| Account name | Account ID | Collection date |
|---|---|---|
| NCCGroup-BascWorkshop | XXXXXXXXXXXX | 2020-03-27 |

| Account name | S3 buckets | EC2 instances | ELBs | ELBv2s | RDS instances | Redshift clusters | ElasticSearch domains | Elasticache clusters | SNS topics | SQS queues | CloudFronts | Autoscaling groups | ElasticBeanstalks | Firehose streams | Glacier vaults | KMS keys | Lambda functions |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NCCGroup-BascWorkshop | 9 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | 1 | 1 | 0 | 0 | 0 | 0 | 1 | 5 | 0 |

This table shows whether a region contains the resources being counted. Currently all S3 buckets, no matter their location, and CloudFronts, are identified as being in us-east-1.

| Account name | eu-north-1 | ap-south-1 | eu-west-3 | eu-west-2 | eu-west-1 | ap-northeast-2 | ap-northeast-1 | sa-east-1 | ca-central-1 | ap-southeast-1 | ap-southeast-2 | eu-central-1 | us-east-1 | us-east-2 | us-west-1 | us-west-2 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NCCGroup-BascWorkshop | | | | | | | | | | | | | Y (S3 buckets: 9, EC2 instances: 1, ELBs: 1, ELBv2s: 1, RDS instances: 1, Redshift clusters: 1, ElasticSearch domains: 1, SNS topics: 1, SQS queues: 1, Glacier vaults: 1, KMS keys: 5) | | | |

| Account name | ec2 | elb | elbv2 | rds | redshift | ecs | autoscaling | cloudfront | apigateway |
|---|---|---|---|---|---|---|---|---|---|
| NCCGroup-BascWorkshop | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

Severity: Medium
Issue ID: GUARDDUTY_OFF
GuardDuty is an AWS threat detection service that detects compromised access keys, EC2 instances, and more. It should be enabled in all regions.
Severity: High
Issue ID: S3_PUBLIC_ACL
Access to S3 buckets should be controlled by policies, not ACLs. ACLs result in overly permissive privileges to list the contents of the bucket.
{
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AllUsers"
},
"Permission": "READ"
}
Severity: Info
Issue ID: S3_PUBLIC_POLICY_GETOBJECT_ONLY
This is the right way to make an S3 bucket public when you don't want to put CloudFront in front of it. This may be done when a third-party caching service is being used and you don't care about direct access to the S3 bucket.
Severity: High
Issue ID: S3_PUBLIC_POLICY
This S3 bucket allows more public access than simply GetObject. These public privileges should be reduced.
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::sadcloudhetonlys320200327155801216200000006/*\",\"arn:aws:s3:::sadcloudhetonlys320200327155801216200000006\"]}]}"
Severity: Low
Issue ID: S3_ACCESS_BLOCK_OFF
This control prevents S3 buckets from being made public. If there are no public S3 buckets in the account this should be turned on.
Severity: Low
Issue ID: IAM_CUSTOM_POLICY_ALLOWS_ADMIN
Instead of using the AdministratorAccess policy, a custom policy was created that does the same thing, or allows escalation to the same thing.
{
"policy": {
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"policy": {
"Statement": [
{
"Action": [
"*"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"comment": "Role has custom policy allowing admin",
"policy": {
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"ec2:Describe*"
],
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"comment": "Group has custom policy allowing admin",
"policy": {
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"ec2:*"
],
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"comment": "User has custom policy allowing admin",
"policy": {
"Statement": [
{
"Effect": "Allow",
"NotAction": "s3:DeleteBucket",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
Severity: Low
Issue ID: IAM_LINTER
Issues identified by the IAM linter Parliament.
{
"issue": "UNKNOWN_PREFIX",
"severity": "",
"policy": {
"Statement": [
{
"Action": [
"a4b:Get*",
"a4b:List*",
"a4b:Search*",
"access-analyzer:GetAnalyzedResource",
"access-analyzer:GetAnalyzer",
"access-analyzer:GetArchiveRule",
"access-analyzer:GetFinding",
"access-analyzer:ListAnalyzedResources",
"access-analyzer:ListAnalyzers",
"access-analyzer:ListArchiveRules",
"access-analyzer:ListFindings",
"access-analyzer:ListTagsForResource",
"acm:Describe*",
"acm:Get*",
"acm:List*",
"acm-pca:Describe*",
"acm-pca:Get*",
"acm-pca:List*",
"amplify:GetApp",
"amplify:GetBranch",
"amplify:GetJob",
"amplify:GetDomainAssociation",
"amplify:ListApps",
"amplify:ListBranches",
"amplify:ListDomainAssociations",
"amplify:ListJobs",
"apigateway:GET",
"application-autoscaling:Describe*",
"applicationinsights:Describe*",
"applicationinsights:List*",
"appmesh:Describe*",
"appmesh:List*",
"appstream:Describe*",
"appstream:Get*",
"appstream:List*",
"appsync:Get*",
"appsync:List*",
"autoscaling:Describe*",
"autoscaling-plans:Describe*",
"autoscaling-plans:GetScalingPlanResourceForecastData",
"athena:List*",
"athena:Batch*",
"athena:Get*",
"backup:Describe*",
"backup:Get*",
"backup:List*",
"batch:List*",
"batch:Describe*",
"chatbot:Describe*",
"chatbot:Get*",
"chime:Get*",
"chime:List*",
"chime:Retrieve*",
"chime:Search*",
"chime:Validate*",
"cloud9:Describe*",
"cloud9:List*",
"clouddirectory:List*",
"clouddirectory:BatchRead",
"clouddirectory:Get*",
"clouddirectory:LookupPolicy",
"cloudformation:Describe*",
"cloudformation:Detect*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:Estimate*",
"cloudfront:Get*",
"cloudfront:List*",
"cloudhsm:List*",
"cloudhsm:Describe*",
"cloudhsm:Get*",
"cloudsearch:Describe*",
"cloudsearch:List*",
"cloudtrail:Describe*",
"cloudtrail:Get*",
"cloudtrail:List*",
"cloudtrail:LookupEvents",
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"codebuild:BatchGet*",
"codebuild:DescribeTestCases",
"codebuild:List*",
"codecommit:BatchGet*",
"codecommit:Describe*",
"codecommit:Get*",
"codecommit:GitPull",
"codecommit:List*",
"codedeploy:BatchGet*",
"codedeploy:Get*",
"codedeploy:List*",
"codeguru-profiler:Describe*",
"codeguru-profiler:Get*",
"codeguru-profiler:List*",
"codeguru-reviewer:Describe*",
"codeguru-reviewer:Get*",
"codeguru-reviewer:List*",
"codepipeline:List*",
"codepipeline:Get*",
"codestar:List*",
"codestar:Describe*",
"codestar:Get*",
"codestar:Verify*",
"codestar-notifications:describeNotificationRule",
"codestar-notifications:listEventTypes",
"codestar-notifications:listNotificationRules",
"codestar-notifications:listTagsForResource",
"codestar-notifications:ListTargets",
"compute-optimizer:GetAutoScalingGroupRecommendations",
"compute-optimizer:GetEC2InstanceRecommendations",
"compute-optimizer:GetEC2RecommendationProjectedMetrics",
"compute-optimizer:GetEnrollmentStatus",
"compute-optimizer:GetRecommendationSummaries",
"cognito-identity:Describe*",
"cognito-identity:GetCredentialsForIdentity",
"cognito-identity:GetIdentityPoolRoles",
"cognito-identity:GetOpenIdToken",
"cognito-identity:GetOpenIdTokenForDeveloperIdentity",
"cognito-identity:List*",
"cognito-identity:Lookup*",
"cognito-sync:List*",
"cognito-sync:Describe*",
"cognito-sync:Get*",
"cognito-sync:QueryRecords",
"cognito-idp:AdminGet*",
"cognito-idp:AdminList*",
"cognito-idp:List*",
"cognito-idp:Describe*",
"cognito-idp:Get*",
"config:Deliver*",
"config:Describe*",
"config:Get*",
"config:List*",
"config:SelectResourceConfig",
"connect:List*",
"connect:Describe*",
"connect:GetFederationToken",
"dataexchange:Get*",
"dataexchange:List*",
"datasync:Describe*",
"datasync:List*",
"datapipeline:Describe*",
"datapipeline:EvaluateExpression",
"datapipeline:Get*",
"datapipeline:List*",
"datapipeline:QueryObjects",
"datapipeline:Validate*",
"dax:BatchGetItem",
"dax:Describe*",
"dax:GetItem",
"dax:ListTags",
"dax:Query",
"dax:Scan",
"directconnect:Describe*",
"detective:Get*",
"detective:List*",
"devicefarm:List*",
"devicefarm:Get*",
"discovery:Describe*",
"discovery:List*",
"discovery:Get*",
"dlm:Get*",
"dms:Describe*",
"dms:List*",
"dms:Test*",
"ds:Check*",
"ds:Describe*",
"ds:Get*",
"ds:List*",
"ds:Verify*",
"dynamodb:BatchGet*",
"dynamodb:Describe*",
"dynamodb:Get*",
"dynamodb:List*",
"dynamodb:Query",
"dynamodb:Scan",
"ec2:Describe*",
"ec2:Get*",
"ec2:SearchTransitGatewayRoutes",
"ec2messages:Get*",
"ecr:BatchCheck*",
"ecr:BatchGet*",
"ecr:Describe*",
"ecr:Get*",
"ecr:List*",
"ecs:Describe*",
"ecs:List*",
"eks:DescribeCluster",
"eks:DescribeUpdate",
"eks:Describe*",
"eks:ListClusters",
"eks:ListUpdates",
"eks:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:Request*",
"elasticbeanstalk:Retrieve*",
"elasticbeanstalk:Validate*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"elasticmapreduce:View*",
"elastictranscoder:List*",
"elastictranscoder:Read*",
"elemental-appliances-software:Get*",
"elemental-appliances-software:List*",
"es:Describe*",
"es:List*",
"es:Get*",
"es:ESHttpGet",
"es:ESHttpHead",
"events:Describe*",
"events:List*",
"events:Test*",
"firehose:Describe*",
"firehose:List*",
"fsx:Describe*",
"fsx:List*",
"gamelift:List*",
"gamelift:Get*",
"gamelift:Describe*",
"gamelift:RequestUploadCredentials",
"gamelift:ResolveAlias",
"gamelift:Search*",
"glacier:List*",
"glacier:Describe*",
"glacier:Get*",
"globalaccelerator:Describe*",
"globalaccelerator:List*",
"glue:BatchGetPartition",
"glue:GetCatalogImportStatus",
"glue:GetClassifier",
"glue:GetClassifiers",
"glue:GetCrawler",
"glue:GetCrawlers",
"glue:GetCrawlerMetrics",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetDataCatalogEncryptionSettings",
"glue:GetDataflowGraph",
"glue:GetDevEndpoint",
"glue:GetDevEndpoints",
"glue:GetJob",
"glue:GetJobs",
"glue:GetJobRun",
"glue:GetJobRuns",
"glue:GetPartition",
"glue:GetPartitions",
"glue:GetPlan",
"glue:GetResourcePolicy",
"glue:GetSecurityConfiguration",
"glue:GetSecurityConfigurations",
"glue:GetTable",
"glue:GetTables",
"glue:GetTableVersion",
"glue:GetTableVersions",
"glue:GetTags",
"glue:GetTrigger",
"glue:GetTriggers",
"glue:GetUserDefinedFunction",
"glue:GetUserDefinedFunctions",
"greengrass:Get*",
"greengrass:List*",
"guardduty:Get*",
"guardduty:List*",
"health:Describe*",
"health:List*",
"iam:Generate*",
"iam:Get*",
"iam:List*",
"iam:Simulate*",
"imagebuilder:Get*",
"imagebuilder:List*",
"importexport:Get*",
"importexport:List*",
"inspector:Describe*",
"inspector:Get*",
"inspector:List*",
"inspector:Preview*",
"iot:Describe*",
"iot:Get*",
"iot:List*",
"iotanalytics:Describe*",
"iotanalytics:List*",
"iotanalytics:Get*",
"iotanalytics:SampleChannelData",
"kafka:Describe*",
"kafka:List*",
"kafka:Get*",
"kinesisanalytics:Describe*",
"kinesisanalytics:Discover*",
"kinesisanalytics:Get*",
"kinesisanalytics:List*",
"kinesisvideo:Describe*",
"kinesisvideo:Get*",
"kinesisvideo:List*",
"kinesis:Describe*",
"kinesis:Get*",
"kinesis:List*",
"kms:Describe*",
"kms:Get*",
"kms:List*",
"lambda:List*",
"lambda:Get*",
"lex:Get*",
"lightsail:GetActiveNames",
"lightsail:GetBlueprints",
"lightsail:GetBundles",
"lightsail:GetCloudFormationStackRecords",
"lightsail:GetDisk",
"lightsail:GetDisks",
"lightsail:GetDiskSnapshot",
"lightsail:GetDiskSnapshots",
"lightsail:GetDomain",
"lightsail:GetDomains",
"lightsail:GetExportSnapshotRecords",
"lightsail:GetInstance",
"lightsail:GetInstanceMetricData",
"lightsail:GetInstancePortStates",
"lightsail:GetInstances",
"lightsail:GetInstanceSnapshot",
"lightsail:GetInstanceSnapshots",
"lightsail:GetInstanceState",
"lightsail:GetKeyPair",
"lightsail:GetKeyPairs",
"lightsail:GetLoadBalancer",
"lightsail:GetLoadBalancerMetricData",
"lightsail:GetLoadBalancers",
"lightsail:GetLoadBalancerTlsCertificates",
"lightsail:GetOperation",
"lightsail:GetOperations",
"lightsail:GetOperationsForResource",
"lightsail:GetRegions",
"lightsail:GetRelationalDatabase",
"lightsail:GetRelationalDatabaseBlueprints",
"lightsail:GetRelationalDatabaseBundles",
"lightsail:GetRelationalDatabaseEvents",
"lightsail:GetRelationalDatabaseLogEvents",
"lightsail:GetRelationalDatabaseLogStreams",
"lightsail:GetRelationalDatabaseMetricData",
"lightsail:GetRelationalDatabaseParameters",
"lightsail:GetRelationalDatabases",
"lightsail:GetRelationalDatabaseSnapshot",
"lightsail:GetRelationalDatabaseSnapshots",
"lightsail:GetStaticIp",
"lightsail:GetStaticIps",
"lightsail:Is*",
"logs:Describe*",
"logs:Get*",
"logs:FilterLogEvents",
"logs:ListTagsLogGroup",
"logs:StartQuery",
"logs:TestMetricFilter",
"machinelearning:Describe*",
"machinelearning:Get*",
"mediaconvert:DescribeEndpoints",
"mediaconvert:Get*",
"mediaconvert:List*",
"mediapackage:List*",
"mediapackage:Describe*",
"mgh:Describe*",
"mgh:GetHomeRegion",
"mgh:List*",
"mobileanalytics:Get*",
"mobilehub:Describe*",
"mobilehub:Export*",
"mobilehub:Generate*",
"mobilehub:Get*",
"mobilehub:List*",
"mobilehub:Validate*",
"mobilehub:Verify*",
"mobiletargeting:Get*",
"mobiletargeting:List*",
"mq:Describe*",
"mq:List*",
"opsworks:Describe*",
"opsworks:Get*",
"opsworks-cm:Describe*",
"organizations:Describe*",
"organizations:List*",
"outposts:Get*",
"outposts:List*",
"personalize:Describe*",
"personalize:Get*",
"personalize:List*",
"pi:DescribeDimensionKeys",
"pi:GetResourceMetrics",
"polly:Describe*",
"polly:Get*",
"polly:List*",
"polly:SynthesizeSpeech",
"qldb:ListLedgers",
"qldb:DescribeLedger",
"qldb:ListJournalS3Exports",
"qldb:ListJournalS3ExportsForLedger",
"qldb:DescribeJournalS3Export",
"qldb:GetBlock",
"qldb:GetDigest",
"qldb:GetRevision",
"qldb:GetBlock",
"qldb:ListTagsForResource",
"ram:Get*",
"ram:List*",
"rekognition:CompareFaces",
"rekognition:Detect*",
"rekognition:List*",
"rekognition:Search*",
"rds:Describe*",
"rds:List*",
"rds:Download*",
"redshift:Describe*",
"redshift:GetReservedNodeExchangeOfferings",
"redshift:View*",
"resource-groups:Get*",
"resource-groups:List*",
"resource-groups:Search*",
"robomaker:BatchDescribe*",
"robomaker:Describe*",
"robomaker:List*",
"route53:Get*",
"route53:List*",
"route53:Test*",
"route53domains:Check*",
"route53domains:Get*",
"route53domains:List*",
"route53domains:View*",
"route53resolver:Get*",
"route53resolver:List*",
"s3:Get*",
"s3:List*",
"sagemaker:Describe*",
"sagemaker:GetSearchSuggestions",
"sagemaker:List*",
"sagemaker:Search",
"schemas:Describe*",
"schemas:Get*",
"schemas:List*",
"schemas:Search*",
"sdb:Get*",
"sdb:List*",
"sdb:Select*",
"secretsmanager:List*",
"secretsmanager:Describe*",
"secretsmanager:GetResourcePolicy",
"securityhub:Describe*",
"securityhub:Get*",
"securityhub:List*",
"serverlessrepo:List*",
"serverlessrepo:Get*",
"serverlessrepo:SearchApplications",
"servicecatalog:List*",
"servicecatalog:Scan*",
"servicecatalog:Search*",
"servicecatalog:Describe*",
"servicediscovery:Get*",
"servicediscovery:List*",
"servicequotas:GetAssociationForServiceQuotaTemplate",
"servicequotas:GetAWSDefaultServiceQuota",
"servicequotas:GetRequestedServiceQuotaChange",
"servicequotas:GetServiceQuota",
"servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
"servicequotas:ListAWSDefaultServiceQuotas",
"servicequotas:ListRequestedServiceQuotaChangeHistory",
"servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
"servicequotas:ListServices",
"servicequotas:ListServiceQuotas",
"servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
"ses:Get*",
"ses:List*",
"ses:Describe*",
"shield:Describe*",
"shield:Get*",
"shield:List*",
"snowball:Get*",
"snowball:Describe*",
"snowball:List*",
"sns:Get*",
"sns:List*",
"sns:Check*",
"sqs:Get*",
"sqs:List*",
"sqs:Receive*",
"ssm:Describe*",
"ssm:Get*",
"ssm:List*",
"states:List*",
"states:Describe*",
"states:GetExecutionHistory",
"storagegateway:Describe*",
"storagegateway:List*",
"sts:Get*",
"swf:Count*",
"swf:Describe*",
"swf:Get*",
"swf:List*",
"synthetics:Describe*",
"synthetics:Get*",
"tag:Get*",
"transfer:Describe*",
"transfer:List*",
"transfer:TestIdentityProvider",
"transcribe:Get*",
"transcribe:List*",
"trustedadvisor:Describe*",
"waf:Get*",
"waf:List*",
"wafv2:Describe*",
"wafv2:Get*",
"wafv2:List*",
"waf-regional:List*",
"waf-regional:Get*",
"workdocs:Describe*",
"workdocs:Get*",
"workdocs:CheckAlias",
"worklink:Describe*",
"worklink:List*",
"workmail:Describe*",
"workmail:Get*",
"workmail:List*",
"workmail:Search*",
"workspaces:Describe*",
"xray:BatchGet*",
"xray:Get*"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
{
"issue": "RESOURCE_MISMATCH",
"severity": "",
"location": "{'actions': ['logs:CreateLogGroup'], 'filepath': None}",
"policy": {
"Statement": [
{
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateVpcEndpoint",
"ec2:DescribeVpcEndpoints",
"ec2:DeleteVpcEndpoints",
"ec2:AssignPrivateIpAddresses",
"ec2:UnassignPrivateIpAddresses"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sns:Publish"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogGroup"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/rds/*",
"arn:aws:logs:*:*:log-group:/aws/docdb/*",
"arn:aws:logs:*:*:log-group:/aws/neptune/*"
]
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
"arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*",
"arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*"
]
},
{
"Action": [
"kinesis:CreateStream",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:DescribeStream",
"kinesis:SplitShard",
"kinesis:MergeShards",
"kinesis:DeleteStream",
"kinesis:UpdateShardCount"
],
"Effect": "Allow",
"Resource": [
"arn:aws:kinesis:*:*:stream/aws-rds-das-*"
]
}
],
"Version": "2012-10-17"
}
}
{
"issue": "RESOURCE_MISMATCH",
"severity": "",
"location": "{'actions': ['logs:CreateLogStream', 'logs:PutLogEvents', 'logs:DescribeLogStreams'], 'filepath': None}",
"policy": {
"Statement": [
{
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateVpcEndpoint",
"ec2:DescribeVpcEndpoints",
"ec2:DeleteVpcEndpoints",
"ec2:AssignPrivateIpAddresses",
"ec2:UnassignPrivateIpAddresses"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sns:Publish"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogGroup"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/rds/*",
"arn:aws:logs:*:*:log-group:/aws/docdb/*",
"arn:aws:logs:*:*:log-group:/aws/neptune/*"
]
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
"arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*",
"arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*"
]
},
{
"Action": [
"kinesis:CreateStream",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:DescribeStream",
"kinesis:SplitShard",
"kinesis:MergeShards",
"kinesis:DeleteStream",
"kinesis:UpdateShardCount"
],
"Effect": "Allow",
"Resource": [
"arn:aws:kinesis:*:*:stream/aws-rds-das-*"
]
}
],
"Version": "2012-10-17"
}
}
{
"issue": "RESOURCE_MISMATCH",
"severity": "",
"location": "{'actions': ['kinesis:CreateStream', 'kinesis:PutRecord', 'kinesis:PutRecords', 'kinesis:DescribeStream', 'kinesis:SplitShard', 'kinesis:MergeShards', 'kinesis:DeleteStream', 'kinesis:UpdateShardCount'], 'filepath': None}",
"policy": {
"Statement": [
{
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateVpcEndpoint",
"ec2:DescribeVpcEndpoints",
"ec2:DeleteVpcEndpoints",
"ec2:AssignPrivateIpAddresses",
"ec2:UnassignPrivateIpAddresses"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"sns:Publish"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogGroup"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/rds/*",
"arn:aws:logs:*:*:log-group:/aws/docdb/*",
"arn:aws:logs:*:*:log-group:/aws/neptune/*"
]
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*",
"arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*",
"arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*"
]
},
{
"Action": [
"kinesis:CreateStream",
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:DescribeStream",
"kinesis:SplitShard",
"kinesis:MergeShards",
"kinesis:DeleteStream",
"kinesis:UpdateShardCount"
],
"Effect": "Allow",
"Resource": [
"arn:aws:kinesis:*:*:stream/aws-rds-das-*"
]
}
],
"Version": "2012-10-17"
}
}
{
"issue": "UNKNOWN_ACTION",
"severity": "",
"location": "{'unknown_action': 'guardduty:listIPSets', 'statement': {'Action': ['a4b:getDevice', 'a4b:getProfile', 'a4b:getRoom', 'a4b:getRoomSkillParameter', 'a4b:getSkillGroup', 'a4b:searchDevices', 'a4b:searchProfiles', 'a4b:searchRooms', 'a4b:searchSkillGroups', 'access-analyzer:getFinding', 'access-analyzer:listAnalyzers', 'access-analyzer:listArchiveRules', 'access-analyzer:listFindings', 'acm-pca:describeCertificateAuthority', 'acm-pca:describeCertificateAuthorityAuditReport', 'acm-pca:getCertificate', 'acm-pca:getCertificateAuthorityCertificate', 'acm-pca:getCertificateAuthorityCsr', 'acm-pca:listCertificateAuthorities', 'acm-pca:listTags', 'acm:describeCertificate', 'acm:getCertificate', 'acm:listCertificates', 'acm:listTagsForCertificate', 'application-autoscaling:describeScalableTargets', 'application-autoscaling:describeScalingActivities', 'application-autoscaling:describeScalingPolicies', 'application-autoscaling:describeScheduledActions', 'appstream:describeDirectoryConfigs', 'appstream:describeFleets', 'appstream:describeImageBuilders', 'appstream:describeImages', 'appstream:describeSessions', 'appstream:describeStacks', 'appstream:listAssociatedFleets', 'appstream:listAssociatedStacks', 'appstream:listTagsForResource', 'appsync:getFunction', 'appsync:getGraphqlApi', 'appsync:getIntrospectionSchema', 'appsync:getResolver', 'appsync:getSchemaCreationStatus', 'appsync:getType', 'appsync:listDataSources', 'appsync:listFunctions', 'appsync:listGraphqlApis', 'appsync:listResolvers', 'appsync:listTypes', 'athena:batchGetNamedQuery', 'athena:batchGetQueryExecution', 'athena:getNamedQuery', 'athena:getQueryExecution', 'athena:getWorkGroup', 'athena:listNamedQueries', 'athena:listQueryExecutions', 'athena:listTagsForResource', 'athena:listWorkGroups', 'autoscaling-plans:describeScalingPlanResources', 'autoscaling-plans:describeScalingPlans', 'autoscaling-plans:getScalingPlanResourceForecastData', 'autoscaling:describeAccountLimits', 
'autoscaling:describeAdjustmentTypes', 'autoscaling:describeAutoScalingGroups', 'autoscaling:describeAutoScalingInstances', 'autoscaling:describeAutoScalingNotificationTypes', 'autoscaling:describeLaunchConfigurations', 'autoscaling:describeLifecycleHookTypes', 'autoscaling:describeLifecycleHooks', 'autoscaling:describeLoadBalancerTargetGroups', 'autoscaling:describeLoadBalancers', 'autoscaling:describeMetricCollectionTypes', 'autoscaling:describeNotificationConfigurations', 'autoscaling:describePolicies', 'autoscaling:describeScalingActivities', 'autoscaling:describeScalingProcessTypes', 'autoscaling:describeScheduledActions', 'autoscaling:describeTags', 'autoscaling:describeTerminationPolicyTypes', 'backup:describeBackupJob', 'backup:describeBackupVault', 'backup:describeProtectedResource', 'backup:describeRecoveryPoint', 'backup:describeRestoreJob', 'backup:getBackupPlan', 'backup:getBackupPlanFromJSON', 'backup:getBackupPlanFromTemplate', 'backup:getBackupSelection', 'backup:getBackupVaultAccessPolicy', 'backup:getBackupVaultNotifications', 'backup:getRecoveryPointRestoreMetadata', 'backup:getSupportedResourceTypes', 'backup:listBackupJobs', 'backup:listBackupPlanTemplates', 'backup:listBackupPlanVersions', 'backup:listBackupPlans', 'backup:listBackupSelections', 'backup:listBackupVaults', 'backup:listProtectedResources', 'backup:listRecoveryPointsByBackupVault', 'backup:listRecoveryPointsByResource', 'backup:listRestoreJobs', 'backup:listTags', 'batch:describeComputeEnvironments', 'batch:describeJobDefinitions', 'batch:describeJobQueues', 'batch:describeJobs', 'batch:listJobs', 'ce:getCostAndUsage', 'ce:getDimensionValues', 'ce:getReservationCoverage', 'ce:getReservationUtilization', 'ce:getTags', 'cloud9:describeEnvironmentMemberships', 'cloud9:describeEnvironments', 'cloud9:listEnvironments', 'clouddirectory:getDirectory', 'clouddirectory:listDirectories', 'cloudformation:describeAccountLimits', 'cloudformation:describeChangeSet', 
'cloudformation:describeStackEvents', 'cloudformation:describeStackInstance', 'cloudformation:describeStackResource', 'cloudformation:describeStackResources', 'cloudformation:describeStackSet', 'cloudformation:describeStackSetOperation', 'cloudformation:describeStacks', 'cloudformation:estimateTemplateCost', 'cloudformation:getStackPolicy', 'cloudformation:getTemplate', 'cloudformation:getTemplateSummary', 'cloudformation:listChangeSets', 'cloudformation:listExports', 'cloudformation:listImports', 'cloudformation:listStackInstances', 'cloudformation:listStackResources', 'cloudformation:listStackSetOperationResults', 'cloudformation:listStackSetOperations', 'cloudformation:listStackSets', 'cloudformation:listStacks', 'cloudfront:getCloudFrontOriginAccessIdentity', 'cloudfront:getCloudFrontOriginAccessIdentityConfig', 'cloudfront:getDistribution', 'cloudfront:getDistributionConfig', 'cloudfront:getInvalidation', 'cloudfront:getStreamingDistribution', 'cloudfront:getStreamingDistributionConfig', 'cloudfront:listCloudFrontOriginAccessIdentities', 'cloudfront:listDistributions', 'cloudfront:listDistributionsByWebACLId', 'cloudfront:listInvalidations', 'cloudfront:listStreamingDistributions', 'cloudhsm:describeBackups', 'cloudhsm:describeClusters', 'cloudsearch:describeAnalysisSchemes', 'cloudsearch:describeAvailabilityOptions', 'cloudsearch:describeDomains', 'cloudsearch:describeExpressions', 'cloudsearch:describeIndexFields', 'cloudsearch:describeScalingParameters', 'cloudsearch:describeServiceAccessPolicies', 'cloudsearch:describeSuggesters', 'cloudsearch:listDomainNames', 'cloudtrail:describeTrails', 'cloudtrail:getEventSelectors', 'cloudtrail:getInsightSelectors', 'cloudtrail:getTrail', 'cloudtrail:getTrailStatus', 'cloudtrail:listPublicKeys', 'cloudtrail:listTags', 'cloudtrail:listTrails', 'cloudtrail:lookupEvents', 'cloudwatch:describeAlarmHistory', 'cloudwatch:describeAlarms', 'cloudwatch:describeAlarmsForMetric', 'cloudwatch:getDashboard', 
'cloudwatch:getMetricData', 'cloudwatch:getMetricStatistics', 'cloudwatch:listDashboards', 'cloudwatch:listMetrics', 'codebuild:batchGetBuilds', 'codebuild:batchGetProjects', 'codebuild:listBuilds', 'codebuild:listBuildsForProject', 'codebuild:listCuratedEnvironmentImages', 'codebuild:listProjects', 'codebuild:listSourceCredentials', 'codecommit:batchGetRepositories', 'codecommit:getBranch', 'codecommit:getRepository', 'codecommit:getRepositoryTriggers', 'codecommit:listBranches', 'codecommit:listRepositories', 'codedeploy:batchGetApplicationRevisions', 'codedeploy:batchGetApplications', 'codedeploy:batchGetDeploymentGroups', 'codedeploy:batchGetDeploymentInstances', 'codedeploy:batchGetDeployments', 'codedeploy:batchGetOnPremisesInstances', 'codedeploy:getApplication', 'codedeploy:getApplicationRevision', 'codedeploy:getDeployment', 'codedeploy:getDeploymentConfig', 'codedeploy:getDeploymentGroup', 'codedeploy:getDeploymentInstance', 'codedeploy:getOnPremisesInstance', 'codedeploy:listApplicationRevisions', 'codedeploy:listApplications', 'codedeploy:listDeploymentConfigs', 'codedeploy:listDeploymentGroups', 'codedeploy:listDeploymentInstances', 'codedeploy:listDeployments', 'codedeploy:listOnPremisesInstances', 'codepipeline:getJobDetails', 'codepipeline:getPipeline', 'codepipeline:getPipelineExecution', 'codepipeline:getPipelineState', 'codepipeline:listActionTypes', 'codepipeline:listPipelines', 'codestar:describeProject', 'codestar:listProjects', 'codestar:listResources', 'codestar:listTeamMembers', 'codestar:listUserProfiles', 'cognito-identity:describeIdentityPool', 'cognito-identity:getIdentityPoolRoles', 'cognito-identity:listIdentities', 'cognito-identity:listIdentityPools', 'cognito-idp:adminGetUser', 'cognito-idp:describeIdentityProvider', 'cognito-idp:describeResourceServer', 'cognito-idp:describeRiskConfiguration', 'cognito-idp:describeUserImportJob', 'cognito-idp:describeUserPool', 'cognito-idp:describeUserPoolClient', 
'cognito-idp:describeUserPoolDomain', 'cognito-idp:getGroup', 'cognito-idp:getUICustomization', 'cognito-idp:getUser', 'cognito-idp:getUserPoolMfaConfig', 'cognito-idp:listGroups', 'cognito-idp:listIdentityProviders', 'cognito-idp:listResourceServers', 'cognito-idp:listUserImportJobs', 'cognito-idp:listUserPoolClients', 'cognito-idp:listUserPools', 'cognito-sync:describeDataset', 'cognito-sync:describeIdentityPoolUsage', 'cognito-sync:describeIdentityUsage', 'cognito-sync:getCognitoEvents', 'cognito-sync:getIdentityPoolConfiguration', 'cognito-sync:listDatasets', 'cognito-sync:listIdentityPoolUsage', 'config:describeConfigRuleEvaluationStatus', 'config:describeConfigRules', 'config:describeConfigurationRecorderStatus', 'config:describeConfigurationRecorders', 'config:describeDeliveryChannelStatus', 'config:describeDeliveryChannels', 'config:getResourceConfigHistory', 'config:listDiscoveredResources', 'connect:describeUser', 'connect:getCurrentMetricData', 'connect:getMetricData', 'connect:listRoutingProfiles', 'connect:listSecurityProfiles', 'connect:listUsers', 'datapipeline:describeObjects', 'datapipeline:describePipelines', 'datapipeline:getPipelineDefinition', 'datapipeline:listPipelines', 'datapipeline:queryObjects', 'datasync:describeAgent', 'datasync:describeLocationEfs', 'datasync:describeLocationNfs', 'datasync:describeLocationS3', 'datasync:describeTask', 'datasync:describeTaskExecution', 'datasync:listAgents', 'datasync:listLocations', 'datasync:listTaskExecutions', 'datasync:listTasks', 'dax:describeClusters', 'dax:describeDefaultParameters', 'dax:describeEvents', 'dax:describeParameterGroups', 'dax:describeParameters', 'dax:describeSubnetGroups', 'devicefarm:getAccountSettings', 'devicefarm:getDevice', 'devicefarm:getDevicePool', 'devicefarm:getDevicePoolCompatibility', 'devicefarm:getJob', 'devicefarm:getProject', 'devicefarm:getRemoteAccessSession', 'devicefarm:getRun', 'devicefarm:getSuite', 'devicefarm:getTest', 'devicefarm:getUpload', 
'devicefarm:listArtifacts', 'devicefarm:listDevicePools', 'devicefarm:listDevices', 'devicefarm:listJobs', 'devicefarm:listProjects', 'devicefarm:listRemoteAccessSessions', 'devicefarm:listRuns', 'devicefarm:listSamples', 'devicefarm:listSuites', 'devicefarm:listTests', 'devicefarm:listUniqueProblems', 'devicefarm:listUploads', 'directconnect:describeConnections', 'directconnect:describeConnectionsOnInterconnect', 'directconnect:describeInterconnects', 'directconnect:describeLocations', 'directconnect:describeVirtualGateways', 'directconnect:describeVirtualInterfaces', 'dlm:getLifecyclePolicies', 'dlm:getLifecyclePolicy', 'dms:describeAccountAttributes', 'dms:describeConnections', 'dms:describeEndpointTypes', 'dms:describeEndpoints', 'dms:describeOrderableReplicationInstances', 'dms:describeRefreshSchemasStatus', 'dms:describeReplicationInstances', 'dms:describeReplicationSubnetGroups', 'ds:describeConditionalForwarders', 'ds:describeDirectories', 'ds:describeEventTopics', 'ds:describeSnapshots', 'ds:describeTrusts', 'ds:getDirectoryLimits', 'ds:getSnapshotLimits', 'ds:listIpRoutes', 'ds:listSchemaExtensions', 'ds:listTagsForResource', 'dynamodb:describeBackup', 'dynamodb:describeContinuousBackups', 'dynamodb:describeGlobalTable', 'dynamodb:describeLimits', 'dynamodb:describeStream', 'dynamodb:describeTable', 'dynamodb:describeTimeToLive', 'dynamodb:listBackups', 'dynamodb:listGlobalTables', 'dynamodb:listStreams', 'dynamodb:listTables', 'dynamodb:listTagsOfResource', 'ec2:acceptReservedInstancesExchangeQuote', 'ec2:cancelReservedInstancesListing', 'ec2:createReservedInstancesListing', 'ec2:describeAccountAttributes', 'ec2:describeAddresses', 'ec2:describeAvailabilityZones', 'ec2:describeBundleTasks', 'ec2:describeByoipCidrs', 'ec2:describeCapacityReservations', 'ec2:describeClassicLinkInstances', 'ec2:describeClientVpnAuthorizationRules', 'ec2:describeClientVpnConnections', 'ec2:describeClientVpnEndpoints', 'ec2:describeClientVpnRoutes', 
'ec2:describeClientVpnTargetNetworks', 'ec2:describeConversionTasks', 'ec2:describeCustomerGateways', 'ec2:describeDhcpOptions', 'ec2:describeElasticGpus', 'ec2:describeExportTasks', 'ec2:describeFastSnapshotRestores', 'ec2:describeFleetHistory', 'ec2:describeFleetInstances', 'ec2:describeFleets', 'ec2:describeFlowLogs', 'ec2:describeHostReservationOfferings', 'ec2:describeHostReservations', 'ec2:describeHosts', 'ec2:describeIdFormat', 'ec2:describeIdentityIdFormat', 'ec2:describeImageAttribute', 'ec2:describeImages', 'ec2:describeImportImageTasks', 'ec2:describeImportSnapshotTasks', 'ec2:describeInstanceAttribute', 'ec2:describeInstanceStatus', 'ec2:describeInstances', 'ec2:describeInternetGateways', 'ec2:describeKeyPairs', 'ec2:describeLaunchTemplateVersions', 'ec2:describeLaunchTemplates', 'ec2:describeMovingAddresses', 'ec2:describeNatGateways', 'ec2:describeNetworkAcls', 'ec2:describeNetworkInterfaceAttribute', 'ec2:describeNetworkInterfaces', 'ec2:describePlacementGroups', 'ec2:describePrefixLists', 'ec2:describePublicIpv4Pools', 'ec2:describeRegions', 'ec2:describeReservedInstances', 'ec2:describeReservedInstancesListings', 'ec2:describeReservedInstancesModifications', 'ec2:describeReservedInstancesOfferings', 'ec2:describeRouteTables', 'ec2:describeScheduledInstances', 'ec2:describeSecurityGroups', 'ec2:describeSnapshotAttribute', 'ec2:describeSnapshots', 'ec2:describeSpotDatafeedSubscription', 'ec2:describeSpotFleetInstances', 'ec2:describeSpotFleetRequestHistory', 'ec2:describeSpotFleetRequests', 'ec2:describeSpotInstanceRequests', 'ec2:describeSpotPriceHistory', 'ec2:describeSubnets', 'ec2:describeTags', 'ec2:describeTrafficMirrorFilters', 'ec2:describeTrafficMirrorSessions', 'ec2:describeTrafficMirrorTargets', 'ec2:describeTransitGatewayAttachments', 'ec2:describeTransitGatewayRouteTables', 'ec2:describeTransitGatewayVpcAttachments', 'ec2:describeTransitGateways', 'ec2:describeVolumeAttribute', 'ec2:describeVolumeStatus', 'ec2:describeVolumes', 
'ec2:describeVolumesModifications', 'ec2:describeVpcAttribute', 'ec2:describeVpcClassicLink', 'ec2:describeVpcClassicLinkDnsSupport', 'ec2:describeVpcEndpointConnectionNotifications', 'ec2:describeVpcEndpointConnections', 'ec2:describeVpcEndpointServiceConfigurations', 'ec2:describeVpcEndpointServicePermissions', 'ec2:describeVpcEndpointServices', 'ec2:describeVpcEndpoints', 'ec2:describeVpcPeeringConnections', 'ec2:describeVpcs', 'ec2:describeVpnConnections', 'ec2:describeVpnGateways', 'ec2:getConsoleScreenshot', 'ec2:getReservedInstancesExchangeQuote', 'ec2:getTransitGatewayAttachmentPropagations', 'ec2:getTransitGatewayRouteTableAssociations', 'ec2:getTransitGatewayRouteTablePropagations', 'ec2:modifyReservedInstances', 'ec2:purchaseReservedInstancesOffering', 'ecr:batchCheckLayerAvailability', 'ecr:describeImages', 'ecr:describeRepositories', 'ecr:getRepositoryPolicy', 'ecr:listImages', 'ecs:describeClusters', 'ecs:describeContainerInstances', 'ecs:describeServices', 'ecs:describeTaskDefinition', 'ecs:describeTasks', 'ecs:listClusters', 'ecs:listContainerInstances', 'ecs:listServices', 'ecs:listTaskDefinitions', 'ecs:listTasks', 'eks:describeCluster', 'eks:describeUpdate', 'eks:listClusters', 'eks:listUpdates', 'elasticache:describeCacheClusters', 'elasticache:describeCacheEngineVersions', 'elasticache:describeCacheParameterGroups', 'elasticache:describeCacheParameters', 'elasticache:describeCacheSecurityGroups', 'elasticache:describeCacheSubnetGroups', 'elasticache:describeEngineDefaultParameters', 'elasticache:describeEvents', 'elasticache:describeReplicationGroups', 'elasticache:describeReservedCacheNodes', 'elasticache:describeReservedCacheNodesOfferings', 'elasticache:describeSnapshots', 'elasticache:listAllowedNodeTypeModifications', 'elasticache:listTagsForResource', 'elasticbeanstalk:checkDNSAvailability', 'elasticbeanstalk:describeApplicationVersions', 'elasticbeanstalk:describeApplications', 'elasticbeanstalk:describeConfigurationOptions', 
'elasticbeanstalk:describeConfigurationSettings', 'elasticbeanstalk:describeEnvironmentHealth', 'elasticbeanstalk:describeEnvironmentManagedActionHistory', 'elasticbeanstalk:describeEnvironmentManagedActions', 'elasticbeanstalk:describeEnvironmentResources', 'elasticbeanstalk:describeEnvironments', 'elasticbeanstalk:describeEvents', 'elasticbeanstalk:describeInstancesHealth', 'elasticbeanstalk:describePlatformVersion', 'elasticbeanstalk:listAvailableSolutionStacks', 'elasticbeanstalk:listPlatformVersions', 'elasticbeanstalk:validateConfigurationSettings', 'elasticfilesystem:describeFileSystems', 'elasticfilesystem:describeLifecycleConfiguration', 'elasticfilesystem:describeMountTargetSecurityGroups', 'elasticfilesystem:describeMountTargets', 'elasticfilesystem:describeTags', 'elasticloadbalancing:describeInstanceHealth', 'elasticloadbalancing:describeListenerCertificates', 'elasticloadbalancing:describeListeners', 'elasticloadbalancing:describeLoadBalancerAttributes', 'elasticloadbalancing:describeLoadBalancerPolicies', 'elasticloadbalancing:describeLoadBalancerPolicyTypes', 'elasticloadbalancing:describeLoadBalancers', 'elasticloadbalancing:describeRules', 'elasticloadbalancing:describeSSLPolicies', 'elasticloadbalancing:describeTags', 'elasticloadbalancing:describeTargetGroupAttributes', 'elasticloadbalancing:describeTargetGroups', 'elasticloadbalancing:describeTargetHealth', 'elasticmapreduce:describeCluster', 'elasticmapreduce:describeSecurityConfiguration', 'elasticmapreduce:describeStep', 'elasticmapreduce:listBootstrapActions', 'elasticmapreduce:listClusters', 'elasticmapreduce:listInstanceGroups', 'elasticmapreduce:listInstances', 'elasticmapreduce:listSecurityConfigurations', 'elasticmapreduce:listSteps', 'elastictranscoder:listJobsByPipeline', 'elastictranscoder:listJobsByStatus', 'elastictranscoder:listPipelines', 'elastictranscoder:listPresets', 'elastictranscoder:readPipeline', 'elastictranscoder:readPreset', 'es:describeElasticsearchDomain', 
'es:describeElasticsearchDomainConfig', 'es:describeElasticsearchDomains', 'es:listDomainNames', 'es:listTags', 'events:describeEventBus', 'events:describeRule', 'events:listRuleNamesByTarget', 'events:listRules', 'events:listTargetsByRule', 'events:testEventPattern', 'firehose:describeDeliveryStream', 'firehose:listDeliveryStreams', 'forecast:describeDataset', 'forecast:describeDatasetGroup', 'forecast:describeDatasetImportJob', 'forecast:describeForecast', 'forecast:describeForecastExportJob', 'forecast:describePredictor', 'forecast:getAccuracyMetrics', 'forecast:listDatasetGroups', 'forecast:listDatasetImportJobs', 'forecast:listDatasets', 'forecast:listForecastExportJobs', 'forecast:listForecasts', 'forecast:listPredictors', 'fsx:describeBackups', 'fsx:describeFileSystems', 'fsx:listTagsForResource', 'glacier:describeJob', 'glacier:describeVault', 'glacier:getDataRetrievalPolicy', 'glacier:getVaultAccessPolicy', 'glacier:getVaultLock', 'glacier:getVaultNotifications', 'glacier:listJobs', 'glacier:listTagsForVault', 'glacier:listVaults', 'globalaccelerator:describeAccelerator', 'globalaccelerator:describeAcceleratorAttributes', 'globalaccelerator:describeEndpointGroup', 'globalaccelerator:describeListener', 'globalaccelerator:listAccelerators', 'globalaccelerator:listEndpointGroups', 'globalaccelerator:listListeners', 'glue:batchGetPartition', 'glue:getCatalogImportStatus', 'glue:getClassifier', 'glue:getClassifiers', 'glue:getCrawler', 'glue:getCrawlerMetrics', 'glue:getCrawlers', 'glue:getDatabase', 'glue:getDatabases', 'glue:getDataflowGraph', 'glue:getDevEndpoint', 'glue:getDevEndpoints', 'glue:getJob', 'glue:getJobRun', 'glue:getJobRuns', 'glue:getJobs', 'glue:getMapping', 'glue:getPartition', 'glue:getPartitions', 'glue:getTable', 'glue:getTableVersions', 'glue:getTables', 'glue:getTrigger', 'glue:getTriggers', 'glue:getUserDefinedFunction', 'glue:getUserDefinedFunctions', 'greengrass:getConnectivityInfo', 'greengrass:getCoreDefinition', 
'greengrass:getCoreDefinitionVersion', 'greengrass:getDeploymentStatus', 'greengrass:getDeviceDefinition', 'greengrass:getDeviceDefinitionVersion', 'greengrass:getFunctionDefinition', 'greengrass:getFunctionDefinitionVersion', 'greengrass:getGroup', 'greengrass:getGroupCertificateAuthority', 'greengrass:getGroupVersion', 'greengrass:getLoggerDefinition', 'greengrass:getLoggerDefinitionVersion', 'greengrass:getResourceDefinitionVersion', 'greengrass:getServiceRoleForAccount', 'greengrass:getSubscriptionDefinition', 'greengrass:getSubscriptionDefinitionVersion', 'greengrass:listCoreDefinitionVersions', 'greengrass:listCoreDefinitions', 'greengrass:listDeployments', 'greengrass:listDeviceDefinitionVersions', 'greengrass:listDeviceDefinitions', 'greengrass:listFunctionDefinitionVersions', 'greengrass:listFunctionDefinitions', 'greengrass:listGroupVersions', 'greengrass:listGroups', 'greengrass:listLoggerDefinitionVersions', 'greengrass:listLoggerDefinitions', 'greengrass:listResourceDefinitionVersions', 'greengrass:listResourceDefinitions', 'greengrass:listSubscriptionDefinitionVersions', 'greengrass:listSubscriptionDefinitions', 'guardduty:getDetector', 'guardduty:getFindings', 'guardduty:getFindingsStatistics', 'guardduty:getIPSet', 'guardduty:getInvitationsCount', 'guardduty:getMasterAccount', 'guardduty:getMembers', 'guardduty:getThreatIntelSet', 'guardduty:listDetectors', 'guardduty:listFindings', 'guardduty:listIPSets', 'guardduty:listInvitations', 'guardduty:listMembers', 'guardduty:listThreatIntelSets', 'health:describeAffectedEntities', 'health:describeEntityAggregates', 'health:describeEventAggregates', 'health:describeEventDetails', 'health:describeEventTypes', 'health:describeEvents', 'iam:getAccessKeyLastUsed', 'iam:getAccountAuthorizationDetails', 'iam:getAccountPasswordPolicy', 'iam:getAccountSummary', 'iam:getContextKeysForCustomPolicy', 'iam:getContextKeysForPrincipalPolicy', 'iam:getCredentialReport', 'iam:getGroup', 'iam:getGroupPolicy', 
'iam:getInstanceProfile', 'iam:getLoginProfile', 'iam:getOpenIDConnectProvider', 'iam:getPolicy', 'iam:getPolicyVersion', 'iam:getRole', 'iam:getRolePolicy', 'iam:getSAMLProvider', 'iam:getSSHPublicKey', 'iam:getServerCertificate', 'iam:getUser', 'iam:getUserPolicy', 'iam:listAccessKeys', 'iam:listAccountAliases', 'iam:listAttachedGroupPolicies', 'iam:listAttachedRolePolicies', 'iam:listAttachedUserPolicies', 'iam:listEntitiesForPolicy', 'iam:listGroupPolicies', 'iam:listGroups', 'iam:listGroupsForUser', 'iam:listInstanceProfiles', 'iam:listInstanceProfilesForRole', 'iam:listMFADevices', 'iam:listOpenIDConnectProviders', 'iam:listPolicies', 'iam:listPolicyVersions', 'iam:listRolePolicies', 'iam:listRoles', 'iam:listSAMLProviders', 'iam:listSSHPublicKeys', 'iam:listServerCertificates', 'iam:listSigningCertificates', 'iam:listUserPolicies', 'iam:listUsers', 'iam:listVirtualMFADevices', 'iam:simulateCustomPolicy', 'iam:simulatePrincipalPolicy', 'importexport:getStatus', 'importexport:listJobs', 'inspector:describeAssessmentRuns', 'inspector:describeAssessmentTargets', 'inspector:describeAssessmentTemplates', 'inspector:describeCrossAccountAccessRole', 'inspector:describeResourceGroups', 'inspector:describeRulesPackages', 'inspector:getTelemetryMetadata', 'inspector:listAssessmentRunAgents', 'inspector:listAssessmentRuns', 'inspector:listAssessmentTargets', 'inspector:listAssessmentTemplates', 'inspector:listEventSubscriptions', 'inspector:listRulesPackages', 'inspector:listTagsForResource', 'iot:describeAuthorizer', 'iot:describeCACertificate', 'iot:describeCertificate', 'iot:describeDefaultAuthorizer', 'iot:describeEndpoint', 'iot:describeIndex', 'iot:describeJobExecution', 'iot:describeThing', 'iot:describeThingGroup', 'iot:getEffectivePolicies', 'iot:getIndexingConfiguration', 'iot:getLoggingOptions', 'iot:getPolicy', 'iot:getPolicyVersion', 'iot:getTopicRule', 'iot:getV2LoggingOptions', 'iot:listAttachedPolicies', 'iot:listAuthorizers', 'iot:listCACertificates', 
'iot:listCertificates', 'iot:listCertificatesByCA', 'iot:listJobExecutionsForJob', 'iot:listJobExecutionsForThing', 'iot:listJobs', 'iot:listOutgoingCertificates', 'iot:listPolicies', 'iot:listPolicyPrincipals', 'iot:listPolicyVersions', 'iot:listPrincipalPolicies', 'iot:listPrincipalThings', 'iot:listRoleAliases', 'iot:listTargetsForPolicy', 'iot:listThingGroups', 'iot:listThingGroupsForThing', 'iot:listThingPrincipals', 'iot:listThingRegistrationTasks', 'iot:listThingTypes', 'iot:listThings', 'iot:listTopicRules', 'iot:listV2LoggingLevels', 'iotevents:describeDetector', 'iotevents:describeDetectorModel', 'iotevents:describeInput', 'iotevents:describeLoggingOptions', 'iotevents:listDetectorModelVersions', 'iotevents:listDetectorModels', 'iotevents:listDetectors', 'iotevents:listInputs', 'kafka:describeCluster', 'kafka:getBootstrapBrokers', 'kafka:listClusters', 'kafka:listNodes', 'kinesis:describeStream', 'kinesis:listStreams', 'kinesis:listTagsForStream', 'kinesisanalytics:describeApplication', 'kinesisanalytics:listApplications', 'kms:describeKey', 'kms:getKeyPolicy', 'kms:getKeyRotationStatus', 'kms:listAliases', 'kms:listGrants', 'kms:listKeyPolicies', 'kms:listKeys', 'kms:listResourceTags', 'kms:listRetirableGrants', 'lambda:getAccountSettings', 'lambda:getAlias', 'lambda:getEventSourceMapping', 'lambda:getFunction', 'lambda:getFunctionConfiguration', 'lambda:getLayerVersion', 'lambda:getLayerVersionPolicy', 'lambda:getPolicy', 'lambda:listAliases', 'lambda:listEventSourceMappings', 'lambda:listFunctions', 'lambda:listLayerVersions', 'lambda:listLayers', 'lambda:listVersionsByFunction', 'lex:getBot', 'lex:getBotAlias', 'lex:getBotAliases', 'lex:getBotChannelAssociation', 'lex:getBotChannelAssociations', 'lex:getBotVersions', 'lex:getBots', 'lex:getBuiltinIntent', 'lex:getBuiltinIntents', 'lex:getBuiltinSlotTypes', 'lex:getIntent', 'lex:getIntentVersions', 'lex:getIntents', 'lex:getSlotType', 'lex:getSlotTypeVersions', 'lex:getSlotTypes', 
'lightsail:getActiveNames', 'lightsail:getBlueprints', 'lightsail:getBundles', 'lightsail:getDomain', 'lightsail:getDomains', 'lightsail:getInstance', 'lightsail:getInstanceAccessDetails', 'lightsail:getInstanceMetricData', 'lightsail:getInstancePortStates', 'lightsail:getInstanceSnapshot', 'lightsail:getInstanceSnapshots', 'lightsail:getInstanceState', 'lightsail:getInstances', 'lightsail:getKeyPair', 'lightsail:getKeyPairs', 'lightsail:getOperation', 'lightsail:getOperations', 'lightsail:getOperationsForResource', 'lightsail:getRegions', 'lightsail:getStaticIp', 'lightsail:getStaticIps', 'logs:describeDestinations', 'logs:describeExportTasks', 'logs:describeLogGroups', 'logs:describeLogStreams', 'logs:describeMetricFilters', 'logs:describeQueries', 'logs:describeSubscriptionFilters', 'logs:testMetricFilter', 'machinelearning:describeBatchPredictions', 'machinelearning:describeDataSources', 'machinelearning:describeEvaluations', 'machinelearning:describeMLModels', 'machinelearning:getBatchPrediction', 'machinelearning:getDataSource', 'machinelearning:getEvaluation', 'machinelearning:getMLModel', 'managedblockchain:getMember', 'managedblockchain:getNetwork', 'managedblockchain:getNode', 'managedblockchain:listMembers', 'managedblockchain:listNetworks', 'managedblockchain:listNodes', 'mediaconvert:describeEndpoints', 'mediaconvert:getJob', 'mediaconvert:getJobTemplate', 'mediaconvert:getPreset', 'mediaconvert:getQueue', 'mediaconvert:listJobTemplates', 'mediaconvert:listJobs', 'medialive:describeChannel', 'medialive:describeInput', 'medialive:describeInputSecurityGroup', 'medialive:describeOffering', 'medialive:describeReservation', 'medialive:describeSchedule', 'medialive:listChannels', 'medialive:listInputSecurityGroups', 'medialive:listInputs', 'medialive:listOfferings', 'medialive:listReservations', 'mediapackage:describeChannel', 'mediapackage:describeOriginEndpoint', 'mediapackage:listChannels', 'mediapackage:listOriginEndpoints', 
'mediastore:describeContainer', 'mediastore:describeObject', 'mediastore:getContainerPolicy', 'mediastore:getCorsPolicy', 'mediastore:listContainers', 'mediastore:listItems', 'mediatailor:getPlaybackConfiguration', 'mediatailor:listPlaybackConfigurations', 'mobiletargeting:getAdmChannel', 'mobiletargeting:getApnsChannel', 'mobiletargeting:getApnsSandboxChannel', 'mobiletargeting:getApnsVoipChannel', 'mobiletargeting:getApnsVoipSandboxChannel', 'mobiletargeting:getApp', 'mobiletargeting:getApplicationSettings', 'mobiletargeting:getApps', 'mobiletargeting:getBaiduChannel', 'mobiletargeting:getCampaign', 'mobiletargeting:getCampaignActivities', 'mobiletargeting:getCampaignVersion', 'mobiletargeting:getCampaignVersions', 'mobiletargeting:getCampaigns', 'mobiletargeting:getEmailChannel', 'mobiletargeting:getEndpoint', 'mobiletargeting:getEventStream', 'mobiletargeting:getExportJob', 'mobiletargeting:getExportJobs', 'mobiletargeting:getGcmChannel', 'mobiletargeting:getImportJob', 'mobiletargeting:getImportJobs', 'mobiletargeting:getSegment', 'mobiletargeting:getSegmentImportJobs', 'mobiletargeting:getSegmentVersion', 'mobiletargeting:getSegmentVersions', 'mobiletargeting:getSegments', 'mobiletargeting:getSmsChannel', 'mq:describeBroker', 'mq:describeConfiguration', 'mq:describeConfigurationRevision', 'mq:describeUser', 'mq:listBrokers', 'mq:listConfigurationRevisions', 'mq:listConfigurations', 'mq:listUsers', 'opsworks-cm:describeAccountAttributes', 'opsworks-cm:describeBackups', 'opsworks-cm:describeEvents', 'opsworks-cm:describeNodeAssociationStatus', 'opsworks-cm:describeServers', 'opsworks:describeAgentVersions', 'opsworks:describeApps', 'opsworks:describeCommands', 'opsworks:describeDeployments', 'opsworks:describeEcsClusters', 'opsworks:describeElasticIps', 'opsworks:describeElasticLoadBalancers', 'opsworks:describeInstances', 'opsworks:describeLayers', 'opsworks:describeLoadBasedAutoScaling', 'opsworks:describeMyUserProfile', 'opsworks:describePermissions', 
'opsworks:describeRaidArrays', 'opsworks:describeRdsDbInstances', 'opsworks:describeServiceErrors', 'opsworks:describeStackProvisioningParameters', 'opsworks:describeStackSummary', 'opsworks:describeStacks', 'opsworks:describeTimeBasedAutoScaling', 'opsworks:describeUserProfiles', 'opsworks:describeVolumes', 'opsworks:getHostnameSuggestion', 'personalize:describeAlgorithm', 'personalize:describeCampaign', 'personalize:describeDataset', 'personalize:describeDatasetGroup', 'personalize:describeDatasetImportJob', 'personalize:describeEventTracker', 'personalize:describeFeatureTransformation', 'personalize:describeRecipe', 'personalize:describeSchema', 'personalize:describeSolution', 'personalize:describeSolutionVersion', 'personalize:listCampaigns', 'personalize:listDatasetGroups', 'personalize:listDatasetImportJobs', 'personalize:listDatasets', 'personalize:listEventTrackers', 'personalize:listRecipes', 'personalize:listSchemas', 'personalize:listSolutionVersions', 'personalize:listSolutions', 'polly:describeVoices', 'polly:getLexicon', 'polly:listLexicons', 'pricing:describeServices', 'pricing:getAttributeValues', 'pricing:getProducts', 'rds:describeAccountAttributes', 'rds:describeCertificates', 'rds:describeDBClusterParameterGroups', 'rds:describeDBClusterParameters', 'rds:describeDBClusterSnapshots', 'rds:describeDBClusters', 'rds:describeDBEngineVersions', 'rds:describeDBInstances', 'rds:describeDBParameterGroups', 'rds:describeDBParameters', 'rds:describeDBSecurityGroups', 'rds:describeDBSnapshotAttributes', 'rds:describeDBSnapshots', 'rds:describeDBSubnetGroups', 'rds:describeEngineDefaultClusterParameters', 'rds:describeEngineDefaultParameters', 'rds:describeEventCategories', 'rds:describeEventSubscriptions', 'rds:describeEvents', 'rds:describeOptionGroupOptions', 'rds:describeOptionGroups', 'rds:describeOrderableDBInstanceOptions', 'rds:describePendingMaintenanceActions', 'rds:describeReservedDBInstances', 'rds:describeReservedDBInstancesOfferings', 
'rds:listTagsForResource', 'redshift:describeClusterParameterGroups', 'redshift:describeClusterParameters', 'redshift:describeClusterSecurityGroups', 'redshift:describeClusterSnapshots', 'redshift:describeClusterSubnetGroups', 'redshift:describeClusterVersions', 'redshift:describeClusters', 'redshift:describeDefaultClusterParameters', 'redshift:describeEventCategories', 'redshift:describeEventSubscriptions', 'redshift:describeEvents', 'redshift:describeHsmClientCertificates', 'redshift:describeHsmConfigurations', 'redshift:describeLoggingStatus', 'redshift:describeOrderableClusterOptions', 'redshift:describeReservedNodeOfferings', 'redshift:describeReservedNodes', 'redshift:describeResize', 'redshift:describeSnapshotCopyGrants', 'redshift:describeTableRestoreStatus', 'redshift:describeTags', 'rekognition:listCollections', 'rekognition:listFaces', 'robomaker:batchDescribeSimulationJob', 'robomaker:describeDeploymentJob', 'robomaker:describeFleet', 'robomaker:describeRobot', 'robomaker:describeRobotApplication', 'robomaker:describeSimulationApplication', 'robomaker:describeSimulationJob', 'robomaker:listDeploymentJobs', 'robomaker:listFleets', 'robomaker:listRobotApplications', 'robomaker:listRobots', 'robomaker:listSimulationApplications', 'robomaker:listSimulationJobs', 'route53:getChange', 'route53:getCheckerIpRanges', 'route53:getGeoLocation', 'route53:getHealthCheck', 'route53:getHealthCheckCount', 'route53:getHealthCheckLastFailureReason', 'route53:getHealthCheckStatus', 'route53:getHostedZone', 'route53:getHostedZoneCount', 'route53:getReusableDelegationSet', 'route53:getTrafficPolicy', 'route53:getTrafficPolicyInstance', 'route53:getTrafficPolicyInstanceCount', 'route53:listGeoLocations', 'route53:listHealthChecks', 'route53:listHostedZones', 'route53:listHostedZonesByName', 'route53:listResourceRecordSets', 'route53:listReusableDelegationSets', 'route53:listTagsForResource', 'route53:listTagsForResources', 'route53:listTrafficPolicies', 
'route53:listTrafficPolicyInstances', 'route53:listTrafficPolicyInstancesByHostedZone', 'route53:listTrafficPolicyInstancesByPolicy', 'route53:listTrafficPolicyVersions', 'route53domains:checkDomainAvailability', 'route53domains:getContactReachabilityStatus', 'route53domains:getDomainDetail', 'route53domains:getOperationDetail', 'route53domains:listDomains', 'route53domains:listOperations', 'route53domains:listTagsForDomain', 'route53domains:viewBilling', 'route53resolver:getResolverRulePolicy', 'route53resolver:listResolverEndpointIpAddresses', 'route53resolver:listResolverEndpoints', 'route53resolver:listResolverRuleAssociations', 'route53resolver:listResolverRules', 'route53resolver:listTagsForResource', 's3:getAccelerateConfiguration', 's3:getAnalyticsConfiguration', 's3:getBucketAcl', 's3:getBucketCORS', 's3:getBucketLocation', 's3:getBucketLogging', 's3:getBucketNotification', 's3:getBucketPolicy', 's3:getBucketRequestPayment', 's3:getBucketTagging', 's3:getBucketVersioning', 's3:getBucketWebsite', 's3:getEncryptionConfiguration', 's3:getInventoryConfiguration', 's3:getLifecycleConfiguration', 's3:getMetricsConfiguration', 's3:getReplicationConfiguration', 's3:listAllMyBuckets', 's3:listBucket', 's3:listBucketMultipartUploads', 'sagemaker:describeAlgorithm', 'sagemaker:describeCompilationJob', 'sagemaker:describeEndpoint', 'sagemaker:describeEndpointConfig', 'sagemaker:describeHyperParameterTuningJob', 'sagemaker:describeLabelingJob', 'sagemaker:describeModel', 'sagemaker:describeModelPackage', 'sagemaker:describeNotebookInstance', 'sagemaker:describeNotebookInstanceLifecycleConfig', 'sagemaker:describeTrainingJob', 'sagemaker:describeTransformJob', 'sagemaker:describeWorkteam', 'sagemaker:listAlgorithms', 'sagemaker:listCompilationJobs', 'sagemaker:listEndpointConfigs', 'sagemaker:listEndpoints', 'sagemaker:listHyperParameterTuningJobs', 'sagemaker:listLabelingJobs', 'sagemaker:listLabelingJobsForWorkteam', 'sagemaker:listModelPackages', 
'sagemaker:listModels', 'sagemaker:listNotebookInstanceLifecycleConfigs', 'sagemaker:listNotebookInstances', 'sagemaker:listTags', 'sagemaker:listTrainingJobs', 'sagemaker:listTrainingJobsForHyperParameterTuningJob', 'sagemaker:listTransformJobs', 'sagemaker:listWorkteams', 'sdb:domainMetadata', 'sdb:listDomains', 'secretsmanager:describeSecret', 'secretsmanager:getResourcePolicy', 'secretsmanager:listSecretVersionIds', 'secretsmanager:listSecrets', 'securityhub:getEnabledStandards', 'securityhub:getFindings', 'securityhub:getInsightResults', 'securityhub:getInsights', 'securityhub:getMasterAccount', 'securityhub:getMembers', 'securityhub:listEnabledProductsForImport', 'securityhub:listInvitations', 'securityhub:listMembers', 'servicecatalog:describeConstraint', 'servicecatalog:describePortfolio', 'servicecatalog:describeProduct', 'servicecatalog:describeProductAsAdmin', 'servicecatalog:describeProductView', 'servicecatalog:describeProvisioningArtifact', 'servicecatalog:describeProvisioningParameters', 'servicecatalog:describeRecord', 'servicecatalog:listAcceptedPortfolioShares', 'servicecatalog:listConstraintsForPortfolio', 'servicecatalog:listLaunchPaths', 'servicecatalog:listPortfolioAccess', 'servicecatalog:listPortfolios', 'servicecatalog:listPortfoliosForProduct', 'servicecatalog:listPrincipalsForPortfolio', 'servicecatalog:listProvisioningArtifacts', 'servicecatalog:listRecordHistory', 'servicecatalog:scanProvisionedProducts', 'servicecatalog:searchProducts', 'servicequotas:getAWSDefaultServiceQuota', 'servicequotas:getAssociationForServiceQuotaTemplate', 'servicequotas:getRequestedServiceQuotaChange', 'servicequotas:getServiceQuota', 'servicequotas:getServiceQuotaIncreaseRequestFromTemplate', 'servicequotas:listAWSDefaultServiceQuotas', 'servicequotas:listRequestedServiceQuotaChangeHistory', 'servicequotas:listRequestedServiceQuotaChangeHistoryByQuota', 'servicequotas:listServiceQuotaIncreaseRequestsInTemplate', 'servicequotas:listServiceQuotas', 
'servicequotas:listServices', 'ses:describeActiveReceiptRuleSet', 'ses:describeReceiptRule', 'ses:describeReceiptRuleSet', 'ses:getIdentityDkimAttributes', 'ses:getIdentityMailFromDomainAttributes', 'ses:getIdentityNotificationAttributes', 'ses:getIdentityPolicies', 'ses:getIdentityVerificationAttributes', 'ses:getSendQuota', 'ses:getSendStatistics', 'ses:listIdentities', 'ses:listIdentityPolicies', 'ses:listReceiptFilters', 'ses:listReceiptRuleSets', 'ses:listVerifiedEmailAddresses', 'shield:describeAttack', 'shield:describeProtection', 'shield:describeSubscription', 'shield:listAttacks', 'shield:listProtections', 'sms:getConnectors', 'sms:getReplicationJobs', 'sms:getReplicationRuns', 'sms:getServers', 'snowball:describeAddress', 'snowball:describeAddresses', 'snowball:describeJob', 'snowball:getSnowballUsage', 'snowball:listJobs', 'sns:checkIfPhoneNumberIsOptedOut', 'sns:getEndpointAttributes', 'sns:getPlatformApplicationAttributes', 'sns:getSMSAttributes', 'sns:getSubscriptionAttributes', 'sns:getTopicAttributes', 'sns:listEndpointsByPlatformApplication', 'sns:listPhoneNumbersOptedOut', 'sns:listPlatformApplications', 'sns:listSubscriptions', 'sns:listSubscriptionsByTopic', 'sns:listTopics', 'sqs:getQueueAttributes', 'sqs:getQueueUrl', 'sqs:listDeadLetterSourceQueues', 'sqs:listQueues', 'ssm:describeActivations', 'ssm:describeAssociation', 'ssm:describeAutomationExecutions', 'ssm:describeAvailablePatches', 'ssm:describeDocument', 'ssm:describeDocumentPermission', 'ssm:describeEffectiveInstanceAssociations', 'ssm:describeEffectivePatchesForPatchBaseline', 'ssm:describeInstanceAssociationsStatus', 'ssm:describeInstanceInformation', 'ssm:describeInstancePatchStates', 'ssm:describeInstancePatchStatesForPatchGroup', 'ssm:describeInstancePatches', 'ssm:describeMaintenanceWindowExecutionTaskInvocations', 'ssm:describeMaintenanceWindowExecutionTasks', 'ssm:describeMaintenanceWindowExecutions', 'ssm:describeMaintenanceWindowTargets', 
'ssm:describeMaintenanceWindowTasks', 'ssm:describeMaintenanceWindows', 'ssm:describeParameters', 'ssm:describePatchBaselines', 'ssm:describePatchGroupState', 'ssm:describePatchGroups', 'ssm:getAutomationExecution', 'ssm:getCommandInvocation', 'ssm:getDefaultPatchBaseline', 'ssm:getDeployablePatchSnapshotForInstance', 'ssm:getInventorySchema', 'ssm:getMaintenanceWindow', 'ssm:getMaintenanceWindowExecution', 'ssm:getMaintenanceWindowExecutionTask', 'ssm:getPatchBaseline', 'ssm:getPatchBaselineForPatchGroup', 'ssm:listAssociations', 'ssm:listCommandInvocations', 'ssm:listCommands', 'ssm:listDocumentVersions', 'ssm:listDocuments', 'ssm:listTagsForResource', 'states:describeActivity', 'states:describeExecution', 'states:describeStateMachine', 'states:getExecutionHistory', 'states:listActivities', 'states:listExecutions', 'states:listStateMachines', 'storagegateway:describeBandwidthRateLimit', 'storagegateway:describeCache', 'storagegateway:describeCachediSCSIVolumes', 'storagegateway:describeGatewayInformation', 'storagegateway:describeMaintenanceStartTime', 'storagegateway:describeNFSFileShares', 'storagegateway:describeSMBFileShares', 'storagegateway:describeSMBSettings', 'storagegateway:describeSnapshotSchedule', 'storagegateway:describeStorediSCSIVolumes', 'storagegateway:describeTapeArchives', 'storagegateway:describeTapeRecoveryPoints', 'storagegateway:describeTapes', 'storagegateway:describeUploadBuffer', 'storagegateway:describeVTLDevices', 'storagegateway:describeWorkingStorage', 'storagegateway:listFileShares', 'storagegateway:listGateways', 'storagegateway:listLocalDisks', 'storagegateway:listTagsForResource', 'storagegateway:listTapes', 'storagegateway:listVolumeInitiators', 'storagegateway:listVolumeRecoveryPoints', 'storagegateway:listVolumes', 'swf:countClosedWorkflowExecutions', 'swf:countOpenWorkflowExecutions', 'swf:countPendingActivityTasks', 'swf:countPendingDecisionTasks', 'swf:describeActivityType', 'swf:describeDomain', 
'swf:describeWorkflowExecution', 'swf:describeWorkflowType', 'swf:getWorkflowExecutionHistory', 'swf:listActivityTypes', 'swf:listClosedWorkflowExecutions', 'swf:listDomains', 'swf:listOpenWorkflowExecutions', 'swf:listWorkflowTypes', 'transfer:describeServer', 'transfer:describeUser', 'transfer:listServers', 'transfer:listTagsForResource', 'transfer:listUsers', 'waf-regional:getByteMatchSet', 'waf-regional:getChangeTokenStatus', 'waf-regional:getIPSet', 'waf-regional:getRule', 'waf-regional:getSqlInjectionMatchSet', 'waf-regional:getWebACL', 'waf-regional:getWebACLForResource', 'waf-regional:listByteMatchSets', 'waf-regional:listIPSets', 'waf-regional:listResourcesForWebACL', 'waf-regional:listRules', 'waf-regional:listSqlInjectionMatchSets', 'waf-regional:listWebACLs', 'waf:getByteMatchSet', 'waf:getChangeTokenStatus', 'waf:getIPSet', 'waf:getRule', 'waf:getSampledRequests', 'waf:getSizeConstraintSet', 'waf:getSqlInjectionMatchSet', 'waf:getWebACL', 'waf:getXssMatchSet', 'waf:listByteMatchSets', 'waf:listIPSets', 'waf:listRules', 'waf:listSizeConstraintSets', 'waf:listSqlInjectionMatchSets', 'waf:listWebACLs', 'waf:listXssMatchSets', 'workdocs:checkAlias', 'workdocs:describeAvailableDirectories', 'workdocs:describeInstances', 'worklink:describeAuditStreamConfiguration', 'worklink:describeCompanyNetworkConfiguration', 'worklink:describeDevice', 'worklink:describeDevicePolicyConfiguration', 'worklink:describeDomain', 'worklink:describeFleetMetadata', 'worklink:describeIdentityProviderConfiguration', 'worklink:describeWebsiteCertificateAuthority', 'worklink:listDevices', 'worklink:listDomains', 'worklink:listFleets', 'worklink:listWebsiteAuthorizationProviders', 'worklink:listWebsiteCertificateAuthorities', 'workmail:describeGroup', 'workmail:describeOrganization', 'workmail:describeResource', 'workmail:describeUser', 'workmail:listAliases', 'workmail:listGroupMembers', 'workmail:listGroups', 'workmail:listMailboxPermissions', 'workmail:listOrganizations', 
'workmail:listResourceDelegates', 'workmail:listResources', 'workmail:listUsers', 'workspaces:describeAccount', 'workspaces:describeAccountModifications', 'workspaces:describeIpGroups', 'workspaces:describeTags', 'workspaces:describeWorkspaceBundles', 'workspaces:describeWorkspaceDirectories', 'workspaces:describeWorkspaceImages', 'workspaces:describeWorkspaces', 'workspaces:describeWorkspacesConnectionStatus'], 'Effect': 'Allow', 'Resource': ['*']}, 'filepath': None}",
"policy": {
"Statement": [
{
"Action": [
"apigateway:GET"
],
"Effect": "Allow",
"Resource": [
"arn:aws:apigateway:*::/account",
"arn:aws:apigateway:*::/apis",
"arn:aws:apigateway:*::/apis/*",
"arn:aws:apigateway:*::/apis/*/authorizers",
"arn:aws:apigateway:*::/apis/*/authorizers/*",
"arn:aws:apigateway:*::/apis/*/deployments",
"arn:aws:apigateway:*::/apis/*/deployments/*",
"arn:aws:apigateway:*::/apis/*/integrations",
"arn:aws:apigateway:*::/apis/*/integrations/*",
"arn:aws:apigateway:*::/apis/*/integrations/*/integrationresponses",
"arn:aws:apigateway:*::/apis/*/integrations/*/integrationresponses/*",
"arn:aws:apigateway:*::/apis/*/models",
"arn:aws:apigateway:*::/apis/*/models/*",
"arn:aws:apigateway:*::/apis/*/routes",
"arn:aws:apigateway:*::/apis/*/routes/*",
"arn:aws:apigateway:*::/apis/*/routes/*/routeresponses",
"arn:aws:apigateway:*::/apis/*/routes/*/routeresponses/*",
"arn:aws:apigateway:*::/apis/*/stages",
"arn:aws:apigateway:*::/apis/*/stages/*",
"arn:aws:apigateway:*::/clientcertificates",
"arn:aws:apigateway:*::/clientcertificates/*",
"arn:aws:apigateway:*::/domainnames",
"arn:aws:apigateway:*::/domainnames/*",
"arn:aws:apigateway:*::/domainnames/*/apimappings",
"arn:aws:apigateway:*::/domainnames/*/apimappings/*",
"arn:aws:apigateway:*::/domainnames/*/basepathmappings",
"arn:aws:apigateway:*::/domainnames/*/basepathmappings/*",
"arn:aws:apigateway:*::/restapis",
"arn:aws:apigateway:*::/restapis/*",
"arn:aws:apigateway:*::/restapis/*/authorizers",
"arn:aws:apigateway:*::/restapis/*/authorizers/*",
"arn:aws:apigateway:*::/restapis/*/deployments",
"arn:aws:apigateway:*::/restapis/*/deployments/*",
"arn:aws:apigateway:*::/restapis/*/models",
"arn:aws:apigateway:*::/restapis/*/models/*",
"arn:aws:apigateway:*::/restapis/*/models/*/default_template",
"arn:aws:apigateway:*::/restapis/*/resources",
"arn:aws:apigateway:*::/restapis/*/resources/*",
"arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integration/responses/*",
"arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/responses/*",
"arn:aws:apigateway:*::/restapis/*/stages/*/sdks/*",
"arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
"arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integration",
"arn:aws:apigateway:*::/restapis/*/stages",
"arn:aws:apigateway:*::/restapis/*/stages/*"
]
},
{
"Action": [
"iam:DeleteRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
]
},
{
"Action": [
"a4b:getDevice",
"a4b:getProfile",
"a4b:getRoom",
"a4b:getRoomSkillParameter",
"a4b:getSkillGroup",
"a4b:searchDevices",
"a4b:searchProfiles",
"a4b:searchRooms",
"a4b:searchSkillGroups",
"access-analyzer:getFinding",
"access-analyzer:listAnalyzers",
"access-analyzer:listArchiveRules",
"access-analyzer:listFindings",
"acm-pca:describeCertificateAuthority",
"acm-pca:describeCertificateAuthorityAuditReport",
"acm-pca:getCertificate",
"acm-pca:getCertificateAuthorityCertificate",
"acm-pca:getCertificateAuthorityCsr",
"acm-pca:listCertificateAuthorities",
"acm-pca:listTags",
"acm:describeCertificate",
"acm:getCertificate",
"acm:listCertificates",
"acm:listTagsForCertificate",
"application-autoscaling:describeScalableTargets",
"application-autoscaling:describeScalingActivities",
"application-autoscaling:describeScalingPolicies",
"application-autoscaling:describeScheduledActions",
"appstream:describeDirectoryConfigs",
"appstream:describeFleets",
"appstream:describeImageBuilders",
"appstream:describeImages",
"appstream:describeSessions",
"appstream:describeStacks",
"appstream:listAssociatedFleets",
"appstream:listAssociatedStacks",
"appstream:listTagsForResource",
"appsync:getFunction",
"appsync:getGraphqlApi",
"appsync:getIntrospectionSchema",
"appsync:getResolver",
"appsync:getSchemaCreationStatus",
"appsync:getType",
"appsync:listDataSources",
"appsync:listFunctions",
"appsync:listGraphqlApis",
"appsync:listResolvers",
"appsync:listTypes",
"athena:batchGetNamedQuery",
"athena:batchGetQueryExecution",
"athena:getNamedQuery",
"athena:getQueryExecution",
"athena:getWorkGroup",
"athena:listNamedQueries",
"athena:listQueryExecutions",
"athena:listTagsForResource",
"athena:listWorkGroups",
"autoscaling-plans:describeScalingPlanResources",
"autoscaling-plans:describeScalingPlans",
"autoscaling-plans:getScalingPlanResourceForecastData",
"autoscaling:describeAccountLimits",
"autoscaling:describeAdjustmentTypes",
"autoscaling:describeAutoScalingGroups",
"autoscaling:describeAutoScalingInstances",
"autoscaling:describeAutoScalingNotificationTypes",
"autoscaling:describeLaunchConfigurations",
"autoscaling:describeLifecycleHookTypes",
"autoscaling:describeLifecycleHooks",
"autoscaling:describeLoadBalancerTargetGroups",
"autoscaling:describeLoadBalancers",
"autoscaling:describeMetricCollectionTypes",
"autoscaling:describeNotificationConfigurations",
"autoscaling:describePolicies",
"autoscaling:describeScalingActivities",
"autoscaling:describeScalingProcessTypes",
"autoscaling:describeScheduledActions",
"autoscaling:describeTags",
"autoscaling:describeTerminationPolicyTypes",
"backup:describeBackupJob",
"backup:describeBackupVault",
"backup:describeProtectedResource",
"backup:describeRecoveryPoint",
"backup:describeRestoreJob",
"backup:getBackupPlan",
"backup:getBackupPlanFromJSON",
"backup:getBackupPlanFromTemplate",
"backup:getBackupSelection",
"backup:getBackupVaultAccessPolicy",
"backup:getBackupVaultNotifications",
"backup:getRecoveryPointRestoreMetadata",
"backup:getSupportedResourceTypes",
"backup:listBackupJobs",
"backup:listBackupPlanTemplates",
"backup:listBackupPlanVersions",
"backup:listBackupPlans",
"backup:listBackupSelections",
"backup:listBackupVaults",
"backup:listProtectedResources",
"backup:listRecoveryPointsByBackupVault",
"backup:listRecoveryPointsByResource",
"backup:listRestoreJobs",
"backup:listTags",
"batch:describeComputeEnvironments",
"batch:describeJobDefinitions",
"batch:describeJobQueues",
"batch:describeJobs",
"batch:listJobs",
"ce:getCostAndUsage",
"ce:getDimensionValues",
"ce:getReservationCoverage",
"ce:getReservationUtilization",
"ce:getTags",
"cloud9:describeEnvironmentMemberships",
"cloud9:describeEnvironments",
"cloud9:listEnvironments",
"clouddirectory:getDirectory",
"clouddirectory:listDirectories",
"cloudformation:describeAccountLimits",
"cloudformation:describeChangeSet",
"cloudformation:describeStackEvents",
"cloudformation:describeStackInstance",
"cloudformation:describeStackResource",
"cloudformation:describeStackResources",
"cloudformation:describeStackSet",
"cloudformation:describeStackSetOperation",
"cloudformation:describeStacks",
"cloudformation:estimateTemplateCost",
"cloudformation:getStackPolicy",
"cloudformation:getTemplate",
"cloudformation:getTemplateSummary",
"cloudformation:listChangeSets",
"cloudformation:listExports",
"cloudformation:listImports",
"cloudformation:listStackInstances",
"cloudformation:listStackResources",
"cloudformation:listStackSetOperationResults",
"cloudformation:listStackSetOperations",
"cloudformation:listStackSets",
"cloudformation:listStacks",
"cloudfront:getCloudFrontOriginAccessIdentity",
"cloudfront:getCloudFrontOriginAccessIdentityConfig",
"cloudfront:getDistribution",
"cloudfront:getDistributionConfig",
"cloudfront:getInvalidation",
"cloudfront:getStreamingDistribution",
"cloudfront:getStreamingDistributionConfig",
"cloudfront:listCloudFrontOriginAccessIdentities",
"cloudfront:listDistributions",
"cloudfront:listDistributionsByWebACLId",
"cloudfront:listInvalidations",
"cloudfront:listStreamingDistributions",
"cloudhsm:describeBackups",
"cloudhsm:describeClusters",
"cloudsearch:describeAnalysisSchemes",
"cloudsearch:describeAvailabilityOptions",
"cloudsearch:describeDomains",
"cloudsearch:describeExpressions",
"cloudsearch:describeIndexFields",
"cloudsearch:describeScalingParameters",
"cloudsearch:describeServiceAccessPolicies",
"cloudsearch:describeSuggesters",
"cloudsearch:listDomainNames",
"cloudtrail:describeTrails",
"cloudtrail:getEventSelectors",
"cloudtrail:getInsightSelectors",
"cloudtrail:getTrail",
"cloudtrail:getTrailStatus",
"cloudtrail:listPublicKeys",
"cloudtrail:listTags",
"cloudtrail:listTrails",
"cloudtrail:lookupEvents",
"cloudwatch:describeAlarmHistory",
"cloudwatch:describeAlarms",
"cloudwatch:describeAlarmsForMetric",
"cloudwatch:getDashboard",
"cloudwatch:getMetricData",
"cloudwatch:getMetricStatistics",
"cloudwatch:listDashboards",
"cloudwatch:listMetrics",
"codebuild:batchGetBuilds",
"codebuild:batchGetProjects",
"codebuild:listBuilds",
"codebuild:listBuildsForProject",
"codebuild:listCuratedEnvironmentImages",
"codebuild:listProjects",
"codebuild:listSourceCredentials",
"codecommit:batchGetRepositories",
"codecommit:getBranch",
"codecommit:getRepository",
"codecommit:getRepositoryTriggers",
"codecommit:listBranches",
"codecommit:listRepositories",
"codedeploy:batchGetApplicationRevisions",
"codedeploy:batchGetApplications",
"codedeploy:batchGetDeploymentGroups",
"codedeploy:batchGetDeploymentInstances",
"codedeploy:batchGetDeployments",
"codedeploy:batchGetOnPremisesInstances",
"codedeploy:getApplication",
"codedeploy:getApplicationRevision",
"codedeploy:getDeployment",
"codedeploy:getDeploymentConfig",
"codedeploy:getDeploymentGroup",
"codedeploy:getDeploymentInstance",
"codedeploy:getOnPremisesInstance",
"codedeploy:listApplicationRevisions",
"codedeploy:listApplications",
"codedeploy:listDeploymentConfigs",
"codedeploy:listDeploymentGroups",
"codedeploy:listDeploymentInstances",
"codedeploy:listDeployments",
"codedeploy:listOnPremisesInstances",
"codepipeline:getJobDetails",
"codepipeline:getPipeline",
"codepipeline:getPipelineExecution",
"codepipeline:getPipelineState",
"codepipeline:listActionTypes",
"codepipeline:listPipelines",
"codestar:describeProject",
"codestar:listProjects",
"codestar:listResources",
"codestar:listTeamMembers",
"codestar:listUserProfiles",
"cognito-identity:describeIdentityPool",
"cognito-identity:getIdentityPoolRoles",
"cognito-identity:listIdentities",
"cognito-identity:listIdentityPools",
"cognito-idp:adminGetUser",
"cognito-idp:describeIdentityProvider",
"cognito-idp:describeResourceServer",
"cognito-idp:describeRiskConfiguration",
"cognito-idp:describeUserImportJob",
"cognito-idp:describeUserPool",
"cognito-idp:describeUserPoolClient",
"cognito-idp:describeUserPoolDomain",
"cognito-idp:getGroup",
"cognito-idp:getUICustomization",
"cognito-idp:getUser",
"cognito-idp:getUserPoolMfaConfig",
"cognito-idp:listGroups",
"cognito-idp:listIdentityProviders",
"cognito-idp:listResourceServers",
"cognito-idp:listUserImportJobs",
"cognito-idp:listUserPoolClients",
"cognito-idp:listUserPools",
"cognito-sync:describeDataset",
"cognito-sync:describeIdentityPoolUsage",
"cognito-sync:describeIdentityUsage",
"cognito-sync:getCognitoEvents",
"cognito-sync:getIdentityPoolConfiguration",
"cognito-sync:listDatasets",
"cognito-sync:listIdentityPoolUsage",
"config:describeConfigRuleEvaluationStatus",
"config:describeConfigRules",
"config:describeConfigurationRecorderStatus",
"config:describeConfigurationRecorders",
"config:describeDeliveryChannelStatus",
"config:describeDeliveryChannels",
"config:getResourceConfigHistory",
"config:listDiscoveredResources",
"connect:describeUser",
"connect:getCurrentMetricData",
"connect:getMetricData",
"connect:listRoutingProfiles",
"connect:listSecurityProfiles",
"connect:listUsers",
"datapipeline:describeObjects",
"datapipeline:describePipelines",
"datapipeline:getPipelineDefinition",
"datapipeline:listPipelines",
"datapipeline:queryObjects",
"datasync:describeAgent",
"datasync:describeLocationEfs",
"datasync:describeLocationNfs",
"datasync:describeLocationS3",
"datasync:describeTask",
"datasync:describeTaskExecution",
"datasync:listAgents",
"datasync:listLocations",
"datasync:listTaskExecutions",
"datasync:listTasks",
"dax:describeClusters",
"dax:describeDefaultParameters",
"dax:describeEvents",
"dax:describeParameterGroups",
"dax:describeParameters",
"dax:describeSubnetGroups",
"devicefarm:getAccountSettings",
"devicefarm:getDevice",
"devicefarm:getDevicePool",
"devicefarm:getDevicePoolCompatibility",
"devicefarm:getJob",
"devicefarm:getProject",
"devicefarm:getRemoteAccessSession",
"devicefarm:getRun",
"devicefarm:getSuite",
"devicefarm:getTest",
"devicefarm:getUpload",
"devicefarm:listArtifacts",
"devicefarm:listDevicePools",
"devicefarm:listDevices",
"devicefarm:listJobs",
"devicefarm:listProjects",
"devicefarm:listRemoteAccessSessions",
"devicefarm:listRuns",
"devicefarm:listSamples",
"devicefarm:listSuites",
"devicefarm:listTests",
"devicefarm:listUniqueProblems",
"devicefarm:listUploads",
"directconnect:describeConnections",
"directconnect:describeConnectionsOnInterconnect",
"directconnect:describeInterconnects",
"directconnect:describeLocations",
"directconnect:describeVirtualGateways",
"directconnect:describeVirtualInterfaces",
"dlm:getLifecyclePolicies",
"dlm:getLifecyclePolicy",
"dms:describeAccountAttributes",
"dms:describeConnections",
"dms:describeEndpointTypes",
"dms:describeEndpoints",
"dms:describeOrderableReplicationInstances",
"dms:describeRefreshSchemasStatus",
"dms:describeReplicationInstances",
"dms:describeReplicationSubnetGroups",
"ds:describeConditionalForwarders",
"ds:describeDirectories",
"ds:describeEventTopics",
"ds:describeSnapshots",
"ds:describeTrusts",
"ds:getDirectoryLimits",
"ds:getSnapshotLimits",
"ds:listIpRoutes",
"ds:listSchemaExtensions",
"ds:listTagsForResource",
"dynamodb:describeBackup",
"dynamodb:describeContinuousBackups",
"dynamodb:describeGlobalTable",
"dynamodb:describeLimits",
"dynamodb:describeStream",
"dynamodb:describeTable",
"dynamodb:describeTimeToLive",
"dynamodb:listBackups",
"dynamodb:listGlobalTables",
"dynamodb:listStreams",
"dynamodb:listTables",
"dynamodb:listTagsOfResource",
"ec2:acceptReservedInstancesExchangeQuote",
"ec2:cancelReservedInstancesListing",
"ec2:createReservedInstancesListing",
"ec2:describeAccountAttributes",
"ec2:describeAddresses",
"ec2:describeAvailabilityZones",
"ec2:describeBundleTasks",
"ec2:describeByoipCidrs",
"ec2:describeCapacityReservations",
"ec2:describeClassicLinkInstances",
"ec2:describeClientVpnAuthorizationRules",
"ec2:describeClientVpnConnections",
"ec2:describeClientVpnEndpoints",
"ec2:describeClientVpnRoutes",
"ec2:describeClientVpnTargetNetworks",
"ec2:describeConversionTasks",
"ec2:describeCustomerGateways",
"ec2:describeDhcpOptions",
"ec2:describeElasticGpus",
"ec2:describeExportTasks",
"ec2:describeFastSnapshotRestores",
"ec2:describeFleetHistory",
"ec2:describeFleetInstances",
"ec2:describeFleets",
"ec2:describeFlowLogs",
"ec2:describeHostReservationOfferings",
"ec2:describeHostReservations",
"ec2:describeHosts",
"ec2:describeIdFormat",
"ec2:describeIdentityIdFormat",
"ec2:describeImageAttribute",
"ec2:describeImages",
"ec2:describeImportImageTasks",
"ec2:describeImportSnapshotTasks",
"ec2:describeInstanceAttribute",
"ec2:describeInstanceStatus",
"ec2:describeInstances",
"ec2:describeInternetGateways",
"ec2:describeKeyPairs",
"ec2:describeLaunchTemplateVersions",
"ec2:describeLaunchTemplates",
"ec2:describeMovingAddresses",
"ec2:describeNatGateways",
"ec2:describeNetworkAcls",
"ec2:describeNetworkInterfaceAttribute",
"ec2:describeNetworkInterfaces",
"ec2:describePlacementGroups",
"ec2:describePrefixLists",
"ec2:describePublicIpv4Pools",
"ec2:describeRegions",
"ec2:describeReservedInstances",
"ec2:describeReservedInstancesListings",
"ec2:describeReservedInstancesModifications",
"ec2:describeReservedInstancesOfferings",
"ec2:describeRouteTables",
"ec2:describeScheduledInstances",
"ec2:describeSecurityGroups",
"ec2:describeSnapshotAttribute",
"ec2:describeSnapshots",
"ec2:describeSpotDatafeedSubscription",
"ec2:describeSpotFleetInstances",
"ec2:describeSpotFleetRequestHistory",
"ec2:describeSpotFleetRequests",
"ec2:describeSpotInstanceRequests",
"ec2:describeSpotPriceHistory",
"ec2:describeSubnets",
"ec2:describeTags",
"ec2:describeTrafficMirrorFilters",
"ec2:describeTrafficMirrorSessions",
"ec2:describeTrafficMirrorTargets",
"ec2:describeTransitGatewayAttachments",
"ec2:describeTransitGatewayRouteTables",
"ec2:describeTransitGatewayVpcAttachments",
"ec2:describeTransitGateways",
"ec2:describeVolumeAttribute",
"ec2:describeVolumeStatus",
"ec2:describeVolumes",
"ec2:describeVolumesModifications",
"ec2:describeVpcAttribute",
"ec2:describeVpcClassicLink",
"ec2:describeVpcClassicLinkDnsSupport",
"ec2:describeVpcEndpointConnectionNotifications",
"ec2:describeVpcEndpointConnections",
"ec2:describeVpcEndpointServiceConfigurations",
"ec2:describeVpcEndpointServicePermissions",
"ec2:describeVpcEndpointServices",
"ec2:describeVpcEndpoints",
"ec2:describeVpcPeeringConnections",
"ec2:describeVpcs",
"ec2:describeVpnConnections",
"ec2:describeVpnGateways",
"ec2:getConsoleScreenshot",
"ec2:getReservedInstancesExchangeQuote",
"ec2:getTransitGatewayAttachmentPropagations",
"ec2:getTransitGatewayRouteTableAssociations",
"ec2:getTransitGatewayRouteTablePropagations",
"ec2:modifyReservedInstances",
"ec2:purchaseReservedInstancesOffering",
"ecr:batchCheckLayerAvailability",
"ecr:describeImages",
"ecr:describeRepositories",
"ecr:getRepositoryPolicy",
"ecr:listImages",
"ecs:describeClusters",
"ecs:describeContainerInstances",
"ecs:describeServices",
"ecs:describeTaskDefinition",
"ecs:describeTasks",
"ecs:listClusters",
"ecs:listContainerInstances",
"ecs:listServices",
"ecs:listTaskDefinitions",
"ecs:listTasks",
"eks:describeCluster",
"eks:describeUpdate",
"eks:listClusters",
"eks:listUpdates",
"elasticache:describeCacheClusters",
"elasticache:describeCacheEngineVersions",
"elasticache:describeCacheParameterGroups",
"elasticache:describeCacheParameters",
"elasticache:describeCacheSecurityGroups",
"elasticache:describeCacheSubnetGroups",
"elasticache:describeEngineDefaultParameters",
"elasticache:describeEvents",
"elasticache:describeReplicationGroups",
"elasticache:describeReservedCacheNodes",
"elasticache:describeReservedCacheNodesOfferings",
"elasticache:describeSnapshots",
"elasticache:listAllowedNodeTypeModifications",
"elasticache:listTagsForResource",
"elasticbeanstalk:checkDNSAvailability",
"elasticbeanstalk:describeApplicationVersions",
"elasticbeanstalk:describeApplications",
"elasticbeanstalk:describeConfigurationOptions",
"elasticbeanstalk:describeConfigurationSettings",
"elasticbeanstalk:describeEnvironmentHealth",
"elasticbeanstalk:describeEnvironmentManagedActionHistory",
"elasticbeanstalk:describeEnvironmentManagedActions",
"elasticbeanstalk:describeEnvironmentResources",
"elasticbeanstalk:describeEnvironments",
"elasticbeanstalk:describeEvents",
"elasticbeanstalk:describeInstancesHealth",
"elasticbeanstalk:describePlatformVersion",
"elasticbeanstalk:listAvailableSolutionStacks",
"elasticbeanstalk:listPlatformVersions",
"elasticbeanstalk:validateConfigurationSettings",
"elasticfilesystem:describeFileSystems",
"elasticfilesystem:describeLifecycleConfiguration",
"elasticfilesystem:describeMountTargetSecurityGroups",
"elasticfilesystem:describeMountTargets",
"elasticfilesystem:describeTags",
"elasticloadbalancing:describeInstanceHealth",
"elasticloadbalancing:describeListenerCertificates",
"elasticloadbalancing:describeListeners",
"elasticloadbalancing:describeLoadBalancerAttributes",
"elasticloadbalancing:describeLoadBalancerPolicies",
"elasticloadbalancing:describeLoadBalancerPolicyTypes",
"elasticloadbalancing:describeLoadBalancers",
"elasticloadbalancing:describeRules",
"elasticloadbalancing:describeSSLPolicies",
"elasticloadbalancing:describeTags",
"elasticloadbalancing:describeTargetGroupAttributes",
"elasticloadbalancing:describeTargetGroups",
"elasticloadbalancing:describeTargetHealth",
"elasticmapreduce:describeCluster",
"elasticmapreduce:describeSecurityConfiguration",
"elasticmapreduce:describeStep",
"elasticmapreduce:listBootstrapActions",
"elasticmapreduce:listClusters",
"elasticmapreduce:listInstanceGroups",
"elasticmapreduce:listInstances",
"elasticmapreduce:listSecurityConfigurations",
"elasticmapreduce:listSteps",
"elastictranscoder:listJobsByPipeline",
"elastictranscoder:listJobsByStatus",
"elastictranscoder:listPipelines",
"elastictranscoder:listPresets",
"elastictranscoder:readPipeline",
"elastictranscoder:readPreset",
"es:describeElasticsearchDomain",
"es:describeElasticsearchDomainConfig",
"es:describeElasticsearchDomains",
"es:listDomainNames",
"es:listTags",
"events:describeEventBus",
"events:describeRule",
"events:listRuleNamesByTarget",
"events:listRules",
"events:listTargetsByRule",
"events:testEventPattern",
"firehose:describeDeliveryStream",
"firehose:listDeliveryStreams",
"forecast:describeDataset",
"forecast:describeDatasetGroup",
"forecast:describeDatasetImportJob",
"forecast:describeForecast",
"forecast:describeForecastExportJob",
"forecast:describePredictor",
"forecast:getAccuracyMetrics",
"forecast:listDatasetGroups",
"forecast:listDatasetImportJobs",
"forecast:listDatasets",
"forecast:listForecastExportJobs",
"forecast:listForecasts",
"forecast:listPredictors",
"fsx:describeBackups",
"fsx:describeFileSystems",
"fsx:listTagsForResource",
"glacier:describeJob",
"glacier:describeVault",
"glacier:getDataRetrievalPolicy",
"glacier:getVaultAccessPolicy",
"glacier:getVaultLock",
"glacier:getVaultNotifications",
"glacier:listJobs",
"glacier:listTagsForVault",
"glacier:listVaults",
"globalaccelerator:describeAccelerator",
"globalaccelerator:describeAcceleratorAttributes",
"globalaccelerator:describeEndpointGroup",
"globalaccelerator:describeListener",
"globalaccelerator:listAccelerators",
"globalaccelerator:listEndpointGroups",
"globalaccelerator:listListeners",
"glue:batchGetPartition",
"glue:getCatalogImportStatus",
"glue:getClassifier",
"glue:getClassifiers",
"glue:getCrawler",
"glue:getCrawlerMetrics",
"glue:getCrawlers",
"glue:getDatabase",
"glue:getDatabases",
"glue:getDataflowGraph",
"glue:getDevEndpoint",
"glue:getDevEndpoints",
"glue:getJob",
"glue:getJobRun",
"glue:getJobRuns",
"glue:getJobs",
"glue:getMapping",
"glue:getPartition",
"glue:getPartitions",
"glue:getTable",
"glue:getTableVersions",
"glue:getTables",
"glue:getTrigger",
"glue:getTriggers",
"glue:getUserDefinedFunction",
"glue:getUserDefinedFunctions",
"greengrass:getConnectivityInfo",
"greengrass:getCoreDefinition",
"greengrass:getCoreDefinitionVersion",
"greengrass:getDeploymentStatus",
"greengrass:getDeviceDefinition",
"greengrass:getDeviceDefinitionVersion",
"greengrass:getFunctionDefinition",
"greengrass:getFunctionDefinitionVersion",
"greengrass:getGroup",
"greengrass:getGroupCertificateAuthority",
"greengrass:getGroupVersion",
"greengrass:getLoggerDefinition",
"greengrass:getLoggerDefinitionVersion",
"greengrass:getResourceDefinitionVersion",
"greengrass:getServiceRoleForAccount",
"greengrass:getSubscriptionDefinition",
"greengrass:getSubscriptionDefinitionVersion",
"greengrass:listCoreDefinitionVersions",
"greengrass:listCoreDefinitions",
"greengrass:listDeployments",
"greengrass:listDeviceDefinitionVersions",
"greengrass:listDeviceDefinitions",
"greengrass:listFunctionDefinitionVersions",
"greengrass:listFunctionDefinitions",
"greengrass:listGroupVersions",
"greengrass:listGroups",
"greengrass:listLoggerDefinitionVersions",
"greengrass:listLoggerDefinitions",
"greengrass:listResourceDefinitionVersions",
"greengrass:listResourceDefinitions",
"greengrass:listSubscriptionDefinitionVersions",
"greengrass:listSubscriptionDefinitions",
"guardduty:getDetector",
"guardduty:getFindings",
"guardduty:getFindingsStatistics",
"guardduty:getIPSet",
"guardduty:getInvitationsCount",
"guardduty:getMasterAccount",
"guardduty:getMembers",
"guardduty:getThreatIntelSet",
"guardduty:listDetectors",
"guardduty:listFindings",
"guardduty:listIPSets",
"guardduty:listInvitations",
"guardduty:listMembers",
"guardduty:listThreatIntelSets",
"health:describeAffectedEntities",
"health:describeEntityAggregates",
"health:describeEventAggregates",
"health:describeEventDetails",
"health:describeEventTypes",
"health:describeEvents",
"iam:getAccessKeyLastUsed",
"iam:getAccountAuthorizationDetails",
"iam:getAccountPasswordPolicy",
"iam:getAccountSummary",
"iam:getContextKeysForCustomPolicy",
"iam:getContextKeysForPrincipalPolicy",
"iam:getCredentialReport",
"iam:getGroup",
"iam:getGroupPolicy",
"iam:getInstanceProfile",
"iam:getLoginProfile",
"iam:getOpenIDConnectProvider",
"iam:getPolicy",
"iam:getPolicyVersion",
"iam:getRole",
"iam:getRolePolicy",
"iam:getSAMLProvider",
"iam:getSSHPublicKey",
"iam:getServerCertificate",
"iam:getUser",
"iam:getUserPolicy",
"iam:listAccessKeys",
"iam:listAccountAliases",
"iam:listAttachedGroupPolicies",
"iam:listAttachedRolePolicies",
"iam:listAttachedUserPolicies",
"iam:listEntitiesForPolicy",
"iam:listGroupPolicies",
"iam:listGroups",
"iam:listGroupsForUser",
"iam:listInstanceProfiles",
"iam:listInstanceProfilesForRole",
"iam:listMFADevices",
"iam:listOpenIDConnectProviders",
"iam:listPolicies",
"iam:listPolicyVersions",
"iam:listRolePolicies",
"iam:listRoles",
"iam:listSAMLProviders",
"iam:listSSHPublicKeys",
"iam:listServerCertificates",
"iam:listSigningCertificates",
"iam:listUserPolicies",
"iam:listUsers",
"iam:listVirtualMFADevices",
"iam:simulateCustomPolicy",
"iam:simulatePrincipalPolicy",
"importexport:getStatus",
"importexport:listJobs",
"inspector:describeAssessmentRuns",
"inspector:describeAssessmentTargets",
"inspector:describeAssessmentTemplates",
"inspector:describeCrossAccountAccessRole",
"inspector:describeResourceGroups",
"inspector:describeRulesPackages",
"inspector:getTelemetryMetadata",
"inspector:listAssessmentRunAgents",
"inspector:listAssessmentRuns",
"inspector:listAssessmentTargets",
"inspector:listAssessmentTemplates",
"inspector:listEventSubscriptions",
"inspector:listRulesPackages",
"inspector:listTagsForResource",
"iot:describeAuthorizer",
"iot:describeCACertificate",
"iot:describeCertificate",
"iot:describeDefaultAuthorizer",
"iot:describeEndpoint",
"iot:describeIndex",
"iot:describeJobExecution",
"iot:describeThing",
"iot:describeThingGroup",
"iot:getEffectivePolicies",
"iot:getIndexingConfiguration",
"iot:getLoggingOptions",
"iot:getPolicy",
"iot:getPolicyVersion",
"iot:getTopicRule",
"iot:getV2LoggingOptions",
"iot:listAttachedPolicies",
"iot:listAuthorizers",
"iot:listCACertificates",
"iot:listCertificates",
"iot:listCertificatesByCA",
"iot:listJobExecutionsForJob",
"iot:listJobExecutionsForThing",
"iot:listJobs",
"iot:listOutgoingCertificates",
"iot:listPolicies",
"iot:listPolicyPrincipals",
"iot:listPolicyVersions",
"iot:listPrincipalPolicies",
"iot:listPrincipalThings",
"iot:listRoleAliases",
"iot:listTargetsForPolicy",
"iot:listThingGroups",
"iot:listThingGroupsForThing",
"iot:listThingPrincipals",
"iot:listThingRegistrationTasks",
"iot:listThingTypes",
"iot:listThings",
"iot:listTopicRules",
"iot:listV2LoggingLevels",
"iotevents:describeDetector",
"iotevents:describeDetectorModel",
"iotevents:describeInput",
"iotevents:describeLoggingOptions",
"iotevents:listDetectorModelVersions",
"iotevents:listDetectorModels",
"iotevents:listDetectors",
"iotevents:listInputs",
"kafka:describeCluster",
"kafka:getBootstrapBrokers",
"kafka:listClusters",
"kafka:listNodes",
"kinesis:describeStream",
"kinesis:listStreams",
"kinesis:listTagsForStream",
"kinesisanalytics:describeApplication",
"kinesisanalytics:listApplications",
"kms:describeKey",
"kms:getKeyPolicy",
"kms:getKeyRotationStatus",
"kms:listAliases",
"kms:listGrants",
"kms:listKeyPolicies",
"kms:listKeys",
"kms:listResourceTags",
"kms:listRetirableGrants",
"lambda:getAccountSettings",
"lambda:getAlias",
"lambda:getEventSourceMapping",
"lambda:getFunction",
"lambda:getFunctionConfiguration",
"lambda:getLayerVersion",
"lambda:getLayerVersionPolicy",
"lambda:getPolicy",
"lambda:listAliases",
"lambda:listEventSourceMappings",
"lambda:listFunctions",
"lambda:listLayerVersions",
"lambda:listLayers",
"lambda:listVersionsByFunction",
"lex:getBot",
"lex:getBotAlias",
"lex:getBotAliases",
"lex:getBotChannelAssociation",
"lex:getBotChannelAssociations",
"lex:getBotVersions",
"lex:getBots",
"lex:getBuiltinIntent",
"lex:getBuiltinIntents",
"lex:getBuiltinSlotTypes",
"lex:getIntent",
"lex:getIntentVersions",
"lex:getIntents",
"lex:getSlotType",
"lex:getSlotTypeVersions",
"lex:getSlotTypes",
"lightsail:getActiveNames",
"lightsail:getBlueprints",
"lightsail:getBundles",
"lightsail:getDomain",
"lightsail:getDomains",
"lightsail:getInstance",
"lightsail:getInstanceAccessDetails",
"lightsail:getInstanceMetricData",
"lightsail:getInstancePortStates",
"lightsail:getInstanceSnapshot",
"lightsail:getInstanceSnapshots",
"lightsail:getInstanceState",
"lightsail:getInstances",
"lightsail:getKeyPair",
"lightsail:getKeyPairs",
"lightsail:getOperation",
"lightsail:getOperations",
"lightsail:getOperationsForResource",
"lightsail:getRegions",
"lightsail:getStaticIp",
"lightsail:getStaticIps",
"logs:describeDestinations",
"logs:describeExportTasks",
"logs:describeLogGroups",
"logs:describeLogStreams",
"logs:describeMetricFilters",
"logs:describeQueries",
"logs:describeSubscriptionFilters",
"logs:testMetricFilter",
"machinelearning:describeBatchPredictions",
"machinelearning:describeDataSources",
"machinelearning:describeEvaluations",
"machinelearning:describeMLModels",
"machinelearning:getBatchPrediction",
"machinelearning:getDataSource",
"machinelearning:getEvaluation",
"machinelearning:getMLModel",
"managedblockchain:getMember",
"managedblockchain:getNetwork",
"managedblockchain:getNode",
"managedblockchain:listMembers",
"managedblockchain:listNetworks",
"managedblockchain:listNodes",
"mediaconvert:describeEndpoints",
"mediaconvert:getJob",
"mediaconvert:getJobTemplate",
"mediaconvert:getPreset",
"mediaconvert:getQueue",
"mediaconvert:listJobTemplates",
"mediaconvert:listJobs",
"medialive:describeChannel",
"medialive:describeInput",
"medialive:describeInputSecurityGroup",
"medialive:describeOffering",
"medialive:describeReservation",
"medialive:describeSchedule",
"medialive:listChannels",
"medialive:listInputSecurityGroups",
"medialive:listInputs",
"medialive:listOfferings",
"medialive:listReservations",
"mediapackage:describeChannel",
"mediapackage:describeOriginEndpoint",
"mediapackage:listChannels",
"mediapackage:listOriginEndpoints",
"mediastore:describeContainer",
"mediastore:describeObject",
"mediastore:getContainerPolicy",
"mediastore:getCorsPolicy",
"mediastore:listContainers",
"mediastore:listItems",
"mediatailor:getPlaybackConfiguration",
"mediatailor:listPlaybackConfigurations",
"mobiletargeting:getAdmChannel",
"mobiletargeting:getApnsChannel",
"mobiletargeting:getApnsSandboxChannel",
"mobiletargeting:getApnsVoipChannel",
"mobiletargeting:getApnsVoipSandboxChannel",
"mobiletargeting:getApp",
"mobiletargeting:getApplicationSettings",
"mobiletargeting:getApps",
"mobiletargeting:getBaiduChannel",
"mobiletargeting:getCampaign",
"mobiletargeting:getCampaignActivities",
"mobiletargeting:getCampaignVersion",
"mobiletargeting:getCampaignVersions",
"mobiletargeting:getCampaigns",
"mobiletargeting:getEmailChannel",
"mobiletargeting:getEndpoint",
"mobiletargeting:getEventStream",
"mobiletargeting:getExportJob",
"mobiletargeting:getExportJobs",
"mobiletargeting:getGcmChannel",
"mobiletargeting:getImportJob",
"mobiletargeting:getImportJobs",
"mobiletargeting:getSegment",
"mobiletargeting:getSegmentImportJobs",
"mobiletargeting:getSegmentVersion",
"mobiletargeting:getSegmentVersions",
"mobiletargeting:getSegments",
"mobiletargeting:getSmsChannel",
"mq:describeBroker",
"mq:describeConfiguration",
"mq:describeConfigurationRevision",
"mq:describeUser",
"mq:listBrokers",
"mq:listConfigurationRevisions",
"mq:listConfigurations",
"mq:listUsers",
"opsworks-cm:describeAccountAttributes",
"opsworks-cm:describeBackups",
"opsworks-cm:describeEvents",
"opsworks-cm:describeNodeAssociationStatus",
"opsworks-cm:describeServers",
"opsworks:describeAgentVersions",
"opsworks:describeApps",
"opsworks:describeCommands",
"opsworks:describeDeployments",
"opsworks:describeEcsClusters",
"opsworks:describeElasticIps",
"opsworks:describeElasticLoadBalancers",
"opsworks:describeInstances",
"opsworks:describeLayers",
"opsworks:describeLoadBasedAutoScaling",
"opsworks:describeMyUserProfile",
"opsworks:describePermissions",
"opsworks:describeRaidArrays",
"opsworks:describeRdsDbInstances",
"opsworks:describeServiceErrors",
"opsworks:describeStackProvisioningParameters",
"opsworks:describeStackSummary",
"opsworks:describeStacks",
"opsworks:describeTimeBasedAutoScaling",
"opsworks:describeUserProfiles",
"opsworks:describeVolumes",
"opsworks:getHostnameSuggestion",
"personalize:describeAlgorithm",
"personalize:describeCampaign",
"personalize:describeDataset",
"personalize:describeDatasetGroup",
"personalize:describeDatasetImportJob",
"personalize:describeEventTracker",
"personalize:describeFeatureTransformation",
"personalize:describeRecipe",
"personalize:describeSchema",
"personalize:describeSolution",
"personalize:describeSolutionVersion",
"personalize:listCampaigns",
"personalize:listDatasetGroups",
"personalize:listDatasetImportJobs",
"personalize:listDatasets",
"personalize:listEventTrackers",
"personalize:listRecipes",
"personalize:listSchemas",
"personalize:listSolutionVersions",
"personalize:listSolutions",
"polly:describeVoices",
"polly:getLexicon",
"polly:listLexicons",
"pricing:describeServices",
"pricing:getAttributeValues",
"pricing:getProducts",
"rds:describeAccountAttributes",
"rds:describeCertificates",
"rds:describeDBClusterParameterGroups",
"rds:describeDBClusterParameters",
"rds:describeDBClusterSnapshots",
"rds:describeDBClusters",
"rds:describeDBEngineVersions",
"rds:describeDBInstances",
"rds:describeDBParameterGroups",
"rds:describeDBParameters",
"rds:describeDBSecurityGroups",
"rds:describeDBSnapshotAttributes",
"rds:describeDBSnapshots",
"rds:describeDBSubnetGroups",
"rds:describeEngineDefaultClusterParameters",
"rds:describeEngineDefaultParameters",
"rds:describeEventCategories",
"rds:describeEventSubscriptions",
"rds:describeEvents",
"rds:describeOptionGroupOptions",
"rds:describeOptionGroups",
"rds:describeOrderableDBInstanceOptions",
"rds:describePendingMaintenanceActions",
"rds:describeReservedDBInstances",
"rds:describeReservedDBInstancesOfferings",
"rds:listTagsForResource",
"redshift:describeClusterParameterGroups",
"redshift:describeClusterParameters",
"redshift:describeClusterSecurityGroups",
"redshift:describeClusterSnapshots",
"redshift:describeClusterSubnetGroups",
"redshift:describeClusterVersions",
"redshift:describeClusters",
"redshift:describeDefaultClusterParameters",
"redshift:describeEventCategories",
"redshift:describeEventSubscriptions",
"redshift:describeEvents",
"redshift:describeHsmClientCertificates",
"redshift:describeHsmConfigurations",
"redshift:describeLoggingStatus",
"redshift:describeOrderableClusterOptions",
"redshift:describeReservedNodeOfferings",
"redshift:describeReservedNodes",
"redshift:describeResize",
"redshift:describeSnapshotCopyGrants",
"redshift:describeTableRestoreStatus",
"redshift:describeTags",
"rekognition:listCollections",
"rekognition:listFaces",
"robomaker:batchDescribeSimulationJob",
"robomaker:describeDeploymentJob",
"robomaker:describeFleet",
"robomaker:describeRobot",
"robomaker:describeRobotApplication",
"robomaker:describeSimulationApplication",
"robomaker:describeSimulationJob",
"robomaker:listDeploymentJobs",
"robomaker:listFleets",
"robomaker:listRobotApplications",
"robomaker:listRobots",
"robomaker:listSimulationApplications",
"robomaker:listSimulationJobs",
"route53:getChange",
"route53:getCheckerIpRanges",
"route53:getGeoLocation",
"route53:getHealthCheck",
"route53:getHealthCheckCount",
"route53:getHealthCheckLastFailureReason",
"route53:getHealthCheckStatus",
"route53:getHostedZone",
"route53:getHostedZoneCount",
"route53:getReusableDelegationSet",
"route53:getTrafficPolicy",
"route53:getTrafficPolicyInstance",
"route53:getTrafficPolicyInstanceCount",
"route53:listGeoLocations",
"route53:listHealthChecks",
"route53:listHostedZones",
"route53:listHostedZonesByName",
"route53:listResourceRecordSets",
"route53:listReusableDelegationSets",
"route53:listTagsForResource",
"route53:listTagsForResources",
"route53:listTrafficPolicies",
"route53:listTrafficPolicyInstances",
"route53:listTrafficPolicyInstancesByHostedZone",
"route53:listTrafficPolicyInstancesByPolicy",
"route53:listTrafficPolicyVersions",
"route53domains:checkDomainAvailability",
"route53domains:getContactReachabilityStatus",
"route53domains:getDomainDetail",
"route53domains:getOperationDetail",
"route53domains:listDomains",
"route53domains:listOperations",
"route53domains:listTagsForDomain",
"route53domains:viewBilling",
"route53resolver:getResolverRulePolicy",
"route53resolver:listResolverEndpointIpAddresses",
"route53resolver:listResolverEndpoints",
"route53resolver:listResolverRuleAssociations",
"route53resolver:listResolverRules",
"route53resolver:listTagsForResource",
"s3:getAccelerateConfiguration",
"s3:getAnalyticsConfiguration",
"s3:getBucketAcl",
"s3:getBucketCORS",
"s3:getBucketLocation",
"s3:getBucketLogging",
"s3:getBucketNotification",
"s3:getBucketPolicy",
"s3:getBucketRequestPayment",
"s3:getBucketTagging",
"s3:getBucketVersioning",
"s3:getBucketWebsite",
"s3:getEncryptionConfiguration",
"s3:getInventoryConfiguration",
"s3:getLifecycleConfiguration",
"s3:getMetricsConfiguration",
"s3:getReplicationConfiguration",
"s3:listAllMyBuckets",
"s3:listBucket",
"s3:listBucketMultipartUploads",
"sagemaker:describeAlgorithm",
"sagemaker:describeCompilationJob",
"sagemaker:describeEndpoint",
"sagemaker:describeEndpointConfig",
"sagemaker:describeHyperParameterTuningJob",
"sagemaker:describeLabelingJob",
"sagemaker:describeModel",
"sagemaker:describeModelPackage",
"sagemaker:describeNotebookInstance",
"sagemaker:describeNotebookInstanceLifecycleConfig",
"sagemaker:describeTrainingJob",
"sagemaker:describeTransformJob",
"sagemaker:describeWorkteam",
"sagemaker:listAlgorithms",
"sagemaker:listCompilationJobs",
"sagemaker:listEndpointConfigs",
"sagemaker:listEndpoints",
"sagemaker:listHyperParameterTuningJobs",
"sagemaker:listLabelingJobs",
"sagemaker:listLabelingJobsForWorkteam",
"sagemaker:listModelPackages",
"sagemaker:listModels",
"sagemaker:listNotebookInstanceLifecycleConfigs",
"sagemaker:listNotebookInstances",
"sagemaker:listTags",
"sagemaker:listTrainingJobs",
"sagemaker:listTrainingJobsForHyperParameterTuningJob",
"sagemaker:listTransformJobs",
"sagemaker:listWorkteams",
"sdb:domainMetadata",
"sdb:listDomains",
"secretsmanager:describeSecret",
"secretsmanager:getResourcePolicy",
"secretsmanager:listSecretVersionIds",
"secretsmanager:listSecrets",
"securityhub:getEnabledStandards",
"securityhub:getFindings",
"securityhub:getInsightResults",
"securityhub:getInsights",
"securityhub:getMasterAccount",
"securityhub:getMembers",
"securityhub:listEnabledProductsForImport",
"securityhub:listInvitations",
"securityhub:listMembers",
"servicecatalog:describeConstraint",
"servicecatalog:describePortfolio",
"servicecatalog:describeProduct",
"servicecatalog:describeProductAsAdmin",
"servicecatalog:describeProductView",
"servicecatalog:describeProvisioningArtifact",
"servicecatalog:describeProvisioningParameters",
"servicecatalog:describeRecord",
"servicecatalog:listAcceptedPortfolioShares",
"servicecatalog:listConstraintsForPortfolio",
"servicecatalog:listLaunchPaths",
"servicecatalog:listPortfolioAccess",
"servicecatalog:listPortfolios",
"servicecatalog:listPortfoliosForProduct",
"servicecatalog:listPrincipalsForPortfolio",
"servicecatalog:listProvisioningArtifacts",
"servicecatalog:listRecordHistory",
"servicecatalog:scanProvisionedProducts",
"servicecatalog:searchProducts",
"servicequotas:getAWSDefaultServiceQuota",
"servicequotas:getAssociationForServiceQuotaTemplate",
"servicequotas:getRequestedServiceQuotaChange",
"servicequotas:getServiceQuota",
"servicequotas:getServiceQuotaIncreaseRequestFromTemplate",
"servicequotas:listAWSDefaultServiceQuotas",
"servicequotas:listRequestedServiceQuotaChangeHistory",
"servicequotas:listRequestedServiceQuotaChangeHistoryByQuota",
"servicequotas:listServiceQuotaIncreaseRequestsInTemplate",
"servicequotas:listServiceQuotas",
"servicequotas:listServices",
"ses:describeActiveReceiptRuleSet",
"ses:describeReceiptRule",
"ses:describeReceiptRuleSet",
"ses:getIdentityDkimAttributes",
"ses:getIdentityMailFromDomainAttributes",
"ses:getIdentityNotificationAttributes",
"ses:getIdentityPolicies",
"ses:getIdentityVerificationAttributes",
"ses:getSendQuota",
"ses:getSendStatistics",
"ses:listIdentities",
"ses:listIdentityPolicies",
"ses:listReceiptFilters",
"ses:listReceiptRuleSets",
"ses:listVerifiedEmailAddresses",
"shield:describeAttack",
"shield:describeProtection",
"shield:describeSubscription",
"shield:listAttacks",
"shield:listProtections",
"sms:getConnectors",
"sms:getReplicationJobs",
"sms:getReplicationRuns",
"sms:getServers",
"snowball:describeAddress",
"snowball:describeAddresses",
"snowball:describeJob",
"snowball:getSnowballUsage",
"snowball:listJobs",
"sns:checkIfPhoneNumberIsOptedOut",
"sns:getEndpointAttributes",
"sns:getPlatformApplicationAttributes",
"sns:getSMSAttributes",
"sns:getSubscriptionAttributes",
"sns:getTopicAttributes",
"sns:listEndpointsByPlatformApplication",
"sns:listPhoneNumbersOptedOut",
"sns:listPlatformApplications",
"sns:listSubscriptions",
"sns:listSubscriptionsByTopic",
"sns:listTopics",
"sqs:getQueueAttributes",
"sqs:getQueueUrl",
"sqs:listDeadLetterSourceQueues",
"sqs:listQueues",
"ssm:describeActivations",
"ssm:describeAssociation",
"ssm:describeAutomationExecutions",
"ssm:describeAvailablePatches",
"ssm:describeDocument",
"ssm:describeDocumentPermission",
"ssm:describeEffectiveInstanceAssociations",
"ssm:describeEffectivePatchesForPatchBaseline",
"ssm:describeInstanceAssociationsStatus",
"ssm:describeInstanceInformation",
"ssm:describeInstancePatchStates",
"ssm:describeInstancePatchStatesForPatchGroup",
"ssm:describeInstancePatches",
"ssm:describeMaintenanceWindowExecutionTaskInvocations",
"ssm:describeMaintenanceWindowExecutionTasks",
"ssm:describeMaintenanceWindowExecutions",
"ssm:describeMaintenanceWindowTargets",
"ssm:describeMaintenanceWindowTasks",
"ssm:describeMaintenanceWindows",
"ssm:describeParameters",
"ssm:describePatchBaselines",
"ssm:describePatchGroupState",
"ssm:describePatchGroups",
"ssm:getAutomationExecution",
"ssm:getCommandInvocation",
"ssm:getDefaultPatchBaseline",
"ssm:getDeployablePatchSnapshotForInstance",
"ssm:getInventorySchema",
"ssm:getMaintenanceWindow",
"ssm:getMaintenanceWindowExecution",
"ssm:getMaintenanceWindowExecutionTask",
"ssm:getPatchBaseline",
"ssm:getPatchBaselineForPatchGroup",
"ssm:listAssociations",
"ssm:listCommandInvocations",
"ssm:listCommands",
"ssm:listDocumentVersions",
"ssm:listDocuments",
"ssm:listTagsForResource",
"states:describeActivity",
"states:describeExecution",
"states:describeStateMachine",
"states:getExecutionHistory",
"states:listActivities",
"states:listExecutions",
"states:listStateMachines",
"storagegateway:describeBandwidthRateLimit",
"storagegateway:describeCache",
"storagegateway:describeCachediSCSIVolumes",
"storagegateway:describeGatewayInformation",
"storagegateway:describeMaintenanceStartTime",
"storagegateway:describeNFSFileShares",
"storagegateway:describeSMBFileShares",
"storagegateway:describeSMBSettings",
"storagegateway:describeSnapshotSchedule",
"storagegateway:describeStorediSCSIVolumes",
"storagegateway:describeTapeArchives",
"storagegateway:describeTapeRecoveryPoints",
"storagegateway:describeTapes",
"storagegateway:describeUploadBuffer",
"storagegateway:describeVTLDevices",
"storagegateway:describeWorkingStorage",
"storagegateway:listFileShares",
"storagegateway:listGateways",
"storagegateway:listLocalDisks",
"storagegateway:listTagsForResource",
"storagegateway:listTapes",
"storagegateway:listVolumeInitiators",
"storagegateway:listVolumeRecoveryPoints",
"storagegateway:listVolumes",
"swf:countClosedWorkflowExecutions",
"swf:countOpenWorkflowExecutions",
"swf:countPendingActivityTasks",
"swf:countPendingDecisionTasks",
"swf:describeActivityType",
"swf:describeDomain",
"swf:describeWorkflowExecution",
"swf:describeWorkflowType",
"swf:getWorkflowExecutionHistory",
"swf:listActivityTypes",
"swf:listClosedWorkflowExecutions",
"swf:listDomains",
"swf:listOpenWorkflowExecutions",
"swf:listWorkflowTypes",
"transfer:describeServer",
"transfer:describeUser",
"transfer:listServers",
"transfer:listTagsForResource",
"transfer:listUsers",
"waf-regional:getByteMatchSet",
"waf-regional:getChangeTokenStatus",
"waf-regional:getIPSet",
"waf-regional:getRule",
"waf-regional:getSqlInjectionMatchSet",
"waf-regional:getWebACL",
"waf-regional:getWebACLForResource",
"waf-regional:listByteMatchSets",
"waf-regional:listIPSets",
"waf-regional:listResourcesForWebACL",
"waf-regional:listRules",
"waf-regional:listSqlInjectionMatchSets",
"waf-regional:listWebACLs",
"waf:getByteMatchSet",
"waf:getChangeTokenStatus",
"waf:getIPSet",
"waf:getRule",
"waf:getSampledRequests",
"waf:getSizeConstraintSet",
"waf:getSqlInjectionMatchSet",
"waf:getWebACL",
"waf:getXssMatchSet",
"waf:listByteMatchSets",
"waf:listIPSets",
"waf:listRules",
"waf:listSizeConstraintSets",
"waf:listSqlInjectionMatchSets",
"waf:listWebACLs",
"waf:listXssMatchSets",
"workdocs:checkAlias",
"workdocs:describeAvailableDirectories",
"workdocs:describeInstances",
"worklink:describeAuditStreamConfiguration",
"worklink:describeCompanyNetworkConfiguration",
"worklink:describeDevice",
"worklink:describeDevicePolicyConfiguration",
"worklink:describeDomain",
"worklink:describeFleetMetadata",
"worklink:describeIdentityProviderConfiguration",
"worklink:describeWebsiteCertificateAuthority",
"worklink:listDevices",
"worklink:listDomains",
"worklink:listFleets",
"worklink:listWebsiteAuthorizationProviders",
"worklink:listWebsiteCertificateAuthorities",
"workmail:describeGroup",
"workmail:describeOrganization",
"workmail:describeResource",
"workmail:describeUser",
"workmail:listAliases",
"workmail:listGroupMembers",
"workmail:listGroups",
"workmail:listMailboxPermissions",
"workmail:listOrganizations",
"workmail:listResourceDelegates",
"workmail:listResources",
"workmail:listUsers",
"workspaces:describeAccount",
"workspaces:describeAccountModifications",
"workspaces:describeIpGroups",
"workspaces:describeTags",
"workspaces:describeWorkspaceBundles",
"workspaces:describeWorkspaceDirectories",
"workspaces:describeWorkspaceImages",
"workspaces:describeWorkspaces",
"workspaces:describeWorkspacesConnectionStatus"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "2012-10-17"
}
}
{
"issue": "UNKNOWN_ACTION",
"severity": "",
"location": "{'unknown_action': 'cloudformation:describeType', 'statement': {'Action': ['acm:DescribeCertificate', 'acm:ListCertificates', 'acm:ListTagsForCertificate', 'application-autoscaling:DescribeScalableTargets', 'application-autoscaling:DescribeScalingPolicies', 'autoscaling:DescribeAutoScalingGroups', 'autoscaling:DescribeLaunchConfigurations', 'autoscaling:DescribeLifecycleHooks', 'autoscaling:DescribePolicies', 'autoscaling:DescribeScheduledActions', 'autoscaling:DescribeTags', 'cloudfront:ListTagsForResource', 'cloudformation:describeType', 'cloudformation:listTypes', 'cloudtrail:DescribeTrails', 'cloudtrail:GetEventSelectors', 'cloudtrail:GetTrailStatus', 'cloudtrail:ListTags', 'cloudwatch:DescribeAlarms', 'codepipeline:GetPipeline', 'codepipeline:GetPipelineState', 'codepipeline:ListPipelines', 'config:BatchGet*', 'config:Describe*', 'config:Get*', 'config:List*', 'config:Put*', 'config:Select*', 'dms:DescribeReplicationInstances', 'dynamodb:DescribeContinuousBackups', 'dynamodb:DescribeLimits', 'dynamodb:DescribeTable', 'dynamodb:ListTables', 'dynamodb:ListTagsOfResource', 'ec2:Describe*', 'elasticache:DescribeCacheClusters', 'elasticache:DescribeReplicationGroups', 'elasticfilesystem:DescribeFileSystems', 'elasticloadbalancing:DescribeListeners', 'elasticloadbalancing:DescribeLoadBalancerAttributes', 'elasticloadbalancing:DescribeLoadBalancerPolicies', 'elasticloadbalancing:DescribeLoadBalancers', 'elasticloadbalancing:DescribeRules', 'elasticloadbalancing:DescribeTags', 'elasticmapreduce:DescribeCluster', 'elasticmapreduce:DescribeSecurityConfiguration', 'elasticmapreduce:ListClusters', 'elasticmapreduce:ListInstances', 'es:DescribeElasticsearchDomain', 'es:DescribeElasticsearchDomains', 'es:ListDomainNames', 'es:ListTags', 'guardduty:GetDetector', 'guardduty:GetFindings', 'guardduty:GetMasterAccount', 'guardduty:ListDetectors', 'guardduty:ListFindings', 'iam:GenerateCredentialReport', 'iam:GetAccountAuthorizationDetails', 'iam:GetAccountPasswordPolicy', 'iam:GetAccountSummary', 'iam:GetCredentialReport', 'iam:GetGroup', 'iam:GetGroupPolicy', 'iam:GetPolicy', 'iam:GetPolicyVersion', 'iam:GetRole', 'iam:GetRolePolicy', 'iam:GetUser', 'iam:GetUserPolicy', 'iam:ListAttachedGroupPolicies', 'iam:ListAttachedRolePolicies', 'iam:ListAttachedUserPolicies', 'iam:ListEntitiesForPolicy', 'iam:ListGroupPolicies', 'iam:ListGroupsForUser', 'iam:ListInstanceProfilesForRole', 'iam:ListPolicyVersions', 'iam:ListRolePolicies', 'iam:ListUserPolicies', 'iam:ListVirtualMFADevices', 'kms:DescribeKey', 'kms:GetKeyPolicy', 'kms:GetKeyRotationStatus', 'kms:ListKeys', 'kms:ListResourceTags', 'lambda:GetAlias', 'lambda:GetFunction', 'lambda:GetPolicy', 'lambda:ListAliases', 'lambda:ListFunctions', 'logs:DescribeLogGroups', 'rds:DescribeDBClusters', 'rds:DescribeDBClusterSnapshotAttributes', 'rds:DescribeDBClusterSnapshots', 'rds:DescribeDBInstances', 'rds:DescribeDBSecurityGroups', 'rds:DescribeDBSnapshotAttributes', 'rds:DescribeDBSnapshots', 'rds:DescribeDBSubnetGroups', 'rds:DescribeEventSubscriptions', 'rds:ListTagsForResource', 'redshift:DescribeClusterParameterGroups', 'redshift:DescribeClusterParameters', 'redshift:DescribeClusterSecurityGroups', 'redshift:DescribeClusterSnapshots', 'redshift:DescribeClusterSubnetGroups', 'redshift:DescribeClusters', 'redshift:DescribeEventSubscriptions', 'redshift:DescribeLoggingStatus', 's3:GetAccelerateConfiguration', 's3:GetAccountPublicAccessBlock', 's3:GetBucketAcl', 's3:GetBucketCORS', 's3:GetBucketLocation', 's3:GetBucketLogging', 's3:GetBucketNotification', 's3:GetBucketObjectLockConfiguration', 's3:GetBucketPolicy', 's3:GetBucketPublicAccessBlock', 's3:GetBucketRequestPayment', 's3:GetBucketTagging', 's3:GetBucketVersioning', 's3:GetBucketWebsite', 's3:GetEncryptionConfiguration', 's3:GetLifecycleConfiguration', 's3:GetReplicationConfiguration', 's3:ListAllMyBuckets', 's3:ListBucket', 'sagemaker:DescribeEndpointConfig', 'sagemaker:DescribeNotebookInstance', 'sagemaker:ListEndpointConfigs', 'sagemaker:ListNotebookInstances', 'secretsmanager:ListSecrets', 'secretsmanager:ListSecretVersionIds', 'shield:DescribeDRTAccess', 'shield:DescribeProtection', 'shield:DescribeSubscription', 'sns:GetTopicAttributes', 'sns:ListSubscriptions', 'sns:ListTagsForResource', 'sns:ListTopics', 'sqs:GetQueueAttributes', 'sqs:ListQueues', 'sqs:ListQueueTags', 'ssm:DescribeAutomationExecutions', 'ssm:DescribeDocument', 'ssm:GetAutomationExecution', 'ssm:GetDocument', 'support:DescribeCases', 'waf-regional:GetWebACL', 'waf-regional:GetWebACLForResource'], 'Effect': 'Allow', 'Resource': '*'}, 'filepath': None}",
"policy": {
"Statement": [
{
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"acm:ListTagsForCertificate",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingPolicies",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeTags",
"cloudfront:ListTagsForResource",
"cloudformation:describeType",
"cloudformation:listTypes",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudwatch:DescribeAlarms",
"codepipeline:GetPipeline",
"codepipeline:GetPipelineState",
"codepipeline:ListPipelines",
"config:BatchGet*",
"config:Describe*",
"config:Get*",
"config:List*",
"config:Put*",
"config:Select*",
"dms:DescribeReplicationInstances",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:Describe*",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeReplicationGroups",
"elasticfilesystem:DescribeFileSystems",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListInstances",
"es:DescribeElasticsearchDomain",
"es:DescribeElasticsearchDomains",
"es:ListDomainNames",
"es:ListTags",
"guardduty:GetDetector",
"guardduty:GetFindings",
"guardduty:GetMasterAccount",
"guardduty:ListDetectors",
"guardduty:ListFindings",
"iam:GenerateCredentialReport",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroupsForUser",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListUserPolicies",
"iam:ListVirtualMFADevices",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListKeys",
"kms:ListResourceTags",
"lambda:GetAlias",
"lambda:GetFunction",
"lambda:GetPolicy",
"lambda:ListAliases",
"lambda:ListFunctions",
"logs:DescribeLogGroups",
"rds:DescribeDBClusters",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBInstances",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBSnapshotAttributes",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSubnetGroups",
"rds:DescribeEventSubscriptions",
"rds:ListTagsForResource",
"redshift:DescribeClusterParameterGroups",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusterSecurityGroups",
"redshift:DescribeClusterSnapshots",
"redshift:DescribeClusterSubnetGroups",
"redshift:DescribeClusters",
"redshift:DescribeEventSubscriptions",
"redshift:DescribeLoggingStatus",
"s3:GetAccelerateConfiguration",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"sagemaker:DescribeEndpointConfig",
"sagemaker:DescribeNotebookInstance",
"sagemaker:ListEndpointConfigs",
"sagemaker:ListNotebookInstances",
"secretsmanager:ListSecrets",
"secretsmanager:ListSecretVersionIds",
"shield:DescribeDRTAccess",
"shield:DescribeProtection",
"shield:DescribeSubscription",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"sqs:ListQueueTags",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeDocument",
"ssm:GetAutomationExecution",
"ssm:GetDocument",
"support:DescribeCases",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
}
Severity: High
Issue ID: IAM_ROLE_ALLOWS_ASSUMPTION_FROM_ANYWHERE
The IAM role's trust policy allows any other account to assume it.
{
"statement": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
},
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Sid": ""
}
],
"Version": "2012-10-17"
}
}
Severity: Medium
Issue ID: IAM_NOTACTION_ALLOW
Using NotAction in an Allow policy almost always results in unwanted actions being allowed and should be avoided.
{
"Statement": {
"Effect": "Allow",
"NotAction": [
"ec2:Describe*"
],
"Resource": "*"
}
}
{
"Statement": {
"Effect": "Allow",
"NotAction": [
"ec2:*"
],
"Resource": "*"
}
}
{
"Statement": {
"Effect": "Allow",
"NotAction": "s3:DeleteBucket",
"Resource": "*"
}
}
Severity: High
Issue ID: IAM_UNEXPECTED_ADMIN_PRINCIPAL
Admin roles in an account should be assumed by people. This rule detects IAM Roles with admin privileges that can be granted to EC2 instances and other services.
{
"comment": "Unexpected Principal in AssumeRolePolicyDocument for an admin",
"Principal": {
"Service": "ec2.amazonaws.com"
}
}
Severity: Low
Issue ID: IAM_NAME_DOES_NOT_INDICATE_ADMIN
This IAM Group grants admin privileges, but the name does not indicate it is for admins.
Severity: High
Issue ID: IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL
The ability to list S3 buckets and get objects from them should be restricted largely to people, as compromising an EC2 instance with this privilege could lead to exfiltration of data.
{
"comment": "Unexpected Principal in AssumeRolePolicyDocument for an admin",
"Principal": {
"Service": "cloudformation.amazonaws.com"
}
}
Severity: Low
Issue ID: PASSWORD_POLICY_CHARACTER_MINIMUM
A password length requirement helps ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.
{
"MinimumPasswordLength": 6
}
Severity: Low
Issue ID: PASSWORD_POLICY_CHARACTER_SET_REQUIREMENTS
A password character set requirement helps ensure strong passwords are used by IAM Users. Setting a password policy does not impact existing users, so after setting this, you should ensure users reset their passwords so that they are in compliance.
{
"Policy lacks": [
"RequireNumbers",
"RequireSymbols",
"RequireLowercaseCharacters",
"RequireUppercaseCharacters"
]
}
Severity: Medium
Issue ID: USER_WITH_PASSWORD_LOGIN_BUT_NO_MFA
MFA (multi-factor authentication) helps mitigate user account take-over.
{
"Number of days since user was created": 168
}
Severity: Medium
Issue ID: USER_HAS_NOT_LOGGED_IN_FOR_OVER_MAX_DAYS
The user has not used their password login for over 90 days. The password login should be removed from this user, or the user entirely.
{
"Number of days since user was created": 168,
"Number of days since last login": 160
}
Severity: Low
Issue ID: USER_HAS_NOT_USED_ACCESS_KEY_FOR_MAX_DAYS
Access keys that have not been used for a while should be removed as they may have been lost, but still grant access to the account.
{
"Days since key 1 used:": 160,
"Number of days since key was rotated": 160
}
{
"Days since key 1 used:": 159,
"Number of days since key was rotated": 159
}
Severity: Low
Issue ID: USER_HAS_TWO_ACCESS_KEYS
A user should only have one access key. The ability to have multiple access keys is only for when an access key is being rolled, and the old one should be removed. The user should identify one access key to use and the other should be removed.
{
"Number of days since key1 was rotated": 159,
"Number of days since key2 was rotated": 160
}
Severity: Low
Issue ID: RDS_PUBLIC_IP
Check whether this RDS instance is publicly accessible. Best practice is to put RDS instances in private subnets and not give them public IPs.
Severity: Medium
Issue ID: ECR_PUBLIC
The Amazon Elastic Container Registry (ECR) stores Docker images, which may contain sensitive information. Repositories are somewhat hard for an attacker to find, but should not be made public.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPull",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
]
}
]
}
Severity: Medium
Issue ID: REDSHIFT_PUBLIC_IP
Redshift databases should be in private subnets. Databases should not have public IPs. You should additionally check if the Security Groups associated with this are allowing it to be publicly accessible.
Severity: High
Issue ID: ES_PUBLIC
ElasticSearch databases should not be public. Change the resource policy to fix this.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:XXXXXXXXXXXX:domain/sadcloud/*"
}
]
}
Severity: Low
Issue ID: SG_CIDR_OVERLAPS
This often happens when one attempts to restrict access, then opens up the access further.
{
"cidr1": "162.168.2.0/24",
"cidr2": "162.168.2.0/25"
}
Severity: Info
Issue ID: SG_CIDR_UNNEEDED
The CIDR in the Security Group cannot be blocked, so including it is not necessary.
{
"cidr": "127.0.0.0/8"
}
Severity: Info
Issue ID: SG_CIDR_UNEXPECTED
The CIDR in the Security Group is formatted oddly.
{
"cidr": "0.0.0.0/8"
}
Severity: Info
Issue ID: SG_LARGE_CIDR
The CIDR in a Security Group in the account contains a large IP range, defeating the purpose of restricting access with a Security Group.
{
"size": 65536,
"security_groups": [
"sg-001d97901591b23e0"
]
}
{
"size": 65536,
"security_groups": [
"sg-0b84c11a41112b0cd"
]
}
Severity: Medium
Issue ID: GLACIER_PUBLIC
Glacier is a storage service like S3. These vaults are harder to find, but may still contain sensitive information. The resource policy should be locked down to allow access only by certain accounts.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "public",
"Effect": "Allow",
"Principal": "*",
"Action": "glacier:*",
"Resource": "arn:aws:glacier:us-east-1:XXXXXXXXXXXX:vaults/sadcloud_public_vault"
}
]
}
Severity: Medium
Issue ID: KMS_PUBLIC
This may allow an attacker to decrypt data using the KMS key.
{
"Version": "2012-10-17",
"Id": "key-insecure-1",
"Statement": [
{
"Sid": "Default IAM policy for KMS keys",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
Severity: Medium
Issue ID: SQS_PUBLIC
This may allow an attacker to read or write messages to this queue.
{
"Version": "2012-10-17",
"Id": "sqspolicy",
"Statement": [
{
"Sid": "First",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:*",
"Resource": "arn:aws:sqs:us-east-1:XXXXXXXXXXXX:sadcloud"
}
]
}
Severity: Medium
Issue ID: SNS_PUBLIC
This may allow an attacker to read or write messages to this topic.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"SNS:Subscribe",
"SNS:SetTopicAttributes",
"SNS:RemovePermission",
"SNS:Receive",
"SNS:Publish",
"SNS:ListSubscriptionsByTopic",
"SNS:GetTopicAttributes",
"SNS:DeleteTopic",
"SNS:AddPermission"
],
"Resource": "arn:aws:sns:us-east-1:XXXXXXXXXXXX:sadcloud"
}
]
}
Severity: Info
Issue ID: LIGHTSAIL_IN_USE
There is nothing wrong with Lightsail, but it does not tend to be used in enterprises. The instances often were created while testing something and forgotten about.
{
"instance count": 1
}