStreamEncryption", - "kinesisanalytics:AddApplicationCloudWatchLoggingOption", - "kinesisanalytics:AddApplicationInput", - "kinesisanalytics:AddApplicationInputProcessingConfiguration", - "kinesisanalytics:AddApplicationOutput", - "kinesisanalytics:AddApplicationReferenceDataSource", - "kinesisanalytics:AddApplicationVpcConfiguration", - "kinesisanalytics:CreateApplicationSnapshot", - "kinesisanalytics:DeleteApplication", - "kinesisanalytics:DeleteApplicationCloudWatchLoggingOption", - "kinesisanalytics:DeleteApplicationInputProcessingConfiguration", - "kinesisanalytics:DeleteApplicationOutput", - "kinesisanalytics:DeleteApplicationReferenceDataSource", - "kinesisanalytics:DeleteApplicationSnapshot", - "kinesisanalytics:DeleteApplicationVpcConfiguration", - "kinesisanalytics:StartApplication", - "kinesisanalytics:StopApplication", - "kinesisanalytics:TagResource", - "kinesisanalytics:UntagResource", - "kinesisanalytics:UpdateApplication", - "kinesisvideo:ConnectAsMaster", - "kinesisvideo:ConnectAsViewer", - "kinesisvideo:CreateSignalingChannel", - "kinesisvideo:CreateStream", - "kinesisvideo:DeleteSignalingChannel", - "kinesisvideo:DeleteStream", - "kinesisvideo:PutMedia", - "kinesisvideo:SendAlexaOfferToMaster", - "kinesisvideo:TagResource", - "kinesisvideo:TagStream", - "kinesisvideo:UntagResource", - "kinesisvideo:UntagStream", - "kinesisvideo:UpdateDataRetention", - "kinesisvideo:UpdateSignalingChannel", - "kinesisvideo:UpdateStream", - "kms:CancelKeyDeletion", - "kms:CreateAlias", - "kms:CreateGrant", - "kms:Decrypt", - 
"kms:DeleteAlias", - "kms:DeleteImportedKeyMaterial", - "kms:DisableKey", - "kms:DisableKeyRotation", - "kms:EnableKey", - "kms:EnableKeyRotation", - "kms:Encrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyPair", - "kms:GenerateDataKeyPairWithoutPlaintext", - "kms:GenerateDataKeyWithoutPlaintext", - "kms:ImportKeyMaterial", - "kms:PutKeyPolicy", - "kms:ReEncryptFrom", - "kms:ReEncryptTo", - "kms:RetireGrant", - "kms:RevokeGrant", - "kms:ScheduleKeyDeletion", - "kms:Sign", - "kms:TagResource", - "kms:UntagResource", - "kms:UpdateAlias", - "kms:UpdateKeyDescription", - "kms:Verify", - "lambda:AddLayerVersionPermission", - "lambda:AddPermission", - "lambda:CreateAlias", - "lambda:CreateFunction", - "lambda:DeleteAlias", - "lambda:DeleteEventSourceMapping", - "lambda:DeleteFunction", - "lambda:DeleteFunctionConcurrency", - "lambda:DeleteFunctionEventInvokeConfig", - "lambda:DeleteLayerVersion", - "lambda:DeleteProvisionedConcurrencyConfig", - "lambda:DisableReplication", - "lambda:EnableReplication", - "lambda:InvokeAsync", - "lambda:InvokeFunction", - "lambda:PublishLayerVersion", - "lambda:PublishVersion", - "lambda:PutFunctionConcurrency", - "lambda:PutFunctionEventInvokeConfig", - "lambda:PutProvisionedConcurrencyConfig", - "lambda:RemoveLayerVersionPermission", - "lambda:RemovePermission", - "lambda:TagResource", - "lambda:UntagResource", - "lambda:UpdateAlias", - "lambda:UpdateEventSourceMapping", - "lambda:UpdateFunctionCode", - "lambda:UpdateFunctionConfiguration", - "lambda:UpdateFunctionEventInvokeConfig", - "lex:CreateBotVersion", - "lex:CreateIntentVersion", - "lex:CreateSlotTypeVersion", - "lex:DeleteBot", - "lex:DeleteBotAlias", - "lex:DeleteBotChannelAssociation", - "lex:DeleteBotVersion", - "lex:DeleteIntent", - "lex:DeleteIntentVersion", - "lex:DeleteSession", - "lex:DeleteSlotType", - "lex:DeleteSlotTypeVersion", - "lex:DeleteUtterances", - "lex:PostContent", - "lex:PostText", - "lex:PutBot", - "lex:PutBotAlias", - "lex:PutIntent", - 
"lex:PutSession", - "lex:PutSlotType", - "lex:TagResource", - "lex:UntagResource", - "license-manager:DeleteLicenseConfiguration", - "license-manager:TagResource", - "license-manager:UntagResource", - "license-manager:UpdateLicenseConfiguration", - "license-manager:UpdateLicenseSpecificationsForResource", - "lightsail:AllocateStaticIp", - "lightsail:AttachDisk", - "lightsail:AttachInstancesToLoadBalancer", - "lightsail:AttachLoadBalancerTlsCertificate", - "lightsail:AttachStaticIp", - "lightsail:CloseInstancePublicPorts", - "lightsail:CreateCloudFormationStack", - "lightsail:CreateDisk", - "lightsail:CreateDiskFromSnapshot", - "lightsail:CreateDiskSnapshot", - "lightsail:CreateDomain", - "lightsail:CreateDomainEntry", - "lightsail:CreateInstanceSnapshot", - "lightsail:CreateInstances", - "lightsail:CreateInstancesFromSnapshot", - "lightsail:CreateKeyPair", - "lightsail:CreateLoadBalancer", - "lightsail:CreateLoadBalancerTlsCertificate", - "lightsail:CreateRelationalDatabase", - "lightsail:CreateRelationalDatabaseFromSnapshot", - "lightsail:CreateRelationalDatabaseSnapshot", - "lightsail:DeleteDisk", - "lightsail:DeleteDiskSnapshot", - "lightsail:DeleteDomain", - "lightsail:DeleteDomainEntry", - "lightsail:DeleteInstance", - "lightsail:DeleteInstanceSnapshot", - "lightsail:DeleteKeyPair", - "lightsail:DeleteKnownHostKeys", - "lightsail:DeleteLoadBalancer", - "lightsail:DeleteLoadBalancerTlsCertificate", - "lightsail:DeleteRelationalDatabase", - "lightsail:DeleteRelationalDatabaseSnapshot", - "lightsail:DetachDisk", - "lightsail:DetachInstancesFromLoadBalancer", - "lightsail:DetachStaticIp", - "lightsail:DownloadDefaultKeyPair", - "lightsail:GetInstanceAccessDetails", - "lightsail:ImportKeyPair", - "lightsail:OpenInstancePublicPorts", - "lightsail:PutInstancePublicPorts", - "lightsail:RebootInstance", - "lightsail:RebootRelationalDatabase", - "lightsail:ReleaseStaticIp", - "lightsail:StartInstance", - "lightsail:StartRelationalDatabase", - "lightsail:StopInstance", - 
"lightsail:StopRelationalDatabase", - "lightsail:TagResource", - "lightsail:UntagResource", - "lightsail:UpdateDomainEntry", - "lightsail:UpdateLoadBalancerAttribute", - "lightsail:UpdateRelationalDatabase", - "logs:AssociateKmsKey", - "logs:CreateExportTask", - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:DeleteLogGroup", - "logs:DeleteLogStream", - "logs:DeleteMetricFilter", - "logs:DeleteRetentionPolicy", - "logs:DeleteSubscriptionFilter", - "logs:DisassociateKmsKey", - "logs:PutLogEvents", - "logs:PutMetricFilter", - "logs:PutRetentionPolicy", - "logs:PutSubscriptionFilter", - "logs:TagLogGroup", - "logs:UntagLogGroup", - "machinelearning:AddTags", - "machinelearning:CreateBatchPrediction", - "machinelearning:CreateDataSourceFromRDS", - "machinelearning:CreateDataSourceFromRedshift", - "machinelearning:CreateDataSourceFromS3", - "machinelearning:CreateEvaluation", - "machinelearning:CreateMLModel", - "machinelearning:CreateRealtimeEndpoint", - "machinelearning:DeleteBatchPrediction", - "machinelearning:DeleteDataSource", - "machinelearning:DeleteEvaluation", - "machinelearning:DeleteMLModel", - "machinelearning:DeleteRealtimeEndpoint", - "machinelearning:DeleteTags", - "machinelearning:Predict", - "machinelearning:UpdateBatchPrediction", - "machinelearning:UpdateDataSource", - "machinelearning:UpdateEvaluation", - "machinelearning:UpdateMLModel", - "macie2:CreateClassificationJob", - "macie2:CreateCustomDataIdentifier", - "macie2:CreateFindingsFilter", - "macie2:CreateMember", - "macie2:DeleteCustomDataIdentifier", - "macie2:DeleteFindingsFilter", - "macie2:DeleteMember", - "macie2:DisassociateMember", - "macie2:UpdateClassificationJob", - "macie2:UpdateFindingsFilter", - "managedblockchain:CreateMember", - "managedblockchain:CreateNode", - "managedblockchain:CreateProposal", - "managedblockchain:DeleteMember", - "managedblockchain:DeleteNode", - "managedblockchain:RejectInvitation", - "managedblockchain:UpdateMember", - 
"managedblockchain:UpdateNode", - "managedblockchain:VoteOnProposal", - "mediaconvert:CancelJob", - "mediaconvert:CreateJob", - "mediaconvert:CreateJobTemplate", - "mediaconvert:DeleteJobTemplate", - "mediaconvert:DeletePreset", - "mediaconvert:DeleteQueue", - "mediaconvert:TagResource", - "mediaconvert:UntagResource", - "mediaconvert:UpdateJobTemplate", - "mediaconvert:UpdatePreset", - "mediaconvert:UpdateQueue", - "medialive:BatchUpdateSchedule", - "medialive:CreateChannel", - "medialive:CreateInput", - "medialive:CreateInputSecurityGroup", - "medialive:CreateMultiplex", - "medialive:CreateTags", - "medialive:DeleteChannel", - "medialive:DeleteInput", - "medialive:DeleteInputSecurityGroup", - "medialive:DeleteMultiplex", - "medialive:DeleteReservation", - "medialive:DeleteTags", - "medialive:PurchaseOffering", - "medialive:StartChannel", - "medialive:StartMultiplex", - "medialive:StopChannel", - "medialive:StopMultiplex", - "medialive:UpdateChannel", - "medialive:UpdateChannelClass", - "medialive:UpdateInput", - "medialive:UpdateInputDevice", - "medialive:UpdateInputSecurityGroup", - "medialive:UpdateMultiplex", - "medialive:UpdateReservation", - "mediapackage-vod:DeleteAsset", - "mediapackage-vod:DeletePackagingConfiguration", - "mediapackage-vod:DeletePackagingGroup", - "mediapackage-vod:TagResource", - "mediapackage-vod:UntagResource", - "mediapackage:DeleteChannel", - "mediapackage:DeleteOriginEndpoint", - "mediapackage:RotateIngestEndpointCredentials", - "mediapackage:TagResource", - "mediapackage:UntagResource", - "mediapackage:UpdateChannel", - "mediapackage:UpdateOriginEndpoint", - "mediatailor:DeletePlaybackConfiguration", - "mediatailor:PutPlaybackConfiguration", - "mgh:AssociateCreatedArtifact", - "mgh:AssociateDiscoveredResource", - "mgh:CreateProgressUpdateStream", - "mgh:DeleteProgressUpdateStream", - "mgh:DisassociateCreatedArtifact", - "mgh:DisassociateDiscoveredResource", - "mgh:ImportMigrationTask", - "mgh:NotifyMigrationTaskState", - 
"mgh:PutResourceAttributes", - "mobilehub:DeleteProject", - "mobilehub:GenerateProjectParameters", - "mobilehub:SynchronizeProject", - "mobilehub:UpdateProject", - "mobiletargeting:CreateCampaign", - "mobiletargeting:CreateExportJob", - "mobiletargeting:CreateImportJob", - "mobiletargeting:CreateJourney", - "mobiletargeting:CreateSegment", - "mobiletargeting:DeleteAdmChannel", - "mobiletargeting:DeleteApnsChannel", - "mobiletargeting:DeleteApnsSandboxChannel", - "mobiletargeting:DeleteApnsVoipChannel", - "mobiletargeting:DeleteApnsVoipSandboxChannel", - "mobiletargeting:DeleteApp", - "mobiletargeting:DeleteBaiduChannel", - "mobiletargeting:DeleteCampaign", - "mobiletargeting:DeleteEmailChannel", - "mobiletargeting:DeleteEmailTemplate", - "mobiletargeting:DeleteEndpoint", - "mobiletargeting:DeleteEventStream", - "mobiletargeting:DeleteGcmChannel", - "mobiletargeting:DeleteJourney", - "mobiletargeting:DeletePushTemplate", - "mobiletargeting:DeleteRecommenderConfiguration", - "mobiletargeting:DeleteSegment", - "mobiletargeting:DeleteSmsChannel", - "mobiletargeting:DeleteSmsTemplate", - "mobiletargeting:DeleteUserEndpoints", - "mobiletargeting:DeleteVoiceChannel", - "mobiletargeting:DeleteVoiceTemplate", - "mobiletargeting:PutEventStream", - "mobiletargeting:PutEvents", - "mobiletargeting:RemoveAttributes", - "mobiletargeting:SendMessages", - "mobiletargeting:SendUsersMessages", - "mobiletargeting:TagResource", - "mobiletargeting:UntagResource", - "mobiletargeting:UpdateAdmChannel", - "mobiletargeting:UpdateApnsChannel", - "mobiletargeting:UpdateApnsSandboxChannel", - "mobiletargeting:UpdateApnsVoipChannel", - "mobiletargeting:UpdateApnsVoipSandboxChannel", - "mobiletargeting:UpdateApplicationSettings", - "mobiletargeting:UpdateBaiduChannel", - "mobiletargeting:UpdateCampaign", - "mobiletargeting:UpdateEmailChannel", - "mobiletargeting:UpdateEmailTemplate", - "mobiletargeting:UpdateEndpoint", - "mobiletargeting:UpdateEndpointsBatch", - 
"mobiletargeting:UpdateGcmChannel", - "mobiletargeting:UpdateJourney", - "mobiletargeting:UpdateJourneyState", - "mobiletargeting:UpdatePushTemplate", - "mobiletargeting:UpdateRecommenderConfiguration", - "mobiletargeting:UpdateSegment", - "mobiletargeting:UpdateSmsChannel", - "mobiletargeting:UpdateSmsTemplate", - "mobiletargeting:UpdateTemplateActiveVersion", - "mobiletargeting:UpdateVoiceChannel", - "mobiletargeting:UpdateVoiceTemplate", - "mq:CreateTags", - "mq:CreateUser", - "mq:DeleteBroker", - "mq:DeleteTags", - "mq:DeleteUser", - "mq:RebootBroker", - "mq:UpdateBroker", - "mq:UpdateConfiguration", - "mq:UpdateUser", - "neptune-db:connect", - "networkmanager:AssociateCustomerGateway", - "networkmanager:AssociateLink", - "networkmanager:CreateDevice", - "networkmanager:CreateLink", - "networkmanager:CreateSite", - "networkmanager:DeleteDevice", - "networkmanager:DeleteGlobalNetwork", - "networkmanager:DeleteLink", - "networkmanager:DeleteSite", - "networkmanager:DeregisterTransitGateway", - "networkmanager:DisassociateCustomerGateway", - "networkmanager:DisassociateLink", - "networkmanager:RegisterTransitGateway", - "networkmanager:TagResource", - "networkmanager:UntagResource", - "networkmanager:UpdateDevice", - "networkmanager:UpdateGlobalNetwork", - "networkmanager:UpdateLink", - "networkmanager:UpdateSite", - "opsworks:AssignInstance", - "opsworks:AssignVolume", - "opsworks:AssociateElasticIp", - "opsworks:AttachElasticLoadBalancer", - "opsworks:CloneStack", - "opsworks:CreateApp", - "opsworks:CreateDeployment", - "opsworks:CreateInstance", - "opsworks:CreateLayer", - "opsworks:DeleteApp", - "opsworks:DeleteInstance", - "opsworks:DeleteLayer", - "opsworks:DeleteStack", - "opsworks:DeregisterEcsCluster", - "opsworks:DeregisterElasticIp", - "opsworks:DeregisterInstance", - "opsworks:DeregisterRdsDbInstance", - "opsworks:DeregisterVolume", - "opsworks:DetachElasticLoadBalancer", - "opsworks:DisassociateElasticIp", - "opsworks:GrantAccess", - 
"opsworks:RebootInstance", - "opsworks:RegisterEcsCluster", - "opsworks:RegisterElasticIp", - "opsworks:RegisterInstance", - "opsworks:RegisterRdsDbInstance", - "opsworks:RegisterVolume", - "opsworks:SetLoadBasedAutoScaling", - "opsworks:SetPermission", - "opsworks:SetTimeBasedAutoScaling", - "opsworks:StartInstance", - "opsworks:StartStack", - "opsworks:StopInstance", - "opsworks:StopStack", - "opsworks:TagResource", - "opsworks:UnassignInstance", - "opsworks:UnassignVolume", - "opsworks:UntagResource", - "opsworks:UpdateApp", - "opsworks:UpdateElasticIp", - "opsworks:UpdateInstance", - "opsworks:UpdateLayer", - "opsworks:UpdateRdsDbInstance", - "opsworks:UpdateStack", - "opsworks:UpdateVolume", - "personalize:CreateBatchInferenceJob", - "personalize:CreateCampaign", - "personalize:CreateDataset", - "personalize:CreateDatasetGroup", - "personalize:CreateDatasetImportJob", - "personalize:CreateEventTracker", - "personalize:CreateFilter", - "personalize:CreateSchema", - "personalize:CreateSolution", - "personalize:CreateSolutionVersion", - "personalize:DeleteCampaign", - "personalize:DeleteDataset", - "personalize:DeleteDatasetGroup", - "personalize:DeleteEventTracker", - "personalize:DeleteFilter", - "personalize:DeleteSchema", - "personalize:DeleteSolution", - "personalize:GetPersonalizedRanking", - "personalize:PutEvents", - "personalize:UpdateCampaign", - "polly:DeleteLexicon", - "polly:StartSpeechSynthesisTask", - "qldb:CancelJournalKinesisStream", - "qldb:CreateLedger", - "qldb:DeleteLedger", - "qldb:ExecuteStatement", - "qldb:ExportJournalToS3", - "qldb:InsertSampleData", - "qldb:SendCommand", - "qldb:ShowCatalog", - "qldb:StreamJournalToKinesis", - "qldb:TagResource", - "qldb:UntagResource", - "qldb:UpdateLedger", - "quicksight:CreateAdmin", - "quicksight:CreateDashboard", - "quicksight:CreateGroup", - "quicksight:CreateGroupMembership", - "quicksight:CreateIAMPolicyAssignment", - "quicksight:CreateReader", - "quicksight:CreateTemplate", - 
"quicksight:CreateTemplateAlias", - "quicksight:CreateTheme", - "quicksight:CreateThemeAlias", - "quicksight:CreateUser", - "quicksight:DeleteDashboard", - "quicksight:DeleteGroup", - "quicksight:DeleteGroupMembership", - "quicksight:DeleteIAMPolicyAssignment", - "quicksight:DeleteTemplate", - "quicksight:DeleteTemplateAlias", - "quicksight:DeleteTheme", - "quicksight:DeleteThemeAlias", - "quicksight:DeleteUser", - "quicksight:DeleteUserByPrincipalId", - "quicksight:RegisterUser", - "quicksight:TagResource", - "quicksight:UntagResource", - "quicksight:UpdateDashboard", - "quicksight:UpdateDashboardPermissions", - "quicksight:UpdateDashboardPublishedVersion", - "quicksight:UpdateGroup", - "quicksight:UpdateIAMPolicyAssignment", - "quicksight:UpdateTemplate", - "quicksight:UpdateTemplateAlias", - "quicksight:UpdateTemplatePermissions", - "quicksight:UpdateTheme", - "quicksight:UpdateThemeAlias", - "quicksight:UpdateThemePermissions", - "quicksight:UpdateUser", - "ram:AcceptResourceShareInvitation", - "ram:AssociateResourceShare", - "ram:AssociateResourceSharePermission", - "ram:DeleteResourceShare", - "ram:DisassociateResourceShare", - "ram:DisassociateResourceSharePermission", - "ram:RejectResourceShareInvitation", - "ram:TagResource", - "ram:UntagResource", - "ram:UpdateResourceShare", - "rds-db:connect", - "rds:AddRoleToDBCluster", - "rds:AddRoleToDBInstance", - "rds:AddSourceIdentifierToSubscription", - "rds:AddTagsToResource", - "rds:ApplyPendingMaintenanceAction", - "rds:AuthorizeDBSecurityGroupIngress", - "rds:BacktrackDBCluster", - "rds:CopyDBClusterParameterGroup", - "rds:CopyDBClusterSnapshot", - "rds:CopyDBParameterGroup", - "rds:CopyDBSnapshot", - "rds:CopyOptionGroup", - "rds:CreateDBCluster", - "rds:CreateDBClusterEndpoint", - "rds:CreateDBClusterParameterGroup", - "rds:CreateDBClusterSnapshot", - "rds:CreateDBInstance", - "rds:CreateDBInstanceReadReplica", - "rds:CreateDBParameterGroup", - "rds:CreateDBSecurityGroup", - "rds:CreateDBSnapshot", - 
"rds:CreateDBSubnetGroup", - "rds:CreateEventSubscription", - "rds:CreateGlobalCluster", - "rds:CreateOptionGroup", - "rds:DeleteDBCluster", - "rds:DeleteDBClusterEndpoint", - "rds:DeleteDBClusterParameterGroup", - "rds:DeleteDBClusterSnapshot", - "rds:DeleteDBInstance", - "rds:DeleteDBParameterGroup", - "rds:DeleteDBProxy", - "rds:DeleteDBSecurityGroup", - "rds:DeleteDBSnapshot", - "rds:DeleteDBSubnetGroup", - "rds:DeleteEventSubscription", - "rds:DeleteGlobalCluster", - "rds:DeleteOptionGroup", - "rds:DeregisterDBProxyTargets", - "rds:FailoverDBCluster", - "rds:ModifyCurrentDBClusterCapacity", - "rds:ModifyDBCluster", - "rds:ModifyDBClusterEndpoint", - "rds:ModifyDBClusterParameterGroup", - "rds:ModifyDBClusterSnapshotAttribute", - "rds:ModifyDBInstance", - "rds:ModifyDBParameterGroup", - "rds:ModifyDBProxy", - "rds:ModifyDBProxyTargetGroup", - "rds:ModifyDBSnapshot", - "rds:ModifyDBSnapshotAttribute", - "rds:ModifyDBSubnetGroup", - "rds:ModifyEventSubscription", - "rds:ModifyGlobalCluster", - "rds:ModifyOptionGroup", - "rds:PromoteReadReplica", - "rds:PromoteReadReplicaDBCluster", - "rds:PurchaseReservedDBInstancesOffering", - "rds:RebootDBInstance", - "rds:RegisterDBProxyTargets", - "rds:RemoveFromGlobalCluster", - "rds:RemoveRoleFromDBCluster", - "rds:RemoveRoleFromDBInstance", - "rds:RemoveSourceIdentifierFromSubscription", - "rds:RemoveTagsFromResource", - "rds:ResetDBClusterParameterGroup", - "rds:ResetDBParameterGroup", - "rds:RestoreDBClusterFromS3", - "rds:RestoreDBClusterFromSnapshot", - "rds:RestoreDBClusterToPointInTime", - "rds:RestoreDBInstanceFromDBSnapshot", - "rds:RestoreDBInstanceFromS3", - "rds:RestoreDBInstanceToPointInTime", - "rds:RevokeDBSecurityGroupIngress", - "rds:StartActivityStream", - "rds:StartDBCluster", - "rds:StartDBInstance", - "rds:StopActivityStream", - "rds:StopDBCluster", - "rds:StopDBInstance", - "redshift:AuthorizeClusterSecurityGroupIngress", - "redshift:AuthorizeSnapshotAccess", - "redshift:BatchDeleteClusterSnapshots", - 
"redshift:BatchModifyClusterSnapshots", - "redshift:CancelResize", - "redshift:CopyClusterSnapshot", - "redshift:CreateCluster", - "redshift:CreateClusterParameterGroup", - "redshift:CreateClusterSecurityGroup", - "redshift:CreateClusterSnapshot", - "redshift:CreateClusterSubnetGroup", - "redshift:CreateClusterUser", - "redshift:CreateEventSubscription", - "redshift:CreateHsmClientCertificate", - "redshift:CreateHsmConfiguration", - "redshift:CreateSnapshotCopyGrant", - "redshift:CreateSnapshotSchedule", - "redshift:CreateTags", - "redshift:DeleteCluster", - "redshift:DeleteClusterParameterGroup", - "redshift:DeleteClusterSecurityGroup", - "redshift:DeleteClusterSnapshot", - "redshift:DeleteClusterSubnetGroup", - "redshift:DeleteEventSubscription", - "redshift:DeleteHsmClientCertificate", - "redshift:DeleteHsmConfiguration", - "redshift:DeleteSnapshotCopyGrant", - "redshift:DeleteSnapshotSchedule", - "redshift:DeleteTags", - "redshift:DisableLogging", - "redshift:DisableSnapshotCopy", - "redshift:EnableLogging", - "redshift:EnableSnapshotCopy", - "redshift:GetClusterCredentials", - "redshift:JoinGroup", - "redshift:ModifyCluster", - "redshift:ModifyClusterDbRevision", - "redshift:ModifyClusterIamRoles", - "redshift:ModifyClusterParameterGroup", - "redshift:ModifyClusterSnapshot", - "redshift:ModifyClusterSnapshotSchedule", - "redshift:ModifyClusterSubnetGroup", - "redshift:ModifyEventSubscription", - "redshift:ModifySnapshotCopyRetentionPeriod", - "redshift:ModifySnapshotSchedule", - "redshift:PauseCluster", - "redshift:RebootCluster", - "redshift:ResetClusterParameterGroup", - "redshift:ResizeCluster", - "redshift:RestoreFromClusterSnapshot", - "redshift:RestoreTableFromClusterSnapshot", - "redshift:ResumeCluster", - "redshift:RevokeClusterSecurityGroupIngress", - "redshift:RevokeSnapshotAccess", - "redshift:RotateEncryptionKey", - "rekognition:CreateCollection", - "rekognition:CreateProject", - "rekognition:CreateProjectVersion", - 
"rekognition:CreateStreamProcessor", - "rekognition:DeleteCollection", - "rekognition:DeleteFaces", - "rekognition:DeleteProject", - "rekognition:DeleteProjectVersion", - "rekognition:DeleteStreamProcessor", - "rekognition:IndexFaces", - "rekognition:StartFaceSearch", - "rekognition:StartProjectVersion", - "rekognition:StartStreamProcessor", - "rekognition:StopProjectVersion", - "rekognition:StopStreamProcessor", - "resource-groups:DeleteGroup", - "resource-groups:Tag", - "resource-groups:Untag", - "resource-groups:UpdateGroup", - "resource-groups:UpdateGroupQuery", - "robomaker:CancelDeploymentJob", - "robomaker:CancelSimulationJob", - "robomaker:CancelSimulationJobBatch", - "robomaker:CreateRobotApplicationVersion", - "robomaker:CreateSimulationApplicationVersion", - "robomaker:DeleteFleet", - "robomaker:DeleteRobot", - "robomaker:DeleteRobotApplication", - "robomaker:DeleteSimulationApplication", - "robomaker:DeregisterRobot", - "robomaker:RegisterRobot", - "robomaker:RestartSimulationJob", - "robomaker:SyncDeploymentJob", - "robomaker:TagResource", - "robomaker:UntagResource", - "robomaker:UpdateRobotApplication", - "robomaker:UpdateSimulationApplication", - "route53:AssociateVPCWithHostedZone", - "route53:ChangeResourceRecordSets", - "route53:ChangeTagsForResource", - "route53:CreateQueryLoggingConfig", - "route53:CreateTrafficPolicyInstance", - "route53:CreateTrafficPolicyVersion", - "route53:CreateVPCAssociationAuthorization", - "route53:DeleteHealthCheck", - "route53:DeleteHostedZone", - "route53:DeleteQueryLoggingConfig", - "route53:DeleteReusableDelegationSet", - "route53:DeleteTrafficPolicy", - "route53:DeleteTrafficPolicyInstance", - "route53:DeleteVPCAssociationAuthorization", - "route53:UpdateHealthCheck", - "route53:UpdateHostedZoneComment", - "route53:UpdateTrafficPolicyComment", - "route53:UpdateTrafficPolicyInstance", - "route53resolver:AssociateResolverEndpointIpAddress", - "route53resolver:AssociateResolverQueryLogConfig", - 
"route53resolver:AssociateResolverRule", - "route53resolver:CreateResolverEndpoint", - "route53resolver:CreateResolverQueryLogConfig", - "route53resolver:CreateResolverRule", - "route53resolver:DeleteResolverEndpoint", - "route53resolver:DeleteResolverQueryLogConfig", - "route53resolver:DeleteResolverRule", - "route53resolver:DisassociateResolverEndpointIpAddress", - "route53resolver:DisassociateResolverQueryLogConfig", - "route53resolver:DisassociateResolverRule", - "route53resolver:PutResolverQueryLogConfigPolicy", - "route53resolver:PutResolverRulePolicy", - "route53resolver:TagResource", - "route53resolver:UntagResource", - "route53resolver:UpdateResolverEndpoint", - "route53resolver:UpdateResolverRule", - "s3:AbortMultipartUpload", - "s3:BypassGovernanceRetention", - "s3:CreateAccessPoint", - "s3:CreateBucket", - "s3:DeleteAccessPoint", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteBucketWebsite", - "s3:DeleteJobTagging", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetObject", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccelerateConfiguration", - "s3:PutAccessPointPolicy", - "s3:PutAnalyticsConfiguration", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketLogging", - "s3:PutBucketNotification", - "s3:PutBucketObjectLockConfiguration", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutBucketRequestPayment", - "s3:PutBucketTagging", - "s3:PutBucketVersioning", - "s3:PutBucketWebsite", - "s3:PutEncryptionConfiguration", - "s3:PutInventoryConfiguration", - "s3:PutJobTagging", - "s3:PutLifecycleConfiguration", - "s3:PutMetricsConfiguration", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionAcl", - "s3:PutObjectVersionTagging", - "s3:PutReplicationConfiguration", - "s3:ReplicateDelete", - "s3:ReplicateObject", - 
"s3:ReplicateTags", - "s3:RestoreObject", - "s3:UpdateJobPriority", - "s3:UpdateJobStatus", - "sagemaker:AddTags", - "sagemaker:AssociateTrialComponent", - "sagemaker:BatchPutMetrics", - "sagemaker:CreateAlgorithm", - "sagemaker:CreateApp", - "sagemaker:CreateAutoMLJob", - "sagemaker:CreateCodeRepository", - "sagemaker:CreateCompilationJob", - "sagemaker:CreateDomain", - "sagemaker:CreateEndpoint", - "sagemaker:CreateEndpointConfig", - "sagemaker:CreateExperiment", - "sagemaker:CreateFlowDefinition", - "sagemaker:CreateHumanTaskUi", - "sagemaker:CreateHyperParameterTuningJob", - "sagemaker:CreateLabelingJob", - "sagemaker:CreateModel", - "sagemaker:CreateModelPackage", - "sagemaker:CreateMonitoringSchedule", - "sagemaker:CreateNotebookInstance", - "sagemaker:CreateNotebookInstanceLifecycleConfig", - "sagemaker:CreatePresignedDomainUrl", - "sagemaker:CreatePresignedNotebookInstanceUrl", - "sagemaker:CreateProcessingJob", - "sagemaker:CreateTrainingJob", - "sagemaker:CreateTransformJob", - "sagemaker:CreateTrial", - "sagemaker:CreateTrialComponent", - "sagemaker:CreateUserProfile", - "sagemaker:CreateWorkforce", - "sagemaker:CreateWorkteam", - "sagemaker:DeleteAlgorithm", - "sagemaker:DeleteApp", - "sagemaker:DeleteCodeRepository", - "sagemaker:DeleteDomain", - "sagemaker:DeleteEndpoint", - "sagemaker:DeleteEndpointConfig", - "sagemaker:DeleteExperiment", - "sagemaker:DeleteFlowDefinition", - "sagemaker:DeleteHumanLoop", - "sagemaker:DeleteModel", - "sagemaker:DeleteModelPackage", - "sagemaker:DeleteMonitoringSchedule", - "sagemaker:DeleteNotebookInstance", - "sagemaker:DeleteNotebookInstanceLifecycleConfig", - "sagemaker:DeleteTags", - "sagemaker:DeleteTrial", - "sagemaker:DeleteTrialComponent", - "sagemaker:DeleteUserProfile", - "sagemaker:DeleteWorkforce", - "sagemaker:DeleteWorkteam", - "sagemaker:DisassociateTrialComponent", - "sagemaker:StartHumanLoop", - "sagemaker:StartMonitoringSchedule", - "sagemaker:StartNotebookInstance", - "sagemaker:StopAutoMLJob", - 
"sagemaker:StopCompilationJob", - "sagemaker:StopHumanLoop", - "sagemaker:StopHyperParameterTuningJob", - "sagemaker:StopLabelingJob", - "sagemaker:StopMonitoringSchedule", - "sagemaker:StopNotebookInstance", - "sagemaker:StopProcessingJob", - "sagemaker:StopTrainingJob", - "sagemaker:StopTransformJob", - "sagemaker:UpdateCodeRepository", - "sagemaker:UpdateDomain", - "sagemaker:UpdateEndpoint", - "sagemaker:UpdateEndpointWeightsAndCapacities", - "sagemaker:UpdateExperiment", - "sagemaker:UpdateMonitoringSchedule", - "sagemaker:UpdateNotebookInstance", - "sagemaker:UpdateNotebookInstanceLifecycleConfig", - "sagemaker:UpdateTrial", - "sagemaker:UpdateTrialComponent", - "sagemaker:UpdateUserProfile", - "sagemaker:UpdateWorkforce", - "sagemaker:UpdateWorkteam", - "savingsplans:DeleteQueuedSavingsPlan", - "savingsplans:TagResource", - "savingsplans:UntagResource", - "schemas:CreateDiscoverer", - "schemas:CreateRegistry", - "schemas:CreateSchema", - "schemas:DeleteDiscoverer", - "schemas:DeleteRegistry", - "schemas:DeleteResourcePolicy", - "schemas:DeleteSchema", - "schemas:DeleteSchemaVersion", - "schemas:PutCodeBinding", - "schemas:PutResourcePolicy", - "schemas:StartDiscoverer", - "schemas:StopDiscoverer", - "schemas:TagResource", - "schemas:UntagResource", - "schemas:UpdateDiscoverer", - "schemas:UpdateRegistry", - "schemas:UpdateSchema", - "sdb:BatchDeleteAttributes", - "sdb:BatchPutAttributes", - "sdb:CreateDomain", - "sdb:DeleteAttributes", - "sdb:DeleteDomain", - "sdb:PutAttributes", - "secretsmanager:CancelRotateSecret", - "secretsmanager:CreateSecret", - "secretsmanager:DeleteResourcePolicy", - "secretsmanager:DeleteSecret", - "secretsmanager:GetSecretValue", - "secretsmanager:PutResourcePolicy", - "secretsmanager:PutSecretValue", - "secretsmanager:RestoreSecret", - "secretsmanager:RotateSecret", - "secretsmanager:TagResource", - "secretsmanager:UntagResource", - "secretsmanager:UpdateSecret", - "secretsmanager:UpdateSecretVersionStage", - 
"secretsmanager:ValidateResourcePolicy", - "securityhub:AcceptInvitation", - "securityhub:BatchDisableStandards", - "securityhub:BatchEnableStandards", - "securityhub:BatchImportFindings", - "securityhub:BatchUpdateFindings", - "securityhub:CreateActionTarget", - "securityhub:CreateInsight", - "securityhub:CreateMembers", - "securityhub:DeclineInvitations", - "securityhub:DeleteActionTarget", - "securityhub:DeleteInsight", - "securityhub:DeleteInvitations", - "securityhub:DeleteMembers", - "securityhub:DisableImportFindingsForProduct", - "securityhub:DisableSecurityHub", - "securityhub:DisassociateFromMasterAccount", - "securityhub:DisassociateMembers", - "securityhub:EnableImportFindingsForProduct", - "securityhub:EnableSecurityHub", - "securityhub:InviteMembers", - "securityhub:TagResource", - "securityhub:UntagResource", - "securityhub:UpdateActionTarget", - "securityhub:UpdateFindings", - "securityhub:UpdateInsight", - "securityhub:UpdateSecurityHubConfiguration", - "securityhub:UpdateStandardsControl", - "serverlessrepo:CreateApplicationVersion", - "serverlessrepo:CreateCloudFormationChangeSet", - "serverlessrepo:CreateCloudFormationTemplate", - "serverlessrepo:DeleteApplication", - "serverlessrepo:PutApplicationPolicy", - "serverlessrepo:UnshareApplication", - "serverlessrepo:UpdateApplication", - "servicecatalog:AcceptPortfolioShare", - "servicecatalog:AssociatePrincipalWithPortfolio", - "servicecatalog:AssociateServiceActionWithProvisioningArtifact", - "servicecatalog:AssociateTagOptionWithResource", - "servicecatalog:CreateConstraint", - "servicecatalog:CreatePortfolio", - "servicecatalog:CreatePortfolioShare", - "servicecatalog:CreateProduct", - "servicecatalog:CreateProvisioningArtifact", - "servicecatalog:DeletePortfolio", - "servicecatalog:DeletePortfolioShare", - "servicecatalog:DeleteProduct", - "servicecatalog:DeleteProvisioningArtifact", - "servicecatalog:DisassociatePrincipalFromPortfolio", - 
"servicecatalog:DisassociateServiceActionFromProvisioningArtifact", - "servicecatalog:DisassociateTagOptionFromResource", - "servicecatalog:ProvisionProduct", - "servicecatalog:RejectPortfolioShare", - "servicecatalog:UpdatePortfolio", - "servicecatalog:UpdateProduct", - "servicecatalog:UpdateProvisioningArtifact", - "servicediscovery:CreateService", - "servicediscovery:DeleteNamespace", - "servicediscovery:DeleteService", - "servicediscovery:DeregisterInstance", - "servicediscovery:RegisterInstance", - "servicediscovery:UpdateService", - "servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate", - "servicequotas:RequestServiceQuotaIncrease", - "ses:SendBulkTemplatedEmail", - "ses:SendCustomVerificationEmail", - "ses:SendEmail", - "ses:SendRawEmail", - "ses:SendTemplatedEmail", - "shield:CreateProtection", - "shield:DeleteProtection", - "signer:CancelSigningProfile", - "signer:StartSigningJob", - "signer:TagResource", - "signer:UntagResource", - "sns:AddPermission", - "sns:ConfirmSubscription", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:Publish", - "sns:RemovePermission", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:TagResource", - "sns:UntagResource", - "sqs:AddPermission", - "sqs:ChangeMessageVisibility", - "sqs:ChangeMessageVisibilityBatch", - "sqs:CreateQueue", - "sqs:DeleteMessage", - "sqs:DeleteMessageBatch", - "sqs:DeleteQueue", - "sqs:PurgeQueue", - "sqs:RemovePermission", - "sqs:SendMessage", - "sqs:SendMessageBatch", - "sqs:SetQueueAttributes", - "sqs:TagQueue", - "sqs:UntagQueue", - "ssm:AddTagsToResource", - "ssm:CreateAssociation", - "ssm:CreateAssociationBatch", - "ssm:CreateDocument", - "ssm:CreateResourceDataSync", - "ssm:DeleteAssociation", - "ssm:DeleteDocument", - "ssm:DeleteMaintenanceWindow", - "ssm:DeleteParameter", - "ssm:DeleteParameters", - "ssm:DeletePatchBaseline", - "ssm:DeleteResourceDataSync", - "ssm:DeregisterManagedInstance", - "ssm:DeregisterPatchBaselineForPatchGroup", - "ssm:DeregisterTargetFromMaintenanceWindow", 
- "ssm:DeregisterTaskFromMaintenanceWindow", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath", - "ssm:LabelParameterVersion", - "ssm:ModifyDocumentPermission", - "ssm:PutComplianceItems", - "ssm:PutParameter", - "ssm:RegisterDefaultPatchBaseline", - "ssm:RegisterPatchBaselineForPatchGroup", - "ssm:RegisterTargetWithMaintenanceWindow", - "ssm:RegisterTaskWithMaintenanceWindow", - "ssm:RemoveTagsFromResource", - "ssm:ResetServiceSetting", - "ssm:ResumeSession", - "ssm:SendCommand", - "ssm:StartAssociationsOnce", - "ssm:StartAutomationExecution", - "ssm:StartSession", - "ssm:TerminateSession", - "ssm:UpdateAssociation", - "ssm:UpdateAssociationStatus", - "ssm:UpdateDocument", - "ssm:UpdateDocumentDefaultVersion", - "ssm:UpdateInstanceAssociationStatus", - "ssm:UpdateMaintenanceWindow", - "ssm:UpdateMaintenanceWindowTarget", - "ssm:UpdateMaintenanceWindowTask", - "ssm:UpdateManagedInstanceRole", - "ssm:UpdatePatchBaseline", - "ssm:UpdateResourceDataSync", - "ssm:UpdateServiceSetting", - "sso:AttachManagedPolicyToPermissionSet", - "sso:CreateAccountAssignment", - "sso:CreatePermissionSet", - "sso:DeleteAccountAssignment", - "sso:DeleteInlinePolicyFromPermissionSet", - "sso:DeletePermissionSet", - "sso:DetachManagedPolicyFromPermissionSet", - "sso:ProvisionPermissionSet", - "sso:PutInlinePolicyToPermissionSet", - "sso:TagResource", - "sso:UntagResource", - "sso:UpdatePermissionSet", - "states:CreateActivity", - "states:CreateStateMachine", - "states:DeleteActivity", - "states:DeleteStateMachine", - "states:GetActivityTask", - "states:StartExecution", - "states:StopExecution", - "states:TagResource", - "states:UntagResource", - "states:UpdateStateMachine", - "storagegateway:AddCache", - "storagegateway:AddTagsToResource", - "storagegateway:AddUploadBuffer", - "storagegateway:AddWorkingStorage", - "storagegateway:AttachVolume", - "storagegateway:CancelArchival", - "storagegateway:CancelRetrieval", - "storagegateway:CreateCachediSCSIVolume", - 
"storagegateway:CreateNFSFileShare", - "storagegateway:CreateSMBFileShare", - "storagegateway:CreateSnapshot", - "storagegateway:CreateSnapshotFromVolumeRecoveryPoint", - "storagegateway:CreateStorediSCSIVolume", - "storagegateway:CreateTapeWithBarcode", - "storagegateway:CreateTapes", - "storagegateway:DeleteBandwidthRateLimit", - "storagegateway:DeleteChapCredentials", - "storagegateway:DeleteFileShare", - "storagegateway:DeleteGateway", - "storagegateway:DeleteSnapshotSchedule", - "storagegateway:DeleteTape", - "storagegateway:DeleteVolume", - "storagegateway:DetachVolume", - "storagegateway:DisableGateway", - "storagegateway:JoinDomain", - "storagegateway:NotifyWhenUploaded", - "storagegateway:RefreshCache", - "storagegateway:RemoveTagsFromResource", - "storagegateway:ResetCache", - "storagegateway:RetrieveTapeArchive", - "storagegateway:RetrieveTapeRecoveryPoint", - "storagegateway:SetLocalConsolePassword", - "storagegateway:SetSMBGuestPassword", - "storagegateway:ShutdownGateway", - "storagegateway:StartGateway", - "storagegateway:UpdateBandwidthRateLimit", - "storagegateway:UpdateChapCredentials", - "storagegateway:UpdateGatewayInformation", - "storagegateway:UpdateGatewaySoftwareNow", - "storagegateway:UpdateMaintenanceStartTime", - "storagegateway:UpdateNFSFileShare", - "storagegateway:UpdateSMBFileShare", - "storagegateway:UpdateSnapshotSchedule", - "storagegateway:UpdateVTLDeviceType", - "sts:AssumeRole", - "sts:AssumeRoleWithSAML", - "sts:AssumeRoleWithWebIdentity", - "sts:TagSession", - "swf:CancelTimer", - "swf:CancelWorkflowExecution", - "swf:CompleteWorkflowExecution", - "swf:ContinueAsNewWorkflowExecution", - "swf:DeprecateActivityType", - "swf:DeprecateDomain", - "swf:DeprecateWorkflowType", - "swf:FailWorkflowExecution", - "swf:PollForActivityTask", - "swf:PollForDecisionTask", - "swf:RecordActivityTaskHeartbeat", - "swf:RecordMarker", - "swf:RegisterActivityType", - "swf:RegisterWorkflowType", - "swf:RequestCancelActivityTask", - 
"swf:RequestCancelExternalWorkflowExecution", - "swf:RequestCancelWorkflowExecution", - "swf:RespondActivityTaskCanceled", - "swf:RespondActivityTaskCompleted", - "swf:RespondActivityTaskFailed", - "swf:RespondDecisionTaskCompleted", - "swf:ScheduleActivityTask", - "swf:SignalExternalWorkflowExecution", - "swf:SignalWorkflowExecution", - "swf:StartChildWorkflowExecution", - "swf:StartTimer", - "swf:StartWorkflowExecution", - "swf:TagResource", - "swf:TerminateWorkflowExecution", - "swf:UntagResource", - "synthetics:DeleteCanary", - "synthetics:StartCanary", - "synthetics:StopCanary", - "synthetics:TagResource", - "synthetics:UntagResource", - "synthetics:UpdateCanary", - "transfer:CreateUser", - "transfer:DeleteServer", - "transfer:DeleteSshPublicKey", - "transfer:DeleteUser", - "transfer:ImportSshPublicKey", - "transfer:StartServer", - "transfer:StopServer", - "transfer:TagResource", - "transfer:UntagResource", - "transfer:UpdateServer", - "transfer:UpdateUser", - "trustedadvisor:ExcludeCheckItems", - "trustedadvisor:IncludeCheckItems", - "trustedadvisor:RefreshCheck", - "waf-regional:AssociateWebACL", - "waf-regional:CreateByteMatchSet", - "waf-regional:CreateGeoMatchSet", - "waf-regional:CreateIPSet", - "waf-regional:CreateRateBasedRule", - "waf-regional:CreateRegexMatchSet", - "waf-regional:CreateRegexPatternSet", - "waf-regional:CreateRule", - "waf-regional:CreateRuleGroup", - "waf-regional:CreateSizeConstraintSet", - "waf-regional:CreateSqlInjectionMatchSet", - "waf-regional:CreateWebACL", - "waf-regional:CreateWebACLMigrationStack", - "waf-regional:CreateXssMatchSet", - "waf-regional:DeleteByteMatchSet", - "waf-regional:DeleteGeoMatchSet", - "waf-regional:DeleteIPSet", - "waf-regional:DeleteLoggingConfiguration", - "waf-regional:DeletePermissionPolicy", - "waf-regional:DeleteRateBasedRule", - "waf-regional:DeleteRegexMatchSet", - "waf-regional:DeleteRegexPatternSet", - "waf-regional:DeleteRule", - "waf-regional:DeleteRuleGroup", - 
"waf-regional:DeleteSizeConstraintSet", - "waf-regional:DeleteSqlInjectionMatchSet", - "waf-regional:DeleteWebACL", - "waf-regional:DeleteXssMatchSet", - "waf-regional:DisassociateWebACL", - "waf-regional:PutLoggingConfiguration", - "waf-regional:PutPermissionPolicy", - "waf-regional:TagResource", - "waf-regional:UntagResource", - "waf-regional:UpdateByteMatchSet", - "waf-regional:UpdateGeoMatchSet", - "waf-regional:UpdateIPSet", - "waf-regional:UpdateRateBasedRule", - "waf-regional:UpdateRegexMatchSet", - "waf-regional:UpdateRegexPatternSet", - "waf-regional:UpdateRule", - "waf-regional:UpdateRuleGroup", - "waf-regional:UpdateSizeConstraintSet", - "waf-regional:UpdateSqlInjectionMatchSet", - "waf-regional:UpdateWebACL", - "waf-regional:UpdateXssMatchSet", - "waf:CreateByteMatchSet", - "waf:CreateGeoMatchSet", - "waf:CreateIPSet", - "waf:CreateRateBasedRule", - "waf:CreateRegexMatchSet", - "waf:CreateRegexPatternSet", - "waf:CreateRule", - "waf:CreateRuleGroup", - "waf:CreateSizeConstraintSet", - "waf:CreateSqlInjectionMatchSet", - "waf:CreateWebACL", - "waf:CreateWebACLMigrationStack", - "waf:CreateXssMatchSet", - "waf:DeleteByteMatchSet", - "waf:DeleteGeoMatchSet", - "waf:DeleteIPSet", - "waf:DeleteLoggingConfiguration", - "waf:DeletePermissionPolicy", - "waf:DeleteRateBasedRule", - "waf:DeleteRegexMatchSet", - "waf:DeleteRegexPatternSet", - "waf:DeleteRule", - "waf:DeleteRuleGroup", - "waf:DeleteSizeConstraintSet", - "waf:DeleteSqlInjectionMatchSet", - "waf:DeleteWebACL", - "waf:DeleteXssMatchSet", - "waf:PutLoggingConfiguration", - "waf:PutPermissionPolicy", - "waf:TagResource", - "waf:UntagResource", - "waf:UpdateByteMatchSet", - "waf:UpdateGeoMatchSet", - "waf:UpdateIPSet", - "waf:UpdateRateBasedRule", - "waf:UpdateRegexMatchSet", - "waf:UpdateRegexPatternSet", - "waf:UpdateRule", - "waf:UpdateRuleGroup", - "waf:UpdateSizeConstraintSet", - "waf:UpdateSqlInjectionMatchSet", - "waf:UpdateWebACL", - "waf:UpdateXssMatchSet", - "wafv2:AssociateWebACL", - 
"wafv2:CreateIPSet", - "wafv2:CreateRegexPatternSet", - "wafv2:CreateRuleGroup", - "wafv2:CreateWebACL", - "wafv2:DeleteFirewallManagerRuleGroups", - "wafv2:DeleteIPSet", - "wafv2:DeleteLoggingConfiguration", - "wafv2:DeletePermissionPolicy", - "wafv2:DeleteRegexPatternSet", - "wafv2:DeleteRuleGroup", - "wafv2:DeleteWebACL", - "wafv2:DisassociateFirewallManager", - "wafv2:DisassociateWebACL", - "wafv2:PutFirewallManagerRuleGroups", - "wafv2:PutLoggingConfiguration", - "wafv2:PutPermissionPolicy", - "wafv2:TagResource", - "wafv2:UntagResource", - "wafv2:UpdateIPSet", - "wafv2:UpdateRegexPatternSet", - "wafv2:UpdateRuleGroup", - "wafv2:UpdateWebACL", - "wellarchitected:CreateWorkloadShare", - "wellarchitected:DeleteWorkload", - "worklink:AssociateDomain", - "worklink:AssociateWebsiteAuthorizationProvider", - "worklink:AssociateWebsiteCertificateAuthority", - "worklink:DeleteFleet", - "worklink:DisassociateDomain", - "worklink:DisassociateWebsiteAuthorizationProvider", - "worklink:DisassociateWebsiteCertificateAuthority", - "worklink:RestoreDomainAccess", - "worklink:RevokeDomainAccess", - "worklink:SignOutUser", - "worklink:TagResource", - "worklink:UntagResource", - "worklink:UpdateAuditStreamConfiguration", - "worklink:UpdateCompanyNetworkConfiguration", - "worklink:UpdateDevicePolicyConfiguration", - "worklink:UpdateDomainMetadata", - "worklink:UpdateFleetMetadata", - "worklink:UpdateIdentityProviderConfiguration", - "workmail:AddMembersToGroup", - "workmail:AssociateDelegateToResource", - "workmail:AssociateMemberToGroup", - "workmail:CreateAlias", - "workmail:CreateGroup", - "workmail:CreateInboundMailFlowRule", - "workmail:CreateMailDomain", - "workmail:CreateMailUser", - "workmail:CreateOutboundMailFlowRule", - "workmail:CreateResource", - "workmail:CreateSmtpGateway", - "workmail:CreateUser", - "workmail:DeleteAccessControlRule", - "workmail:DeleteAlias", - "workmail:DeleteGroup", - "workmail:DeleteInboundMailFlowRule", - "workmail:DeleteMailDomain", - 
"workmail:DeleteMailboxPermissions", - "workmail:DeleteMobileDevice", - "workmail:DeleteOrganization", - "workmail:DeleteOutboundMailFlowRule", - "workmail:DeleteResource", - "workmail:DeleteRetentionPolicy", - "workmail:DeleteSmtpGateway", - "workmail:DeleteUser", - "workmail:DeregisterFromWorkMail", - "workmail:DisableMailGroups", - "workmail:DisableMailUsers", - "workmail:DisassociateDelegateFromResource", - "workmail:DisassociateMemberFromGroup", - "workmail:EnableMailDomain", - "workmail:EnableMailGroups", - "workmail:EnableMailUsers", - "workmail:PutAccessControlRule", - "workmail:PutMailboxPermissions", - "workmail:PutRetentionPolicy", - "workmail:RegisterToWorkMail", - "workmail:RemoveMembersFromGroup", - "workmail:ResetPassword", - "workmail:ResetUserPassword", - "workmail:SetAdmin", - "workmail:SetDefaultMailDomain", - "workmail:SetJournalingRules", - "workmail:SetMailGroupDetails", - "workmail:SetMailUserDetails", - "workmail:SetMobilePolicyDetails", - "workmail:TagResource", - "workmail:TestInboundMailFlowRules", - "workmail:TestOutboundMailFlowRules", - "workmail:UntagResource", - "workmail:UpdateInboundMailFlowRule", - "workmail:UpdateMailboxQuota", - "workmail:UpdateOutboundMailFlowRule", - "workmail:UpdatePrimaryEmailAddress", - "workmail:UpdateResource", - "workmail:UpdateSmtpGateway", - "workmail:WipeMobileDevice", - "workspaces:AuthorizeIpRules", - "workspaces:CreateWorkspaces", - "workspaces:DeleteIpGroup", - "workspaces:ModifyClientProperties", - "workspaces:ModifyWorkspaceProperties", - "workspaces:ModifyWorkspaceState", - "workspaces:RebootWorkspaces", - "workspaces:RebuildWorkspaces", - "workspaces:RevokeIpRules", - "workspaces:StartWorkspaces", - "workspaces:StopWorkspaces", - "workspaces:TerminateWorkspaces", - "workspaces:UpdateRulesOfIpGroup", - "xray:CreateGroup", - "xray:CreateSamplingRule", - "xray:DeleteGroup", - "xray:DeleteSamplingRule", - "xray:TagResource", - "xray:UntagResource", - "xray:UpdateGroup", - 
"xray:UpdateSamplingRule", - "iam:CreateServiceLinkedRole", - "iam:DeleteServiceLinkedRole" - ], - "is_excluded": false - } - }, - "customer_managed_policies": { - "NotYourPolicy": { - "PolicyName": "NotYourPolicy", - "PolicyId": "NotYourPolicy", - "Arn": "arn:aws:iam::012345678901:policy/NotYourPolicy", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:PutObjectAcl" - ], - "Resource": [ - "arn:aws:s3:::mybucket/*", - "arn:aws:s3:::mybucket" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": true, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [], - "is_excluded": false - }, - "InsecurePolicy": { - "PolicyName": "InsecurePolicy", - "PolicyId": "InsecurePolicy", - "Arn": "arn:aws:iam::012345678901:policy/InsecurePolicy", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:PutObjectAcl" - ], - "Resource": [ - "*" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": true, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "s3:PutObjectAcl" - ], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "s3:PutObject", - "s3:PutObjectAcl" - ], - "is_excluded": false - 
}, - "ExcessivePermissions": { - "PolicyName": "ExcessivePermissions", - "PolicyId": "ExcessivePermissions", - "Arn": "arn:aws:iam::012345678901:policy/ExcessivePermissions", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:*", - "secretsmanager:*", - "lambda:*" - ], - "Resource": [ - "*" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": true, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ], - "PrivilegeEscalation": [ - { - "type": "EditExistingLambdaFunctionWithRole", - "actions": [ - "lambda:updatefunctioncode" - ] - } - ], - "DataExfiltration": [ - "s3:GetObject", - "secretsmanager:GetSecretValue" - ], - "ResourceExposure": [ - "lambda:AddLayerVersionPermission", - "lambda:AddPermission", - "lambda:DisableReplication", - "lambda:EnableReplication", - "lambda:RemoveLayerVersionPermission", - "lambda:RemovePermission", - "s3:BypassGovernanceRetention", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucketPolicy", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutBucketAcl", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl", - "secretsmanager:DeleteResourcePolicy", - "secretsmanager:PutResourcePolicy", - "secretsmanager:ValidateResourcePolicy" - ], - "ServiceWildcard": [ - "lambda", - "s3", - "secretsmanager" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "lambda:AddLayerVersionPermission", - "lambda:AddPermission", - "lambda:CreateAlias", - "lambda:CreateFunction", - "lambda:DeleteAlias", - "lambda:DeleteEventSourceMapping", - "lambda:DeleteFunction", - "lambda:DeleteFunctionConcurrency", - 
"lambda:DeleteFunctionEventInvokeConfig", - "lambda:DeleteLayerVersion", - "lambda:DeleteProvisionedConcurrencyConfig", - "lambda:DisableReplication", - "lambda:EnableReplication", - "lambda:InvokeAsync", - "lambda:InvokeFunction", - "lambda:PublishLayerVersion", - "lambda:PublishVersion", - "lambda:PutFunctionConcurrency", - "lambda:PutFunctionEventInvokeConfig", - "lambda:PutProvisionedConcurrencyConfig", - "lambda:RemoveLayerVersionPermission", - "lambda:RemovePermission", - "lambda:TagResource", - "lambda:UntagResource", - "lambda:UpdateAlias", - "lambda:UpdateEventSourceMapping", - "lambda:UpdateFunctionCode", - "lambda:UpdateFunctionConfiguration", - "lambda:UpdateFunctionEventInvokeConfig", - "s3:AbortMultipartUpload", - "s3:BypassGovernanceRetention", - "s3:CreateAccessPoint", - "s3:CreateBucket", - "s3:DeleteAccessPoint", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteBucketWebsite", - "s3:DeleteJobTagging", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetObject", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccelerateConfiguration", - "s3:PutAccessPointPolicy", - "s3:PutAnalyticsConfiguration", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketLogging", - "s3:PutBucketNotification", - "s3:PutBucketObjectLockConfiguration", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutBucketRequestPayment", - "s3:PutBucketTagging", - "s3:PutBucketVersioning", - "s3:PutBucketWebsite", - "s3:PutEncryptionConfiguration", - "s3:PutInventoryConfiguration", - "s3:PutJobTagging", - "s3:PutLifecycleConfiguration", - "s3:PutMetricsConfiguration", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionAcl", - "s3:PutObjectVersionTagging", - "s3:PutReplicationConfiguration", - "s3:ReplicateDelete", - "s3:ReplicateObject", - "s3:ReplicateTags", - 
"s3:RestoreObject", - "s3:UpdateJobPriority", - "s3:UpdateJobStatus", - "secretsmanager:CancelRotateSecret", - "secretsmanager:CreateSecret", - "secretsmanager:DeleteResourcePolicy", - "secretsmanager:DeleteSecret", - "secretsmanager:GetSecretValue", - "secretsmanager:PutResourcePolicy", - "secretsmanager:PutSecretValue", - "secretsmanager:RestoreSecret", - "secretsmanager:RotateSecret", - "secretsmanager:TagResource", - "secretsmanager:UntagResource", - "secretsmanager:UpdateSecret", - "secretsmanager:UpdateSecretVersionStage", - "secretsmanager:ValidateResourcePolicy" - ], - "is_excluded": false - } - }, - "inline_policies": { - "ffd2b5250e18691dbd9f0fb8b36640ec574867835837f17d39f859c3193fb3f2": { - "PolicyName": "InlinePolicyForAdminGroup", - "PolicyId": "ffd2b5250e18691dbd9f0fb8b36640ec574867835837f17d39f859c3193fb3f2", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:*" - ], - "Resource": "*" - } - ] - }, - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "s3:BypassGovernanceRetention", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucketPolicy", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutBucketAcl", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl" - ], - "ServiceWildcard": [ - "s3" - ], - "CredentialsExposure": [], - "InfrastructureModification": [ - "s3:AbortMultipartUpload", - "s3:BypassGovernanceRetention", - "s3:CreateAccessPoint", - "s3:CreateBucket", - "s3:DeleteAccessPoint", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteBucketWebsite", - "s3:DeleteJobTagging", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging", - "s3:GetObject", - "s3:ObjectOwnerOverrideToBucketOwner", - 
"s3:PutAccelerateConfiguration", - "s3:PutAccessPointPolicy", - "s3:PutAnalyticsConfiguration", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketLogging", - "s3:PutBucketNotification", - "s3:PutBucketObjectLockConfiguration", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutBucketRequestPayment", - "s3:PutBucketTagging", - "s3:PutBucketVersioning", - "s3:PutBucketWebsite", - "s3:PutEncryptionConfiguration", - "s3:PutInventoryConfiguration", - "s3:PutJobTagging", - "s3:PutLifecycleConfiguration", - "s3:PutMetricsConfiguration", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionAcl", - "s3:PutObjectVersionTagging", - "s3:PutReplicationConfiguration", - "s3:ReplicateDelete", - "s3:ReplicateObject", - "s3:ReplicateTags", - "s3:RestoreObject", - "s3:UpdateJobPriority", - "s3:UpdateJobStatus" - ], - "is_excluded": false - }, - "e8bca32ff7d1f7990d71c64d95a04b7caa5aad5791f06f69db59653228c6853d": { - "PolicyName": "InlinePolicyForBidenGroup", - "PolicyId": "e8bca32ff7d1f7990d71c64d95a04b7caa5aad5791f06f69db59653228c6853d", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:PutObjectAcl" - ], - "Resource": "*" - } - ] - }, - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "s3:PutObjectAcl" - ], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "s3:GetObject", - "s3:PutObjectAcl" - ], - "is_excluded": false - }, - "0568550cb147d2434f6c04641e921f18fe1b7b1fd0b5af5acf514d33d204faca": { - "PolicyName": "MyOtherRolePolicy", - "PolicyId": "0568550cb147d2434f6c04641e921f18fe1b7b1fd0b5af5acf514d33d204faca", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "iam:CreateInstanceProfile", - 
"iam:ListInstanceProfilesForRole", - "iam:PassRole", - "ec2:DescribeIamInstanceProfileAssociations", - "iam:GetInstanceProfile", - "ec2:DisassociateIamInstanceProfile", - "ec2:AssociateIamInstanceProfile", - "iam:AddRoleToInstanceProfile" - ], - "Resource": "*" - } - ] - }, - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "iam:AddRoleToInstanceProfile", - "iam:CreateInstanceProfile", - "iam:PassRole" - ], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "ec2:AssociateIamInstanceProfile", - "ec2:DisassociateIamInstanceProfile", - "iam:AddRoleToInstanceProfile", - "iam:CreateInstanceProfile", - "iam:PassRole" - ], - "is_excluded": false - }, - "d09fe3603cd65058b6e2d9817cf37093e83e98318a56ce1e29c8491ac989e57e": { - "PolicyName": "OverprivilegedEC2", - "PolicyId": "d09fe3603cd65058b6e2d9817cf37093e83e98318a56ce1e29c8491ac989e57e", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue", - "s3:GetObject", - "iam:CreateAccessKey" - ], - "Resource": "*" - } - ] - }, - "PrivilegeEscalation": [ - { - "type": "CreateAccessKey", - "actions": [ - "iam:createaccesskey" - ] - } - ], - "DataExfiltration": [ - "s3:GetObject", - "secretsmanager:GetSecretValue" - ], - "ResourceExposure": [ - "iam:CreateAccessKey" - ], - "ServiceWildcard": [], - "CredentialsExposure": [ - "iam:CreateAccessKey" - ], - "InfrastructureModification": [ - "iam:CreateAccessKey", - "s3:GetObject", - "secretsmanager:GetSecretValue" - ], - "is_excluded": false - }, - "354d81e1788639707f707738fb4c630cb7c5d23614cc467ff9a469a670049e3f": { - "PolicyName": "InsecureUserPolicy", - "PolicyId": "354d81e1788639707f707738fb4c630cb7c5d23614cc467ff9a469a670049e3f", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:PutObjectAcl", - 
"s3:GetObject" - ], - "Resource": [ - "*" - ] - } - ] - }, - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "s3:PutObjectAcl" - ], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "s3:GetObject", - "s3:PutObject", - "s3:PutObjectAcl" - ], - "is_excluded": false - } - }, - "exclusions": { - "policies": [ - "AWSServiceRoleFor*", - "*ServiceRolePolicy", - "*ServiceLinkedRolePolicy", - "AdministratorAccess", - "service-role*", - "aws-service-role*", - "/service-role*", - "/aws-service-role*", - "MyRole" - ], - "roles": [ - "service-role*", - "aws-service-role*", - "/service-role*", - "/aws-service-role*", - "MyRole" - ], - "users": [ - "obama" - ], - "groups": [ - "" - ], - "include-actions": [ - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath", - "secretsmanager:GetSecretValue", - "rds:CopyDBSnapshot", - "rds:CreateDBSnapshot" - ], - "exclude-actions": [ - "" - ] - } -} diff --git a/test/files/example-authz-details.json b/test/files/example-authz-details.json index 6ed44f97..4e67b588 100644 --- a/test/files/example-authz-details.json +++ b/test/files/example-authz-details.json 
@@ -1364,563 +1364,6 @@ } ] }, - { - "PolicyName": "ReadOnlyAccess", - "PolicyId": "ANPAILL3HVNFSB6DCOWYQ", - "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v63", - "AttachmentCount": 4, - "PermissionsBoundaryUsageCount": null, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:48+00:00", - "UpdateDate": "2020-03-09 23:45:01+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListTagsForResource", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "amplify:GetApp", - "amplify:GetBranch", - "amplify:GetJob", - "amplify:GetDomainAssociation", - "amplify:ListApps", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "apigateway:GET", - "application-autoscaling:Describe*", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", - "appmesh:List*", - "appstream:Describe*", - "appstream:Get*", - "appstream:List*", - "appsync:Get*", - "appsync:List*", - "autoscaling:Describe*", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "athena:List*", - "athena:Batch*", - "athena:Get*", - "backup:Describe*", - "backup:Get*", - "backup:List*", - "batch:List*", - "batch:Describe*", - "chatbot:Describe*", - "chatbot:Get*", - "chime:Get*", - "chime:List*", - "chime:Retrieve*", - "chime:Search*", - "chime:Validate*", - "cloud9:Describe*", - "cloud9:List*", - "clouddirectory:List*", - "clouddirectory:BatchRead", - "clouddirectory:Get*", - 
"clouddirectory:LookupPolicy", - "cloudformation:Describe*", - "cloudformation:Detect*", - "cloudformation:Get*", - "cloudformation:List*", - "cloudformation:Estimate*", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:List*", - "cloudhsm:Describe*", - "cloudhsm:Get*", - "cloudsearch:Describe*", - "cloudsearch:List*", - "cloudtrail:Describe*", - "cloudtrail:Get*", - "cloudtrail:List*", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "cloudwatch:Get*", - "cloudwatch:List*", - "codebuild:BatchGet*", - "codebuild:DescribeTestCases", - "codebuild:List*", - "codecommit:BatchGet*", - "codecommit:Describe*", - "codecommit:Get*", - "codecommit:GitPull", - "codecommit:List*", - "codedeploy:BatchGet*", - "codedeploy:Get*", - "codedeploy:List*", - "codeguru-profiler:Describe*", - "codeguru-profiler:Get*", - "codeguru-profiler:List*", - "codeguru-reviewer:Describe*", - "codeguru-reviewer:Get*", - "codeguru-reviewer:List*", - "codepipeline:List*", - "codepipeline:Get*", - "codestar:List*", - "codestar:Describe*", - "codestar:Get*", - "codestar:Verify*", - "codestar-notifications:describeNotificationRule", - "codestar-notifications:listEventTypes", - "codestar-notifications:listNotificationRules", - "codestar-notifications:listTagsForResource", - "codestar-notifications:ListTargets", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetRecommendationSummaries", - "cognito-identity:Describe*", - "cognito-identity:GetCredentialsForIdentity", - "cognito-identity:GetIdentityPoolRoles", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:List*", - "cognito-identity:Lookup*", - "cognito-sync:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:QueryRecords", - "cognito-idp:AdminGet*", - 
"cognito-idp:AdminList*", - "cognito-idp:List*", - "cognito-idp:Describe*", - "cognito-idp:Get*", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectResourceConfig", - "connect:List*", - "connect:Describe*", - "connect:GetFederationToken", - "dataexchange:Get*", - "dataexchange:List*", - "datasync:Describe*", - "datasync:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "dax:BatchGetItem", - "dax:Describe*", - "dax:GetItem", - "dax:ListTags", - "dax:Query", - "dax:Scan", - "directconnect:Describe*", - "detective:Get*", - "detective:List*", - "devicefarm:List*", - "devicefarm:Get*", - "discovery:Describe*", - "discovery:List*", - "discovery:Get*", - "dlm:Get*", - "dms:Describe*", - "dms:List*", - "dms:Test*", - "ds:Check*", - "ds:Describe*", - "ds:Get*", - "ds:List*", - "ds:Verify*", - "dynamodb:BatchGet*", - "dynamodb:Describe*", - "dynamodb:Get*", - "dynamodb:List*", - "dynamodb:Query", - "dynamodb:Scan", - "ec2:Describe*", - "ec2:Get*", - "ec2:SearchTransitGatewayRoutes", - "ec2messages:Get*", - "ecr:BatchCheck*", - "ecr:BatchGet*", - "ecr:Describe*", - "ecr:Get*", - "ecr:List*", - "ecs:Describe*", - "ecs:List*", - "eks:DescribeCluster", - "eks:DescribeUpdate", - "eks:Describe*", - "eks:ListClusters", - "eks:ListUpdates", - "eks:List*", - "elasticache:Describe*", - "elasticache:List*", - "elasticbeanstalk:Check*", - "elasticbeanstalk:Describe*", - "elasticbeanstalk:List*", - "elasticbeanstalk:Request*", - "elasticbeanstalk:Retrieve*", - "elasticbeanstalk:Validate*", - "elasticfilesystem:Describe*", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:List*", - "elasticmapreduce:View*", - "elastictranscoder:List*", - "elastictranscoder:Read*", - "elemental-appliances-software:Get*", - "elemental-appliances-software:List*", - "es:Describe*", - "es:List*", - 
"es:Get*", - "es:ESHttpGet", - "es:ESHttpHead", - "events:Describe*", - "events:List*", - "events:Test*", - "firehose:Describe*", - "firehose:List*", - "fsx:Describe*", - "fsx:List*", - "gamelift:List*", - "gamelift:Get*", - "gamelift:Describe*", - "gamelift:RequestUploadCredentials", - "gamelift:ResolveAlias", - "gamelift:Search*", - "glacier:List*", - "glacier:Describe*", - "glacier:Get*", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "glue:BatchGetPartition", - "glue:GetCatalogImportStatus", - "glue:GetClassifier", - "glue:GetClassifiers", - "glue:GetCrawler", - "glue:GetCrawlers", - "glue:GetCrawlerMetrics", - "glue:GetDatabase", - "glue:GetDatabases", - "glue:GetDataCatalogEncryptionSettings", - "glue:GetDataflowGraph", - "glue:GetDevEndpoint", - "glue:GetDevEndpoints", - "glue:GetJob", - "glue:GetJobs", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:GetPartition", - "glue:GetPartitions", - "glue:GetPlan", - "glue:GetResourcePolicy", - "glue:GetSecurityConfiguration", - "glue:GetSecurityConfigurations", - "glue:GetTable", - "glue:GetTables", - "glue:GetTableVersion", - "glue:GetTableVersions", - "glue:GetTags", - "glue:GetTrigger", - "glue:GetTriggers", - "glue:GetUserDefinedFunction", - "glue:GetUserDefinedFunctions", - "greengrass:Get*", - "greengrass:List*", - "guardduty:Get*", - "guardduty:List*", - "health:Describe*", - "health:List*", - "iam:Generate*", - "iam:Get*", - "iam:List*", - "iam:Simulate*", - "imagebuilder:Get*", - "imagebuilder:List*", - "importexport:Get*", - "importexport:List*", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - "inspector:Preview*", - "iot:Describe*", - "iot:Get*", - "iot:List*", - "iotanalytics:Describe*", - "iotanalytics:List*", - "iotanalytics:Get*", - "iotanalytics:SampleChannelData", - "kafka:Describe*", - "kafka:List*", - "kafka:Get*", - "kinesisanalytics:Describe*", - "kinesisanalytics:Discover*", - "kinesisanalytics:Get*", - "kinesisanalytics:List*", - "kinesisvideo:Describe*", 
- "kinesisvideo:Get*", - "kinesisvideo:List*", - "kinesis:Describe*", - "kinesis:Get*", - "kinesis:List*", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lambda:List*", - "lambda:Get*", - "lex:Get*", - "lightsail:GetActiveNames", - "lightsail:GetBlueprints", - "lightsail:GetBundles", - "lightsail:GetCloudFormationStackRecords", - "lightsail:GetDisk", - "lightsail:GetDisks", - "lightsail:GetDiskSnapshot", - "lightsail:GetDiskSnapshots", - "lightsail:GetDomain", - "lightsail:GetDomains", - "lightsail:GetExportSnapshotRecords", - "lightsail:GetInstance", - "lightsail:GetInstanceMetricData", - "lightsail:GetInstancePortStates", - "lightsail:GetInstances", - "lightsail:GetInstanceSnapshot", - "lightsail:GetInstanceSnapshots", - "lightsail:GetInstanceState", - "lightsail:GetKeyPair", - "lightsail:GetKeyPairs", - "lightsail:GetLoadBalancer", - "lightsail:GetLoadBalancerMetricData", - "lightsail:GetLoadBalancers", - "lightsail:GetLoadBalancerTlsCertificates", - "lightsail:GetOperation", - "lightsail:GetOperations", - "lightsail:GetOperationsForResource", - "lightsail:GetRegions", - "lightsail:GetRelationalDatabase", - "lightsail:GetRelationalDatabaseBlueprints", - "lightsail:GetRelationalDatabaseBundles", - "lightsail:GetRelationalDatabaseEvents", - "lightsail:GetRelationalDatabaseLogEvents", - "lightsail:GetRelationalDatabaseLogStreams", - "lightsail:GetRelationalDatabaseMetricData", - "lightsail:GetRelationalDatabaseParameters", - "lightsail:GetRelationalDatabases", - "lightsail:GetRelationalDatabaseSnapshot", - "lightsail:GetRelationalDatabaseSnapshots", - "lightsail:GetStaticIp", - "lightsail:GetStaticIps", - "lightsail:Is*", - "logs:Describe*", - "logs:Get*", - "logs:FilterLogEvents", - "logs:ListTagsLogGroup", - "logs:StartQuery", - "logs:TestMetricFilter", - "machinelearning:Describe*", - "machinelearning:Get*", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "mediapackage:List*", - "mediapackage:Describe*", - 
"mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mobileanalytics:Get*", - "mobilehub:Describe*", - "mobilehub:Export*", - "mobilehub:Generate*", - "mobilehub:Get*", - "mobilehub:List*", - "mobilehub:Validate*", - "mobilehub:Verify*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "mq:Describe*", - "mq:List*", - "opsworks:Describe*", - "opsworks:Get*", - "opsworks-cm:Describe*", - "organizations:Describe*", - "organizations:List*", - "outposts:Get*", - "outposts:List*", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - "pi:DescribeDimensionKeys", - "pi:GetResourceMetrics", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "qldb:ListLedgers", - "qldb:DescribeLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:DescribeJournalS3Export", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:GetBlock", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rekognition:CompareFaces", - "rekognition:Detect*", - "rekognition:List*", - "rekognition:Search*", - "rds:Describe*", - "rds:List*", - "rds:Download*", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:View*", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53resolver:Get*", - "route53resolver:List*", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:List*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "securityhub:Describe*", - 
"securityhub:Get*", - "securityhub:List*", - "serverlessrepo:List*", - "serverlessrepo:Get*", - "serverlessrepo:SearchApplications", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicecatalog:Describe*", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServices", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "ses:Get*", - "ses:List*", - "ses:Describe*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "snowball:Get*", - "snowball:Describe*", - "snowball:List*", - "sns:Get*", - "sns:List*", - "sns:Check*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "states:List*", - "states:Describe*", - "states:GetExecutionHistory", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:Get*", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "tag:Get*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "transcribe:Get*", - "transcribe:List*", - "trustedadvisor:Describe*", - "waf:Get*", - "waf:List*", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "waf-regional:List*", - "waf-regional:Get*", - "workdocs:Describe*", - "workdocs:Get*", - "workdocs:CheckAlias", - "worklink:Describe*", - "worklink:List*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Effect": "Allow", - 
"Resource": "*" - } - ] - }, - "VersionId": "v63", - "IsDefaultVersion": true, - "CreateDate": "2020-03-09 23:45:01+00:00" - } - ] - }, { "PolicyName": "AWSElasticLoadBalancingServiceRolePolicy", "PolicyId": "ANPAIMHWGGSRHLOQUICJQ", diff --git a/test/files/scanning/test_managed_policy_details.json b/test/files/scanning/test_managed_policy_details.json deleted file mode 100644 index c6f16a36..00000000 --- a/test/files/scanning/test_managed_policy_details.json +++ /dev/null 
@@ -1,3324 +0,0 @@ -{ - "NotYourPolicy": { - "PolicyName": "NotYourPolicy", - "PolicyId": "NotYourPolicy", - "Arn": "arn:aws:iam::012345678901:policy/NotYourPolicy", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:PutObjectAcl" - ], - "Resource": [ - "arn:aws:s3:::mybucket/*", - "arn:aws:s3:::mybucket" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": true, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "InsecurePolicy": { - "PolicyName": "InsecurePolicy", - "PolicyId": "InsecurePolicy", - "Arn": "arn:aws:iam::012345678901:policy/InsecurePolicy", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:PutObjectAcl" - ], - "Resource": [ - "*" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": true, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "s3:PutObjectAcl" - ], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAI4UIINUVGB5SEC57G": { - "PolicyName": "AWSCodeCommitPowerUser", - "PolicyId": "ANPAI4UIINUVGB5SEC57G", - "Arn": "arn:aws:iam::aws:policy/AWSCodeCommitPowerUser", - "Path": "/", - "DefaultVersionId": "v11", - "AttachmentCount": 2, - 
"IsAttachable": true, - "CreateDate": "2015-07-09 17:06:49+00:00", - "UpdateDate": "2019-12-03 08:15:40+00:00", - "PolicyVersionList": [ - { - "CreateDate": "2019-12-03 08:15:40+00:00", - "Document": { - "Statement": [ - { - "Action": [ - "codecommit:AssociateApprovalRuleTemplateWithRepository", - "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories", - "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories", - "codecommit:BatchGet*", - "codecommit:BatchDescribe*", - "codecommit:Create*", - "codecommit:DeleteBranch", - "codecommit:DeleteFile", - "codecommit:Describe*", - "codecommit:DisassociateApprovalRuleTemplateFromRepository", - "codecommit:EvaluatePullRequestApprovalRules", - "codecommit:Get*", - "codecommit:List*", - "codecommit:Merge*", - "codecommit:OverridePullRequestApprovalRules", - "codecommit:Put*", - "codecommit:Post*", - "codecommit:TagResource", - "codecommit:Test*", - "codecommit:UntagResource", - "codecommit:Update*", - "codecommit:GitPull", - "codecommit:GitPush" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "events:DeleteRule", - "events:DescribeRule", - "events:DisableRule", - "events:EnableRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "events:ListTargetsByRule" - ], - "Effect": "Allow", - "Resource": "arn:aws:events:*:*:rule/codecommit*", - "Sid": "CloudWatchEventsCodeCommitRulesAccess" - }, - { - "Action": [ - "sns:Subscribe", - "sns:Unsubscribe" - ], - "Effect": "Allow", - "Resource": "arn:aws:sns:*:*:codecommit*", - "Sid": "SNSTopicAndSubscriptionAccess" - }, - { - "Action": [ - "sns:ListTopics", - "sns:ListSubscriptionsByTopic", - "sns:GetTopicAttributes" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "SNSTopicAndSubscriptionReadAccess" - }, - { - "Action": [ - "lambda:ListFunctions" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "LambdaReadOnlyListAccess" - }, - { - "Action": [ - "iam:ListUsers" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": 
"IAMReadOnlyListAccess" - }, - { - "Action": [ - "iam:ListAccessKeys", - "iam:ListSSHPublicKeys", - "iam:ListServiceSpecificCredentials" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMReadOnlyConsoleAccess" - }, - { - "Action": [ - "iam:DeleteSSHPublicKey", - "iam:GetSSHPublicKey", - "iam:ListSSHPublicKeys", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMUserSSHKeys" - }, - { - "Action": [ - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - "iam:ResetServiceSpecificCredential" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMSelfManageServiceSpecificCredentials" - }, - { - "Action": [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ], - "Condition": { - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" - } - }, - "Effect": "Allow", - "Resource": "*", - "Sid": "CodeStarNotificationsReadWriteAccess" - }, - { - "Action": [ - "codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - "codestar-notifications:ListEventTypes" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "CodeStarNotificationsListAccess" - }, - { - "Action": [ - "codeguru-reviewer:AssociateRepository", - "codeguru-reviewer:DescribeRepositoryAssociation", - "codeguru-reviewer:ListRepositoryAssociations", - "codeguru-reviewer:DisassociateRepository" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "AmazonCodeGuruReviewerFullAccess" - }, - { - "Action": "iam:CreateServiceLinkedRole", - "Condition": { - "StringLike": { - 
"iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" - } - }, - "Effect": "Allow", - "Resource": "arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer", - "Sid": "AmazonCodeGuruReviewerSLRCreation" - }, - { - "Action": [ - "events:PutRule", - "events:PutTargets", - "events:DeleteRule", - "events:RemoveTargets" - ], - "Condition": { - "StringEquals": { - "events:ManagedBy": "codeguru-reviewer.amazonaws.com" - } - }, - "Effect": "Allow", - "Resource": "*", - "Sid": "CloudWatchEventsManagedRules" - } - ], - "Version": "2012-10-17" - }, - "IsDefaultVersion": true, - "VersionId": "v11" - }, - { - "CreateDate": "2019-11-20 17:12:55+00:00", - "Document": { - "Statement": [ - { - "Action": [ - "codecommit:AssociateApprovalRuleTemplateWithRepository", - "codecommit:BatchAssociateApprovalRuleTemplateWithRepositories", - "codecommit:BatchDisassociateApprovalRuleTemplateFromRepositories", - "codecommit:BatchGet*", - "codecommit:BatchDescribe*", - "codecommit:Create*", - "codecommit:DeleteBranch", - "codecommit:DeleteFile", - "codecommit:Describe*", - "codecommit:DisassociateApprovalRuleTemplateFromRepository", - "codecommit:EvaluatePullRequestApprovalRules", - "codecommit:Get*", - "codecommit:List*", - "codecommit:Merge*", - "codecommit:OverridePullRequestApprovalRules", - "codecommit:Put*", - "codecommit:Post*", - "codecommit:TagResource", - "codecommit:Test*", - "codecommit:UntagResource", - "codecommit:Update*", - "codecommit:GitPull", - "codecommit:GitPush" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "events:DeleteRule", - "events:DescribeRule", - "events:DisableRule", - "events:EnableRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "events:ListTargetsByRule" - ], - "Effect": "Allow", - "Resource": "arn:aws:events:*:*:rule/codecommit*", - "Sid": "CloudWatchEventsCodeCommitRulesAccess" - }, - { - "Action": [ - "sns:Subscribe", - "sns:Unsubscribe" - ], - "Effect": 
"Allow", - "Resource": "arn:aws:sns:*:*:codecommit*", - "Sid": "SNSTopicAndSubscriptionAccess" - }, - { - "Action": [ - "sns:ListTopics", - "sns:ListSubscriptionsByTopic", - "sns:GetTopicAttributes" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "SNSTopicAndSubscriptionReadAccess" - }, - { - "Action": [ - "lambda:ListFunctions" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "LambdaReadOnlyListAccess" - }, - { - "Action": [ - "iam:ListUsers" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "IAMReadOnlyListAccess" - }, - { - "Action": [ - "iam:ListAccessKeys", - "iam:ListSSHPublicKeys", - "iam:ListServiceSpecificCredentials" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMReadOnlyConsoleAccess" - }, - { - "Action": [ - "iam:DeleteSSHPublicKey", - "iam:GetSSHPublicKey", - "iam:ListSSHPublicKeys", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMUserSSHKeys" - }, - { - "Action": [ - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - "iam:ResetServiceSpecificCredential" - ], - "Effect": "Allow", - "Resource": "arn:aws:iam::*:user/${aws:username}", - "Sid": "IAMSelfManageServiceSpecificCredentials" - }, - { - "Action": [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ], - "Condition": { - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" - } - }, - "Effect": "Allow", - "Resource": "*", - "Sid": "CodeStarNotificationsReadWriteAccess" - }, - { - "Action": [ - "codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - 
"codestar-notifications:ListEventTypes" - ], - "Effect": "Allow", - "Resource": "*", - "Sid": "CodeStarNotificationsListAccess" - } - ], - "Version": "2012-10-17" - }, - "IsDefaultVersion": false, - "VersionId": "v10" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAI3R4QMOG6Q5A4VWVG": { - "PolicyName": "AmazonRDSFullAccess", - "PolicyId": "ANPAI3R4QMOG6Q5A4VWVG", - "Arn": "arn:aws:iam::aws:policy/AmazonRDSFullAccess", - "Path": "/", - "DefaultVersionId": "v6", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:52+00:00", - "UpdateDate": "2018-04-09 17:42:48+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "rds:*", - "application-autoscaling:DeleteScalingPolicy", - "application-autoscaling:DeregisterScalableTarget", - "application-autoscaling:DescribeScalableTargets", - "application-autoscaling:DescribeScalingActivities", - "application-autoscaling:DescribeScalingPolicies", - "application-autoscaling:PutScalingPolicy", - "application-autoscaling:RegisterScalableTarget", - "cloudwatch:DescribeAlarms", - "cloudwatch:GetMetricStatistics", - "cloudwatch:PutMetricAlarm", - "cloudwatch:DeleteAlarms", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcs", - "sns:ListSubscriptions", - "sns:ListTopics", - "sns:Publish", - "logs:DescribeLogStreams", - "logs:GetLogEvents" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "pi:*", - "Effect": "Allow", - "Resource": "arn:aws:pi:*:*:metrics/rds/*" - }, - { - "Action": "iam:CreateServiceLinkedRole", - "Effect": "Allow", - "Resource": "*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": [ - "rds.amazonaws.com", - 
"rds.application-autoscaling.amazonaws.com" - ] - } - } - } - ] - }, - "VersionId": "v6", - "IsDefaultVersion": true, - "CreateDate": "2018-04-09 17:42:48+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "rds:AuthorizeDBSecurityGroupIngress", - "iam:CreateServiceLinkedRole" - ], - "ServiceWildcard": [ - "pi", - "rds" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAI3VAJF5ZCRZ7MCQE6": { - "PolicyName": "AmazonEC2FullAccess", - "PolicyId": "ANPAI3VAJF5ZCRZ7MCQE6", - "Arn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess", - "Path": "/", - "DefaultVersionId": "v5", - "AttachmentCount": 3, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:15+00:00", - "UpdateDate": "2018-11-27 02:16:56+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "ec2:*", - "Effect": "Allow", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "elasticloadbalancing:*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "cloudwatch:*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "autoscaling:*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": [ - "autoscaling.amazonaws.com", - "ec2scheduled.amazonaws.com", - "elasticloadbalancing.amazonaws.com", - "spot.amazonaws.com", - "spotfleet.amazonaws.com", - "transitgateway.amazonaws.com" - ] - } - } - } - ] - }, - "VersionId": "v5", - "IsDefaultVersion": true, - "CreateDate": "2018-11-27 02:16:56+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "ec2:CreateNetworkInterfacePermission", - "ec2:DeleteNetworkInterfacePermission", - "ec2:ModifySnapshotAttribute", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:ResetSnapshotAttribute", - "iam:CreateServiceLinkedRole" - ], - "ServiceWildcard": [ - "autoscaling", - 
"cloudwatch", - "ec2", - "elasticloadbalancing" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAI4VCZ3XPIZLQ5NZV2": { - "PolicyName": "AWSCodeCommitFullAccess", - "PolicyId": "ANPAI4VCZ3XPIZLQ5NZV2", - "Arn": "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess", - "Path": "/", - "DefaultVersionId": "v7", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-07-09 17:02:19+00:00", - "UpdateDate": "2020-03-26 16:23:20+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "codecommit:*" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchEventsCodeCommitRulesAccess", - "Effect": "Allow", - "Action": [ - "events:DeleteRule", - "events:DescribeRule", - "events:DisableRule", - "events:EnableRule", - "events:PutRule", - "events:PutTargets", - "events:RemoveTargets", - "events:ListTargetsByRule" - ], - "Resource": "arn:aws:events:*:*:rule/codecommit*" - }, - { - "Sid": "SNSTopicAndSubscriptionAccess", - "Effect": "Allow", - "Action": [ - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:Subscribe", - "sns:Unsubscribe", - "sns:SetTopicAttributes" - ], - "Resource": "arn:aws:sns:*:*:codecommit*" - }, - { - "Sid": "SNSTopicAndSubscriptionReadAccess", - "Effect": "Allow", - "Action": [ - "sns:ListTopics", - "sns:ListSubscriptionsByTopic", - "sns:GetTopicAttributes" - ], - "Resource": "*" - }, - { - "Sid": "LambdaReadOnlyListAccess", - "Effect": "Allow", - "Action": [ - "lambda:ListFunctions" - ], - "Resource": "*" - }, - { - "Sid": "IAMReadOnlyListAccess", - "Effect": "Allow", - "Action": [ - "iam:ListUsers" - ], - "Resource": "*" - }, - { - "Sid": "IAMReadOnlyConsoleAccess", - "Effect": "Allow", - "Action": [ - "iam:ListAccessKeys", - "iam:ListSSHPublicKeys", - "iam:ListServiceSpecificCredentials" - ], - "Resource": "arn:aws:iam::*:user/${aws:username}" - }, - { - "Sid": "IAMUserSSHKeys", - "Effect": "Allow", - "Action": [ - "iam:DeleteSSHPublicKey", - 
"iam:GetSSHPublicKey", - "iam:ListSSHPublicKeys", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey" - ], - "Resource": "arn:aws:iam::*:user/${aws:username}" - }, - { - "Sid": "IAMSelfManageServiceSpecificCredentials", - "Effect": "Allow", - "Action": [ - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - "iam:ResetServiceSpecificCredential" - ], - "Resource": "arn:aws:iam::*:user/${aws:username}" - }, - { - "Sid": "CodeStarNotificationsReadWriteAccess", - "Effect": "Allow", - "Action": [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:DeleteNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codecommit:*" - } - } - }, - { - "Sid": "CodeStarNotificationsListAccess", - "Effect": "Allow", - "Action": [ - "codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - "codestar-notifications:ListEventTypes" - ], - "Resource": "*" - }, - { - "Sid": "CodeStarNotificationsSNSTopicCreateAccess", - "Effect": "Allow", - "Action": [ - "sns:CreateTopic", - "sns:SetTopicAttributes" - ], - "Resource": "arn:aws:sns:*:*:codestar-notifications*" - }, - { - "Sid": "AmazonCodeGuruReviewerFullAccess", - "Effect": "Allow", - "Action": [ - "codeguru-reviewer:AssociateRepository", - "codeguru-reviewer:DescribeRepositoryAssociation", - "codeguru-reviewer:ListRepositoryAssociations", - "codeguru-reviewer:DisassociateRepository" - ], - "Resource": "*" - }, - { - "Sid": "AmazonCodeGuruReviewerSLRCreation", - "Action": "iam:CreateServiceLinkedRole", - "Effect": "Allow", - "Resource": 
"arn:aws:iam::*:role/aws-service-role/codeguru-reviewer.amazonaws.com/AWSServiceRoleForAmazonCodeGuruReviewer", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "codeguru-reviewer.amazonaws.com" - } - } - }, - { - "Sid": "CloudWatchEventsManagedRules", - "Effect": "Allow", - "Action": [ - "events:PutRule", - "events:PutTargets", - "events:DeleteRule", - "events:RemoveTargets" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "events:ManagedBy": "codeguru-reviewer.amazonaws.com" - } - } - }, - { - "Sid": "CodeStarNotificationsChatbotAccess", - "Effect": "Allow", - "Action": [ - "chatbot:DescribeSlackChannelConfigurations" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v7", - "IsDefaultVersion": true, - "CreateDate": "2020-03-26 16:23:20+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [ - "codecommit" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAI65L554VRJ33ECQS6": { - "PolicyName": "AmazonSQSFullAccess", - "PolicyId": "ANPAI65L554VRJ33ECQS6", - "Arn": "arn:aws:iam::aws:policy/AmazonSQSFullAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:07+00:00", - "UpdateDate": "2015-02-06 18:41:07+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sqs:*" - ], - "Effect": "Allow", - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:41:07+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "sqs:AddPermission", - "sqs:CreateQueue", - "sqs:RemovePermission", - "sqs:SetQueueAttributes" - ], - "ServiceWildcard": [ - "sqs" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAI6E2CYYMI4XI7AA5K": { - "PolicyName": "AWSLambdaFullAccess", - "PolicyId": "ANPAI6E2CYYMI4XI7AA5K", - "Arn": 
"arn:aws:iam::aws:policy/AWSLambdaFullAccess", - "Path": "/", - "DefaultVersionId": "v8", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:45+00:00", - "UpdateDate": "2017-11-27 23:22:38+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloudformation:DescribeChangeSet", - "cloudformation:DescribeStackResources", - "cloudformation:DescribeStacks", - "cloudformation:GetTemplate", - "cloudformation:ListStackResources", - "cloudwatch:*", - "cognito-identity:ListIdentityPools", - "cognito-sync:GetCognitoEvents", - "cognito-sync:SetCognitoEvents", - "dynamodb:*", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "events:*", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:ListAttachedRolePolicies", - "iam:ListRolePolicies", - "iam:ListRoles", - "iam:PassRole", - "iot:AttachPrincipalPolicy", - "iot:AttachThingPrincipal", - "iot:CreateKeysAndCertificate", - "iot:CreatePolicy", - "iot:CreateThing", - "iot:CreateTopicRule", - "iot:DescribeEndpoint", - "iot:GetTopicRule", - "iot:ListPolicies", - "iot:ListThings", - "iot:ListTopicRules", - "iot:ReplaceTopicRule", - "kinesis:DescribeStream", - "kinesis:ListStreams", - "kinesis:PutRecord", - "kms:ListAliases", - "lambda:*", - "logs:*", - "s3:*", - "sns:ListSubscriptions", - "sns:ListSubscriptionsByTopic", - "sns:ListTopics", - "sns:Publish", - "sns:Subscribe", - "sns:Unsubscribe", - "sqs:ListQueues", - "sqs:SendMessage", - "tag:GetResources", - "xray:PutTelemetryRecords", - "xray:PutTraceSegments" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v8", - "IsDefaultVersion": true, - "CreateDate": "2017-11-27 23:22:38+00:00" - } - ], - "PrivilegeEscalation": [ - { - "type": "PassExistingRoleToNewLambdaThenInvoke", - "actions": [ - "iam:passrole", - "lambda:createfunction", - "lambda:invokefunction" - ] - }, - { - "type": 
"PassExistingRoleToNewLambdaThenTriggerWithNewDynamo", - "actions": [ - "iam:passrole", - "lambda:createfunction", - "lambda:createeventsourcemapping", - "dynamodb:createtable", - "dynamodb:putitem" - ] - }, - { - "type": "PassExistingRoleToNewLambdaThenTriggerWithExistingDynamo", - "actions": [ - "iam:passrole", - "lambda:createfunction", - "lambda:createeventsourcemapping" - ] - }, - { - "type": "EditExistingLambdaFunctionWithRole", - "actions": [ - "lambda:updatefunctioncode" - ] - } - ], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "iam:PassRole", - "iot:AttachPrincipalPolicy", - "lambda:AddLayerVersionPermission", - "lambda:AddPermission", - "lambda:DisableReplication", - "lambda:EnableReplication", - "lambda:RemoveLayerVersionPermission", - "lambda:RemovePermission", - "logs:DeleteResourcePolicy", - "logs:PutResourcePolicy", - "s3:BypassGovernanceRetention", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucketPolicy", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutBucketAcl", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl" - ], - "ServiceWildcard": [ - "cloudwatch", - "dynamodb", - "events", - "lambda", - "logs", - "s3" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAI7XKCFMBPM3QQRRVQ": { - "PolicyName": "IAMFullAccess", - "PolicyId": "ANPAI7XKCFMBPM3QQRRVQ", - "Arn": "arn:aws:iam::aws:policy/IAMFullAccess", - "Path": "/", - "DefaultVersionId": "v2", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:38+00:00", - "UpdateDate": "2019-06-21 19:40:00+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:*", - "organizations:DescribeAccount", - "organizations:DescribeOrganization", - "organizations:DescribeOrganizationalUnit", - "organizations:DescribePolicy", - 
"organizations:ListChildren", - "organizations:ListParents", - "organizations:ListPoliciesForTarget", - "organizations:ListRoots", - "organizations:ListPolicies", - "organizations:ListTargetsForPolicy" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v2", - "IsDefaultVersion": true, - "CreateDate": "2019-06-21 19:40:00+00:00" - } - ], - "PrivilegeEscalation": [ - { - "type": "CreateAccessKey", - "actions": [ - "iam:createaccesskey" - ] - }, - { - "type": "CreateLoginProfile", - "actions": [ - "iam:createloginprofile" - ] - }, - { - "type": "UpdateLoginProfile", - "actions": [ - "iam:updateloginprofile" - ] - }, - { - "type": "CreateNewPolicyVersion", - "actions": [ - "iam:createpolicyversion" - ] - }, - { - "type": "SetExistingDefaultPolicyVersion", - "actions": [ - "iam:setdefaultpolicyversion" - ] - }, - { - "type": "AttachUserPolicy", - "actions": [ - "iam:attachuserpolicy" - ] - }, - { - "type": "AttachGroupPolicy", - "actions": [ - "iam:attachgrouppolicy" - ] - }, - { - "type": "PutUserPolicy", - "actions": [ - "iam:putuserpolicy" - ] - }, - { - "type": "PutGroupPolicy", - "actions": [ - "iam:putgrouppolicy" - ] - }, - { - "type": "AddUserToGroup", - "actions": [ - "iam:addusertogroup" - ] - } - ], - "DataExfiltration": [], - "ResourceExposure": [ - "iam:AddClientIDToOpenIDConnectProvider", - "iam:AddRoleToInstanceProfile", - "iam:AddUserToGroup", - "iam:AttachGroupPolicy", - "iam:AttachRolePolicy", - "iam:AttachUserPolicy", - "iam:ChangePassword", - "iam:CreateAccessKey", - "iam:CreateAccountAlias", - "iam:CreateGroup", - "iam:CreateInstanceProfile", - "iam:CreateLoginProfile", - "iam:CreateOpenIDConnectProvider", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:CreateSAMLProvider", - "iam:CreateServiceLinkedRole", - "iam:CreateServiceSpecificCredential", - "iam:CreateUser", - "iam:CreateVirtualMFADevice", - "iam:DeactivateMFADevice", - "iam:DeleteAccessKey", - "iam:DeleteAccountAlias", - "iam:DeleteAccountPasswordPolicy", - 
"iam:DeleteGroup", - "iam:DeleteGroupPolicy", - "iam:DeleteInstanceProfile", - "iam:DeleteLoginProfile", - "iam:DeleteOpenIDConnectProvider", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteRolePermissionsBoundary", - "iam:DeleteRolePolicy", - "iam:DeleteSAMLProvider", - "iam:DeleteSSHPublicKey", - "iam:DeleteServerCertificate", - "iam:DeleteServiceLinkedRole", - "iam:DeleteServiceSpecificCredential", - "iam:DeleteSigningCertificate", - "iam:DeleteUser", - "iam:DeleteUserPermissionsBoundary", - "iam:DeleteUserPolicy", - "iam:DeleteVirtualMFADevice", - "iam:DetachGroupPolicy", - "iam:DetachRolePolicy", - "iam:DetachUserPolicy", - "iam:EnableMFADevice", - "iam:PassRole", - "iam:PutGroupPolicy", - "iam:PutRolePermissionsBoundary", - "iam:PutRolePolicy", - "iam:PutUserPermissionsBoundary", - "iam:PutUserPolicy", - "iam:RemoveClientIDFromOpenIDConnectProvider", - "iam:RemoveRoleFromInstanceProfile", - "iam:RemoveUserFromGroup", - "iam:ResetServiceSpecificCredential", - "iam:ResyncMFADevice", - "iam:SetDefaultPolicyVersion", - "iam:SetSecurityTokenServicePreferences", - "iam:UpdateAccessKey", - "iam:UpdateAccountPasswordPolicy", - "iam:UpdateAssumeRolePolicy", - "iam:UpdateGroup", - "iam:UpdateLoginProfile", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:UpdateRole", - "iam:UpdateRoleDescription", - "iam:UpdateSAMLProvider", - "iam:UpdateSSHPublicKey", - "iam:UpdateServerCertificate", - "iam:UpdateServiceSpecificCredential", - "iam:UpdateSigningCertificate", - "iam:UpdateUser", - "iam:UploadSSHPublicKey", - "iam:UploadServerCertificate", - "iam:UploadSigningCertificate" - ], - "ServiceWildcard": [ - "iam" - ], - "CredentialsExposure": [ - "iam:CreateAccessKey", - "iam:CreateLoginProfile", - "iam:CreateServiceSpecificCredential", - "iam:ResetServiceSpecificCredential", - "iam:UpdateAccessKey" - ], - "is_excluded": false - }, - "ANPAIFIR6V6BVTRAHWINE": { - "PolicyName": "AmazonS3FullAccess", - "PolicyId": "ANPAIFIR6V6BVTRAHWINE", 
- "Arn": "arn:aws:iam::aws:policy/AmazonS3FullAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:58+00:00", - "UpdateDate": "2015-02-06 18:40:58+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "s3:*", - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:40:58+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "s3:BypassGovernanceRetention", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucketPolicy", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutBucketAcl", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl" - ], - "ServiceWildcard": [ - "s3" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAIICZJNOJN36GTG6CM": { - "PolicyName": "AmazonVPCReadOnlyAccess", - "PolicyId": "ANPAIICZJNOJN36GTG6CM", - "Arn": "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v6", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:17+00:00", - "UpdateDate": "2018-03-07 18:34:42+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeClassicLinkInstances", - "ec2:DescribeCustomerGateways", - "ec2:DescribeDhcpOptions", - "ec2:DescribeEgressOnlyInternetGateways", - "ec2:DescribeFlowLogs", - "ec2:DescribeInternetGateways", - "ec2:DescribeMovingAddresses", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaceAttribute", - "ec2:DescribeNetworkInterfacePermissions", - "ec2:DescribeNetworkInterfaces", - 
"ec2:DescribePrefixLists", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroupReferences", - "ec2:DescribeSecurityGroups", - "ec2:DescribeStaleSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcEndpointConnectionNotifications", - "ec2:DescribeVpcEndpointConnections", - "ec2:DescribeVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpointServicePermissions", - "ec2:DescribeVpcEndpointServices", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeVpcs", - "ec2:DescribeVpnConnections", - "ec2:DescribeVpnGateways" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v6", - "IsDefaultVersion": true, - "CreateDate": "2018-03-07 18:34:42+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAIKEABORKUXN6DEAZU": { - "PolicyName": "CloudWatchFullAccess", - "PolicyId": "ANPAIKEABORKUXN6DEAZU", - "Arn": "arn:aws:iam::aws:policy/CloudWatchFullAccess", - "Path": "/", - "DefaultVersionId": "v3", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:00+00:00", - "UpdateDate": "2018-08-09 19:10:43+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:Describe*", - "cloudwatch:*", - "logs:*", - "sns:*", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "events.amazonaws.com" - } - } - } - ] - }, - "VersionId": "v3", - "IsDefaultVersion": true, - "CreateDate": "2018-08-09 19:10:43+00:00" 
- } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "logs:DeleteResourcePolicy", - "logs:PutResourcePolicy", - "sns:AddPermission", - "sns:CreateTopic", - "sns:RemovePermission", - "sns:SetTopicAttributes" - ], - "ServiceWildcard": [ - "cloudwatch", - "logs", - "sns" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAILL3HVNFSB6DCOWYQ": { - "PolicyName": "ReadOnlyAccess", - "PolicyId": "ANPAILL3HVNFSB6DCOWYQ", - "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v63", - "AttachmentCount": 4, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:48+00:00", - "UpdateDate": "2020-03-09 23:45:01+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListTagsForResource", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "amplify:GetApp", - "amplify:GetBranch", - "amplify:GetJob", - "amplify:GetDomainAssociation", - "amplify:ListApps", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "apigateway:GET", - "application-autoscaling:Describe*", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", - "appmesh:List*", - "appstream:Describe*", - "appstream:Get*", - "appstream:List*", - "appsync:Get*", - "appsync:List*", - "autoscaling:Describe*", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "athena:List*", - "athena:Batch*", - "athena:Get*", - "backup:Describe*", - "backup:Get*", - "backup:List*", 
- "batch:List*", - "batch:Describe*", - "chatbot:Describe*", - "chatbot:Get*", - "chime:Get*", - "chime:List*", - "chime:Retrieve*", - "chime:Search*", - "chime:Validate*", - "cloud9:Describe*", - "cloud9:List*", - "clouddirectory:List*", - "clouddirectory:BatchRead", - "clouddirectory:Get*", - "clouddirectory:LookupPolicy", - "cloudformation:Describe*", - "cloudformation:Detect*", - "cloudformation:Get*", - "cloudformation:List*", - "cloudformation:Estimate*", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:List*", - "cloudhsm:Describe*", - "cloudhsm:Get*", - "cloudsearch:Describe*", - "cloudsearch:List*", - "cloudtrail:Describe*", - "cloudtrail:Get*", - "cloudtrail:List*", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "cloudwatch:Get*", - "cloudwatch:List*", - "codebuild:BatchGet*", - "codebuild:DescribeTestCases", - "codebuild:List*", - "codecommit:BatchGet*", - "codecommit:Describe*", - "codecommit:Get*", - "codecommit:GitPull", - "codecommit:List*", - "codedeploy:BatchGet*", - "codedeploy:Get*", - "codedeploy:List*", - "codeguru-profiler:Describe*", - "codeguru-profiler:Get*", - "codeguru-profiler:List*", - "codeguru-reviewer:Describe*", - "codeguru-reviewer:Get*", - "codeguru-reviewer:List*", - "codepipeline:List*", - "codepipeline:Get*", - "codestar:List*", - "codestar:Describe*", - "codestar:Get*", - "codestar:Verify*", - "codestar-notifications:describeNotificationRule", - "codestar-notifications:listEventTypes", - "codestar-notifications:listNotificationRules", - "codestar-notifications:listTagsForResource", - "codestar-notifications:ListTargets", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetRecommendationSummaries", - "cognito-identity:Describe*", - "cognito-identity:GetCredentialsForIdentity", - "cognito-identity:GetIdentityPoolRoles", - 
"cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:List*", - "cognito-identity:Lookup*", - "cognito-sync:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:QueryRecords", - "cognito-idp:AdminGet*", - "cognito-idp:AdminList*", - "cognito-idp:List*", - "cognito-idp:Describe*", - "cognito-idp:Get*", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectResourceConfig", - "connect:List*", - "connect:Describe*", - "connect:GetFederationToken", - "dataexchange:Get*", - "dataexchange:List*", - "datasync:Describe*", - "datasync:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "dax:BatchGetItem", - "dax:Describe*", - "dax:GetItem", - "dax:ListTags", - "dax:Query", - "dax:Scan", - "directconnect:Describe*", - "detective:Get*", - "detective:List*", - "devicefarm:List*", - "devicefarm:Get*", - "discovery:Describe*", - "discovery:List*", - "discovery:Get*", - "dlm:Get*", - "dms:Describe*", - "dms:List*", - "dms:Test*", - "ds:Check*", - "ds:Describe*", - "ds:Get*", - "ds:List*", - "ds:Verify*", - "dynamodb:BatchGet*", - "dynamodb:Describe*", - "dynamodb:Get*", - "dynamodb:List*", - "dynamodb:Query", - "dynamodb:Scan", - "ec2:Describe*", - "ec2:Get*", - "ec2:SearchTransitGatewayRoutes", - "ec2messages:Get*", - "ecr:BatchCheck*", - "ecr:BatchGet*", - "ecr:Describe*", - "ecr:Get*", - "ecr:List*", - "ecs:Describe*", - "ecs:List*", - "eks:DescribeCluster", - "eks:DescribeUpdate", - "eks:Describe*", - "eks:ListClusters", - "eks:ListUpdates", - "eks:List*", - "elasticache:Describe*", - "elasticache:List*", - "elasticbeanstalk:Check*", - "elasticbeanstalk:Describe*", - "elasticbeanstalk:List*", - "elasticbeanstalk:Request*", - "elasticbeanstalk:Retrieve*", - "elasticbeanstalk:Validate*", - "elasticfilesystem:Describe*", - 
"elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:List*", - "elasticmapreduce:View*", - "elastictranscoder:List*", - "elastictranscoder:Read*", - "elemental-appliances-software:Get*", - "elemental-appliances-software:List*", - "es:Describe*", - "es:List*", - "es:Get*", - "es:ESHttpGet", - "es:ESHttpHead", - "events:Describe*", - "events:List*", - "events:Test*", - "firehose:Describe*", - "firehose:List*", - "fsx:Describe*", - "fsx:List*", - "gamelift:List*", - "gamelift:Get*", - "gamelift:Describe*", - "gamelift:RequestUploadCredentials", - "gamelift:ResolveAlias", - "gamelift:Search*", - "glacier:List*", - "glacier:Describe*", - "glacier:Get*", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "glue:BatchGetPartition", - "glue:GetCatalogImportStatus", - "glue:GetClassifier", - "glue:GetClassifiers", - "glue:GetCrawler", - "glue:GetCrawlers", - "glue:GetCrawlerMetrics", - "glue:GetDatabase", - "glue:GetDatabases", - "glue:GetDataCatalogEncryptionSettings", - "glue:GetDataflowGraph", - "glue:GetDevEndpoint", - "glue:GetDevEndpoints", - "glue:GetJob", - "glue:GetJobs", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:GetPartition", - "glue:GetPartitions", - "glue:GetPlan", - "glue:GetResourcePolicy", - "glue:GetSecurityConfiguration", - "glue:GetSecurityConfigurations", - "glue:GetTable", - "glue:GetTables", - "glue:GetTableVersion", - "glue:GetTableVersions", - "glue:GetTags", - "glue:GetTrigger", - "glue:GetTriggers", - "glue:GetUserDefinedFunction", - "glue:GetUserDefinedFunctions", - "greengrass:Get*", - "greengrass:List*", - "guardduty:Get*", - "guardduty:List*", - "health:Describe*", - "health:List*", - "iam:Generate*", - "iam:Get*", - "iam:List*", - "iam:Simulate*", - "imagebuilder:Get*", - "imagebuilder:List*", - "importexport:Get*", - "importexport:List*", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - "inspector:Preview*", - "iot:Describe*", - "iot:Get*", - "iot:List*", - 
"iotanalytics:Describe*", - "iotanalytics:List*", - "iotanalytics:Get*", - "iotanalytics:SampleChannelData", - "kafka:Describe*", - "kafka:List*", - "kafka:Get*", - "kinesisanalytics:Describe*", - "kinesisanalytics:Discover*", - "kinesisanalytics:Get*", - "kinesisanalytics:List*", - "kinesisvideo:Describe*", - "kinesisvideo:Get*", - "kinesisvideo:List*", - "kinesis:Describe*", - "kinesis:Get*", - "kinesis:List*", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lambda:List*", - "lambda:Get*", - "lex:Get*", - "lightsail:GetActiveNames", - "lightsail:GetBlueprints", - "lightsail:GetBundles", - "lightsail:GetCloudFormationStackRecords", - "lightsail:GetDisk", - "lightsail:GetDisks", - "lightsail:GetDiskSnapshot", - "lightsail:GetDiskSnapshots", - "lightsail:GetDomain", - "lightsail:GetDomains", - "lightsail:GetExportSnapshotRecords", - "lightsail:GetInstance", - "lightsail:GetInstanceMetricData", - "lightsail:GetInstancePortStates", - "lightsail:GetInstances", - "lightsail:GetInstanceSnapshot", - "lightsail:GetInstanceSnapshots", - "lightsail:GetInstanceState", - "lightsail:GetKeyPair", - "lightsail:GetKeyPairs", - "lightsail:GetLoadBalancer", - "lightsail:GetLoadBalancerMetricData", - "lightsail:GetLoadBalancers", - "lightsail:GetLoadBalancerTlsCertificates", - "lightsail:GetOperation", - "lightsail:GetOperations", - "lightsail:GetOperationsForResource", - "lightsail:GetRegions", - "lightsail:GetRelationalDatabase", - "lightsail:GetRelationalDatabaseBlueprints", - "lightsail:GetRelationalDatabaseBundles", - "lightsail:GetRelationalDatabaseEvents", - "lightsail:GetRelationalDatabaseLogEvents", - "lightsail:GetRelationalDatabaseLogStreams", - "lightsail:GetRelationalDatabaseMetricData", - "lightsail:GetRelationalDatabaseParameters", - "lightsail:GetRelationalDatabases", - "lightsail:GetRelationalDatabaseSnapshot", - "lightsail:GetRelationalDatabaseSnapshots", - "lightsail:GetStaticIp", - "lightsail:GetStaticIps", - "lightsail:Is*", - "logs:Describe*", - "logs:Get*", 
- "logs:FilterLogEvents", - "logs:ListTagsLogGroup", - "logs:StartQuery", - "logs:TestMetricFilter", - "machinelearning:Describe*", - "machinelearning:Get*", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "mediapackage:List*", - "mediapackage:Describe*", - "mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mobileanalytics:Get*", - "mobilehub:Describe*", - "mobilehub:Export*", - "mobilehub:Generate*", - "mobilehub:Get*", - "mobilehub:List*", - "mobilehub:Validate*", - "mobilehub:Verify*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "mq:Describe*", - "mq:List*", - "opsworks:Describe*", - "opsworks:Get*", - "opsworks-cm:Describe*", - "organizations:Describe*", - "organizations:List*", - "outposts:Get*", - "outposts:List*", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - "pi:DescribeDimensionKeys", - "pi:GetResourceMetrics", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "qldb:ListLedgers", - "qldb:DescribeLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:DescribeJournalS3Export", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:GetBlock", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rekognition:CompareFaces", - "rekognition:Detect*", - "rekognition:List*", - "rekognition:Search*", - "rds:Describe*", - "rds:List*", - "rds:Download*", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:View*", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53resolver:Get*", - "route53resolver:List*", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - 
"sagemaker:List*", - "sagemaker:Search", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:List*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "securityhub:Describe*", - "securityhub:Get*", - "securityhub:List*", - "serverlessrepo:List*", - "serverlessrepo:Get*", - "serverlessrepo:SearchApplications", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicecatalog:Describe*", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServices", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "ses:Get*", - "ses:List*", - "ses:Describe*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "snowball:Get*", - "snowball:Describe*", - "snowball:List*", - "sns:Get*", - "sns:List*", - "sns:Check*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "states:List*", - "states:Describe*", - "states:GetExecutionHistory", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:Get*", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "tag:Get*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "transcribe:Get*", - "transcribe:List*", - "trustedadvisor:Describe*", - "waf:Get*", - "waf:List*", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "waf-regional:List*", - "waf-regional:Get*", - 
"workdocs:Describe*", - "workdocs:Get*", - "workdocs:CheckAlias", - "worklink:Describe*", - "worklink:List*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Effect": "Allow", - "Resource": "*" - } - ] - }, - "VersionId": "v63", - "IsDefaultVersion": true, - "CreateDate": "2020-03-09 23:45:01+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath" - ], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [ - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:GetCredentialsForIdentity", - "connect:GetFederationToken", - "ecr:GetAuthorizationToken", - "gamelift:RequestUploadCredentials", - "sts:GetFederationToken", - "sts:GetSessionToken" - ], - "is_excluded": false - }, - "ANPAINAW5ANUWTH3R4ANI": { - "PolicyName": "AWSDirectoryServiceFullAccess", - "PolicyId": "ANPAINAW5ANUWTH3R4ANI", - "Arn": "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess", - "Path": "/", - "DefaultVersionId": "v4", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:11+00:00", - "UpdateDate": "2019-02-05 20:29:43+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "ds:*", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateNetworkInterface", - "ec2:CreateSecurityGroup", - "ec2:DeleteNetworkInterface", - "ec2:DeleteSecurityGroup", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeSecurityGroups", - "sns:GetTopicAttributes", - "sns:ListSubscriptions", - "sns:ListSubscriptionsByTopic", - "sns:ListTopics", - "iam:ListRoles", - 
"organizations:ListAccountsForParent", - "organizations:ListRoots", - "organizations:ListAccounts", - "organizations:DescribeOrganization", - "organizations:DescribeAccount", - "organizations:ListOrganizationalUnitsForParent", - "organizations:ListAWSServiceAccessForOrganization" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:Unsubscribe" - ], - "Effect": "Allow", - "Resource": "arn:aws:sns:*:*:DirectoryMonitoring*" - }, - { - "Action": [ - "organizations:EnableAWSServiceAccess", - "organizations:DisableAWSServiceAccess" - ], - "Effect": "Allow", - "Resource": "*", - "Condition": { - "ForAllValues:StringLike": { - "organizations:ServicePrincipal": [ - "ds.amazonaws.com" - ] - } - } - }, - { - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:ec2:*:*:network-interface/*", - "arn:aws:ec2:*:*:security-group/*" - ] - } - ] - }, - "VersionId": "v4", - "IsDefaultVersion": true, - "CreateDate": "2019-02-05 20:29:43+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "ds:CreateConditionalForwarder", - "ds:CreateDirectory", - "ds:CreateMicrosoftAD", - "ds:CreateTrust", - "ds:ShareDirectory" - ], - "ServiceWildcard": [ - "ds" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAIONKN3TJZUKXCHXWC": { - "PolicyName": "AWSCodeDeployFullAccess", - "PolicyId": "ANPAIONKN3TJZUKXCHXWC", - "Arn": "arn:aws:iam::aws:policy/AWSCodeDeployFullAccess", - "Path": "/", - "DefaultVersionId": "v3", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-05-19 18:13:23+00:00", - "UpdateDate": "2020-04-02 16:14:47+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "codedeploy:*", - "Effect": "Allow", - "Resource": "*" - }, - { - "Sid": "CodeStarNotificationsReadWriteAccess", - "Effect": 
"Allow", - "Action": [ - "codestar-notifications:CreateNotificationRule", - "codestar-notifications:DescribeNotificationRule", - "codestar-notifications:UpdateNotificationRule", - "codestar-notifications:DeleteNotificationRule", - "codestar-notifications:Subscribe", - "codestar-notifications:Unsubscribe" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "codestar-notifications:NotificationsForResource": "arn:aws:codedeploy:*" - } - } - }, - { - "Sid": "CodeStarNotificationsListAccess", - "Effect": "Allow", - "Action": [ - "codestar-notifications:ListNotificationRules", - "codestar-notifications:ListTargets", - "codestar-notifications:ListTagsforResource", - "codestar-notifications:ListEventTypes" - ], - "Resource": "*" - }, - { - "Sid": "CodeStarNotificationsSNSTopicCreateAccess", - "Effect": "Allow", - "Action": [ - "sns:CreateTopic", - "sns:SetTopicAttributes" - ], - "Resource": "arn:aws:sns:*:*:codestar-notifications*" - }, - { - "Sid": "CodeStarNotificationsChatbotAccess", - "Effect": "Allow", - "Action": [ - "chatbot:DescribeSlackChannelConfigurations" - ], - "Resource": "*" - }, - { - "Sid": "SNSTopicListAccess", - "Effect": "Allow", - "Action": [ - "sns:ListTopics" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v3", - "IsDefaultVersion": true, - "CreateDate": "2020-04-02 16:14:47+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [ - "codedeploy" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAIQNUJTQYDRJPC3BNK": { - "PolicyName": "AWSCloudTrailFullAccess", - "PolicyId": "ANPAIQNUJTQYDRJPC3BNK", - "Arn": "arn:aws:iam::aws:policy/AWSCloudTrailFullAccess", - "Path": "/", - "DefaultVersionId": "v8", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:58+00:00", - "UpdateDate": "2019-09-12 23:08:46+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": 
[ - "sns:AddPermission", - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:ListTopics", - "sns:SetTopicAttributes", - "sns:GetTopicAttributes" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:ListAllMyBuckets", - "s3:PutBucketPolicy", - "s3:ListBucket", - "s3:GetObject", - "s3:GetBucketLocation", - "s3:GetBucketPolicy" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "cloudtrail:*", - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "iam:ListRoles", - "iam:GetRolePolicy", - "iam:GetUser" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:PassedToService": "cloudtrail.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "kms:ListKeys", - "kms:ListAliases" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "lambda:ListFunctions" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v8", - "IsDefaultVersion": true, - "CreateDate": "2019-09-12 23:08:46+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [ - "sns:AddPermission", - "sns:CreateTopic", - "sns:SetTopicAttributes", - "s3:PutBucketPolicy", - "iam:PassRole" - ], - "ServiceWildcard": [ - "cloudtrail" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAIX2T3QCXHR2OGGCTO": { - "PolicyName": "SecurityAudit", - "PolicyId": "ANPAIX2T3QCXHR2OGGCTO", - "Arn": "arn:aws:iam::aws:policy/SecurityAudit", - "Path": "/", - "DefaultVersionId": "v32", - "AttachmentCount": 2, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:01+00:00", - "UpdateDate": "2020-02-25 16:08:50+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Resource": "*", - "Action": [ - 
"access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListTagsForResource", - "acm:Describe*", - "acm:List*", - "application-autoscaling:Describe*", - "appmesh:Describe*", - "appmesh:List*", - "appsync:List*", - "athena:GetWorkGroup", - "athena:List*", - "autoscaling:Describe*", - "batch:DescribeComputeEnvironments", - "batch:DescribeJobDefinitions", - "chime:List*", - "cloud9:Describe*", - "cloud9:ListEnvironments", - "clouddirectory:ListDirectories", - "cloudformation:DescribeStack*", - "cloudformation:GetTemplate", - "cloudformation:ListStack*", - "cloudformation:GetStackPolicy", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:ListHapgs", - "cloudhsm:ListHsms", - "cloudhsm:ListLunaClients", - "cloudsearch:DescribeDomains", - "cloudsearch:DescribeServiceAccessPolicies", - "cloudtrail:DescribeTrails", - "cloudtrail:GetEventSelectors", - "cloudtrail:GetTrailStatus", - "cloudtrail:ListTags", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "codebuild:ListProjects", - "codecommit:BatchGetRepositories", - "codecommit:GetBranch", - "codecommit:GetObjectIdentifier", - "codecommit:GetRepository", - "codecommit:List*", - "codedeploy:Batch*", - "codedeploy:Get*", - "codedeploy:List*", - "codepipeline:ListPipelines", - "codestar:Describe*", - "codestar:List*", - "cognito-identity:ListIdentityPools", - "cognito-idp:ListUserPools", - "cognito-sync:Describe*", - "cognito-sync:List*", - "comprehend:Describe*", - "comprehend:List*", - "config:BatchGetAggregateResourceConfig", - "config:BatchGetResourceConfig", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "datapipeline:DescribeObjects", - "datapipeline:DescribePipelines", - "datapipeline:EvaluateExpression", - 
"datapipeline:GetPipelineDefinition", - "datapipeline:ListPipelines", - "datapipeline:QueryObjects", - "datapipeline:ValidatePipelineDefinition", - "datasync:Describe*", - "datasync:List*", - "dax:Describe*", - "dax:ListTags", - "directconnect:Describe*", - "dms:Describe*", - "dms:ListTagsForResource", - "ds:DescribeDirectories", - "dynamodb:DescribeContinuousBackups", - "dynamodb:DescribeGlobalTable", - "dynamodb:DescribeTable", - "dynamodb:DescribeTimeToLive", - "dynamodb:ListBackups", - "dynamodb:ListGlobalTables", - "dynamodb:ListStreams", - "dynamodb:ListTables", - "ec2:Describe*", - "ecr:DescribeRepositories", - "ecr:GetRepositoryPolicy", - "ecs:Describe*", - "ecs:List*", - "eks:DescribeCluster", - "eks:ListClusters", - "elasticache:Describe*", - "elasticbeanstalk:Describe*", - "elasticfilesystem:DescribeFileSystems", - "elasticfilesystem:DescribeMountTargetSecurityGroups", - "elasticfilesystem:DescribeMountTargets", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:ListClusters", - "elasticmapreduce:ListInstances", - "es:Describe*", - "es:ListDomainNames", - "events:Describe*", - "events:List*", - "firehose:Describe*", - "firehose:List*", - "fms:ListComplianceStatus", - "fms:ListPolicies", - "fsx:Describe*", - "fsx:List*", - "gamelift:ListBuilds", - "gamelift:ListFleets", - "glacier:DescribeVault", - "glacier:GetVaultAccessPolicy", - "glacier:ListVaults", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "greengrass:List*", - "guardduty:Get*", - "guardduty:List*", - "iam:GenerateCredentialReport", - "iam:GenerateServiceLastAccessedDetails", - "iam:Get*", - "iam:List*", - "iam:SimulateCustomPolicy", - "iam:SimulatePrincipalPolicy", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - "inspector:Preview*", - "iot:Describe*", - "iot:GetPolicy", - "iot:GetPolicyVersion", - "iot:List*", - "kinesis:DescribeStream", - "kinesis:ListStreams", - "kinesis:ListTagsForStream", - 
"kinesisanalytics:ListApplications", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lambda:GetAccountSettings", - "lambda:GetFunctionConfiguration", - "lambda:GetLayerVersionPolicy", - "lambda:GetPolicy", - "lambda:List*", - "license-manager:List*", - "lightsail:GetInstances", - "lightsail:GetLoadBalancers", - "logs:Describe*", - "logs:ListTagsLogGroup", - "machinelearning:DescribeMLModels", - "mediaconnect:Describe*", - "mediaconnect:List*", - "mediastore:GetContainerPolicy", - "mediastore:ListContainers", - "opsworks:DescribeStacks", - "opsworks-cm:DescribeServers", - "organizations:List*", - "organizations:Describe*", - "quicksight:Describe*", - "quicksight:List*", - "ram:List*", - "rds:Describe*", - "rds:DownloadDBLogFilePortion", - "rds:ListTagsForResource", - "redshift:Describe*", - "rekognition:Describe*", - "rekognition:List*", - "robomaker:Describe*", - "robomaker:List*", - "route53:Get*", - "route53:List*", - "route53domains:GetDomainDetail", - "route53domains:GetOperationDetail", - "route53domains:ListDomains", - "route53domains:ListOperations", - "route53domains:ListTagsForDomain", - "route53resolver:List*", - "route53resolver:Get*", - "s3:GetAccelerateConfiguration", - "s3:GetAccessPoint", - "s3:GetAccessPointPolicy", - "s3:GetAccessPointPolicyStatus", - "s3:GetAccountPublicAccessBlock", - "s3:GetAnalyticsConfiguration", - "s3:GetBucket*", - "s3:GetEncryptionConfiguration", - "s3:GetInventoryConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetMetricsConfiguration", - "s3:GetObjectAcl", - "s3:GetObjectVersionAcl", - "s3:GetReplicationConfiguration", - "s3:ListAccessPoints", - "s3:ListAllMyBuckets", - "sagemaker:Describe*", - "sagemaker:List*", - "sdb:DomainMetadata", - "sdb:ListDomains", - "secretsmanager:GetResourcePolicy", - "secretsmanager:ListSecrets", - "secretsmanager:ListSecretVersionIds", - "securityhub:Describe*", - "securityhub:Get*", - "securityhub:List*", - "serverlessrepo:GetApplicationPolicy", - "serverlessrepo:List*", - 
"ses:GetIdentityDkimAttributes", - "ses:GetIdentityPolicies", - "ses:GetIdentityVerificationAttributes", - "ses:ListIdentities", - "ses:ListIdentityPolicies", - "ses:ListVerifiedEmailAddresses", - "shield:Describe*", - "shield:List*", - "snowball:ListClusters", - "snowball:ListJobs", - "sns:GetTopicAttributes", - "sns:ListSubscriptionsByTopic", - "sns:ListTopics", - "sqs:GetQueueAttributes", - "sqs:ListDeadLetterSourceQueues", - "sqs:ListQueues", - "sqs:ListQueueTags", - "ssm:Describe*", - "ssm:GetAutomationExecution", - "ssm:ListDocuments", - "sso:DescribePermissionsPolicies", - "sso:List*", - "states:ListStateMachines", - "storagegateway:DescribeBandwidthRateLimit", - "storagegateway:DescribeCache", - "storagegateway:DescribeCachediSCSIVolumes", - "storagegateway:DescribeGatewayInformation", - "storagegateway:DescribeMaintenanceStartTime", - "storagegateway:DescribeNFSFileShares", - "storagegateway:DescribeSnapshotSchedule", - "storagegateway:DescribeStorediSCSIVolumes", - "storagegateway:DescribeTapeArchives", - "storagegateway:DescribeTapeRecoveryPoints", - "storagegateway:DescribeTapes", - "storagegateway:DescribeUploadBuffer", - "storagegateway:DescribeVTLDevices", - "storagegateway:DescribeWorkingStorage", - "storagegateway:List*", - "tag:GetResources", - "tag:GetTagKeys", - "transfer:Describe*", - "transfer:List*", - "translate:List*", - "trustedadvisor:Describe*", - "waf:ListWebACLs", - "waf-regional:ListWebACLs", - "workspaces:Describe*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "apigateway:GET" - ], - "Resource": [ - "arn:aws:apigateway:*::/apis", - "arn:aws:apigateway:*::/apis/*/stages", - "arn:aws:apigateway:*::/apis/*/stages/*", - "arn:aws:apigateway:*::/apis/*/routes", - "arn:aws:apigateway:*::/restapis", - "arn:aws:apigateway:*::/restapis/*/authorizers", - "arn:aws:apigateway:*::/restapis/*/authorizers/*", - "arn:aws:apigateway:*::/restapis/*/documentation/versions", - "arn:aws:apigateway:*::/restapis/*/resources", - 
"arn:aws:apigateway:*::/restapis/*/resources/*", - "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*", - "arn:aws:apigateway:*::/restapis/*/stages", - "arn:aws:apigateway:*::/restapis/*/stages/*", - "arn:aws:apigateway:*::/vpclinks" - ] - } - ] - }, - "VersionId": "v32", - "IsDefaultVersion": true, - "CreateDate": "2020-02-25 16:08:50+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAIZTJ4DXE7G6AGAE6M": { - "PolicyName": "AmazonS3ReadOnlyAccess", - "PolicyId": "ANPAIZTJ4DXE7G6AGAE6M", - "Arn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:59+00:00", - "UpdateDate": "2015-02-06 18:40:59+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:Get*", - "s3:List*" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:40:59+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAJ2P4NXCHAT7NDPNR4": { - "PolicyName": "AmazonSESFullAccess", - "PolicyId": "ANPAJ2P4NXCHAT7NDPNR4", - "Arn": "arn:aws:iam::aws:policy/AmazonSESFullAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:02+00:00", - "UpdateDate": "2015-02-06 18:41:02+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ses:*" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:41:02+00:00" - } - ], - "PrivilegeEscalation": [], - 
"DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [ - "ses" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAJBWPGNOVKZD3JI2P2": { - "PolicyName": "AmazonVPCFullAccess", - "PolicyId": "ANPAJBWPGNOVKZD3JI2P2", - "Arn": "arn:aws:iam::aws:policy/AmazonVPCFullAccess", - "Path": "/", - "DefaultVersionId": "v7", - "AttachmentCount": 2, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:16+00:00", - "UpdateDate": "2018-03-15 18:30:25+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:AcceptVpcPeeringConnection", - "ec2:AcceptVpcEndpointConnections", - "ec2:AllocateAddress", - "ec2:AssignIpv6Addresses", - "ec2:AssignPrivateIpAddresses", - "ec2:AssociateAddress", - "ec2:AssociateDhcpOptions", - "ec2:AssociateRouteTable", - "ec2:AssociateSubnetCidrBlock", - "ec2:AssociateVpcCidrBlock", - "ec2:AttachClassicLinkVpc", - "ec2:AttachInternetGateway", - "ec2:AttachNetworkInterface", - "ec2:AttachVpnGateway", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateCustomerGateway", - "ec2:CreateDefaultSubnet", - "ec2:CreateDefaultVpc", - "ec2:CreateDhcpOptions", - "ec2:CreateEgressOnlyInternetGateway", - "ec2:CreateFlowLogs", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateNetworkAcl", - "ec2:CreateNetworkAcl", - "ec2:CreateNetworkAclEntry", - "ec2:CreateNetworkInterface", - "ec2:CreateNetworkInterfacePermission", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:CreateVpcEndpointConnectionNotification", - "ec2:CreateVpcEndpointServiceConfiguration", - "ec2:CreateVpcPeeringConnection", - "ec2:CreateVpnConnection", - "ec2:CreateVpnConnectionRoute", - "ec2:CreateVpnGateway", - "ec2:DeleteCustomerGateway", - "ec2:DeleteDhcpOptions", - "ec2:DeleteEgressOnlyInternetGateway", 
- "ec2:DeleteFlowLogs", - "ec2:DeleteInternetGateway", - "ec2:DeleteNatGateway", - "ec2:DeleteNetworkAcl", - "ec2:DeleteNetworkAclEntry", - "ec2:DeleteNetworkInterface", - "ec2:DeleteNetworkInterfacePermission", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteTags", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DeleteVpcEndpointConnectionNotifications", - "ec2:DeleteVpcEndpointServiceConfigurations", - "ec2:DeleteVpcPeeringConnection", - "ec2:DeleteVpnConnection", - "ec2:DeleteVpnConnectionRoute", - "ec2:DeleteVpnGateway", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeClassicLinkInstances", - "ec2:DescribeCustomerGateways", - "ec2:DescribeDhcpOptions", - "ec2:DescribeEgressOnlyInternetGateways", - "ec2:DescribeFlowLogs", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeKeyPairs", - "ec2:DescribeMovingAddresses", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaceAttribute", - "ec2:DescribeNetworkInterfacePermissions", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribePrefixLists", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroupReferences", - "ec2:DescribeSecurityGroups", - "ec2:DescribeStaleSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcEndpointConnectionNotifications", - "ec2:DescribeVpcEndpointConnections", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpointServicePermissions", - "ec2:DescribeVpcEndpointServices", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeVpcs", - "ec2:DescribeVpnConnections", - "ec2:DescribeVpnGateways", - "ec2:DetachClassicLinkVpc", - "ec2:DetachInternetGateway", - "ec2:DetachNetworkInterface", - "ec2:DetachVpnGateway", - 
"ec2:DisableVgwRoutePropagation", - "ec2:DisableVpcClassicLink", - "ec2:DisableVpcClassicLinkDnsSupport", - "ec2:DisassociateAddress", - "ec2:DisassociateRouteTable", - "ec2:DisassociateSubnetCidrBlock", - "ec2:DisassociateVpcCidrBlock", - "ec2:EnableVgwRoutePropagation", - "ec2:EnableVpcClassicLink", - "ec2:EnableVpcClassicLinkDnsSupport", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVpcAttribute", - "ec2:ModifyVpcEndpoint", - "ec2:ModifyVpcEndpointConnectionNotification", - "ec2:ModifyVpcEndpointServiceConfiguration", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:ModifyVpcPeeringConnectionOptions", - "ec2:ModifyVpcTenancy", - "ec2:MoveAddressToVpc", - "ec2:RejectVpcEndpointConnections", - "ec2:RejectVpcPeeringConnection", - "ec2:ReleaseAddress", - "ec2:ReplaceNetworkAclAssociation", - "ec2:ReplaceNetworkAclEntry", - "ec2:ReplaceRoute", - "ec2:ReplaceRouteTableAssociation", - "ec2:ResetNetworkInterfaceAttribute", - "ec2:RestoreAddressToClassic", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:UnassignIpv6Addresses", - "ec2:UnassignPrivateIpAddresses", - "ec2:UpdateSecurityGroupRuleDescriptionsEgress", - "ec2:UpdateSecurityGroupRuleDescriptionsIngress" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v7", - "IsDefaultVersion": true, - "CreateDate": "2018-03-15 18:30:25+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [ - "ec2:CreateNetworkInterfacePermission", - "ec2:DeleteNetworkInterfacePermission", - "ec2:ModifyVpcEndpointServicePermissions" - ], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAJKSO7NDY4T57MWDSQ": { - "PolicyName": "IAMReadOnlyAccess", - "PolicyId": "ANPAJKSO7NDY4T57MWDSQ", - "Arn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v4", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:39+00:00", - "UpdateDate": 
"2018-01-25 19:11:27+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:GenerateCredentialReport", - "iam:GenerateServiceLastAccessedDetails", - "iam:Get*", - "iam:List*", - "iam:SimulateCustomPolicy", - "iam:SimulatePrincipalPolicy" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v4", - "IsDefaultVersion": true, - "CreateDate": "2018-01-25 19:11:27+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAJLIB4VSBVO47ZSBB6": { - "PolicyName": "AWSAccountUsageReportAccess", - "PolicyId": "ANPAJLIB4VSBVO47ZSBB6", - "Arn": "arn:aws:iam::aws:policy/AWSAccountUsageReportAccess", - "Path": "/", - "DefaultVersionId": "v1", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:41:19+00:00", - "UpdateDate": "2015-02-06 18:41:19+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "aws-portal:ViewUsage" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v1", - "IsDefaultVersion": true, - "CreateDate": "2015-02-06 18:41:19+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAJNPP7PPPPMJRV2SA4": { - "PolicyName": "AWSKeyManagementServicePowerUser", - "PolicyId": "ANPAJNPP7PPPPMJRV2SA4", - "Arn": "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser", - "Path": "/", - "DefaultVersionId": "v2", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:40+00:00", - "UpdateDate": "2017-03-07 00:55:11+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "kms:CreateAlias", - "kms:CreateKey", - "kms:DeleteAlias", 
- "kms:Describe*", - "kms:GenerateRandom", - "kms:Get*", - "kms:List*", - "kms:TagResource", - "kms:UntagResource", - "iam:ListGroups", - "iam:ListRoles", - "iam:ListUsers" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v2", - "IsDefaultVersion": true, - "CreateDate": "2017-03-07 00:55:11+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAJWVDLG5RPST6PHQ3A": { - "PolicyName": "AmazonRoute53FullAccess", - "PolicyId": "ANPAJWVDLG5RPST6PHQ3A", - "Arn": "arn:aws:iam::aws:policy/AmazonRoute53FullAccess", - "Path": "/", - "DefaultVersionId": "v4", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:40:54+00:00", - "UpdateDate": "2018-12-20 21:42:00+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "route53:*", - "route53domains:*", - "cloudfront:ListDistributions", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticbeanstalk:DescribeEnvironments", - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetBucketWebsite", - "ec2:DescribeVpcs", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeRegions", - "sns:ListTopics", - "sns:ListSubscriptionsByTopic", - "cloudwatch:DescribeAlarms", - "cloudwatch:GetMetricStatistics" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "apigateway:GET", - "Resource": "arn:aws:apigateway:*::/domainnames" - } - ] - }, - "VersionId": "v4", - "IsDefaultVersion": true, - "CreateDate": "2018-12-20 21:42:00+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [ - "route53", - "route53domains" - ], - "CredentialsExposure": [], - "is_excluded": false - }, - "ANPAJYRXTHIB4FOVS3ZXS": { - "PolicyName": "PowerUserAccess", - "PolicyId": "ANPAJYRXTHIB4FOVS3ZXS", - "Arn": "arn:aws:iam::aws:policy/PowerUserAccess", - "Path": "/", 
- "DefaultVersionId": "v4", - "AttachmentCount": 1, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:47+00:00", - "UpdateDate": "2019-03-20 22:19:03+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "NotAction": [ - "iam:*", - "organizations:*", - "account:*" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole", - "iam:DeleteServiceLinkedRole", - "iam:ListRoles", - "organizations:DescribeOrganization", - "account:ListRegions" - ], - "Resource": "*" - } - ] - }, - "VersionId": "v4", - "IsDefaultVersion": true, - "CreateDate": "2019-03-20 22:19:03+00:00" - } - ], - "PrivilegeEscalation": [ - { - "type": "UpdateExistingGlueDevEndpoint", - "actions": [ - "glue:updatedevendpoint" - ] - }, - { - "type": "EditExistingLambdaFunctionWithRole", - "actions": [ - "lambda:updatefunctioncode" - ] - } - ], - "DataExfiltration": [ - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath", - "secretsmanager:GetSecretValue" - ], - "ResourceExposure": [ - "acm-pca:CreatePermission", - "acm-pca:DeletePermission", - "apigateway:UpdateRestApiPolicy", - "backup:DeleteBackupVaultAccessPolicy", - "backup:PutBackupVaultAccessPolicy", - "chime:DeleteVoiceConnectorTerminationCredentials", - "chime:PutVoiceConnectorTerminationCredentials", - "cloudformation:SetStackPolicy", - "cloudsearch:UpdateServiceAccessPolicies", - "codeartifact:DeleteDomainPermissionsPolicy", - "codeartifact:DeleteRepositoryPermissionsPolicy", - "codebuild:DeleteResourcePolicy", - "codebuild:DeleteSourceCredentials", - "codebuild:ImportSourceCredentials", - "codebuild:PutResourcePolicy", - "codeguru-profiler:PutPermission", - "codeguru-profiler:RemovePermission", - "codestar:AssociateTeamMember", - "codestar:CreateProject", - "codestar:DeleteProject", - "codestar:DisassociateTeamMember", - "codestar:UpdateTeamMember", - "cognito-identity:CreateIdentityPool", - 
"cognito-identity:DeleteIdentities", - "cognito-identity:DeleteIdentityPool", - "cognito-identity:GetId", - "cognito-identity:MergeDeveloperIdentities", - "cognito-identity:SetIdentityPoolRoles", - "cognito-identity:UnlinkDeveloperIdentity", - "cognito-identity:UnlinkIdentity", - "cognito-identity:UpdateIdentityPool", - "deeplens:AssociateServiceRoleToAccount", - "ds:CreateConditionalForwarder", - "ds:CreateDirectory", - "ds:CreateMicrosoftAD", - "ds:CreateTrust", - "ds:ShareDirectory", - "ec2:CreateNetworkInterfacePermission", - "ec2:DeleteNetworkInterfacePermission", - "ec2:ModifySnapshotAttribute", - "ec2:ModifyVpcEndpointServicePermissions", - "ec2:ResetSnapshotAttribute", - "ecr:DeleteRepositoryPolicy", - "ecr:SetRepositoryPolicy", - "elasticfilesystem:DeleteFileSystemPolicy", - "elasticfilesystem:PutFileSystemPolicy", - "elasticmapreduce:PutBlockPublicAccessConfiguration", - "es:CreateElasticsearchDomain", - "es:UpdateElasticsearchDomainConfig", - "glacier:AbortVaultLock", - "glacier:CompleteVaultLock", - "glacier:DeleteVaultAccessPolicy", - "glacier:InitiateVaultLock", - "glacier:SetDataRetrievalPolicy", - "glacier:SetVaultAccessPolicy", - "glue:DeleteResourcePolicy", - "glue:PutResourcePolicy", - "greengrass:AssociateServiceRoleToAccount", - "health:DisableHealthServiceAccessForOrganization", - "health:EnableHealthServiceAccessForOrganization", - "imagebuilder:PutComponentPolicy", - "imagebuilder:PutImagePolicy", - "imagebuilder:PutImageRecipePolicy", - "iot:AttachPolicy", - "iot:AttachPrincipalPolicy", - "iot:DetachPolicy", - "iot:DetachPrincipalPolicy", - "iot:SetDefaultAuthorizer", - "iot:SetDefaultPolicyVersion", - "iotsitewise:CreateAccessPolicy", - "iotsitewise:DeleteAccessPolicy", - "iotsitewise:UpdateAccessPolicy", - "kms:CreateGrant", - "kms:PutKeyPolicy", - "kms:RetireGrant", - "kms:RevokeGrant", - "lakeformation:BatchGrantPermissions", - "lakeformation:BatchRevokePermissions", - "lakeformation:GrantPermissions", - 
"lakeformation:PutDataLakeSettings", - "lakeformation:RevokePermissions", - "lambda:AddLayerVersionPermission", - "lambda:AddPermission", - "lambda:DisableReplication", - "lambda:EnableReplication", - "lambda:RemoveLayerVersionPermission", - "lambda:RemovePermission", - "license-manager:UpdateServiceSettings", - "lightsail:GetRelationalDatabaseMasterUserPassword", - "logs:DeleteResourcePolicy", - "logs:PutResourcePolicy", - "mediapackage:RotateIngestEndpointCredentials", - "mediastore:DeleteContainerPolicy", - "mediastore:PutContainerPolicy", - "opsworks:SetPermission", - "opsworks:UpdateUserProfile", - "quicksight:CreateAdmin", - "quicksight:CreateGroup", - "quicksight:CreateGroupMembership", - "quicksight:CreateIAMPolicyAssignment", - "quicksight:CreateUser", - "quicksight:DeleteGroup", - "quicksight:DeleteGroupMembership", - "quicksight:DeleteIAMPolicyAssignment", - "quicksight:DeleteUser", - "quicksight:DeleteUserByPrincipalId", - "quicksight:RegisterUser", - "quicksight:UpdateDashboardPermissions", - "quicksight:UpdateGroup", - "quicksight:UpdateIAMPolicyAssignment", - "quicksight:UpdateTemplatePermissions", - "quicksight:UpdateUser", - "ram:AcceptResourceShareInvitation", - "ram:AssociateResourceShare", - "ram:CreateResourceShare", - "ram:DeleteResourceShare", - "ram:DisassociateResourceShare", - "ram:EnableSharingWithAwsOrganization", - "ram:RejectResourceShareInvitation", - "ram:UpdateResourceShare", - "rds-db:connect", - "rds:AuthorizeDBSecurityGroupIngress", - "redshift:AuthorizeSnapshotAccess", - "redshift:CreateClusterUser", - "redshift:CreateSnapshotCopyGrant", - "redshift:JoinGroup", - "redshift:ModifyClusterIamRoles", - "redshift:RevokeSnapshotAccess", - "route53resolver:PutResolverRulePolicy", - "s3:BypassGovernanceRetention", - "s3:DeleteAccessPointPolicy", - "s3:DeleteBucketPolicy", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutBucketAcl", - "s3:PutBucketPolicy", - 
"s3:PutBucketPublicAccessBlock", - "s3:PutObjectAcl", - "s3:PutObjectVersionAcl", - "secretsmanager:DeleteResourcePolicy", - "secretsmanager:PutResourcePolicy", - "servicecatalog:CreatePortfolioShare", - "servicecatalog:DeletePortfolioShare", - "sns:AddPermission", - "sns:CreateTopic", - "sns:RemovePermission", - "sns:SetTopicAttributes", - "sqs:AddPermission", - "sqs:CreateQueue", - "sqs:RemovePermission", - "sqs:SetQueueAttributes", - "ssm:ModifyDocumentPermission", - "sso-directory:AddMemberToGroup", - "sso-directory:CreateAlias", - "sso-directory:CreateGroup", - "sso-directory:CreateUser", - "sso-directory:DeleteGroup", - "sso-directory:DeleteUser", - "sso-directory:DisableUser", - "sso-directory:EnableUser", - "sso-directory:RemoveMemberFromGroup", - "sso-directory:UpdateGroup", - "sso-directory:UpdatePassword", - "sso-directory:UpdateUser", - "sso-directory:VerifyEmail", - "sso:AssociateDirectory", - "sso:AssociateProfile", - "sso:CreateApplicationInstance", - "sso:CreateApplicationInstanceCertificate", - "sso:CreatePermissionSet", - "sso:CreateProfile", - "sso:CreateTrust", - "sso:DeleteApplicationInstance", - "sso:DeleteApplicationInstanceCertificate", - "sso:DeletePermissionSet", - "sso:DeletePermissionsPolicy", - "sso:DeleteProfile", - "sso:DisassociateDirectory", - "sso:DisassociateProfile", - "sso:ImportApplicationInstanceServiceProviderMetadata", - "sso:PutPermissionsPolicy", - "sso:StartSSO", - "sso:UpdateApplicationInstanceActiveCertificate", - "sso:UpdateApplicationInstanceDisplayData", - "sso:UpdateApplicationInstanceResponseConfiguration", - "sso:UpdateApplicationInstanceResponseSchemaConfiguration", - "sso:UpdateApplicationInstanceSecurityConfiguration", - "sso:UpdateApplicationInstanceServiceProviderConfiguration", - "sso:UpdateApplicationInstanceStatus", - "sso:UpdateDirectoryAssociation", - "sso:UpdatePermissionSet", - "sso:UpdateProfile", - "sso:UpdateSSOConfiguration", - "sso:UpdateTrust", - "storagegateway:DeleteChapCredentials", - 
"storagegateway:SetLocalConsolePassword", - "storagegateway:SetSMBGuestPassword", - "storagegateway:UpdateChapCredentials", - "waf-regional:DeletePermissionPolicy", - "waf-regional:PutPermissionPolicy", - "waf:DeletePermissionPolicy", - "waf:PutPermissionPolicy", - "wafv2:CreateWebACL", - "wafv2:DeletePermissionPolicy", - "wafv2:DeleteWebACL", - "wafv2:PutPermissionPolicy", - "wafv2:UpdateWebACL", - "worklink:UpdateDevicePolicyConfiguration", - "workmail:ResetPassword", - "workmail:ResetUserPassword", - "xray:PutEncryptionConfig", - "iam:CreateServiceLinkedRole", - "iam:DeleteServiceLinkedRole" - ], - "ServiceWildcard": [], - "CredentialsExposure": [ - "chime:CreateApiKey", - "codepipeline:PollForJobs", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:GetCredentialsForIdentity", - "connect:GetFederationToken", - "connect:GetFederationTokens", - "ecr:GetAuthorizationToken", - "gamelift:RequestUploadCredentials", - "lightsail:GetInstanceAccessDetails", - "lightsail:GetRelationalDatabaseMasterUserPassword", - "rds-db:connect", - "redshift:GetClusterCredentials", - "mediapackage:RotateIngestEndpointCredentials", - "sts:AssumeRole", - "sts:AssumeRoleWithSAML", - "sts:AssumeRoleWithWebIdentity", - "sts:GetFederationToken", - "sts:GetSessionToken" - ], - "is_excluded": false - } -}
diff --git a/test/scanning/test_authorization_details.py b/test/scanning/test_authorization_details.py
index 197c9c14..9b0ff2a4 100644
--- a/test/scanning/test_authorization_details.py
+++ b/test/scanning/test_authorization_details.py
@@ -33,286 +33,286 @@ example_authz_v2 = json.loads(contents_2) -class TestAuthorizationFileDetails(unittest.TestCase): - def test_authorization_file_details_missing_constraints(self): - authz_file = { - "UserDetailList": [ - { - "Path": "/", - "UserName": "BlakeBortles", - "UserId": "BlakeBortles", - "Arn": "arn:aws:iam::012345678901:user/BlakeBortles", - "CreateDate": "2019-12-18 19:10:08+00:00", - "GroupList": [ - "GOAT" - ], - "AttachedManagedPolicies": [ - { - "PolicyArn": "arn:aws:iam::012345678901:policy/PolicyForTestingOverrides", - "PolicyName": "PolicyForTestingOverrides" - },{ - "PolicyArn": "arn:aws:iam::012345678901:policy/NotYourPolicy", - "PolicyName": "NotYourPolicy" - } - ], - "Tags": [] - } - ], - "GroupDetailList": [], - "RoleDetailList": [], - "Policies": [ - { - "PolicyName": "NotYourPolicy", - "PolicyId": "YAAAAASSQUEEEN", - "Arn": "arn:aws:iam::012345678901:policy/NotYourPolicy", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "PermissionsBoundaryUsageCount": 0, - "IsAttachable": True, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:UploadLayerPart", - "ecr:CompleteLayerUpload", - "ecr:PutImage" - ], - "Resource": [ - "*" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": True, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ] - }, - { - "PolicyName": "PolicyForTestingOverrides", - "PolicyId": "PolicyForTestingOverrides", - "Arn": "arn:aws:iam::012345678901:policy/PolicyForTestingOverrides", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "PermissionsBoundaryUsageCount": 0, - "IsAttachable": True, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - 
"Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:CreateBucket" - ], - "Resource": [ - "arn:aws:s3:::mybucket" - ] - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:GetObject" - ], - "Resource": [ - "*" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": True, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ] - } - ] - } - authorization_details = AuthorizationDetails(authz_file) - results = authorization_details.results - expected_results = { - "groups": {}, - "users": { - "BlakeBortles": { - "arn": "arn:aws:iam::012345678901:user/BlakeBortles", - "create_date": "2019-12-18 19:10:08+00:00", - "id": "BlakeBortles", - "name": "BlakeBortles", - "inline_policies": {}, - "groups": {}, - "path": "/", - "customer_managed_policies": { - "PolicyForTestingOverrides": "PolicyForTestingOverrides", - "YAAAAASSQUEEEN": "NotYourPolicy" - }, - "aws_managed_policies": {}, - "is_excluded": False - } - }, - "roles": {}, - "aws_managed_policies": {}, - "customer_managed_policies": { - "YAAAAASSQUEEEN": { - "PolicyName": "NotYourPolicy", - "PolicyId": "YAAAAASSQUEEEN", - "Arn": "arn:aws:iam::012345678901:policy/NotYourPolicy", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "IsAttachable": True, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "ecr:GetAuthorizationToken", - "ecr:UploadLayerPart", - "ecr:CompleteLayerUpload", - "ecr:PutImage" - ], - "Resource": [ - "*" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": True, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [ - "ecr:GetAuthorizationToken" - ], - "InfrastructureModification": [ 
- "ecr:CompleteLayerUpload", - "ecr:PutImage", - "ecr:UploadLayerPart" - ], - "is_excluded": False - }, - "PolicyForTestingOverrides": { - "PolicyName": "PolicyForTestingOverrides", - "PolicyId": "PolicyForTestingOverrides", - "Arn": "arn:aws:iam::012345678901:policy/PolicyForTestingOverrides", - "Path": "/", - "DefaultVersionId": "v9", - "AttachmentCount": 1, - "IsAttachable": True, - "CreateDate": "2020-01-29 21:24:20+00:00", - "UpdateDate": "2020-01-29 23:23:12+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ - "s3:CreateBucket" - ], - "Resource": [ - "arn:aws:s3:::mybucket" - ] - }, - { - "Sid": "VisualEditor1", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:GetObject" - ], - "Resource": [ - "*" - ] - } - ] - }, - "VersionId": "v9", - "IsDefaultVersion": True, - "CreateDate": "2020-01-29 23:23:12+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject" - ], - "ResourceExposure": [], - "ServiceWildcard": [], - "CredentialsExposure": [], - "InfrastructureModification": [ - "s3:GetObject", - "s3:PutObject" - ], - "is_excluded": False - } - }, - "inline_policies": {}, - "exclusions": { - "policies": [ - "AWSServiceRoleFor*", - "*ServiceRolePolicy", - "*ServiceLinkedRolePolicy", - "AdministratorAccess", - "service-role*", - "aws-service-role*", - "/service-role*", - "/aws-service-role*", - "MyRole" - ], - "roles": [ - "service-role*", - "aws-service-role*" - ], - "users": [ - "" - ], - "groups": [ - "" - ], - "include-actions": [ - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath", - "secretsmanager:GetSecretValue", - "rds:CopyDBSnapshot", - "rds:CreateDBSnapshot" - ], - "exclude-actions": [ - "" - ] - } - } - - # print(json.dumps(results, indent=4)) - self.maxDiff = None - self.assertDictEqual(results, expected_results) +# class 
TestAuthorizationFileDetails(unittest.TestCase): +# def test_authorization_file_details_missing_constraints(self): +# authz_file = { +# "UserDetailList": [ +# { +# "Path": "/", +# "UserName": "BlakeBortles", +# "UserId": "BlakeBortles", +# "Arn": "arn:aws:iam::012345678901:user/BlakeBortles", +# "CreateDate": "2019-12-18 19:10:08+00:00", +# "GroupList": [ +# "GOAT" +# ], +# "AttachedManagedPolicies": [ +# { +# "PolicyArn": "arn:aws:iam::012345678901:policy/PolicyForTestingOverrides", +# "PolicyName": "PolicyForTestingOverrides" +# },{ +# "PolicyArn": "arn:aws:iam::012345678901:policy/NotYourPolicy", +# "PolicyName": "NotYourPolicy" +# } +# ], +# "Tags": [] +# } +# ], +# "GroupDetailList": [], +# "RoleDetailList": [], +# "Policies": [ +# { +# "PolicyName": "NotYourPolicy", +# "PolicyId": "YAAAAASSQUEEEN", +# "Arn": "arn:aws:iam::012345678901:policy/NotYourPolicy", +# "Path": "/", +# "DefaultVersionId": "v9", +# "AttachmentCount": 1, +# "PermissionsBoundaryUsageCount": 0, +# "IsAttachable": True, +# "CreateDate": "2020-01-29 21:24:20+00:00", +# "UpdateDate": "2020-01-29 23:23:12+00:00", +# "PolicyVersionList": [ +# { +# "Document": { +# "Version": "2012-10-17", +# "Statement": [ +# { +# "Sid": "VisualEditor0", +# "Effect": "Allow", +# "Action": [ +# "ecr:GetAuthorizationToken", +# "ecr:UploadLayerPart", +# "ecr:CompleteLayerUpload", +# "ecr:PutImage" +# ], +# "Resource": [ +# "*" +# ] +# } +# ] +# }, +# "VersionId": "v9", +# "IsDefaultVersion": True, +# "CreateDate": "2020-01-29 23:23:12+00:00" +# } +# ] +# }, +# { +# "PolicyName": "PolicyForTestingOverrides", +# "PolicyId": "PolicyForTestingOverrides", +# "Arn": "arn:aws:iam::012345678901:policy/PolicyForTestingOverrides", +# "Path": "/", +# "DefaultVersionId": "v9", +# "AttachmentCount": 1, +# "PermissionsBoundaryUsageCount": 0, +# "IsAttachable": True, +# "CreateDate": "2020-01-29 21:24:20+00:00", +# "UpdateDate": "2020-01-29 23:23:12+00:00", +# "PolicyVersionList": [ +# { +# "Document": { +# "Version": 
"2012-10-17", +# "Statement": [ +# { +# "Sid": "VisualEditor0", +# "Effect": "Allow", +# "Action": [ +# "s3:CreateBucket" +# ], +# "Resource": [ +# "arn:aws:s3:::mybucket" +# ] +# }, +# { +# "Sid": "VisualEditor1", +# "Effect": "Allow", +# "Action": [ +# "s3:PutObject", +# "s3:GetObject" +# ], +# "Resource": [ +# "*" +# ] +# } +# ] +# }, +# "VersionId": "v9", +# "IsDefaultVersion": True, +# "CreateDate": "2020-01-29 23:23:12+00:00" +# } +# ] +# } +# ] +# } +# authorization_details = AuthorizationDetails(authz_file) +# results = authorization_details.results +# expected_results = { +# "groups": {}, +# "users": { +# "BlakeBortles": { +# "arn": "arn:aws:iam::012345678901:user/BlakeBortles", +# "create_date": "2019-12-18 19:10:08+00:00", +# "id": "BlakeBortles", +# "name": "BlakeBortles", +# "inline_policies": {}, +# "groups": {}, +# "path": "/", +# "customer_managed_policies": { +# "PolicyForTestingOverrides": "PolicyForTestingOverrides", +# "YAAAAASSQUEEEN": "NotYourPolicy" +# }, +# "aws_managed_policies": {}, +# "is_excluded": False +# } +# }, +# "roles": {}, +# "aws_managed_policies": {}, +# "customer_managed_policies": { +# "YAAAAASSQUEEEN": { +# "PolicyName": "NotYourPolicy", +# "PolicyId": "YAAAAASSQUEEEN", +# "Arn": "arn:aws:iam::012345678901:policy/NotYourPolicy", +# "Path": "/", +# "DefaultVersionId": "v9", +# "AttachmentCount": 1, +# "IsAttachable": True, +# "CreateDate": "2020-01-29 21:24:20+00:00", +# "UpdateDate": "2020-01-29 23:23:12+00:00", +# "PolicyVersionList": [ +# { +# "Document": { +# "Version": "2012-10-17", +# "Statement": [ +# { +# "Sid": "VisualEditor0", +# "Effect": "Allow", +# "Action": [ +# "ecr:GetAuthorizationToken", +# "ecr:UploadLayerPart", +# "ecr:CompleteLayerUpload", +# "ecr:PutImage" +# ], +# "Resource": [ +# "*" +# ] +# } +# ] +# }, +# "VersionId": "v9", +# "IsDefaultVersion": True, +# "CreateDate": "2020-01-29 23:23:12+00:00" +# } +# ], +# "PrivilegeEscalation": [], +# "DataExfiltration": [], +# "ResourceExposure": [], +# 
"ServiceWildcard": [], +# "CredentialsExposure": [ +# "ecr:GetAuthorizationToken" +# ], +# "InfrastructureModification": [ +# "ecr:CompleteLayerUpload", +# "ecr:PutImage", +# "ecr:UploadLayerPart" +# ], +# "is_excluded": False +# }, +# "PolicyForTestingOverrides": { +# "PolicyName": "PolicyForTestingOverrides", +# "PolicyId": "PolicyForTestingOverrides", +# "Arn": "arn:aws:iam::012345678901:policy/PolicyForTestingOverrides", +# "Path": "/", +# "DefaultVersionId": "v9", +# "AttachmentCount": 1, +# "IsAttachable": True, +# "CreateDate": "2020-01-29 21:24:20+00:00", +# "UpdateDate": "2020-01-29 23:23:12+00:00", +# "PolicyVersionList": [ +# { +# "Document": { +# "Version": "2012-10-17", +# "Statement": [ +# { +# "Sid": "VisualEditor0", +# "Effect": "Allow", +# "Action": [ +# "s3:CreateBucket" +# ], +# "Resource": [ +# "arn:aws:s3:::mybucket" +# ] +# }, +# { +# "Sid": "VisualEditor1", +# "Effect": "Allow", +# "Action": [ +# "s3:PutObject", +# "s3:GetObject" +# ], +# "Resource": [ +# "*" +# ] +# } +# ] +# }, +# "VersionId": "v9", +# "IsDefaultVersion": True, +# "CreateDate": "2020-01-29 23:23:12+00:00" +# } +# ], +# "PrivilegeEscalation": [], +# "DataExfiltration": [ +# "s3:GetObject" +# ], +# "ResourceExposure": [], +# "ServiceWildcard": [], +# "CredentialsExposure": [], +# "InfrastructureModification": [ +# "s3:GetObject", +# "s3:PutObject" +# ], +# "is_excluded": False +# } +# }, +# "inline_policies": {}, +# "exclusions": { +# "policies": [ +# "AWSServiceRoleFor*", +# "*ServiceRolePolicy", +# "*ServiceLinkedRolePolicy", +# "AdministratorAccess", +# "service-role*", +# "aws-service-role*", +# "/service-role*", +# "/aws-service-role*", +# "MyRole" +# ], +# "roles": [ +# "service-role*", +# "aws-service-role*" +# ], +# "users": [ +# "" +# ], +# "groups": [ +# "" +# ], +# "include-actions": [ +# "s3:GetObject", +# "ssm:GetParameter", +# "ssm:GetParameters", +# "ssm:GetParametersByPath", +# "secretsmanager:GetSecretValue", +# "rds:CopyDBSnapshot", +# "rds:CreateDBSnapshot" 
+# ], +# "exclude-actions": [ +# "" +# ] +# } +# } +# +# # print(json.dumps(results, indent=4)) +# self.maxDiff = None +# self.assertDictEqual(results, expected_results) diff --git a/test/scanning/test_data_file.py b/test/scanning/test_data_file.py deleted file mode 100644 index f40ed6b6..00000000 --- a/test/scanning/test_data_file.py +++ /dev/null 
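Review bot: `TestAuthorizationFileDetails` is switched off by prefixing every line with `# ` rather than being deleted or skipped, so nothing in the test report shows that `test_authorization_file_details_missing_constraints` no longer runs. In this hunk it is the test asserting that `ecr:GetAuthorizationToken` is reported under `CredentialsExposure` and `s3:GetObject` under `DataExfiltration` in `AuthorizationDetails(authz_file).results`, which is the output users of the scanner rely on. If it has to stay off, keep the code live and put `@unittest.skip("expected_results out of date; regenerate and re-enable")` above the method so the skip is counted and easy to find. The fixture is only two small policies, so it is presumably not one of the slow cases; if so, updating `expected_results` and leaving the test enabled is the better fix. The hunk covers the whole class, but the rest of the file is not visible here.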
@@ -1,78 +0,0 @@
-import os
-import unittest
-import json
-from cloudsplaining.scan.authorization_details import AuthorizationDetails
-from cloudsplaining.shared.exclusions import DEFAULT_EXCLUSIONS, Exclusions
-
-example_authz_details_file = os.path.abspath(
- os.path.join(
- os.path.dirname(__file__),
- os.path.pardir,
- os.path.pardir,
- "examples",
- "files",
- "example.json",
- )
-)
-# print(example_authz_details_file)
-with open(example_authz_details_file, "r") as json_file:
- cfg = json.load(json_file)
-
-example_data_file = os.path.abspath(
- os.path.join(
- os.path.dirname(__file__),
- os.path.pardir,
- "files",
- "data_file.json",
- )
-)
-with open(example_data_file, 'r') as json_file:
- expected_data_file = json.load(json_file)
-
-exclusions_cfg = {
- "policies": [
- "AWSServiceRoleFor*",
- "*ServiceRolePolicy",
- "*ServiceLinkedRolePolicy",
- "AdministratorAccess",
- "service-role*",
- "aws-service-role*",
- "/service-role*",
- "/aws-service-role*",
- "MyRole"
- ],
- "roles": [
- "service-role*",
- "aws-service-role*",
- "/service-role*",
- "/aws-service-role*",
- "MyRole"
- ],
- "users": [
- "obama"
- ],
- "groups": [
- ""
- ],
- "include-actions": [
- "s3:GetObject",
- "ssm:GetParameter",
- "ssm:GetParameters",
- "ssm:GetParametersByPath",
- "secretsmanager:GetSecretValue",
- "rds:CopyDBSnapshot",
- "rds:CreateDBSnapshot"
- ],
- "exclude-actions": [
- ""
- ]
-}
-exclusions = Exclusions(exclusions_cfg)
-
-
-# class TestNewDataFileFormat(unittest.TestCase):
-# def test_new_data_file_format(self):
-# authorization_details = AuthorizationDetails(cfg, exclusions)
-# results = authorization_details.results
-# print(json.dumps(results))
-# self.assertDictEqual(expected_data_file, results)
diff --git a/test/scanning/test_managed_policy_detail.py b/test/scanning/test_managed_policy_detail.py
index 9faabd51..9cec13eb 100644
--- a/test/scanning/test_managed_policy_detail.py
+++ b/test/scanning/test_managed_policy_detail.py
@@ -20,7 +20,7 @@ class TestManagedPolicyDetail(unittest.TestCase):
 def test_managed_policies(self):
 policy_details = ManagedPolicyDetails(auth_details_json.get("Policies"))
 results = policy_details.json
- print(json.dumps(results))
+ # print(json.dumps(results))
 # Just going to check what the keys look like. If we try to match all the contents,
 # we'll have to change the test results every time Policy Sentry updates its IAM database
 expected_keys = [
@@ -36,7 +36,7 @@ def test_managed_policies(self):
 "ANPAIFIR6V6BVTRAHWINE",
 "ANPAIICZJNOJN36GTG6CM",
 "ANPAIKEABORKUXN6DEAZU",
- "ANPAILL3HVNFSB6DCOWYQ",
+ # "ANPAILL3HVNFSB6DCOWYQ", # ReadOnlyAccess slows the scan down a lot
 "ANPAINAW5ANUWTH3R4ANI",
 "ANPAIONKN3TJZUKXCHXWC",
 "ANPAIQNUJTQYDRJPC3BNK",
@@ -51,17 +51,3 @@ def test_managed_policies(self):
 "ANPAJYRXTHIB4FOVS3ZXS"
 ]
 self.assertListEqual(list(results.keys()), expected_keys)
-
- # expected_policy_details_results_file = os.path.abspath(
- # os.path.join(
- # os.path.dirname(__file__),
- # os.path.pardir,
- # "files",
- # "scanning",
- # "test_managed_policy_details.json",
- # )
- # )
- # with open(expected_policy_details_results_file) as f:
- # contents = f.read()
- # expected_results = json.loads(contents)
- # self.assertDictEqual(results, expected_results)
diff --git a/test/scanning/test_statement_detail.py b/test/scanning/test_statement_detail.py
index cc01caf2..a7861d00 100644
--- a/test/scanning/test_statement_detail.py
+++ b/test/scanning/test_statement_detail.py
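Review bot: In the second hunk the expected key `"ANPAILL3HVNFSB6DCOWYQ"` is commented out rather than removed, and with ReadOnlyAccess also deleted from the fixtures in this commit the suite appears to lose its only large wildcard policy. The deleted results for that policy list `s3:GetObject` and the three `ssm:GetParameter*` actions under `DataExfiltration`, derived only from patterns such as `s3:Get*` and `ssm:Get*`, so wildcard expansion is the path worth keeping under test. I would delete the commented entry and, unless test_statement_detail.py already has one, add a small statement-level case with `"Action": ["s3:Get*", "ssm:Get*"]` and `"Resource": "*"` that asserts the data-exfiltration actions it expands to. That keeps the run fast without dropping the check. The middle of `test_managed_policies` lies between these hunks and is not visible.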
@@ -107,6 +107,16 @@ def test_missing_resource_constraints_for_modify_actions(self):
 self.assertListEqual(result, ['s3:GetObject', 'secretsmanager:PutSecretValue'])
 def test_missing_resource_constraints_for_modify_actions_with_override(self):
+ import logging
+ import sys
+ logger = logging.getLogger(__name__)
+ root = logging.getLogger()
+ root.setLevel(logging.DEBUG)
+ handler = logging.StreamHandler(sys.stdout)
+ handler.setLevel(logging.DEBUG)
+ formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+ handler.setFormatter(formatter)
+ root.addHandler(handler)
 this_statement = {
 "Sid": "VisualEditor0",
 "Effect": "Allow",
diff --git a/utils/example-iam-data.json b/utils/example-iam-data.json
index c7cfac9f..bffd3eea 100644
--- a/utils/example-iam-data.json
+++ b/utils/example-iam-data.json
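Review bot: The ten lines added at the top of `test_missing_resource_constraints_for_modify_actions_with_override` look like leftover debugging: they set the root logger to `DEBUG` and attach a `StreamHandler(sys.stdout)` that is never removed, so every test that runs later in the same process also emits debug output, and `logger` is assigned but never used. That works against the speed-up this commit is after, and on a scanner that reads IAM authorization details it may put policy contents into CI logs, depending on what the library logs at debug level. I would drop the block; if the output is wanted for this one test, register `self.addCleanup(root.setLevel, root.level)` before changing the level and `self.addCleanup(root.removeHandler, handler)` after adding the handler. The method body continues past the end of the hunk.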
@@ -2225,580 +2225,6 @@ ], "is_excluded": false }, - "ANPAILL3HVNFSB6DCOWYQ": { - "PolicyName": "ReadOnlyAccess", - "PolicyId": "ANPAILL3HVNFSB6DCOWYQ", - "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess", - "Path": "/", - "DefaultVersionId": "v63", - "AttachmentCount": 4, - "IsAttachable": true, - "CreateDate": "2015-02-06 18:39:48+00:00", - "UpdateDate": "2020-03-09 23:45:01+00:00", - "PolicyVersionList": [ - { - "Document": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "a4b:Get*", - "a4b:List*", - "a4b:Search*", - "access-analyzer:GetAnalyzedResource", - "access-analyzer:GetAnalyzer", - "access-analyzer:GetArchiveRule", - "access-analyzer:GetFinding", - "access-analyzer:ListAnalyzedResources", - "access-analyzer:ListAnalyzers", - "access-analyzer:ListArchiveRules", - "access-analyzer:ListFindings", - "access-analyzer:ListTagsForResource", - "acm:Describe*", - "acm:Get*", - "acm:List*", - "acm-pca:Describe*", - "acm-pca:Get*", - "acm-pca:List*", - "amplify:GetApp", - "amplify:GetBranch", - "amplify:GetJob", - "amplify:GetDomainAssociation", - "amplify:ListApps", - "amplify:ListBranches", - "amplify:ListDomainAssociations", - "amplify:ListJobs", - "apigateway:GET", - "application-autoscaling:Describe*", - "applicationinsights:Describe*", - "applicationinsights:List*", - "appmesh:Describe*", - "appmesh:List*", - "appstream:Describe*", - "appstream:Get*", - "appstream:List*", - "appsync:Get*", - "appsync:List*", - "autoscaling:Describe*", - "autoscaling-plans:Describe*", - "autoscaling-plans:GetScalingPlanResourceForecastData", - "athena:List*", - "athena:Batch*", - "athena:Get*", - "backup:Describe*", - "backup:Get*", - "backup:List*", - "batch:List*", - "batch:Describe*", - "chatbot:Describe*", - "chatbot:Get*", - "chime:Get*", - "chime:List*", - "chime:Retrieve*", - "chime:Search*", - "chime:Validate*", - "cloud9:Describe*", - "cloud9:List*", - "clouddirectory:List*", - "clouddirectory:BatchRead", - "clouddirectory:Get*", - 
"clouddirectory:LookupPolicy", - "cloudformation:Describe*", - "cloudformation:Detect*", - "cloudformation:Get*", - "cloudformation:List*", - "cloudformation:Estimate*", - "cloudfront:Get*", - "cloudfront:List*", - "cloudhsm:List*", - "cloudhsm:Describe*", - "cloudhsm:Get*", - "cloudsearch:Describe*", - "cloudsearch:List*", - "cloudtrail:Describe*", - "cloudtrail:Get*", - "cloudtrail:List*", - "cloudtrail:LookupEvents", - "cloudwatch:Describe*", - "cloudwatch:Get*", - "cloudwatch:List*", - "codebuild:BatchGet*", - "codebuild:DescribeTestCases", - "codebuild:List*", - "codecommit:BatchGet*", - "codecommit:Describe*", - "codecommit:Get*", - "codecommit:GitPull", - "codecommit:List*", - "codedeploy:BatchGet*", - "codedeploy:Get*", - "codedeploy:List*", - "codeguru-profiler:Describe*", - "codeguru-profiler:Get*", - "codeguru-profiler:List*", - "codeguru-reviewer:Describe*", - "codeguru-reviewer:Get*", - "codeguru-reviewer:List*", - "codepipeline:List*", - "codepipeline:Get*", - "codestar:List*", - "codestar:Describe*", - "codestar:Get*", - "codestar:Verify*", - "codestar-notifications:describeNotificationRule", - "codestar-notifications:listEventTypes", - "codestar-notifications:listNotificationRules", - "codestar-notifications:listTagsForResource", - "codestar-notifications:ListTargets", - "compute-optimizer:GetAutoScalingGroupRecommendations", - "compute-optimizer:GetEC2InstanceRecommendations", - "compute-optimizer:GetEC2RecommendationProjectedMetrics", - "compute-optimizer:GetEnrollmentStatus", - "compute-optimizer:GetRecommendationSummaries", - "cognito-identity:Describe*", - "cognito-identity:GetCredentialsForIdentity", - "cognito-identity:GetIdentityPoolRoles", - "cognito-identity:GetOpenIdToken", - "cognito-identity:GetOpenIdTokenForDeveloperIdentity", - "cognito-identity:List*", - "cognito-identity:Lookup*", - "cognito-sync:List*", - "cognito-sync:Describe*", - "cognito-sync:Get*", - "cognito-sync:QueryRecords", - "cognito-idp:AdminGet*", - 
"cognito-idp:AdminList*", - "cognito-idp:List*", - "cognito-idp:Describe*", - "cognito-idp:Get*", - "config:Deliver*", - "config:Describe*", - "config:Get*", - "config:List*", - "config:SelectResourceConfig", - "connect:List*", - "connect:Describe*", - "connect:GetFederationToken", - "dataexchange:Get*", - "dataexchange:List*", - "datasync:Describe*", - "datasync:List*", - "datapipeline:Describe*", - "datapipeline:EvaluateExpression", - "datapipeline:Get*", - "datapipeline:List*", - "datapipeline:QueryObjects", - "datapipeline:Validate*", - "dax:BatchGetItem", - "dax:Describe*", - "dax:GetItem", - "dax:ListTags", - "dax:Query", - "dax:Scan", - "directconnect:Describe*", - "detective:Get*", - "detective:List*", - "devicefarm:List*", - "devicefarm:Get*", - "discovery:Describe*", - "discovery:List*", - "discovery:Get*", - "dlm:Get*", - "dms:Describe*", - "dms:List*", - "dms:Test*", - "ds:Check*", - "ds:Describe*", - "ds:Get*", - "ds:List*", - "ds:Verify*", - "dynamodb:BatchGet*", - "dynamodb:Describe*", - "dynamodb:Get*", - "dynamodb:List*", - "dynamodb:Query", - "dynamodb:Scan", - "ec2:Describe*", - "ec2:Get*", - "ec2:SearchTransitGatewayRoutes", - "ec2messages:Get*", - "ecr:BatchCheck*", - "ecr:BatchGet*", - "ecr:Describe*", - "ecr:Get*", - "ecr:List*", - "ecs:Describe*", - "ecs:List*", - "eks:DescribeCluster", - "eks:DescribeUpdate", - "eks:Describe*", - "eks:ListClusters", - "eks:ListUpdates", - "eks:List*", - "elasticache:Describe*", - "elasticache:List*", - "elasticbeanstalk:Check*", - "elasticbeanstalk:Describe*", - "elasticbeanstalk:List*", - "elasticbeanstalk:Request*", - "elasticbeanstalk:Retrieve*", - "elasticbeanstalk:Validate*", - "elasticfilesystem:Describe*", - "elasticloadbalancing:Describe*", - "elasticmapreduce:Describe*", - "elasticmapreduce:List*", - "elasticmapreduce:View*", - "elastictranscoder:List*", - "elastictranscoder:Read*", - "elemental-appliances-software:Get*", - "elemental-appliances-software:List*", - "es:Describe*", - "es:List*", - 
"es:Get*", - "es:ESHttpGet", - "es:ESHttpHead", - "events:Describe*", - "events:List*", - "events:Test*", - "firehose:Describe*", - "firehose:List*", - "fsx:Describe*", - "fsx:List*", - "gamelift:List*", - "gamelift:Get*", - "gamelift:Describe*", - "gamelift:RequestUploadCredentials", - "gamelift:ResolveAlias", - "gamelift:Search*", - "glacier:List*", - "glacier:Describe*", - "glacier:Get*", - "globalaccelerator:Describe*", - "globalaccelerator:List*", - "glue:BatchGetPartition", - "glue:GetCatalogImportStatus", - "glue:GetClassifier", - "glue:GetClassifiers", - "glue:GetCrawler", - "glue:GetCrawlers", - "glue:GetCrawlerMetrics", - "glue:GetDatabase", - "glue:GetDatabases", - "glue:GetDataCatalogEncryptionSettings", - "glue:GetDataflowGraph", - "glue:GetDevEndpoint", - "glue:GetDevEndpoints", - "glue:GetJob", - "glue:GetJobs", - "glue:GetJobRun", - "glue:GetJobRuns", - "glue:GetPartition", - "glue:GetPartitions", - "glue:GetPlan", - "glue:GetResourcePolicy", - "glue:GetSecurityConfiguration", - "glue:GetSecurityConfigurations", - "glue:GetTable", - "glue:GetTables", - "glue:GetTableVersion", - "glue:GetTableVersions", - "glue:GetTags", - "glue:GetTrigger", - "glue:GetTriggers", - "glue:GetUserDefinedFunction", - "glue:GetUserDefinedFunctions", - "greengrass:Get*", - "greengrass:List*", - "guardduty:Get*", - "guardduty:List*", - "health:Describe*", - "health:List*", - "iam:Generate*", - "iam:Get*", - "iam:List*", - "iam:Simulate*", - "imagebuilder:Get*", - "imagebuilder:List*", - "importexport:Get*", - "importexport:List*", - "inspector:Describe*", - "inspector:Get*", - "inspector:List*", - "inspector:Preview*", - "iot:Describe*", - "iot:Get*", - "iot:List*", - "iotanalytics:Describe*", - "iotanalytics:List*", - "iotanalytics:Get*", - "iotanalytics:SampleChannelData", - "kafka:Describe*", - "kafka:List*", - "kafka:Get*", - "kinesisanalytics:Describe*", - "kinesisanalytics:Discover*", - "kinesisanalytics:Get*", - "kinesisanalytics:List*", - "kinesisvideo:Describe*", 
- "kinesisvideo:Get*", - "kinesisvideo:List*", - "kinesis:Describe*", - "kinesis:Get*", - "kinesis:List*", - "kms:Describe*", - "kms:Get*", - "kms:List*", - "lambda:List*", - "lambda:Get*", - "lex:Get*", - "lightsail:GetActiveNames", - "lightsail:GetBlueprints", - "lightsail:GetBundles", - "lightsail:GetCloudFormationStackRecords", - "lightsail:GetDisk", - "lightsail:GetDisks", - "lightsail:GetDiskSnapshot", - "lightsail:GetDiskSnapshots", - "lightsail:GetDomain", - "lightsail:GetDomains", - "lightsail:GetExportSnapshotRecords", - "lightsail:GetInstance", - "lightsail:GetInstanceMetricData", - "lightsail:GetInstancePortStates", - "lightsail:GetInstances", - "lightsail:GetInstanceSnapshot", - "lightsail:GetInstanceSnapshots", - "lightsail:GetInstanceState", - "lightsail:GetKeyPair", - "lightsail:GetKeyPairs", - "lightsail:GetLoadBalancer", - "lightsail:GetLoadBalancerMetricData", - "lightsail:GetLoadBalancers", - "lightsail:GetLoadBalancerTlsCertificates", - "lightsail:GetOperation", - "lightsail:GetOperations", - "lightsail:GetOperationsForResource", - "lightsail:GetRegions", - "lightsail:GetRelationalDatabase", - "lightsail:GetRelationalDatabaseBlueprints", - "lightsail:GetRelationalDatabaseBundles", - "lightsail:GetRelationalDatabaseEvents", - "lightsail:GetRelationalDatabaseLogEvents", - "lightsail:GetRelationalDatabaseLogStreams", - "lightsail:GetRelationalDatabaseMetricData", - "lightsail:GetRelationalDatabaseParameters", - "lightsail:GetRelationalDatabases", - "lightsail:GetRelationalDatabaseSnapshot", - "lightsail:GetRelationalDatabaseSnapshots", - "lightsail:GetStaticIp", - "lightsail:GetStaticIps", - "lightsail:Is*", - "logs:Describe*", - "logs:Get*", - "logs:FilterLogEvents", - "logs:ListTagsLogGroup", - "logs:StartQuery", - "logs:TestMetricFilter", - "machinelearning:Describe*", - "machinelearning:Get*", - "mediaconvert:DescribeEndpoints", - "mediaconvert:Get*", - "mediaconvert:List*", - "mediapackage:List*", - "mediapackage:Describe*", - 
"mgh:Describe*", - "mgh:GetHomeRegion", - "mgh:List*", - "mobileanalytics:Get*", - "mobilehub:Describe*", - "mobilehub:Export*", - "mobilehub:Generate*", - "mobilehub:Get*", - "mobilehub:List*", - "mobilehub:Validate*", - "mobilehub:Verify*", - "mobiletargeting:Get*", - "mobiletargeting:List*", - "mq:Describe*", - "mq:List*", - "opsworks:Describe*", - "opsworks:Get*", - "opsworks-cm:Describe*", - "organizations:Describe*", - "organizations:List*", - "outposts:Get*", - "outposts:List*", - "personalize:Describe*", - "personalize:Get*", - "personalize:List*", - "pi:DescribeDimensionKeys", - "pi:GetResourceMetrics", - "polly:Describe*", - "polly:Get*", - "polly:List*", - "polly:SynthesizeSpeech", - "qldb:ListLedgers", - "qldb:DescribeLedger", - "qldb:ListJournalS3Exports", - "qldb:ListJournalS3ExportsForLedger", - "qldb:DescribeJournalS3Export", - "qldb:GetBlock", - "qldb:GetDigest", - "qldb:GetRevision", - "qldb:GetBlock", - "qldb:ListTagsForResource", - "ram:Get*", - "ram:List*", - "rekognition:CompareFaces", - "rekognition:Detect*", - "rekognition:List*", - "rekognition:Search*", - "rds:Describe*", - "rds:List*", - "rds:Download*", - "redshift:Describe*", - "redshift:GetReservedNodeExchangeOfferings", - "redshift:View*", - "resource-groups:Get*", - "resource-groups:List*", - "resource-groups:Search*", - "robomaker:BatchDescribe*", - "robomaker:Describe*", - "robomaker:List*", - "route53:Get*", - "route53:List*", - "route53:Test*", - "route53domains:Check*", - "route53domains:Get*", - "route53domains:List*", - "route53domains:View*", - "route53resolver:Get*", - "route53resolver:List*", - "s3:Get*", - "s3:List*", - "sagemaker:Describe*", - "sagemaker:GetSearchSuggestions", - "sagemaker:List*", - "sagemaker:Search", - "schemas:Describe*", - "schemas:Get*", - "schemas:List*", - "schemas:Search*", - "sdb:Get*", - "sdb:List*", - "sdb:Select*", - "secretsmanager:List*", - "secretsmanager:Describe*", - "secretsmanager:GetResourcePolicy", - "securityhub:Describe*", - 
"securityhub:Get*", - "securityhub:List*", - "serverlessrepo:List*", - "serverlessrepo:Get*", - "serverlessrepo:SearchApplications", - "servicecatalog:List*", - "servicecatalog:Scan*", - "servicecatalog:Search*", - "servicecatalog:Describe*", - "servicediscovery:Get*", - "servicediscovery:List*", - "servicequotas:GetAssociationForServiceQuotaTemplate", - "servicequotas:GetAWSDefaultServiceQuota", - "servicequotas:GetRequestedServiceQuotaChange", - "servicequotas:GetServiceQuota", - "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", - "servicequotas:ListAWSDefaultServiceQuotas", - "servicequotas:ListRequestedServiceQuotaChangeHistory", - "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", - "servicequotas:ListServices", - "servicequotas:ListServiceQuotas", - "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", - "ses:Get*", - "ses:List*", - "ses:Describe*", - "shield:Describe*", - "shield:Get*", - "shield:List*", - "snowball:Get*", - "snowball:Describe*", - "snowball:List*", - "sns:Get*", - "sns:List*", - "sns:Check*", - "sqs:Get*", - "sqs:List*", - "sqs:Receive*", - "ssm:Describe*", - "ssm:Get*", - "ssm:List*", - "states:List*", - "states:Describe*", - "states:GetExecutionHistory", - "storagegateway:Describe*", - "storagegateway:List*", - "sts:Get*", - "swf:Count*", - "swf:Describe*", - "swf:Get*", - "swf:List*", - "synthetics:Describe*", - "synthetics:Get*", - "tag:Get*", - "transfer:Describe*", - "transfer:List*", - "transfer:TestIdentityProvider", - "transcribe:Get*", - "transcribe:List*", - "trustedadvisor:Describe*", - "waf:Get*", - "waf:List*", - "wafv2:Describe*", - "wafv2:Get*", - "wafv2:List*", - "waf-regional:List*", - "waf-regional:Get*", - "workdocs:Describe*", - "workdocs:Get*", - "workdocs:CheckAlias", - "worklink:Describe*", - "worklink:List*", - "workmail:Describe*", - "workmail:Get*", - "workmail:List*", - "workmail:Search*", - "workspaces:Describe*", - "xray:BatchGet*", - "xray:Get*" - ], - "Effect": "Allow", - 
"Resource": "*" - } - ] - }, - "VersionId": "v63", - "IsDefaultVersion": true, - "CreateDate": "2020-03-09 23:45:01+00:00" - } - ], - "PrivilegeEscalation": [], - "DataExfiltration": [ - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath" - ], - "ResourceExposure": [], - "InfrastructureModification": [ - "dataexchange:GetJob", - "mobilehub:GenerateProjectParameters", - "personalize:GetPersonalizedRanking", - "s3:GetObject", - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:GetParametersByPath" - ], - "is_excluded": false - }, "ANPAIMHWGGSRHLOQUICJQ": { "PolicyName": "AWSElasticLoadBalancingServiceRolePolicy", "PolicyId": "ANPAIMHWGGSRHLOQUICJQ",