
@0xdabbad00
Last active March 22, 2021 23:37
#!/usr/bin/env python
from os import listdir
from os.path import isfile, join
import re
import json
from bs4 import BeautifulSoup
"""
Setup
-----
# Install libraries
pip install beautifulsoup4
# Download files
wget -r -np -k -A .html -nc https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
"""
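def chomp(string):
    """Collapse whitespace inside *string* and trim non-word characters at both ends.

    Unlike a Perl-style chomp, this normalises the whole value: every run of
    whitespace (newlines, tabs, carriage returns, repeated spaces) becomes a
    single space, and any leading or trailing characters matched by ``\\W``
    are removed.

    NOTE: the end trimming also removes punctuation, not just whitespace.
    A trailing full stop on a description, or a trailing ``*`` on a scraped
    cell, is dropped. If the source tables use such a marker to carry meaning
    (for example a "required" flag on a resource type - TODO confirm against
    the pages being parsed), that information is lost in the output.

    Args:
        string: Text taken from an HTML element.

    Returns:
        The cleaned text; an empty string when nothing but non-word
        characters was supplied.
    """
    # Raw strings: '\W' inside a plain literal is an invalid escape sequence
    # and is reported as a warning by current Python releases.
    response = re.sub(r'\s+', ' ', string)  # Any whitespace run -> one space
    response = re.sub(r'^\W+', '', response)  # Clean start
    return re.sub(r'\W+$', '', response)  # Clean end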
# Directory holding the locally mirrored IAM User Guide pages.
mypath = './docs.aws.amazon.com/IAM/latest/UserGuide/'

# One entry per service page: {'service_name': ..., 'privileges': [...]}.
schema = []

for filename in listdir(mypath):
    # Only regular files named "list_*" are parsed; everything else is ignored.
    if not isfile(join(mypath, filename)) or not filename.startswith("list_"):
        continue

    with open(mypath + filename, 'r') as page:
        html = page.read()

    main_content = BeautifulSoup(html, 'html.parser').find(id="main-content")
    if main_content is None:
        continue

    # Service name: strip the fixed heading prefix and the closing tag from the
    # serialised <h1>, then normalise what is left.
    heading = main_content.find('h1', class_="topictitle")
    heading = re.sub('.*Actions, Resources, and Condition Keys for *', '', str(heading))
    service_schema = {
        'service_name': chomp(heading.replace('</h1>', '')),
        'privileges': [],
    }

    for table in main_content.find_all('div', class_="table-contents"):
        # A page can hold up to 3 tables (actions, ARNs, condition keys).
        # Example: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssecuritytokenservice.html
        # Only the actions table is wanted. The match is on the exact serialised
        # header cell, so a <th> carrying attributes would not be recognised and
        # the table would be skipped without any message.
        header_cells = [str(th) for th in table.find_all('th')]
        if '<th>Actions</th>' not in header_cells:
            continue

        for row in table.find_all('tr'):
            cells = row.find_all('td')
            # Header rows have <th> cells only (zero <td>), and a privilege that
            # spans several rows yields rows with fewer than 6 cells.
            # Example: amazonroute53-DisassociateVPCFromHostedZone
            # at https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonroute53.html
            # TODO: Handle the multi-row situation. Rows without exactly 6 cells
            # are dropped silently, so the emitted data can be incomplete for
            # such privileges; absence of a resource type or condition key in
            # the output is not proof that the documentation lacks it.
            if len(cells) != 6:
                continue

            # The privilege name is the text of the last <a> that has an href;
            # the <a id='...'> anchors are skipped.
            action_links = [a for a in cells[0].find_all('a') if 'href' in a.attrs]
            priv = chomp(action_links[-1].text) if action_links else ''
            if priv == '':
                continue

            keys_cell = cells[4]
            deps_cell = cells[5]

            # Multi-valued cells list one value per <p>; an empty cell gives [].
            condition_keys = (
                [chomp(p.text) for p in keys_cell.find_all('p')]
                if keys_cell.text != '' else []
            )
            dependent_actions = (
                [chomp(p.text) for p in deps_cell.find_all('p')]
                if deps_cell.text != '' else []
            )

            service_schema['privileges'].append({
                'privilege': priv,
                'description': chomp(cells[1].text),
                'access_level': chomp(cells[2].text),
                'resource_types': chomp(cells[3].text),
                'condition_keys': condition_keys,
                'dependent_actions': dependent_actions
            })

    schema.append(service_schema)

# Emit the whole schema as a single JSON document on stdout.
print(json.dumps(schema))
<
[
{
"service_name": "AWS Config",
"privileges": [
{
"resource_types": "ConfigurationAggregator",
"description": "Returns the current configuration items for resources that are present in your AWS Config aggregator",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetAggregateResourceConfig"
},
{
"resource_types": "",
"description": "Returns the current configuration for one or more requested resources",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetResourceConfig"
},
{
"resource_types": "AggregationAuthorization",
"description": "Deletes the authorization granted to the specified configuration aggregator account in a specified region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAggregationAuthorization"
},
{
"resource_types": "ConfigRule",
"description": "Deletes the specified AWS Config rule and all of its evaluation results",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConfigRule"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Deletes the specified configuration aggregator and the aggregated data associated with the aggregator",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConfigurationAggregator"
},
{
"resource_types": "",
"description": "Deletes the configuration recorder",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConfigurationRecorder"
},
{
"resource_types": "",
"description": "Deletes the delivery channel",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDeliveryChannel"
},
{
"resource_types": "ConfigRule",
"description": "Deletes the evaluation results for the specified Config rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEvaluationResults"
},
{
"resource_types": "",
"description": "Deletes pending authorization requests for a specified aggregator account in a specified region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePendingAggregationRequest"
},
{
"resource_types": "",
"description": "Deletes the retention configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRetentionConfiguration"
},
{
"resource_types": "",
"description": "Schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DeliverConfigSnapshot"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeAggregateComplianceByConfigRules"
},
{
"resource_types": "",
"description": "Returns a list of authorizations granted to various aggregator accounts and regions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeAggregationAuthorizations"
},
{
"resource_types": "ConfigRule",
"description": "Indicates whether the specified AWS Config rules are compliant",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeComplianceByConfigRule"
},
{
"resource_types": "",
"description": "Indicates whether the specified AWS resources are compliant",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeComplianceByResource"
},
{
"resource_types": "ConfigRule",
"description": "Returns status information for each of your AWS managed Config rules",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigRuleEvaluationStatus"
},
{
"resource_types": "ConfigRule",
"description": "Returns details about your AWS Config rules",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigRules"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns status information for sources within an aggregator",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigurationAggregatorSourcesStatus"
},
{
"resource_types": "",
"description": "Returns the details of one or more configuration aggregators",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigurationAggregators"
},
{
"resource_types": "",
"description": "Returns the current status of the specified configuration recorder",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigurationRecorderStatus"
},
{
"resource_types": "",
"description": "Returns the name of one or more specified configuration recorders",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigurationRecorders"
},
{
"resource_types": "",
"description": "Returns the current status of the specified delivery channel",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDeliveryChannelStatus"
},
{
"resource_types": "",
"description": "Returns details about the specified delivery channel",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDeliveryChannels"
},
{
"resource_types": "",
"description": "Returns a list of all pending aggregation requests",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribePendingAggregationRequests"
},
{
"resource_types": "",
"description": "Returns the details of one or more retention configurations",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeRetentionConfigurations"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns the evaluation results for the specified AWS Config rule for a specific resource in a rule",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAggregateComplianceDetailsByConfigRule"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAggregateConfigRuleComplianceSummary"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns the resource counts across accounts and regions that are present in your AWS Config aggregator",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAggregateDiscoveredResourceCounts"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns configuration item that is aggregated for your specific resource in a specific source account and region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAggregateResourceConfig"
},
{
"resource_types": "ConfigRule",
"description": "Returns the evaluation results for the specified AWS Config rule",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComplianceDetailsByConfigRule"
},
{
"resource_types": "",
"description": "Returns the evaluation results for the specified AWS resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComplianceDetailsByResource"
},
{
"resource_types": "",
"description": "Returns the number of AWS Config rules that are compliant and noncompliant, up to a maximum of 25 for each",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComplianceSummaryByConfigRule"
},
{
"resource_types": "",
"description": "Returns the number of resources that are compliant and the number that are noncompliant",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComplianceSummaryByResourceType"
},
{
"resource_types": "",
"description": "Returns the resource types, the number of each resource type, and the total number of resources that AWS Config is recording in this region for your AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDiscoveredResourceCounts"
},
{
"resource_types": "",
"description": "Returns a list of configuration items for the specified resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetResourceConfigHistory"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Accepts a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAggregateDiscoveredResources"
},
{
"resource_types": "",
"description": "Accepts a resource type and returns a list of resource identifiers for the resources of that type",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDiscoveredResources"
},
{
"resource_types": "AggregationAuthorization",
"description": "Authorizes the aggregator account and region to collect data from the source account and region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAggregationAuthorization"
},
{
"resource_types": "ConfigRule",
"description": "Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutConfigRule"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Creates and updates the configuration aggregator with the selected source accounts and regions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutConfigurationAggregator"
},
{
"resource_types": "",
"description": "Creates a new configuration recorder to record the selected resource configurations",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutConfigurationRecorder"
},
{
"resource_types": "",
"description": "Creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutDeliveryChannel"
},
{
"resource_types": "",
"description": "Used by an AWS Lambda function to deliver evaluation results to AWS Config",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutEvaluations"
},
{
"resource_types": "",
"description": "Creates and updates the retention configuration with details about retention period (number of days) that AWS Config stores your historical information",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutRetentionConfiguration"
},
{
"resource_types": "ConfigRule",
"description": "Evaluates your resources against the specified Config rules",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartConfigRulesEvaluation"
},
{
"resource_types": "",
"description": "Starts recording configurations of the AWS resources you have selected to record in your AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartConfigurationRecorder"
},
{
"resource_types": "",
"description": "Stops recording configurations of the AWS resources you have selected to record in your AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopConfigurationRecorder"
}
]
},
{
"service_name": "AWS Service Catalog",
"privileges": [
{
"resource_types": "",
"description": "Accepts a portfolio that has been shared with you",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcceptPortfolioShare"
},
{
"resource_types": "",
"description": "Associates an IAM principal with a portfolio, giving the specified principal access to any products associated with the specified portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociatePrincipalWithPortfolio"
},
{
"resource_types": "",
"description": "Associates a product with a portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateProductWithPortfolio"
},
{
"resource_types": "",
"description": "Creates a constraint on an associated product and portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateConstraint"
},
{
"resource_types": "",
"description": "Creates a portfolio",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreatePortfolio"
},
{
"resource_types": "",
"description": "Shares a portfolio you own with another AWS account",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreatePortfolioShare"
},
{
"resource_types": "",
"description": "Creates a product and that product's first provisioning artifact",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateProduct"
},
{
"resource_types": "",
"description": "Adds a new provisioned product plan",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateProvisionedProductPlan"
},
{
"resource_types": "",
"description": "Adds a new provisioning artifact to an existing product",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateProvisioningArtifact"
},
{
"resource_types": "",
"description": "Removes and deletes an existing constraint from an associated product and portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConstraint"
},
{
"resource_types": "",
"description": "Deletes a portfolio if all associations and shares have been removed from the portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePortfolio"
},
{
"resource_types": "",
"description": "Unshares a portfolio you own from an AWS account you previously shared the portfolio with",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeletePortfolioShare"
},
{
"resource_types": "",
"description": "Deletes a product if all associations have been removed from the product",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProduct"
},
{
"resource_types": "",
"description": "Deletes a provisioned product plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProvisionedProductPlan"
},
{
"resource_types": "",
"description": "Deletes a provisioning artifact from a product",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProvisioningArtifact"
},
{
"resource_types": "",
"description": "Describes a constraint",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeConstraint"
},
{
"resource_types": "",
"description": "Describes a portfolio",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribePortfolio"
},
{
"resource_types": "",
"description": "Describes a product as an end-user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProduct"
},
{
"resource_types": "",
"description": "Describes a product as an admin",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProductAsAdmin"
},
{
"resource_types": "",
"description": "Describes a product as an end-user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProductView"
},
{
"resource_types": "",
"description": "Describes a provisioned product",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProvisionedProduct"
},
{
"resource_types": "",
"description": "Describes a provisioned product plan",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProvisionedProductPlan"
},
{
"resource_types": "",
"description": "Describes a provisioning artifact",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProvisioningArtifact"
},
{
"resource_types": "",
"description": "Describes the parameters that you need to specify to successfully provision a specified provisioning artifact",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProvisioningParameters"
},
{
"resource_types": "",
"description": "Describes a record and lists any outputs",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeRecord"
},
{
"resource_types": "",
"description": "Disassociates an IAM principal from a portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociatePrincipalFromPortfolio"
},
{
"resource_types": "",
"description": "Disassociates a product from a portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateProductFromPortfolio"
},
{
"resource_types": "",
"description": "Executes a provisioned product plan",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "ExecuteProvisionedProductPlan"
},
{
"resource_types": "",
"description": "Executes a provisioned product plan",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "ExecuteProvisionedProductServiceAction"
},
{
"resource_types": "",
"description": "Lists the portfolios that have been shared with you and you have accepted",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAcceptedPortfolioShares"
},
{
"resource_types": "",
"description": "Lists constraints associated with a given portfolio",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListConstraintsForPortfolio"
},
{
"resource_types": "",
"description": "Lists the different ways to launch a given product as an end-user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListLaunchPaths"
},
{
"resource_types": "",
"description": "Lists the AWS accounts you have shared a given portfolio with",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPortfolioAccess"
},
{
"resource_types": "",
"description": "Lists the portfolios in your account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPortfolios"
},
{
"resource_types": "",
"description": "Lists the portfolios associated with a given product",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPortfoliosForProduct"
},
{
"resource_types": "",
"description": "Lists the IAM principals associated with a given portfolio",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPrincipalsForPortfolio"
},
{
"resource_types": "",
"description": "Lists the provisioned product plans",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProvisionedProductPlans"
},
{
"resource_types": "",
"description": "Lists the provisioning artifacts associated with a given product",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProvisioningArtifacts"
},
{
"resource_types": "",
"description": "Lists all the records in your account or all the records related to a given provisioned product",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRecordHistory"
},
{
"resource_types": "",
"description": "Lists all the service actions in your account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListServiceActionsForProvisioningArtifact"
},
{
"resource_types": "",
"description": "Provisions a product with a specified provisioning artifact and launch parameters",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "ProvisionProduct"
},
{
"resource_types": "",
"description": "Rejects a portfolio that has been shared with you that you previously accepted",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RejectPortfolioShare"
},
{
"resource_types": "",
"description": "Lists all the provisioned products in your account",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "ScanProvisionedProducts"
},
{
"resource_types": "",
"description": "Lists the products available to you as an end-user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "SearchProducts"
},
{
"resource_types": "",
"description": "Lists all the products in your account or all the products associated with a given portfolio",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "SearchProductsAsAdmin"
},
{
"resource_types": "",
"description": "Lists all the provisioned products in your account",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "SearchProvisionedProducts"
},
{
"resource_types": "",
"description": "Terminates an existing provisioned product",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateProvisionedProduct"
},
{
"resource_types": "",
"description": "Updates the metadata fields of an existing constraint",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateConstraint"
},
{
"resource_types": "",
"description": "Updates the metadata fields and/or tags of an existing portfolio",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UpdatePortfolio"
},
{
"resource_types": "",
"description": "Updates the metadata fields and/or tags of an existing product",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UpdateProduct"
},
{
"resource_types": "",
"description": "Updates an existing provisioned product",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateProvisionedProduct"
},
{
"resource_types": "",
"description": "Updates the metadata fields of an existing provisioning artifact",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateProvisioningArtifact"
}
]
},
{
"service_name": "AWS WAF",
"privileges": [
{
"resource_types": "bytematchset",
"description": "Creates a ByteMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateByteMatchSet"
},
{
"resource_types": "geomatchset",
"description": "Creates a GeoMatchSet, which you use to specify which web requests you want to allow or block based on the country that the requests originate from",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateGeoMatchSet"
},
{
"resource_types": "ipset",
"description": "Creates an IPSet, which you use to specify which web requests you want to allow or block based on the IP addresses that the requests originate from",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateIPSet"
},
{
"resource_types": "ratebasedrule",
"description": "Creates a RateBasedRule, which contains a RateLimit specifying the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRateBasedRule"
},
{
"resource_types": "regexmatchset",
"description": "Creates a RegexMatchSet, which you use to specify which web requests you want to allow or block based on the regex patterns you specified in a RegexPatternSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRegexMatchSet"
},
{
"resource_types": "regexpatternset",
"description": "Creates a RegexPatternSet, which you use to specify the regular expression (regex) pattern that you want AWS WAF to search for",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRegexPatternSet"
},
{
"resource_types": "rule",
"description": "Creates a Rule, which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRule"
},
{
"resource_types": "rulegroup",
"description": "Creates a RuleGroup. A rule group is a collection of predefined rules that you add to a WebACL",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRuleGroup"
},
{
"resource_types": "sizeconstraintset",
"description": "Creates a SizeConstraintSet, which you use to identify the part of a web request that you want to check for length",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSizeConstraintSet"
},
{
"resource_types": "sqlinjectionmatchset",
"description": "Creates a SqlInjectionMatchSet, which you use to allow, block, or count requests that contain snippets of SQL code in a specified part of web requests",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSqlInjectionMatchSet"
},
{
"resource_types": "webacl",
"description": "Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreateWebACL"
},
{
"resource_types": "xssmatchset",
"description": "Creates an XssMatchSet, which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web requests",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateXssMatchSet"
},
{
"resource_types": "bytematchset",
"description": "Permanently deletes a ByteMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteByteMatchSet"
},
{
"resource_types": "geomatchset",
"description": "Permanently deletes an GeoMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteGeoMatchSet"
},
{
"resource_types": "ipset",
"description": "Permanently deletes an IPSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteIPSet"
},
{
"resource_types": "rulegroup",
"description": "Permanently deletes an IAM policy from the specified RuleGroup",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeletePermissionPolicy"
},
{
"resource_types": "ratebasedrule",
"description": "Permanently deletes a RateBasedRule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRateBasedRule"
},
{
"resource_types": "regexmatchset",
"description": "Permanently deletes an RegexMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRegexMatchSet"
},
{
"resource_types": "regexpatternset",
"description": "Permanently deletes an RegexPatternSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRegexPatternSet"
},
{
"resource_types": "rule",
"description": "Permanently deletes a Rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRule"
},
{
"resource_types": "rulegroup",
"description": "Permanently deletes a RuleGroup",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRuleGroup"
},
{
"resource_types": "sizeconstraintset",
"description": "Permanently deletes a SizeConstraintSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSizeConstraintSet"
},
{
"resource_types": "sqlinjectionmatchset",
"description": "Permanently deletes a SqlInjectionMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSqlInjectionMatchSet"
},
{
"resource_types": "webacl",
"description": "Permanently deletes a WebACL",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteWebACL"
},
{
"resource_types": "xssmatchset",
"description": "Permanently deletes an XssMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteXssMatchSet"
},
{
"resource_types": "bytematchset",
"description": "Returns the ByteMatchSet specified by ByteMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetByteMatchSet"
},
{
"resource_types": "",
"description": "When you want to create, update, or delete AWS WAF objects, get a change token and include the change token in the create, update, or delete request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetChangeToken"
},
{
"resource_types": "",
"description": "Returns the status of a ChangeToken that you got by calling GetChangeToken",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetChangeTokenStatus"
},
{
"resource_types": "geomatchset",
"description": "Returns the GeoMatchSet specified by GeoMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetGeoMatchSet"
},
{
"resource_types": "ipset",
"description": "Returns the IPSet that is specified by IPSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetIPSet"
},
{
"resource_types": "rulegroup",
"description": "Returns the IAM policy attached to the RuleGroup",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPermissionPolicy"
},
{
"resource_types": "ratebasedrule",
"description": "Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRateBasedRule"
},
{
"resource_types": "ratebasedrule",
"description": "Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRateBasedRuleManagedKeys"
},
{
"resource_types": "regexmatchset",
"description": "Returns the RegexMatchSet specified by RegexMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRegexMatchSet"
},
{
"resource_types": "regexpatternset",
"description": "Returns the RegexPatternSet specified by RegexPatternSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRegexPatternSet"
},
{
"resource_types": "rule",
"description": "Returns the Rule that is specified by the RuleId that you included in the GetRule request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRule"
},
{
"resource_types": "rulegroup",
"description": "Returns the RuleGroup that is specified by the RuleGroupId that you included in the GetRuleGroup request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRuleGroup"
},
{
"resource_types": "rule",
"description": "Gets detailed information about a specified number of requests--a sample--that AWS WAF randomly selects from among the first 5,000 requests that your AWS resource received during a time range that you choose",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSampledRequests"
},
{
"resource_types": "sizeconstraintset",
"description": "Returns the SizeConstraintSet specified by SizeConstraintSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSizeConstraintSet"
},
{
"resource_types": "sqlinjectionmatchset",
"description": "Returns the SqlInjectionMatchSet that is specified by SqlInjectionMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSqlInjectionMatchSet"
},
{
"resource_types": "webacl",
"description": "Returns the WebACL that is specified by WebACLId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetWebACL"
},
{
"resource_types": "xssmatchset",
"description": "Returns the XssMatchSet that is specified by XssMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetXssMatchSet"
},
{
"resource_types": "",
"description": "Returns an array of ActivatedRule objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListActivatedRulesInRuleGroup"
},
{
"resource_types": "",
"description": "Returns an array of ByteMatchSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListByteMatchSets"
},
{
"resource_types": "",
"description": "Returns an array of GeoMatchSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGeoMatchSets"
},
{
"resource_types": "",
"description": "Returns an array of IPSetSummary objects in the response",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListIPSets"
},
{
"resource_types": "",
"description": "Returns an array of RuleSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRateBasedRules"
},
{
"resource_types": "",
"description": "Returns an array of RegexMatchSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRegexMatchSets"
},
{
"resource_types": "",
"description": "Returns an array of RegexPatternSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRegexPatternSets"
},
{
"resource_types": "",
"description": "Returns an array of RuleGroup objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRuleGroups"
},
{
"resource_types": "",
"description": "Returns an array of RuleSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRules"
},
{
"resource_types": "",
"description": "Returns an array of SizeConstraintSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSizeConstraintSets"
},
{
"resource_types": "",
"description": "Returns an array of SqlInjectionMatchSet objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSqlInjectionMatchSets"
},
{
"resource_types": "",
"description": "Returns an array of RuleGroup objects that you are subscribed to",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSubscribedRuleGroups"
},
{
"resource_types": "",
"description": "Returns an array of WebACLSummary objects in the response",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListWebACLs"
},
{
"resource_types": "",
"description": "Returns an array of XssMatchSet objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListXssMatchSets"
},
{
"resource_types": "rulegroup",
"description": "Attaches an IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutPermissionPolicy"
},
{
"resource_types": "bytematchset",
"description": "Inserts or deletes ByteMatchTuple objects (filters) in a ByteMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateByteMatchSet"
},
{
"resource_types": "geomatchset",
"description": "Inserts or deletes GeoMatchConstraint objects in a GeoMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateGeoMatchSet"
},
{
"resource_types": "ipset",
"description": "Inserts or deletes IPSetDescriptor objects in an IPSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateIPSet"
},
{
"resource_types": "ratebasedrule",
"description": "Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRateBasedRule"
},
{
"resource_types": "regexmatchset",
"description": "Inserts or deletes RegexMatchTuple objects (filters) in a RegexMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRegexMatchSet"
},
{
"resource_types": "regexpatternset",
"description": "Inserts or deletes RegexPatternStrings in a RegexPatternSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRegexPatternSet"
},
{
"resource_types": "rule",
"description": "Inserts or deletes Predicate objects in a Rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRule"
},
{
"resource_types": "rulegroup",
"description": "Inserts or deletes ActivatedRule objects in a RuleGroup",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRuleGroup"
},
{
"resource_types": "sizeconstraintset",
"description": "Inserts or deletes SizeConstraint objects (filters) in a SizeConstraintSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSizeConstraintSet"
},
{
"resource_types": "sqlinjectionmatchset",
"description": "Inserts or deletes SqlInjectionMatchTuple objects (filters) in a SqlInjectionMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSqlInjectionMatchSet"
},
{
"resource_types": "webacl",
"description": "Inserts or deletes ActivatedRule objects in a WebACL",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "UpdateWebACL"
},
{
"resource_types": "xssmatchset",
"description": "Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateXssMatchSet"
}
]
},
{
"service_name": "Amazon Elastic MapReduce",
"privileges": [
{
"resource_types": "",
"description": "Adds instance groups to a running cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddInstanceGroups"
},
{
"resource_types": "",
"description": "Adds new steps to a running job flow",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddJobFlowSteps"
},
{
"resource_types": "",
"description": "Adds tags to an Amazon EMR resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTags"
},
{
"resource_types": "",
"description": "Cancels a pending step or steps in a running cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelSteps"
},
{
"resource_types": "",
"description": "Creates a security configuration which is stored in the service",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSecurityConfiguration"
},
{
"resource_types": "",
"description": "Deletes a security configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSecurityConfiguration"
},
{
"resource_types": "",
"description": "Provides cluster-level details including status, hardware and software configuration, VPC settings, and so on",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCluster"
},
{
"resource_types": "",
"description": "Provides the details of a security configuration by returning the configuration JSON",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSecurityConfiguration"
},
{
"resource_types": "",
"description": "Provides more detail about the cluster step",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeStep"
},
{
"resource_types": "",
"description": "Provides information about the bootstrap actions associated with a cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBootstrapActions"
},
{
"resource_types": "",
"description": "Provides the status of all clusters visible to this AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListClusters"
},
{
"resource_types": "",
"description": "Provides all available details about the instance groups in a cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListInstanceGroups"
},
{
"resource_types": "",
"description": "Provides information about the cluster instances that Amazon EMR provisions on behalf of a user when it creates the cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListInstances"
},
{
"resource_types": "",
"description": "Lists all the security configurations visible to this account, providing their creation dates and times, and their names",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSecurityConfigurations"
},
{
"resource_types": "",
"description": "Provides a list of steps for the cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSteps"
},
{
"resource_types": "",
"description": "Modifies the number of nodes and configuration settings of an instance group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyInstanceGroups"
},
{
"resource_types": "",
"description": "Modifies the number of nodes and configuration settings of an instance group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAutoScalingPolicy"
},
{
"resource_types": "",
"description": "Removes an automatic scaling policy from a specified instance group within an EMR cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveAutoScalingPolicy"
},
{
"resource_types": "",
"description": "Removes tags from an Amazon EMR resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTags"
},
{
"resource_types": "",
"description": "Creates and starts running a new job flow",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RunJobFlow"
},
{
"resource_types": "",
"description": "Locks a job flow so the Amazon EC2 instances in the cluster cannot be terminated by user intervention, an API call, or in the event of a job-flow error",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetTerminationProtection"
},
{
"resource_types": "",
"description": "Sets whether all AWS Identity and Access Management (IAM) users under your account can access the specified job flows",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetVisibleToAllUsers"
},
{
"resource_types": "",
"description": "Shuts a list of job flows down",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateJobFlows"
}
]
},
{
"service_name": "AWS Serverless Application Repository",
"privileges": []
},
{
"service_name": "Amazon WorkSpaces",
"privileges": [
{
"resource_types": "",
"description": "Creates tags for a WorkSpace",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateTags"
},
{
"resource_types": "workspacebundle",
"description": "Creates one or more WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateWorkspaces"
},
{
"resource_types": "",
"description": "Deletes tags from a WorkSpace",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTags"
},
{
"resource_types": "",
"description": "Describes tags for a WorkSpace",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeTags"
},
{
"resource_types": "workspacebundle",
"description": "Obtains information about the WorkSpace bundles that are available to your account in the specified region",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeWorkspaceBundles"
},
{
"resource_types": "",
"description": "Retrieves information about the AWS Directory Service directories in the region that are registered with Amazon WorkSpaces and are available to your account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeWorkspaceDirectories"
},
{
"resource_types": "",
"description": "Obtains information about the specified WorkSpaces",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeWorkspaces"
},
{
"resource_types": "",
"description": "Describes the connection status of a specified WorkSpace",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeWorkspacesConnectionStatus"
},
{
"resource_types": "workspaceid",
"description": "Modifies the WorkSpace properties, including the running mode and AutoStop time",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyWorkspaceProperties"
},
{
"resource_types": "workspaceid",
"description": "Reboots the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RebootWorkspaces"
},
{
"resource_types": "workspaceid",
"description": "Rebuilds the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RebuildWorkspaces"
},
{
"resource_types": "workspaceid",
"description": "Starts the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartWorkspaces"
},
{
"resource_types": "workspaceid",
"description": "Stops the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopWorkspaces"
},
{
"resource_types": "workspaceid",
"description": "Terminates the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateWorkspaces"
}
]
},
{
"service_name": "Amazon SNS",
"privileges": [
{
"resource_types": "topic",
"description": "Adds a statement to a topic's access control policy, granting access for the specified AWS accounts to the specified actions",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AddPermission"
},
{
"resource_types": "",
"description": "Accepts a phone number and indicates whether the phone holder has opted out of receiving SMS messages from your account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "CheckIfPhoneNumberIsOptedOut"
},
{
"resource_types": "topic",
"description": "Verifies an endpoint owner's intent to receive messages by validating the token sent to the endpoint by an earlier Subscribe action",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ConfirmSubscription"
},
{
"resource_types": "",
"description": "Creates a platform application object for one of the supported push notification services, such as APNS and GCM, to which devices and mobile apps may register",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePlatformApplication"
},
{
"resource_types": "",
"description": "Creates an endpoint for a device and mobile app on one of the supported push notification services, such as GCM and APNS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePlatformEndpoint"
},
{
"resource_types": "topic",
"description": "Creates a topic to which notifications can be published",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTopic"
},
{
"resource_types": "",
"description": "Deletes the endpoint for a device and mobile app from Amazon SNS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEndpoint"
},
{
"resource_types": "",
"description": "Deletes a platform application object for one of the supported push notification services, such as APNS and GCM",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePlatformApplication"
},
{
"resource_types": "topic",
"description": "Deletes a topic and all its subscriptions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTopic"
},
{
"resource_types": "",
"description": "Retrieves the endpoint attributes for a device on one of the supported push notification services, such as GCM and APNS",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetEndpointAttributes"
},
{
"resource_types": "",
"description": "Retrieves the attributes of the platform application object for the supported push notification services, such as APNS and GCM",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPlatformApplicationAttributes"
},
{
"resource_types": "",
"description": "Returns the settings for sending SMS messages from your account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSMSAttributes"
},
{
"resource_types": "",
"description": "Returns all of the properties of a subscription",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSubscriptionAttributes"
},
{
"resource_types": "topic",
"description": "Returns all of the properties of a topic. Topic properties returned might differ based on the authorization of the user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTopicAttributes"
},
{
"resource_types": "",
"description": "Lists the endpoints and endpoint attributes for devices in a supported push notification service, such as GCM and APNS",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListEndpointsByPlatformApplication"
},
{
"resource_types": "",
"description": "Returns a list of phone numbers that are opted out, meaning you cannot send SMS messages to them",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListPhoneNumbersOptedOut"
},
{
"resource_types": "",
"description": "Lists the platform application objects for the supported push notification services, such as APNS and GCM",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPlatformApplications"
},
{
"resource_types": "",
"description": "Returns a list of the requester's subscriptions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSubscriptions"
},
{
"resource_types": "topic",
"description": "Returns a list of the subscriptions to a specific topic",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSubscriptionsByTopic"
},
{
"resource_types": "",
"description": "Returns a list of the requester's topics. Each call returns a limited list of topics, up to 100",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTopics"
},
{
"resource_types": "",
"description": "Opts in a phone number that is currently opted out, which enables you to resume sending SMS messages to the number",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "OptInPhoneNumber"
},
{
"resource_types": "topic",
"description": "Sends a message to all of a topic's subscribed endpoints",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Publish"
},
{
"resource_types": "topic",
"description": "Removes a statement from a topic's access control policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "RemovePermission"
},
{
"resource_types": "",
"description": "Sets the attributes for an endpoint for a device on one of the supported push notification services, such as GCM and APNS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetEndpointAttributes"
},
{
"resource_types": "",
"description": "Sets the attributes of the platform application object for the supported push notification services, such as APNS and GCM",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetPlatformApplicationAttributes"
},
{
"resource_types": "",
"description": "Allows a subscription owner to set an attribute of the topic to a new value",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetSubscriptionAttributes"
},
{
"resource_types": "topic",
"description": "Allows a topic owner to set an attribute of the topic to a new value",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetTopicAttributes"
},
{
"resource_types": "topic",
"description": "Prepares to subscribe an endpoint by sending the endpoint a confirmation message",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Subscribe"
},
{
"resource_types": "",
"description": "Deletes a subscription. If the subscription requires authentication for deletion, only the owner of the subscription or the topic's owner can unsubscribe, and an AWS signature is required",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Unsubscribe"
}
]
},
{
"service_name": "Amazon FreeRTOS",
"privileges": []
},
{
"service_name": "Amazon API Gateway",
"privileges": [
{
"resource_types": "execute-api-general",
"description": "Used to invalidate API cache upon a client request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "InvalidateCache"
},
{
"resource_types": "execute-api-general",
"description": "Used to invoke an API upon a client request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Invoke"
}
]
},
{
"service_name": "Amazon Connect",
"privileges": []
},
{
"service_name": "Elastic Load Balancing V2",
"privileges": [
{
"resource_types": "listener",
"description": "Adds the specified certificates to the specified secure listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddListenerCertificates"
},
{
"resource_types": "loadbalancer/app",
"description": "Adds the specified tags to the specified load balancer. Each load balancer can have a maximum of 10 tags",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTags"
},
{
"resource_types": "loadbalancer/app",
"description": "Creates a listener for the specified Application Load Balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateListener"
},
{
"resource_types": "loadbalancer/app",
"description": "Creates a load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateLoadBalancer"
},
{
"resource_types": "listener",
"description": "Creates a rule for the specified listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRule"
},
{
"resource_types": "targetgroup",
"description": "Creates a target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTargetGroup"
},
{
"resource_types": "listener",
"description": "Deletes the specified listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteListener"
},
{
"resource_types": "loadbalancer/app",
"description": "Deletes the specified load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteLoadBalancer"
},
{
"resource_types": "listener-rule",
"description": "Deletes the specified rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRule"
},
{
"resource_types": "targetgroup",
"description": "Deletes the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTargetGroup"
},
{
"resource_types": "targetgroup",
"description": "Deregisters the specified targets from the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeregisterTargets"
},
{
"resource_types": "",
"description": "Describes the Elastic Load Balancing resource limits for the AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAccountLimits"
},
{
"resource_types": "",
"description": "Describes the certificates for the specified secure listener",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeListenerCertificates"
},
{
"resource_types": "",
"description": "Describes the specified listeners or the listeners for the specified Application Load Balancer",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeListeners"
},
{
"resource_types": "",
"description": "Describes the attributes for the specified load balancer",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeLoadBalancerAttributes"
},
{
"resource_types": "",
"description": "Describes the specified load balancers. If no load balancers are specified, the call describes all of your load balancers",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeLoadBalancers"
},
{
"resource_types": "",
"description": "Describes the specified rules or the rules for the specified listener",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeRules"
},
{
"resource_types": "",
"description": "Describes the specified policies or all policies used for SSL negotiation",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSSLPolicies"
},
{
"resource_types": "",
"description": "Describes the tags associated with the specified load balancers",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTags"
},
{
"resource_types": "",
"description": "Describes the attributes for the specified target group",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTargetGroupAttributes"
},
{
"resource_types": "",
"description": "Describes the specified target groups or all of your target groups",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTargetGroups"
},
{
"resource_types": "",
"description": "Describes the health of the specified targets or all of your targets",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTargetHealth"
},
{
"resource_types": "listener",
"description": "Modifies the specified properties of the specified listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyListener"
},
{
"resource_types": "loadbalancer/app",
"description": "Modifies the attributes of the specified load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyLoadBalancerAttributes"
},
{
"resource_types": "listener-rule",
"description": "Modifies the specified rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyRule"
},
{
"resource_types": "targetgroup",
"description": "Modifies the health checks used when evaluating the health state of the targets in the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyTargetGroup"
},
{
"resource_types": "targetgroup",
"description": "Modifies the specified attributes of the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyTargetGroupAttributes"
},
{
"resource_types": "targetgroup",
"description": "Registers the specified targets with the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RegisterTargets"
},
{
"resource_types": "listener",
"description": "Removes the specified certificates of the specified secure listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveListenerCertificates"
},
{
"resource_types": "loadbalancer/app",
"description": "Removes one or more tags from the specified load balancer",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTags"
},
{
"resource_types": "loadbalancer/app",
"description": "Not found",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetIpAddressType"
},
{
"resource_types": "listener-rule",
"description": "Sets the priorities of the specified rules",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetRulePriorities"
},
{
"resource_types": "loadbalancer/app",
"description": "Associates the specified security groups with the specified load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetSecurityGroups"
},
{
"resource_types": "loadbalancer/app",
"description": "Enables the Availability Zone for the specified subnets for the specified load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetSubnets"
}
]
},
{
"service_name": "Amazon Mobile Analytics",
"privileges": [
{
"resource_types": "",
"description": "The PutEvents operation records one or more events",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutEvents"
}
]
},
{
"service_name": "AWS Trusted Advisor",
"privileges": []
},
{
"service_name": "Amazon Macie",
"privileges": [
{
"resource_types": "",
"description": "Enables the user to associate a specified AWS account with Amazon Macie as a member account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateMemberAccount"
},
{
"resource_types": "",
"description": "Enables the user to associate specified S3 resources with Amazon Macie for monitoring and data classification",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateS3Resources"
},
{
"resource_types": "",
"description": "Enables the user to remove the specified member account from Amazon Macie",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateMemberAccount"
},
{
"resource_types": "",
"description": "Enables the user to remove specified S3 resources from being monitored by Amazon Macie",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateS3Resources"
},
{
"resource_types": "",
"description": "Enables the user to list all Amazon Macie member accounts for the current Macie master account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListMemberAccounts"
},
{
"resource_types": "",
"description": "Enables the user to list all the S3 resources associated with Amazon Macie",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListS3Resources"
},
{
"resource_types": "",
"description": "Enables the user to update the classification types for the specified S3 resources",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateS3Resources"
}
]
},
{
"service_name": "Amazon Textract",
"privileges": [
{
"resource_types": "",
"description": "Detects instances of real-world document entities within an image provided as input",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [
"s3:GetObject"
],
"privilege": "AnalyzeDocument"
},
{
"resource_types": "",
"description": "Detects text in document images",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [
"s3:GetObject"
],
"privilege": "DetectDocumentText"
},
{
"resource_types": "",
"description": "Returns information about a document analysis job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDocumentAnalysis"
},
{
"resource_types": "",
"description": "Returns information about a document text detection job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDocumentTextDetection"
},
{
"resource_types": "",
"description": "Starts an asynchronous job to detect instances of real-world document entities within an image or pdf provided as input",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"s3:GetObject"
],
"privilege": "StartDocumentAnalysis"
},
{
"resource_types": "",
"description": "Starts an asynchronous job to detect text in document images or pdfs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"s3:GetObject"
],
"privilege": "StartDocumentTextDetection"
}
]
},
{
"service_name": "AWS Certificate Manager Private Certificate Authority",
"privileges": [
{
"resource_types": "",
"description": "Creates an ACM Private CA and its associated private key and configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Creates an audit report for an ACM Private CA",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCertificateAuthorityAuditReport"
},
{
"resource_types": "certificate-authority",
"description": "Deletes an ACM Private CA and its associated private key and configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Returns a list of the configuration and status fields contained in the specified ACM Private CA",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Returns the status and information about an ACM Private CA audit report",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCertificateAuthorityAuditReport"
},
{
"resource_types": "certificate-authority",
"description": "Retrieves an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCertificate"
},
{
"resource_types": "certificate-authority",
"description": "Retrieves an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCertificateAuthorityCertificate"
},
{
"resource_types": "certificate-authority",
"description": "Retrieves an ACM Private CA certificate signing request (CSR) for the certificate-authority specified by an ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCertificateAuthorityCsr"
},
{
"resource_types": "certificate-authority",
"description": "Imports an SSL/TLS certificate into ACM Private CA for use as the CA certificate of an ACM Private CA",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportCertificateAuthorityCertificate"
},
{
"resource_types": "certificate-authority",
"description": "Issues an ACM Private CA certificate",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "IssueCertificate"
},
{
"resource_types": "",
"description": "Retrieves a list of the ACM Private CA certificate authority ARNs, and a summary of the status of each CA in the calling account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListCertificateAuthorities"
},
{
"resource_types": "certificate-authority",
"description": "Lists the tags that have been applied to the ACM Private CA certificate authority",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTags"
},
{
"resource_types": "certificate-authority",
"description": "Restores an ACM Private CA from the deleted state to the state it was in when deleted",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Revokes a certificate issued by an ACM Private CA",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RevokeCertificate"
},
{
"resource_types": "certificate-authority",
"description": "Adds one or more tags to an ACM Private CA",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Remove one or more tags from an ACM Private CA",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Updates the configuration of an ACM Private CA",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateCertificateAuthority"
}
]
},
{
"service_name": "Amazon DynamoDB",
"privileges": [
{
"resource_types": "table",
"description": "Returns the attributes of one or more items from one or more tables",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetItem"
},
{
"resource_types": "table",
"description": "Puts or deletes multiple items in one or more tables",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchWriteItem"
},
{
"resource_types": "table",
"description": "The ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ConditionCheckItem"
},
{
"resource_types": "table",
"description": "Creates a backup for an existing table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBackup"
},
{
"resource_types": "global-table",
"description": "Enables the user to create a global table from an existing table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateGlobalTable"
},
{
"resource_types": "table",
"description": "The CreateTable operation adds a new table to your account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTable"
},
{
"resource_types": "backup",
"description": "Deletes an existing backup of a table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBackup"
},
{
"resource_types": "table",
"description": "Deletes a single item in a table by primary key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteItem"
},
{
"resource_types": "table",
"description": "The DeleteTable operation deletes a table and all of its items",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTable"
},
{
"resource_types": "backup",
"description": "Describes an existing backup of a table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeBackup"
},
{
"resource_types": "table",
"description": "Checks the status of the backup restore settings on the specified table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeContinuousBackups"
},
{
"resource_types": "global-table",
"description": "Returns information about the specified global table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeGlobalTable"
},
{
"resource_types": "global-table",
"description": "Returns settings information about the specified global table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeGlobalTableSettings"
},
{
"resource_types": "",
"description": "Returns the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one DynamoDB table that you create there",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeLimits"
},
{
"resource_types": "stream",
"description": "Returns information about a stream, including the current status of the stream, its Amazon Resource Name (ARN), the composition of its shards, and its corresponding DynamoDB table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeStream"
},
{
"resource_types": "table",
"description": "Returns information about the table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTable"
},
{
"resource_types": "",
"description": "Gives a description of the Time to Live (TTL) status on the specified table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTimeToLive"
},
{
"resource_types": "table",
"description": "The GetItem operation returns a set of attributes for the item with the given primary key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetItem"
},
{
"resource_types": "stream",
"description": "Retrieves the stream records from a given shard",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRecords"
},
{
"resource_types": "stream",
"description": "Returns a shard iterator",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetShardIterator"
},
{
"resource_types": "",
"description": "List backups associated with the account and endpoint",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBackups"
},
{
"resource_types": "",
"description": "Lists all global tables that have a replica in the specified region",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGlobalTables"
},
{
"resource_types": "",
"description": "Returns an array of stream ARNs associated with the current account and endpoint",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListStreams"
},
{
"resource_types": "",
"description": "Returns an array of table names associated with the current account and endpoint",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTables"
},
{
"resource_types": "",
"description": "List all tags on an Amazon DynamoDB resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsOfResource"
},
{
"resource_types": "table",
"description": "Creates a new item, or replaces an old item with a new item",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutItem"
},
{
"resource_types": "table",
"description": "Uses the primary key of a table or a secondary index to directly access items from that table or index",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "Query"
},
{
"resource_types": "backup",
"description": "Creates a new table from an existing backup",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreTableFromBackup"
},
{
"resource_types": "table",
"description": "Restores a table to a point in time",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreTableToPointInTime"
},
{
"resource_types": "table",
"description": "Returns one or more items and item attributes by accessing every item in a table or a secondary index",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "Scan"
},
{
"resource_types": "",
"description": "Associate a set of tags with an Amazon DynamoDB resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "",
"description": "Removes the association of tags from an Amazon DynamoDB resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "table",
"description": "Enables or disables continuous backups",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateContinuousBackups"
},
{
"resource_types": "global-table",
"description": "Enables the user to add or remove replicas in the specified global table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateGlobalTable"
},
{
"resource_types": "global-table",
"description": "Enables the user to update settings of the specified global table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateGlobalTableSettings"
},
{
"resource_types": "table",
"description": "Edits an existing item's attributes, or adds a new item to the table if it does not already exist",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateItem"
},
{
"resource_types": "table",
"description": "Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateTable"
},
{
"resource_types": "table",
"description": "Enables or disables TTL for the specified table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateTimeToLive"
}
]
},
{
"service_name": "AWS License Manager",
"privileges": [
{
"resource_types": "",
"description": "Creates a new license configuration",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateLicenseConfiguration"
},
{
"resource_types": "license-configuration",
"description": "Permanently deletes a license configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteLicenseConfiguration"
},
{
"resource_types": "license-configuration",
"description": "Gets a license configuration",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetLicenseConfiguration"
},
{
"resource_types": "",
"description": "Gets service settings",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetServiceSettings"
},
{
"resource_types": "license-configuration",
"description": "Lists associations for a selected license configuration",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAssociationsForLicenseConfiguration"
},
{
"resource_types": "",
"description": "Lists license configurations",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListLicenseConfigurations"
},
{
"resource_types": "",
"description": "Lists license specifications associated with a selected resource",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListLicenseSpecificationsForResource"
},
{
"resource_types": "",
"description": "Lists resource inventory",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListResourceInventory"
},
{
"resource_types": "license-configuration",
"description": "Lists tags for a selected resource",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "license-configuration",
"description": "Lists usage records for selected license configuration",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListUsageForLicenseConfiguration"
},
{
"resource_types": "license-configuration",
"description": "Tags a selected resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "license-configuration",
"description": "Untags a selected resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "license-configuration",
"description": "Updates an existing license configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateLicenseConfiguration"
},
{
"resource_types": "license-configuration",
"description": "Updates license specifications for a selected resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateLicenseSpecificationsForResource"
},
{
"resource_types": "",
"description": "Updates service settings",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "UpdateServiceSettings"
}
]
},
{
"service_name": "Amazon SimpleDB",
"privileges": [
{
"resource_types": "domain",
"description": "Performs multiple DeleteAttributes operations in a single call, which reduces round trips and latencies",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchDeleteAttributes"
},
{
"resource_types": "domain",
"description": "With the BatchPutAttributes operation, you can perform multiple PutAttribute operations in a single call",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchPutAttributes"
},
{
"resource_types": "domain",
"description": "The CreateDomain operation creates a new domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDomain"
},
{
"resource_types": "domain",
"description": "Deletes one or more attributes associated with the item",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAttributes"
},
{
"resource_types": "domain",
"description": "The DeleteDomain operation deletes a domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDomain"
},
{
"resource_types": "domain",
"description": "Returns information about the domain, including when the domain was created, the number of items and attributes, and the size of attribute names and values",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DomainMetadata"
},
{
"resource_types": "domain",
"description": "Returns all of the attributes associated with the item",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAttributes"
},
{
"resource_types": "",
"description": "Description for ListDomains",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDomains"
},
{
"resource_types": "domain",
"description": "The PutAttributes operation creates or replaces attributes in an item",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAttributes"
},
{
"resource_types": "domain",
"description": "Description for Select",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "Select"
}
]
},
{
"service_name": "AWS Database Migration Service",
"privileges": [
{
"resource_types": "",
"description": "Adds metadata tags to a DMS resource, including replication instance, endpoint, security group, and migration task",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTagsToResource"
},
{
"resource_types": "",
"description": "Creates an endpoint using the provided settings",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateEndpoint"
},
{
"resource_types": "",
"description": "Creates the replication instance using the specified parameters",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateReplicationInstance"
},
{
"resource_types": "",
"description": "Creates a replication subnet group given a list of the subnet IDs in a VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateReplicationSubnetGroup"
},
{
"resource_types": "",
"description": "Creates a replication task using the specified parameters",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateReplicationTask"
},
{
"resource_types": "",
"description": "Deletes the specified endpoint",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEndpoint"
},
{
"resource_types": "",
"description": "Deletes an AWS DMS event subscription",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEventSubscription"
},
{
"resource_types": "",
"description": "Deletes the specified replication instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteReplicationInstance"
},
{
"resource_types": "",
"description": "Deletes a subnet group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteReplicationSubnetGroup"
},
{
"resource_types": "",
"description": "Deletes the specified replication task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteReplicationTask"
},
{
"resource_types": "",
"description": "Lists all of the AWS DMS attributes for a customer account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAccountAttributes"
},
{
"resource_types": "",
"description": "Provides a description of the certificate",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCertificates"
},
{
"resource_types": "",
"description": "Describes the status of the connections that have been made between the replication instance and an endpoint",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeConnections"
},
{
"resource_types": "",
"description": "Returns information about the type of endpoints available",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEndpointTypes"
},
{
"resource_types": "",
"description": "Returns information about the endpoints for your account in the current region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEndpoints"
},
{
"resource_types": "",
"description": "Lists categories for all event source types, or, if specified, for a specified source type",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEventCategories"
},
{
"resource_types": "",
"description": "Lists all the event subscriptions for a customer account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEventSubscriptions"
},
{
"resource_types": "",
"description": "Lists events for a given source identifier and source type",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEvents"
},
{
"resource_types": "",
"description": "Returns information about the replication instance types that can be created in the specified region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeOrderableReplicationInstances"
},
{
"resource_types": "",
"description": "Returns the status of the RefreshSchemas operation",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeRefreshSchemasStatus"
},
{
"resource_types": "",
"description": "Returns information about replication instances for your account in the current region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeReplicationInstances"
},
{
"resource_types": "",
"description": "Returns information about the replication subnet groups",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeReplicationSubnetGroups"
},
{
"resource_types": "",
"description": "Returns information about replication tasks for your account in the current region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeReplicationTasks"
},
{
"resource_types": "",
"description": "Returns information about the schema for the specified endpoint",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSchemas"
},
{
"resource_types": "",
"description": "Returns table statistics on the database migration task, including table name, rows inserted, rows updated, and rows deleted",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTableStatistics"
},
{
"resource_types": "",
"description": "Lists all tags for an AWS DMS resource",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "",
"description": "Modifies the specified endpoint",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyEndpoint"
},
{
"resource_types": "",
"description": "Modifies an existing AWS DMS event notification subscription",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyEventSubscription"
},
{
"resource_types": "",
"description": "Modifies the replication instance to apply new settings",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyReplicationInstance"
},
{
"resource_types": "",
"description": "Modifies the settings for the specified replication subnet group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyReplicationSubnetGroup"
},
{
"resource_types": "",
"description": "Modifies the specified replication task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyReplicationTask"
},
{
"resource_types": "",
"description": "Populates the schema for the specified endpoint",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RefreshSchemas"
},
{
"resource_types": "",
"description": "Removes metadata tags from a DMS resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTagsFromResource"
},
{
"resource_types": "",
"description": "Starts the replication task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartReplicationTask"
},
{
"resource_types": "",
"description": "Stops the replication task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopReplicationTask"
},
{
"resource_types": "",
"description": "Tests the connection between the replication instance and the endpoint",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "TestConnection"
}
]
},
{
"service_name": "AWS Elemental MediaPackage",
"privileges": [
{
"resource_types": "",
"description": "Grants permission to create a channel in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateChannel"
},
{
"resource_types": "",
"description": "Grants permission to create an endpoint in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateOriginEndpoint"
},
{
"resource_types": "",
"description": "Grants permission to delete a channel in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteChannel"
},
{
"resource_types": "",
"description": "Grants permission to delete an endpoint in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteOriginEndpoint"
},
{
"resource_types": "",
"description": "Grants permission to view the details of a channel in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeChannel"
},
{
"resource_types": "",
"description": "Grants permission to view the details of an endpoint in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeOriginEndpoint"
},
{
"resource_types": "",
"description": "Grants permission to view a list of channels in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListChannels"
},
{
"resource_types": "",
"description": "Grants permission to view a list of endpoints in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListOriginEndpoints"
},
{
"resource_types": "",
"description": "Grants permission to make changes to a channel in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateChannel"
},
{
"resource_types": "",
"description": "Grants permission to make changes to an endpoint in AWS Elemental MediaPackage",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateOriginEndpoint"
}
]
},
{
"service_name": "AWS OpsWorks Configuration Management",
"privileges": [
{
"resource_types": "",
"description": "Associate a node to a configuration management server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateNode"
},
{
"resource_types": "",
"description": "Create a backup for the specified server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBackup"
},
{
"resource_types": "",
"description": "Create a new server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateServer"
},
{
"resource_types": "",
"description": "Delete the specified backup and possibly its S3 bucket",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBackup"
},
{
"resource_types": "",
"description": "Deletes the specified server with its corresponding CF stack and possibly the S3 bucket",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteServer"
},
{
"resource_types": "",
"description": "Describe the service limits for the user's account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeAccountAttributes"
},
{
"resource_types": "",
"description": "Describe a single backup, all backups of a specified server or all backups of the user's account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeBackups"
},
{
"resource_types": "",
"description": "Describe all events of the specified server",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeEvents"
},
{
"resource_types": "",
"description": "Describe the association status for the specified node token and the specified server",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeNodeAssociationStatus"
},
{
"resource_types": "",
"description": "Describes the specified server or all servers of the user's account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeServers"
},
{
"resource_types": "",
"description": "Disassociates a specified node from a server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateNode"
},
{
"resource_types": "",
"description": "Applies a backup to specified server. Possibly swaps out the ec2-instance if specified",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreServer"
},
{
"resource_types": "",
"description": "Start the server maintenance immediately",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartMaintenance"
},
{
"resource_types": "",
"description": "Update general server settings",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateServer"
},
{
"resource_types": "",
"description": "Update server settings specific to the configuration management type",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateServerEngineAttributes"
}
]
},
{
"service_name": "AWS Transfer for SFTP",
"privileges": [
{
"resource_types": "",
"description": "Enables the caller to create a server",
"condition_keys": [
"aws:TagKeys",
"aws:RequestTag/${TagKey}"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateServer"
},
{
"resource_types": "server",
"description": "Enables the caller to add a user associated with a server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"iam:PassRole"
],
"privilege": "CreateUser"
},
{
"resource_types": "server",
"description": "Enables the caller to delete a server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteServer"
},
{
"resource_types": "user",
"description": "Enables the caller to delete an SSH public key from a user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSshPublicKey"
},
{
"resource_types": "user",
"description": "Enables the caller to delete a user associated with a server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteUser"
},
{
"resource_types": "server",
"description": "Enables the caller to describe a server",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeServer"
},
{
"resource_types": "user",
"description": "Enables the caller to describe a user associated with a server",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeUser"
},
{
"resource_types": "user",
"description": "Enables the caller to add an SSH public key to a user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportSshPublicKey"
},
{
"resource_types": "",
"description": "Enables the caller to list servers",
"condition_keys": [
"aws:TagKeys"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListServers"
},
{
"resource_types": "server",
"description": "Enables the caller to list tags for a server or a user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "user",
"description": "Enables the caller to list users associated with a server",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListUsers"
},
{
"resource_types": "server",
"description": "Enables the caller to start a server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartServer"
},
{
"resource_types": "server",
"description": "Enables the caller to stop a server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopServer"
},
{
"resource_types": "server",
"description": "Enables the caller to tag a server or a user",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "server",
"description": "Enables the caller to test a server's custom identity provider",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "TestIdentityProvider"
},
{
"resource_types": "server",
"description": "Enables the caller to untag a server or a user",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "server",
"description": "Enables the caller to update the configuration of a server",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateServer"
},
{
"resource_types": "server",
"description": "Enables the caller to update the configuration of a user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateUser"
}
]
},
{
"service_name": "Amazon Route 53",
"privileges": [
{
"resource_types": "hostedzone",
"description": "Grants permission to associate an additional Amazon VPC with a private hosted zone",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateVPCWithHostedZone"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to create, update, or delete a record, which contains authoritative DNS information for a specified domain or subdomain name",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ChangeResourceRecordSets"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to add, edit, or delete tags for a health check or a hosted zone",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "ChangeTagsForResource"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to create a new health check, which monitors the health and performance of your web applications, web servers, and other resources",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateHealthCheck"
},
{
"resource_types": "",
"description": "Grants permission to create a public hosted zone, which you use to specify how the Domain Name System (DNS) routes traffic on the Internet for a domain, such as example.com, and its subdomains",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateHostedZone"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to create a configuration for DNS query logging",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateQueryLoggingConfig"
},
{
"resource_types": "",
"description": "Grants permission to create a delegation set (a group of four name servers) that can be reused by multiple hosted zones",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateReusableDelegationSet"
},
{
"resource_types": "",
"description": "Grants permission to create a traffic policy, which you use to create multiple DNS records for one domain name (such as example.com) or one subdomain name (such as www.example.com)",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTrafficPolicy"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to create records in a specified hosted zone based on the settings in a specified traffic policy version",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTrafficPolicyInstance"
},
{
"resource_types": "trafficpolicy",
"description": "Grants permission to create a new version of an existing traffic policy",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTrafficPolicyVersion"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to authorize the AWS account that created a specified VPC to submit an AssociateVPCWithHostedZone request, which associates the VPC with a specified hosted zone that was created by a different account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateVPCAssociationAuthorization"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to delete a health check",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteHealthCheck"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to delete a hosted zone",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteHostedZone"
},
{
"resource_types": "queryloggingconfig",
"description": "Grants permission to delete a configuration for DNS query logging",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteQueryLoggingConfig"
},
{
"resource_types": "delegationset",
"description": "Grants permission to delete a reusable delegation set",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteReusableDelegationSet"
},
{
"resource_types": "trafficpolicy",
"description": "Grants permission to delete a traffic policy",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTrafficPolicy"
},
{
"resource_types": "trafficpolicyinstance",
"description": "Grants permission to delete a traffic policy instance and all the records that Route 53 created when you created the instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTrafficPolicyInstance"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to remove authorization for associating an Amazon Virtual Private Cloud with a Route 53 private hosted zone",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteVPCAssociationAuthorization"
},
{
"resource_types": "",
"description": "Grants permission to disassociate an Amazon Virtual Private Cloud from a Route 53 private hosted zone",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateVPCFromHostedZone"
},
{
"resource_types": "",
"description": "Grants permission to get the specified limit for the current account, for example, the maximum number of health checks that you can create using the account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAccountLimit"
},
{
"resource_types": "change",
"description": "Grants permission to get the current status of a request to create, update, or delete one or more records",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetChange"
},
{
"resource_types": "",
"description": "Grants permission to get a list of the IP ranges that are used by Route 53 health checkers to check the health of your resources",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetCheckerIpRanges"
},
{
"resource_types": "",
"description": "Grants permission to get information about whether a specified geographic location is supported for Route 53 geolocation records",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetGeoLocation"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to get information about a specified health check",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetHealthCheck"
},
{
"resource_types": "",
"description": "Grants permission to get the number of health checks that are associated with the current AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetHealthCheckCount"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to get the reason that a specified health check failed most recently",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetHealthCheckLastFailureReason"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to get the status of a specified health check",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetHealthCheckStatus"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to get information about a specified hosted zone including the four name servers that Route 53 assigned to the hosted zone",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetHostedZone"
},
{
"resource_types": "",
"description": "Grants permission to get the number of hosted zones that are associated with the current AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetHostedZoneCount"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to get the specified limit for a specified hosted zone",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetHostedZoneLimit"
},
{
"resource_types": "queryloggingconfig",
"description": "Grants permission to get information about a specified configuration for DNS query logging",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetQueryLoggingConfig"
},
{
"resource_types": "delegationset",
"description": "Grants permission to get information about a specified reusable delegation set, including the four name servers that are assigned to the delegation set",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetReusableDelegationSet"
},
{
"resource_types": "delegationset",
"description": "Grants permission to get the maximum number of hosted zones that you can associate with the specified reusable delegation set",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetReusableDelegationSetLimit"
},
{
"resource_types": "trafficpolicy",
"description": "Grants permission to get information about a specified traffic policy version",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTrafficPolicy"
},
{
"resource_types": "trafficpolicyinstance",
"description": "Grants permission to get information about a specified traffic policy instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTrafficPolicyInstance"
},
{
"resource_types": "",
"description": "Grants permission to get the number of traffic policy instances that are associated with the current AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTrafficPolicyInstanceCount"
},
{
"resource_types": "",
"description": "Grants permission to get a list of geographic locations that Route 53 supports for geolocation",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGeoLocations"
},
{
"resource_types": "",
"description": "Grants permission to get a list of the health checks that are associated with the current AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListHealthChecks"
},
{
"resource_types": "",
"description": "Grants permission to get a list of the public and private hosted zones that are associated with the current AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListHostedZones"
},
{
"resource_types": "",
"description": "Grants permission to get a list of your hosted zones in lexicographic order. Hosted zones are sorted by name with the labels reversed, for example, com.example.www",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListHostedZonesByName"
},
{
"resource_types": "queryloggingconfig",
"description": "Grants permission to list the configurations for DNS query logging that are associated with the current AWS account or the configuration that is associated with a specified hosted zone",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListQueryLoggingConfigs"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to list the records in a specified hosted zone",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListResourceRecordSets"
},
{
"resource_types": "",
"description": "Grants permission to list the reusable delegation sets that are associated with the current AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListReusableDelegationSets"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to list tags for one health check or hosted zone",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to list tags for up to 10 health checks or hosted zones",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsForResources"
},
{
"resource_types": "",
"description": "Grants permission to get information about the latest version for every traffic policy that is associated with the current AWS account. Policies are listed in the order in which they were created",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTrafficPolicies"
},
{
"resource_types": "",
"description": "Grants permission to get information about the traffic policy instances that you created by using the current AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTrafficPolicyInstances"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to get information about the traffic policy instances that you created in a specified hosted zone",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTrafficPolicyInstancesByHostedZone"
},
{
"resource_types": "trafficpolicy",
"description": "Grants permission to get information about the traffic policy instances that you created using a specified traffic policy version",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTrafficPolicyInstancesByPolicy"
},
{
"resource_types": "trafficpolicy",
"description": "Grants permission to get information about all the versions for a specified traffic policy",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTrafficPolicyVersions"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to get a list of the VPCs that were created by other accounts and that can be associated with a specified hosted zone",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListVPCAssociationAuthorizations"
},
{
"resource_types": "",
"description": "Grants permission to get the value that Route 53 returns in response to a DNS query for a specified record name and type",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "TestDNSAnswer"
},
{
"resource_types": "healthcheck",
"description": "Grants permission to update an existing health check",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateHealthCheck"
},
{
"resource_types": "hostedzone",
"description": "Grants permission to update the comment for a specified hosted zone",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateHostedZoneComment"
},
{
"resource_types": "trafficpolicy",
"description": "Grants permission to update the comment for a specified traffic policy version",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateTrafficPolicyComment"
},
{
"resource_types": "trafficpolicyinstance",
"description": "Grants permission to update the records in a specified hosted zone that were created based on the settings in a specified traffic policy version",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateTrafficPolicyInstance"
}
]
},
{
"service_name": "AWS Shield",
"privileges": [
{
"resource_types": "",
"description": "Authorizes the DDoS Response team to access the specified Amazon S3 bucket containing your flow logs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"s3:GetBucketPolicy",
"s3:PutBucketPolicy"
],
"privilege": "AssociateDRTLogBucket"
},
{
"resource_types": "",
"description": "Authorizes the DDoS Response team using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:PassRole"
],
"privilege": "AssociateDRTRole"
},
{
"resource_types": "protection",
"description": "Activate DDoS protection service for a given resource ARN",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateProtection"
},
{
"resource_types": "",
"description": "Activate subscription",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSubscription"
},
{
"resource_types": "protection",
"description": "Delete an existing protection",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProtection"
},
{
"resource_types": "",
"description": "Deactivate subscription",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSubscription"
},
{
"resource_types": "attack",
"description": "Get attack details",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAttack"
},
{
"resource_types": "",
"description": "Returns the current role and list of Amazon S3 log buckets used by the DDoS Response team to access your AWS account while assisting with attack mitigation",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeDRTAccess"
},
{
"resource_types": "",
"description": "Lists the email addresses that the DRT can use to contact you during a suspected attack",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEmergencyContactSettings"
},
{
"resource_types": "protection",
"description": "Get protection details",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProtection"
},
{
"resource_types": "",
"description": "Get subscription details, such as start time",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSubscription"
},
{
"resource_types": "",
"description": "Removes the DDoS Response team's access to the specified Amazon S3 bucket containing your flow logs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"s3:DeleteBucketPolicy",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy"
],
"privilege": "DisassociateDRTLogBucket"
},
{
"resource_types": "",
"description": "Removes the DDoS Response team's access to your AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateDRTRole"
},
{
"resource_types": "",
"description": "Get subscription state",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSubscriptionState"
},
{
"resource_types": "",
"description": "List all existing attacks",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAttacks"
},
{
"resource_types": "",
"description": "List all existing protections",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProtections"
},
{
"resource_types": "",
"description": "Updates the details of the list of email addresses that the DRT can use to contact you during a suspected attack",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateEmergencyContactSettings"
}
]
},
{
"service_name": "Amazon Elastic File System",
"privileges": [
{
"resource_types": "",
"description": "Creates a new, empty file system",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateFileSystem"
},
{
"resource_types": "file-system",
"description": "Creates a mount target for a file system",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateMountTarget"
},
{
"resource_types": "file-system",
"description": "Creates or overwrites tags associated with a file system",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateTags"
},
{
"resource_types": "file-system",
"description": "Deletes a file system, permanently severing access to its contents",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteFileSystem"
},
{
"resource_types": "file-system",
"description": "Deletes the specified mount target",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteMountTarget"
},
{
"resource_types": "file-system",
"description": "Deletes the specified tags from a file system",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "DeleteTags"
},
{
"resource_types": "file-system",
"description": "Returns the description of a specific Amazon EFS file system if either the file system CreationToken or the FileSystemId is provided; otherwise, returns descriptions of all file systems owned by the caller's AWS account in the AWS region of the endpoint that you're calling",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeFileSystems"
},
{
"resource_types": "file-system",
"description": "Returns the security groups currently in effect for a mount target",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeMountTargetSecurityGroups"
},
{
"resource_types": "file-system",
"description": "Returns the descriptions of all the current mount targets, or a specific mount target, for a file system",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeMountTargets"
},
{
"resource_types": "file-system",
"description": "Returns the tags associated with a file system",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTags"
},
{
"resource_types": "file-system",
"description": "Modifies the set of security groups in effect for a mount target",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyMountTargetSecurityGroups"
},
{
"resource_types": "file-system",
"description": "Updates the throughput mode or the amount of provisioned throughput of an existing file system",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateFileSystem"
}
]
},
{
"service_name": "Amazon Rekognition",
"privileges": [
{
"resource_types": "",
"description": "Compares a face in source input image with each face detected in the target input image",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "CompareFaces"
},
{
"resource_types": "collection",
"description": "Creates a collection in an AWS region. You can then add faces to the collection using the IndexFaces API",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCollection"
},
{
"resource_types": "collection",
"description": "Creates an Amazon Rekognition stream processor that you can use to detect and recognize faces in a streaming video",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateStreamProcessor"
},
{
"resource_types": "collection",
"description": "Deletes the specified collection. Note that this operation removes all faces in the collection",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCollection"
},
{
"resource_types": "collection",
"description": "Deletes faces from a collection",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteFaces"
},
{
"resource_types": "streamprocessor",
"description": "Deletes the stream processor identified by Name",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteStreamProcessor"
},
{
"resource_types": "streamprocessor",
"description": "Provides information about a stream processor created by CreateStreamProcessor",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeStreamProcessor"
},
{
"resource_types": "",
"description": "Detects human faces within an image (JPEG or PNG) provided as input",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DetectFaces"
},
{
"resource_types": "",
"description": "Detects instances of real-world labels within an image (JPEG or PNG) provided as input",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DetectLabels"
},
{
"resource_types": "",
"description": "Detects moderation labels within input image",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DetectModerationLabels"
},
{
"resource_types": "",
"description": "Detects text in the input image and converts it into machine-readable text",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DetectText"
},
{
"resource_types": "",
"description": "Gets the name and additional information about a celebrity based on his or her Rekognition ID",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCelebrityInfo"
},
{
"resource_types": "",
"description": "Gets the celebrity recognition results for a Rekognition Video analysis started by StartCelebrityRecognition",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCelebrityRecognition"
},
{
"resource_types": "",
"description": "Gets the content moderation analysis results for a Rekognition Video analysis started by StartContentModeration",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetContentModeration"
},
{
"resource_types": "",
"description": "Gets face detection results for a Rekognition Video analysis started by StartFaceDetection",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFaceDetection"
},
{
"resource_types": "",
"description": "Gets the face search results for Rekognition Video face search started by StartFaceSearch",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFaceSearch"
},
{
"resource_types": "",
"description": "Gets the label detection results of a Rekognition Video analysis started by StartLabelDetection",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetLabelDetection"
},
{
"resource_types": "",
"description": "Gets information about people detected within a video",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPersonTracking"
},
{
"resource_types": "collection",
"description": "Detects faces in the input image and adds them to the specified collection",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "IndexFaces"
},
{
"resource_types": "collection",
"description": "Returns a list of collection IDs in your account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListCollections"
},
{
"resource_types": "collection",
"description": "Returns metadata for faces in the specified collection",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListFaces"
},
{
"resource_types": "streamprocessor",
"description": "Gets a list of stream processors that you have created with CreateStreamProcessor",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListStreamProcessors"
},
{
"resource_types": "",
"description": "Returns an array of celebrities recognized in the input image",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "RecognizeCelebrities"
},
{
"resource_types": "collection",
"description": "For a given input face ID, searches the specified collection for matching faces",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "SearchFaces"
},
{
"resource_types": "collection",
"description": "For a given input image, first detects the largest face in the image, and then searches the specified collection for matching faces",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "SearchFacesByImage"
},
{
"resource_types": "",
"description": "Starts asynchronous recognition of celebrities in a video",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartCelebrityRecognition"
},
{
"resource_types": "",
"description": "Starts asynchronous detection of explicit or suggestive adult content in a video",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartContentModeration"
},
{
"resource_types": "",
"description": "Starts asynchronous detection of faces in a video",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartFaceDetection"
},
{
"resource_types": "collection",
"description": "Starts the asynchronous search for faces in a collection that match the faces of persons detected in a video",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartFaceSearch"
},
{
"resource_types": "",
"description": "Starts asynchronous detection of labels in a video",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartLabelDetection"
},
{
"resource_types": "",
"description": "Starts the asynchronous tracking of persons in a video",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartPersonTracking"
},
{
"resource_types": "streamprocessor",
"description": "Starts processing a stream processor",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartStreamProcessor"
},
{
"resource_types": "streamprocessor",
"description": "Stops a running stream processor that was created by CreateStreamProcessor",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopStreamProcessor"
}
]
},
{
"service_name": "Amazon DynamoDB Accelerator (DAX)",
"privileges": [
{
"resource_types": "application",
"description": "The BatchGetItem action returns the attributes of one or more items from one or more tables",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetItem"
},
{
"resource_types": "application",
"description": "The BatchWriteItem operation puts or deletes multiple items in one or more tables",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchWriteItem"
},
{
"resource_types": "application",
"description": "The ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ConditionCheckItem"
},
{
"resource_types": "application",
"description": "The CreateCluster action creates a DAX cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"dax:CreateParameterGroup",
"dax:CreateSubnetGroup",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"iam:GetRole",
"iam:PassRole"
],
"privilege": "CreateCluster"
},
{
"resource_types": "",
"description": "The CreateParameterGroup action creates a collection of parameters that you apply to all of the nodes in a DAX cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateParameterGroup"
},
{
"resource_types": "",
"description": "The CreateSubnetGroup action creates a new subnet group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSubnetGroup"
},
{
"resource_types": "application",
"description": "The DecreaseReplicationFactor action removes one or more nodes from a DAX cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DecreaseReplicationFactor"
},
{
"resource_types": "application",
"description": "The DeleteCluster action deletes a previously provisioned DAX cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCluster"
},
{
"resource_types": "application",
"description": "The DeleteItem action deletes a single item in a table by primary key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteItem"
},
{
"resource_types": "",
"description": "The DeleteParameterGroup action deletes the specified parameter group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteParameterGroup"
},
{
"resource_types": "",
"description": "The DeleteSubnetGroup action deletes a subnet group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSubnetGroup"
},
{
"resource_types": "application",
"description": "The DescribeClusters action returns information about all provisioned DAX clusters",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeClusters"
},
{
"resource_types": "",
"description": "The DescribeDefaultParameters action returns the default system parameter information for DAX",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDefaultParameters"
},
{
"resource_types": "",
"description": "The DescribeEvents action returns events related to DAX clusters and parameter groups",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeEvents"
},
{
"resource_types": "",
"description": "The DescribeParameterGroups action returns a list of parameter group descriptions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeParameterGroups"
},
{
"resource_types": "",
"description": "The DescribeParameters action returns the detailed parameter list for a particular parameter group",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeParameters"
},
{
"resource_types": "",
"description": "The DescribeSubnetGroups action returns a list of subnet group descriptions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeSubnetGroups"
},
{
"resource_types": "application",
"description": "The GetItem action returns a set of attributes for the item with the given primary key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetItem"
},
{
"resource_types": "application",
"description": "The IncreaseReplicationFactor action adds one or more nodes to a DAX cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "IncreaseReplicationFactor"
},
{
"resource_types": "application",
"description": "The ListTags action returns a list of all of the tags for a DAX cluster",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTags"
},
{
"resource_types": "application",
"description": "The PutItem action creates a new item, or replaces an old item with a new item",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutItem"
},
{
"resource_types": "application",
"description": "The Query action finds items based on primary key values. You can query any table or secondary index that has a composite primary key (a partition key and a sort key)",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "Query"
},
{
"resource_types": "application",
"description": "The RebootNode action reboots a single node of a DAX cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RebootNode"
},
{
"resource_types": "application",
"description": "The Scan action returns one or more items and item attributes by accessing every item in a table or a secondary index",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "Scan"
},
{
"resource_types": "application",
"description": "The TagResource action associates a set of tags with a DAX resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "application",
"description": "The UntagResource action removes the association of tags from a DAX resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "application",
"description": "The UpdateCluster action modifies the settings for a DAX cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateCluster"
},
{
"resource_types": "application",
"description": "The UpdateItem action edits an existing item's attributes, or adds a new item to the table if it does not already exist",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateItem"
},
{
"resource_types": "",
"description": "The UpdateParameterGroup action modifies the parameters of a parameter group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateParameterGroup"
},
{
"resource_types": "",
"description": "The UpdateSubnetGroup action modifies an existing subnet group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSubnetGroup"
}
]
},
{
"service_name": "AWS Performance Insights",
"privileges": []
},
{
"service_name": "Amazon GameLift",
"privileges": [
{
"resource_types": "",
"description": "Creates an alias for a fleet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateAlias"
},
{
"resource_types": "",
"description": "Initializes a new build record and generates information required to upload a game build to Amazon GameLift",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBuild"
},
{
"resource_types": "",
"description": "Creates a new fleet of computing resources to run your game servers",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateFleet"
},
{
"resource_types": "",
"description": "Creates a game session for players to join",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateGameSession"
},
{
"resource_types": "",
"description": "Adds a player to a game session",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePlayerSession"
},
{
"resource_types": "",
"description": "Adds a group of players to a game session",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePlayerSessions"
},
{
"resource_types": "",
"description": "Deletes an alias",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAlias"
},
{
"resource_types": "",
"description": "Deletes a build",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBuild"
},
{
"resource_types": "",
"description": "Deletes an empty fleet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteFleet"
},
{
"resource_types": "",
"description": "Deletes a set of scaling rules",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteScalingPolicy"
},
{
"resource_types": "",
"description": "Retrieves properties for an alias",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAlias"
},
{
"resource_types": "",
"description": "Retrieves properties for a build",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeBuild"
},
{
"resource_types": "",
"description": "Retrieves maximum allowed usage and current usage for all EC2 instance types or a specified type",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEC2InstanceLimits"
},
{
"resource_types": "",
"description": "Retrieves general fleet properties for a fleet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeFleetAttributes"
},
{
"resource_types": "",
"description": "Retrieves the current capacity status for a fleet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeFleetCapacity"
},
{
"resource_types": "",
"description": "Retrieves entries from a fleet's event log",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeFleetEvents"
},
{
"resource_types": "",
"description": "Retrieves the inbound connection permissions set for a fleet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeFleetPortSettings"
},
{
"resource_types": "",
"description": "Retrieves utilization statistics for a fleet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeFleetUtilization"
},
{
"resource_types": "",
"description": "Retrieves game session properties plus game session protection policy",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeGameSessionDetails"
},
{
"resource_types": "",
"description": "Retrieves game session properties for a fleet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeGameSessions"
},
{
"resource_types": "",
"description": "Retrieves information about a fleet's instances, including instance IDs",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeInstances"
},
{
"resource_types": "",
"description": "Retrieves player session properties for a game session",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribePlayerSessions"
},
{
"resource_types": "",
"description": "Retrieves the runtime configuration for a fleet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeRuntimeConfiguration"
},
{
"resource_types": "",
"description": "Retrieves all scaling policies applied to a fleet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeScalingPolicies"
},
{
"resource_types": "",
"description": "Retrieves the location of stored logs for a game session",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetGameSessionLogUrl"
},
{
"resource_types": "",
"description": "Requests remote access to a fleet instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInstanceAccess"
},
{
"resource_types": "",
"description": "Retrieves the fleet aliases used with this AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAliases"
},
{
"resource_types": "",
"description": "Retrieves the builds for this AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBuilds"
},
{
"resource_types": "",
"description": "Retrieves the fleet for this AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListFleets"
},
{
"resource_types": "",
"description": "Creates or updates a fleet scaling policy",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutScalingPolicy"
},
{
"resource_types": "",
"description": "Retrieves a fresh set of upload credentials and the Amazon S3 storage location for a specific build",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "RequestUploadCredentials"
},
{
"resource_types": "",
"description": "Retrieves the fleet ID associated with an alias",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ResolveAlias"
},
{
"resource_types": "",
"description": "Retrieves game sessions that match the search criteria and sorts them as specified",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "SearchGameSessions"
},
{
"resource_types": "",
"description": "Updates properties for an alias",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateAlias"
},
{
"resource_types": "",
"description": "Updates a build's name and version",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateBuild"
},
{
"resource_types": "",
"description": "Sets a fleet's general properties",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateFleetAttributes"
},
{
"resource_types": "",
"description": "Sets a fleet's capacity settings",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateFleetCapacity"
},
{
"resource_types": "",
"description": "Sets a fleet's port settings",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateFleetPortSettings"
},
{
"resource_types": "",
"description": "Sets game session properties",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateGameSession"
},
{
"resource_types": "",
"description": "Sets a fleet's runtime configuration, which specifies how to launch server processes on the fleet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRuntimeConfiguration"
}
]
},
{
"service_name": "AWS Direct Connect",
"privileges": [
{
"resource_types": "",
"description": "Creates a hosted connection on an interconnect",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AllocateConnectionOnInterconnect"
},
{
"resource_types": "",
"description": "Provisions a private virtual interface to be owned by a different customer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AllocatePrivateVirtualInterface"
},
{
"resource_types": "",
"description": "Provisions a public virtual interface to be owned by a different customer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AllocatePublicVirtualInterface"
},
{
"resource_types": "",
"description": "Confirm the creation of a hosted connection on an interconnect",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ConfirmConnection"
},
{
"resource_types": "",
"description": "Accept ownership of a private virtual interface created by another customer",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ConfirmPrivateVirtualInterface"
},
{
"resource_types": "",
"description": "Accept ownership of a public virtual interface created by another customer",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ConfirmPublicVirtualInterface"
},
{
"resource_types": "",
"description": "Creates a new connection between the customer network and a specific AWS Direct Connect location",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateConnection"
},
{
"resource_types": "",
"description": "Creates a new interconnect between an AWS Direct Connect partner's network and a specific AWS Direct Connect location",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateInterconnect"
},
{
"resource_types": "",
"description": "Creates a new private virtual interface",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePrivateVirtualInterface"
},
{
"resource_types": "",
"description": "Creates a new public virtual interface",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePublicVirtualInterface"
},
{
"resource_types": "",
"description": "Deletes the connection",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConnection"
},
{
"resource_types": "",
"description": "Deletes the specified interconnect",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteInterconnect"
},
{
"resource_types": "",
"description": "Deletes a virtual interface",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteVirtualInterface"
},
{
"resource_types": "",
"description": "Returns the LOA-CFA for a Connection",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConnectionLoa"
},
{
"resource_types": "",
"description": "Displays all connections in this region",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConnections"
},
{
"resource_types": "",
"description": "Return a list of connections that have been provisioned on the given interconnect",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConnectionsOnInterconnect"
},
{
"resource_types": "",
"description": "Returns the LOA-CFA for an Interconnect",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeInterconnectLoa"
},
{
"resource_types": "",
"description": "Returns a list of interconnects owned by the AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeInterconnects"
},
{
"resource_types": "",
"description": "Returns the list of AWS Direct Connect locations in the current AWS region",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeLocations"
},
{
"resource_types": "",
"description": "Returns a list of virtual private gateways owned by the AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeVirtualGateways"
},
{
"resource_types": "",
"description": "Displays all virtual interfaces for an AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeVirtualInterfaces"
}
]
},
{
"service_name": "Amazon Lightsail",
"privileges": [
{
"resource_types": "StaticIp",
"description": "Allocates a static IP address",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AllocateStaticIp"
},
{
"resource_types": "Instance",
"description": "Attaches a static IP address to a specific Amazon Lightsail instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachStaticIp"
},
{
"resource_types": "Instance",
"description": "Closes the public ports on a specific Amazon Lightsail instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CloseInstancePublicPorts"
},
{
"resource_types": "Domain",
"description": "Creates a domain resource for the specified domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDomain"
},
{
"resource_types": "Domain",
"description": "Creates one of the following entry records associated with the domain: A record, CNAME record, TXT record, or MX record",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDomainEntry"
},
{
"resource_types": "Instance",
"description": "Creates a snapshot of a specific instance. You can use a snapshot to create a new instance that is based on that snapshot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateInstanceSnapshot"
},
{
"resource_types": "KeyPair",
"description": "Creates one or more Amazon Lightsail instances",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateInstances"
},
{
"resource_types": "Instance",
"description": "Uses a specific snapshot as a blueprint for creating one or more new instances that are based on that identical configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateInstancesFromSnapshot"
},
{
"resource_types": "KeyPair",
"description": "Creates an SSH key pair",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateKeyPair"
},
{
"resource_types": "Domain",
"description": "Deletes the specified domain recordset and all of its domain records",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDomain"
},
{
"resource_types": "Domain",
"description": "Deletes a specific domain entry",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDomainEntry"
},
{
"resource_types": "Instance",
"description": "Deletes a specific Amazon Lightsail instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteInstance"
},
{
"resource_types": "InstanceSnapshot",
"description": "Deletes a specific snapshot of an instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteInstanceSnapshot"
},
{
"resource_types": "KeyPair",
"description": "Deletes a specific SSH key pair",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteKeyPair"
},
{
"resource_types": "Instance",
"description": "Detaches a static IP from the Amazon Lightsail instance to which it is attached",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DetachStaticIp"
},
{
"resource_types": "KeyPair",
"description": "Downloads the default SSH key pair from the user's account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DownloadDefaultKeyPair"
},
{
"resource_types": "",
"description": "Returns the names of all active (not deleted) resources",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetActiveNames"
},
{
"resource_types": "",
"description": "Returns the list of available instance images, or blueprints. You can use a blueprint to create a new instance already running a specific operating system, as well as a preinstalled app or development stack. The software each instance is running depends on the blueprint image you choose",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetBlueprints"
},
{
"resource_types": "",
"description": "Returns the list of bundles that are available for purchase. A bundle describes the specifications for your instance",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetBundles"
},
{
"resource_types": "Domain",
"description": "Returns information about a specific domain recordset",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetDomain"
},
{
"resource_types": "Domain",
"description": "Returns a list of all domains in the user's account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDomains"
},
{
"resource_types": "Instance",
"description": "Returns information about a specific Amazon Lightsail instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInstance"
},
{
"resource_types": "Instance",
"description": "Returns temporary SSH keys you can use to connect to a specific instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInstanceAccessDetails"
},
{
"resource_types": "Instance",
"description": "Returns the data points for the specified Amazon Lightsail instance metric, given an instance name",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInstanceMetricData"
},
{
"resource_types": "Instance",
"description": "Returns the port states for a specific instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInstancePortStates"
},
{
"resource_types": "InstanceSnapshot",
"description": "Returns information about a specific instance snapshot",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInstanceSnapshot"
},
{
"resource_types": "InstanceSnapshot",
"description": "Returns all instance snapshots for the user's account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetInstanceSnapshots"
},
{
"resource_types": "Instance",
"description": "Returns the state of a specific instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInstanceState"
},
{
"resource_types": "Instance",
"description": "Returns information about all Amazon Lightsail instances",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetInstances"
},
{
"resource_types": "KeyPair",
"description": "Returns information about a specific key pair",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetKeyPair"
},
{
"resource_types": "KeyPair",
"description": "Returns information about all key pairs in the user's account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetKeyPairs"
},
{
"resource_types": "",
"description": "Returns information about a specific operation. Operations include events such as when you create an instance, allocate a static IP, attach a static IP, and so on",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetOperation"
},
{
"resource_types": "",
"description": "Returns information about all operations",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetOperations"
},
{
"resource_types": "Domain",
"description": "Gets operations for a specific resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetOperationsForResource"
},
{
"resource_types": "",
"description": "Returns a list of all valid regions for Amazon Lightsail",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetRegions"
},
{
"resource_types": "StaticIp",
"description": "Returns information about a specific static IP",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetStaticIp"
},
{
"resource_types": "StaticIp",
"description": "Returns information about all static IPs in the user's account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetStaticIps"
},
{
"resource_types": "KeyPair",
"description": "Imports a public SSH key from a specific key pair",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportKeyPair"
},
{
"resource_types": "",
"description": "Returns a Boolean value indicating whether your Lightsail VPC is peered",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "IsVpcPeered"
},
{
"resource_types": "Instance",
"description": "Adds public ports to an Amazon Lightsail instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "OpenInstancePublicPorts"
},
{
"resource_types": "",
"description": "Tries to peer the Lightsail VPC with the user's default VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PeerVpc"
},
{
"resource_types": "Instance",
"description": "Restarts a specific instance. When your Amazon Lightsail instance is finished rebooting, Lightsail assigns a new public IP address. To use the same IP address after restarting, create a static IP address and attach it to the instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RebootInstance"
},
{
"resource_types": "StaticIp",
"description": "Deletes a specific static IP from your account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ReleaseStaticIp"
},
{
"resource_types": "Instance",
"description": "Starts a specific Amazon Lightsail instance from a stopped state. To restart an instance, use the reboot instance operation",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartInstance"
},
{
"resource_types": "Instance",
"description": "Stops a specific Amazon Lightsail instance that is currently running",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopInstance"
},
{
"resource_types": "",
"description": "Attempts to unpeer the Lightsail VPC from the user's default VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UnpeerVpc"
},
{
"resource_types": "Domain",
"description": "Updates a domain RecordSet after it is created",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDomainEntry"
}
]
},
{
"service_name": "Amazon Lex",
"privileges": [
{
"resource_types": "bot",
"description": "Creates a new version based on the $LATEST version of the specified bot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBotVersion"
},
{
"resource_types": "intent",
"description": "Creates a new version based on the $LATEST version of the specified intent",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateIntentVersion"
},
{
"resource_types": "slottype",
"description": "Creates a new version based on the $LATEST version of the specified slot type",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSlotTypeVersion"
},
{
"resource_types": "bot",
"description": "Deletes all versions of a bot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBot"
},
{
"resource_types": "bot",
"description": "Deletes an alias for a specific bot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBotAlias"
},
{
"resource_types": "channel",
"description": "Deletes the association between an Amazon Lex bot alias and a messaging platform",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBotChannelAssociation"
},
{
"resource_types": "bot",
"description": "Deletes a specific version of a bot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBotVersion"
},
{
"resource_types": "intent",
"description": "Deletes all versions of an intent",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteIntent"
},
{
"resource_types": "intent",
"description": "Deletes a specific version of an intent",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteIntentVersion"
},
{
"resource_types": "slottype",
"description": "Deletes all versions of a slot type",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSlotType"
},
{
"resource_types": "slottype",
"description": "Deletes a specific version of a slot type",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSlotTypeVersion"
},
{
"resource_types": "bot",
"description": "Deletes the information Amazon Lex maintains for utterances on a specific bot and userId",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteUtterances"
},
{
"resource_types": "bot",
"description": "Returns information for a specific bot. In addition to the bot name, the bot version or alias is required",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBot"
},
{
"resource_types": "bot",
"description": "Returns information about an Amazon Lex bot alias",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBotAlias"
},
{
"resource_types": "bot",
"description": "Returns a list of aliases for a given Amazon Lex bot",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetBotAliases"
},
{
"resource_types": "channel",
"description": "Returns information about the association between an Amazon Lex bot and a messaging platform",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBotChannelAssociation"
},
{
"resource_types": "channel",
"description": "Returns a list of all of the channels associated with a single bot",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetBotChannelAssociations"
},
{
"resource_types": "bot",
"description": "Returns information for all versions of a specific bot",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetBotVersions"
},
{
"resource_types": "",
"description": "Returns information for the $LATEST version of all bots, subject to filters provided by the client",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetBots"
},
{
"resource_types": "",
"description": "Returns information about a built-in intent",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBuiltinIntent"
},
{
"resource_types": "",
"description": "Gets a list of built-in intents that meet the specified criteria",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBuiltinIntents"
},
{
"resource_types": "",
"description": "Gets a list of built-in slot types that meet the specified criteria",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBuiltinSlotTypes"
},
{
"resource_types": "intent",
"description": "Returns information for a specific intent. In addition to the intent name, you must also specify the intent version",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetIntent"
},
{
"resource_types": "intent",
"description": "Returns information for all versions of a specific intent",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetIntentVersions"
},
{
"resource_types": "",
"description": "Returns information for the $LATEST version of all intents, subject to filters provided by the client",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetIntents"
},
{
"resource_types": "slottype",
"description": "Returns information about a specific version of a slot type. In addition to specifying the slot type name, you must also specify the slot type version",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSlotType"
},
{
"resource_types": "slottype",
"description": "Returns information for all versions of a specific slot type",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetSlotTypeVersions"
},
{
"resource_types": "",
"description": "Returns information for the $LATEST version of all slot types, subject to filters provided by the client",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetSlotTypes"
},
{
"resource_types": "bot",
"description": "Returns a view of aggregate utterance data for versions of a bot for a recent time period",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetUtterancesView"
},
{
"resource_types": "bot",
"description": "Sends user input (text or speech) to Amazon Lex",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PostContent"
},
{
"resource_types": "bot",
"description": "Sends user input (text-only) to Amazon Lex",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PostText"
},
{
"resource_types": "bot",
"description": "Creates or updates the $LATEST version of an Amazon Lex conversational bot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutBot"
},
{
"resource_types": "bot",
"description": "Creates or updates an alias for the specific bot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutBotAlias"
},
{
"resource_types": "intent",
"description": "Creates or updates the $LATEST version of an intent",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutIntent"
},
{
"resource_types": "slottype",
"description": "Creates or updates the $LATEST version of a slot type",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutSlotType"
}
]
},
{
"service_name": "AWS Amplify",
"privileges": [
{
"resource_types": "",
"description": "Creates a new Aemilia App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateApp"
},
{
"resource_types": "apps",
"description": "Creates a new Branch for an Aemilia App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBranch"
},
{
"resource_types": "apps",
"description": "Create a new DomainAssociation on an App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDomainAssociation"
},
{
"resource_types": "apps",
"description": "Delete an existing Aemilia App by appId",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteApp"
},
{
"resource_types": "branches",
"description": "Deletes a branch for an Aemilia App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBranch"
},
{
"resource_types": "domains",
"description": "Deletes a DomainAssociation",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDomainAssociation"
},
{
"resource_types": "jobs",
"description": "Delete a job, for an Aemilia branch, part of Aemilia App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteJob"
},
{
"resource_types": "apps",
"description": "Retrieves an existing Aemilia App by appId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetApp"
},
{
"resource_types": "branches",
"description": "Retrieves a branch for an Aemilia App",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBranch"
},
{
"resource_types": "domains",
"description": "Retrieves domain info that corresponds to an appId and domainName",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDomainAssociation"
},
{
"resource_types": "jobs",
"description": "Get a job for a branch, part of an Aemilia App",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetJob"
},
{
"resource_types": "",
"description": "Lists existing Aemilia Apps",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListApps"
},
{
"resource_types": "apps",
"description": "Lists branches for an Aemilia App",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBranches"
},
{
"resource_types": "apps",
"description": "List domains with an app",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDomainAssociations"
},
{
"resource_types": "branches",
"description": "List Jobs for a branch, part of an Aemilia App",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListJobs"
},
{
"resource_types": "jobs",
"description": "Starts a new job for a branch, part of an Aemilia App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartJob"
},
{
"resource_types": "jobs",
"description": "Stop a job that is in progress, for an Aemilia branch, part of Aemilia App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopJob"
},
{
"resource_types": "apps",
"description": "Updates an existing Aemilia App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApp"
},
{
"resource_types": "branches",
"description": "Updates a branch for an Aemilia App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateBranch"
},
{
"resource_types": "domains",
"description": "Update a DomainAssociation on an App",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDomainAssociation"
}
]
},
{
"service_name": "Amazon SQS",
"privileges": [
{
"resource_types": "queue",
"description": "Adds a permission to a queue for a specific principal",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AddPermission"
},
{
"resource_types": "queue",
"description": "Changes the visibility timeout of a specified message in a queue to a new value",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ChangeMessageVisibility"
},
{
"resource_types": "queue",
"description": "Changes the visibility timeout of multiple messages",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ChangeMessageVisibilityBatch"
},
{
"resource_types": "queue",
"description": "Creates a new queue, or returns the URL of an existing one",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateQueue"
},
{
"resource_types": "queue",
"description": "Deletes the specified message from the specified queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteMessage"
},
{
"resource_types": "queue",
"description": "Deletes up to ten messages from the specified queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteMessageBatch"
},
{
"resource_types": "queue",
"description": "Deletes the queue specified by the queue URL, regardless of whether the queue is empty",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteQueue"
},
{
"resource_types": "queue",
"description": "Gets attributes for the specified queue",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetQueueAttributes"
},
{
"resource_types": "queue",
"description": "Returns the URL of an existing queue",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetQueueUrl"
},
{
"resource_types": "queue",
"description": "Returns a list of your queues that have the RedrivePolicy queue attribute configured with a dead letter queue",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListDeadLetterSourceQueues"
},
{
"resource_types": "queue",
"description": "Lists tags added to an SQS queue",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListQueueTags"
},
{
"resource_types": "",
"description": "Returns a list of your queues",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListQueues"
},
{
"resource_types": "queue",
"description": "Deletes the messages in a queue specified by the queue URL",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PurgeQueue"
},
{
"resource_types": "queue",
"description": "Retrieves one or more messages, with a maximum limit of 10 messages, from the specified queue",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ReceiveMessage"
},
{
"resource_types": "queue",
"description": "Revokes any permissions in the queue policy that matches the specified Label parameter",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "RemovePermission"
},
{
"resource_types": "queue",
"description": "Delivers a message to the specified queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SendMessage"
},
{
"resource_types": "queue",
"description": "Delivers up to ten messages to the specified queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SendMessageBatch"
},
{
"resource_types": "queue",
"description": "Sets the value of one or more queue attributes",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetQueueAttributes"
},
{
"resource_types": "queue",
"description": "Add tags to the specified SQS queue",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagQueue"
},
{
"resource_types": "queue",
"description": "Remove tags from the specified SQS queue",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagQueue"
}
]
},
{
"service_name": "AWS Marketplace",
"privileges": [
{
"resource_types": "",
"description": "Allows users to add new software subscriptions on the Your Software page",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Subscribe"
},
{
"resource_types": "",
"description": "Allows users to remove software subscriptions from the Your Software page",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Unsubscribe"
},
{
"resource_types": "",
"description": "Allows users to see subscribed software. Without this permission, no other permissions will work",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ViewSubscriptions"
}
]
},
{
"service_name": "Amazon CloudWatch Logs",
"privileges": [
{
"resource_types": "log-group",
"description": "Associates the specified AWS Key Management Service (AWS KMS) customer master key (CMK) with the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateKmsKey"
},
{
"resource_types": "",
"description": "Cancels an export task if it is in PENDING or RUNNING state",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelExportTask"
},
{
"resource_types": "log-group",
"description": "Creates an ExportTask which allows you to efficiently export data from a Log Group to your Amazon S3 bucket",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateExportTask"
},
{
"resource_types": "",
"description": "Creates a new log group with the specified name",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateLogGroup"
},
{
"resource_types": "log-group",
"description": "Creates a new log stream with the specified name",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateLogStream"
},
{
"resource_types": "",
"description": "Deletes the destination with the specified name and eventually disables all the subscription filters that publish to it",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDestination"
},
{
"resource_types": "log-group",
"description": "Deletes the log group with the specified name and permanently deletes all the archived log events associated with it",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteLogGroup"
},
{
"resource_types": "log-group",
"description": "Deletes a log stream and permanently deletes all the archived log events associated with it",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteLogStream"
},
{
"resource_types": "log-group",
"description": "Deletes a metric filter associated with the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteMetricFilter"
},
{
"resource_types": "",
"description": "Deletes a resource policy from this account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteResourcePolicy"
},
{
"resource_types": "log-group",
"description": "Deletes the retention policy of the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRetentionPolicy"
},
{
"resource_types": "log-group",
"description": "Deletes a subscription filter associated with the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSubscriptionFilter"
},
{
"resource_types": "",
"description": "Returns all the destinations that are associated with the AWS account making the request",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDestinations"
},
{
"resource_types": "",
"description": "Returns all the export tasks that are associated with the AWS account making the request",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeExportTasks"
},
{
"resource_types": "log-group",
"description": "Returns all the log groups that are associated with the AWS account making the request",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeLogGroups"
},
{
"resource_types": "log-group",
"description": "Returns all the log streams that are associated with the specified log group",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeLogStreams"
},
{
"resource_types": "log-group",
"description": "Returns all the metric filters associated with the specified log group",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeMetricFilters"
},
{
"resource_types": "",
"description": "Returns a list of CloudWatch Logs Insights queries that are scheduled, executing, or have been executed recently in this account. You can request all queries, or limit it to queries of a specific log group or queries with a certain status",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeQueries"
},
{
"resource_types": "",
"description": "Return all the resource policies in this account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeResourcePolicies"
},
{
"resource_types": "log-group",
"description": "Returns all the subscription filters associated with the specified log group",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeSubscriptionFilters"
},
{
"resource_types": "log-group",
"description": "Disassociates the associated AWS Key Management Service (AWS KMS) customer master key (CMK) from the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateKmsKey"
},
{
"resource_types": "log-group",
"description": "Retrieves log events, optionally filtered by a filter pattern from the specified log group",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "FilterLogEvents"
},
{
"resource_types": "log-group",
"description": "Retrieves log events from the specified log stream",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetLogEvents"
},
{
"resource_types": "log-group",
"description": "Returns a list of the fields that are included in log events in the specified log group, along with the percentage of log events that contain each field. The search is limited to a time period that you specify",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetLogGroupFields"
},
{
"resource_types": "",
"description": "Retrieves all the fields and values of a single log event. All fields are retrieved, even if the original query that produced the logRecordPointer retrieved only a subset of fields. Fields are returned as field name/field value pairs",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetLogRecord"
},
{
"resource_types": "",
"description": "Returns the results from the specified query. If the query is in progress, partial results of that current execution are returned. Only the fields requested in the query are returned",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetQueryResults"
},
{
"resource_types": "log-group",
"description": "Lists the tags for the specified log group",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTagsLogGroup"
},
{
"resource_types": "",
"description": "Creates or updates a Destination",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutDestination"
},
{
"resource_types": "",
"description": "Creates or updates an access policy associated with an existing Destination",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutDestinationPolicy"
},
{
"resource_types": "log-group",
"description": "Uploads a batch of log events to the specified log stream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutLogEvents"
},
{
"resource_types": "log-group",
"description": "Creates or updates a metric filter and associates it with the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutMetricFilter"
},
{
"resource_types": "",
"description": "Creates or updates a resource policy allowing other AWS services to put log events to this account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutResourcePolicy"
},
{
"resource_types": "log-group",
"description": "Sets the retention of the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutRetentionPolicy"
},
{
"resource_types": "log-group",
"description": "Creates or updates a subscription filter and associates it with the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutSubscriptionFilter"
},
{
"resource_types": "log-group",
"description": "Schedules a query of a log group using CloudWatch Logs Insights. You specify the log group and time range to query, and the query string to use",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "StartQuery"
},
{
"resource_types": "",
"description": "Stops a CloudWatch Logs Insights query that is in progress. If the query has already ended, the operation returns an error indicating that the specified query is not running",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "StopQuery"
},
{
"resource_types": "log-group",
"description": "Adds or updates the specified tags for the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TagLogGroup"
},
{
"resource_types": "",
"description": "Tests the filter pattern of a metric filter against a sample of log event messages",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "TestMetricFilter"
},
{
"resource_types": "log-group",
"description": "Removes the specified tags from the specified log group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UntagLogGroup"
}
]
},
{
"service_name": "Amazon Redshift",
"privileges": [
{
"resource_types": "securitygroup",
"description": "Adds an inbound (ingress) rule to an Amazon Redshift security group",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AuthorizeClusterSecurityGroupIngress"
},
{
"resource_types": "snapshot",
"description": "Authorizes the specified AWS customer account to restore the specified snapshot",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AuthorizeSnapshotAccess"
},
{
"resource_types": "",
"description": "Controls whether a user can see queries in the Amazon Redshift console in the Queries tab of the Cluster section",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelQuerySession"
},
{
"resource_types": "snapshot",
"description": "Copies the specified automated cluster snapshot to a new manual cluster snapshot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopyClusterSnapshot"
},
{
"resource_types": "cluster",
"description": "Creates a new cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCluster"
},
{
"resource_types": "parametergroup",
"description": "Creates an Amazon Redshift parameter group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateClusterParameterGroup"
},
{
"resource_types": "securitygroup",
"description": "Creates a new Amazon Redshift security group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateClusterSecurityGroup"
},
{
"resource_types": "snapshot",
"description": "Creates a manual snapshot of the specified cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateClusterSnapshot"
},
{
"resource_types": "subnetgroup",
"description": "Creates a new Amazon Redshift subnet group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateClusterSubnetGroup"
},
{
"resource_types": "dbuser",
"description": "Give permission to auto create the specified redshift user if it does not exist",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreateClusterUser"
},
{
"resource_types": "eventsubscription",
"description": "Creates an Amazon Redshift event notification subscription",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateEventSubscription"
},
{
"resource_types": "hsmclientcertificate",
"description": "Creates an HSM client certificate that an Amazon Redshift cluster will use to connect to the client's HSM in order to store and retrieve the keys used to encrypt the cluster databases",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateHsmClientCertificate"
},
{
"resource_types": "hsmconfiguration",
"description": "Creates an HSM configuration that contains the information required by an Amazon Redshift cluster to store and use database encryption keys in a Hardware Security Module (HSM",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateHsmConfiguration"
},
{
"resource_types": "snapshotcopygrant",
"description": "Creates a snapshot copy grant that permits Amazon Redshift to use a customer master key (CMK) from AWS Key Management Service (AWS KMS) to encrypt copied snapshots in a destination region",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreateSnapshotCopyGrant"
},
{
"resource_types": "",
"description": "Adds one or more tags to a specified resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateTags"
},
{
"resource_types": "cluster",
"description": "Deletes a previously provisioned cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCluster"
},
{
"resource_types": "parametergroup",
"description": "Deletes a specified Amazon Redshift parameter group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteClusterParameterGroup"
},
{
"resource_types": "securitygroup",
"description": "Deletes an Amazon Redshift security group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteClusterSecurityGroup"
},
{
"resource_types": "snapshot",
"description": "Deletes the specified manual snapshot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteClusterSnapshot"
},
{
"resource_types": "subnetgroup",
"description": "Deletes the specified cluster subnet group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteClusterSubnetGroup"
},
{
"resource_types": "eventsubscription",
"description": "Deletes an Amazon Redshift event notification subscription",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEventSubscription"
},
{
"resource_types": "hsmclientcertificate",
"description": "Deletes the specified HSM client certificate",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteHsmClientCertificate"
},
{
"resource_types": "hsmconfiguration",
"description": "Deletes the specified Amazon Redshift HSM configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteHsmConfiguration"
},
{
"resource_types": "snapshotcopygrant",
"description": "Deletes the specified snapshot copy grant",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSnapshotCopyGrant"
},
{
"resource_types": "",
"description": "Deletes a tag or tags from a resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "DeleteTags"
},
{
"resource_types": "",
"description": "Returns a list of Amazon Redshift parameter groups, including parameter groups you created and the default parameter group",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeClusterParameterGroups"
},
{
"resource_types": "parametergroup",
"description": "Returns a detailed list of parameters contained within the specified Amazon Redshift parameter group",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeClusterParameters"
},
{
"resource_types": "",
"description": "Returns information about Amazon Redshift security groups",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeClusterSecurityGroups"
},
{
"resource_types": "",
"description": "Returns one or more snapshot objects, which contain metadata about your cluster snapshots",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeClusterSnapshots"
},
{
"resource_types": "",
"description": "Returns one or more cluster subnet group objects, which contain metadata about your cluster subnet groups",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeClusterSubnetGroups"
},
{
"resource_types": "",
"description": "Returns descriptions of the available Amazon Redshift cluster versions",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeClusterVersions"
},
{
"resource_types": "",
"description": "Returns properties of provisioned clusters including general cluster properties, cluster database properties, maintenance and backup properties, and security and access properties",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeClusters"
},
{
"resource_types": "",
"description": "Returns a list of parameter settings for the specified parameter group family",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeDefaultClusterParameters"
},
{
"resource_types": "",
"description": "Displays a list of event categories for all event source types, or for a specified source type",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEventCategories"
},
{
"resource_types": "",
"description": "Lists descriptions of all the Amazon Redshift event notifications subscription for a customer account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEventSubscriptions"
},
{
"resource_types": "",
"description": "Returns events related to clusters, security groups, snapshots, and parameter groups for the past 14 days",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeEvents"
},
{
"resource_types": "",
"description": "Returns information about the specified HSM client certificate",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeHsmClientCertificates"
},
{
"resource_types": "",
"description": "Returns information about the specified Amazon Redshift HSM configuration",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeHsmConfigurations"
},
{
"resource_types": "cluster",
"description": "Describes whether information, such as queries and connection attempts, is being logged for the specified Amazon Redshift cluster",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeLoggingStatus"
},
{
"resource_types": "",
"description": "Returns a list of orderable cluster options",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeOrderableClusterOptions"
},
{
"resource_types": "",
"description": "Returns a list of the available reserved node offerings by Amazon Redshift with their descriptions including the node type, the fixed and recurring costs of reserving the node and duration the node will be reserved for you",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeReservedNodeOfferings"
},
{
"resource_types": "",
"description": "Returns the descriptions of the reserved nodes",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeReservedNodes"
},
{
"resource_types": "cluster",
"description": "Returns information about the last resize operation for the specified cluster",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeResize"
},
{
"resource_types": "",
"description": "Returns a list of snapshot copy grants owned by the AWS account in the destination region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSnapshotCopyGrants"
},
{
"resource_types": "",
"description": "Lists the status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTableRestoreStatus"
},
{
"resource_types": "",
"description": "Returns a list of tags",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTags"
},
{
"resource_types": "cluster",
"description": "Stops logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableLogging"
},
{
"resource_types": "cluster",
"description": "Disables the automatic copying of snapshots from one region to another region for a specified cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableSnapshotCopy"
},
{
"resource_types": "cluster",
"description": "Starts logging information, such as queries and connection attempts, for the specified Amazon Redshift cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableLogging"
},
{
"resource_types": "cluster",
"description": "Enables the automatic copy of snapshots from one region to another region for a specified cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableSnapshotCopy"
},
{
"resource_types": "dbuser",
"description": "Get a temporary cluster credential for the specified redshift user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "GetClusterCredentials"
},
{
"resource_types": "dbgroup",
"description": "Give permission to join the specified redshift groups",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "JoinGroup"
},
{
"resource_types": "cluster",
"description": "Modifies the settings for a cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyCluster"
},
{
"resource_types": "cluster",
"description": "Modifies the list of AWS Identity and Access Management (IAM) roles that can be used by the cluster to access other AWS services",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "ModifyClusterIamRoles"
},
{
"resource_types": "parametergroup",
"description": "Modifies the parameters of a parameter group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyClusterParameterGroup"
},
{
"resource_types": "subnetgroup",
"description": "Modifies a cluster subnet group to include the specified list of VPC subnets",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyClusterSubnetGroup"
},
{
"resource_types": "eventsubscription",
"description": "Modifies an existing Amazon Redshift event notification subscription",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyEventSubscription"
},
{
"resource_types": "cluster",
"description": "Modifies the number of days to retain automated snapshots in the destination region after they are copied from the source region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifySnapshotCopyRetentionPeriod"
},
{
"resource_types": "",
"description": "Allows you to purchase reserved nodes. Amazon Redshift offers a predefined set of reserved node offerings",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PurchaseReservedNodeOffering"
},
{
"resource_types": "cluster",
"description": "Reboots a cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RebootCluster"
},
{
"resource_types": "parametergroup",
"description": "Sets one or more parameters of the specified parameter group to their default values and sets the source values of the parameters to \"engine-default",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ResetClusterParameterGroup"
},
{
"resource_types": "snapshot",
"description": "Creates a new cluster from a snapshot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreFromClusterSnapshot"
},
{
"resource_types": "cluster",
"description": "Creates a new table from a table in an Amazon Redshift cluster snapshot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreTableFromClusterSnapshot"
},
{
"resource_types": "securitygroup",
"description": "Revokes an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "RevokeClusterSecurityGroupIngress"
},
{
"resource_types": "snapshot",
"description": "Removes the ability of the specified AWS customer account to restore the specified snapshot",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "RevokeSnapshotAccess"
},
{
"resource_types": "cluster",
"description": "Rotates the encryption keys for a cluster",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "RotateEncryptionKey"
},
{
"resource_types": "",
"description": "Controls whether a user can terminate running queries and loads from the Cluster section in the Amazon Redshift console",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ViewQueriesInConsole"
}
]
},
{
"service_name": "Amazon Glacier",
"privileges": [
{
"resource_types": "vault",
"description": "Aborts a multipart upload identified by the upload ID",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AbortMultipartUpload"
},
{
"resource_types": "vault",
"description": "Aborts the vault locking process if the vault lock is not in the Locked state",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AbortVaultLock"
},
{
"resource_types": "vault",
"description": "Adds the specified tags to a vault",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTagsToVault"
},
{
"resource_types": "vault",
"description": "Completes a multipart upload process",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CompleteMultipartUpload"
},
{
"resource_types": "vault",
"description": "Completes the vault locking process",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CompleteVaultLock"
},
{
"resource_types": "vault",
"description": "Creates a new vault with the specified name",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateVault"
},
{
"resource_types": "vault",
"description": "Deletes an archive from a vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteArchive"
},
{
"resource_types": "vault",
"description": "Deletes a vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteVault"
},
{
"resource_types": "vault",
"description": "Deletes the access policy associated with the specified vault",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteVaultAccessPolicy"
},
{
"resource_types": "vault",
"description": "Deletes the notification configuration set for a vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteVaultNotifications"
},
{
"resource_types": "vault",
"description": "Returns information about a job you previously initiated",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeJob"
},
{
"resource_types": "vault",
"description": "Returns information about a vault",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeVault"
},
{
"resource_types": "",
"description": "Returns the current data retrieval policy for the account and region specified in the GET request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDataRetrievalPolicy"
},
{
"resource_types": "vault",
"description": "Downloads the output of the job you initiated",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetJobOutput"
},
{
"resource_types": "vault",
"description": "Retrieves the access-policy subresource set on the vault",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetVaultAccessPolicy"
},
{
"resource_types": "vault",
"description": "Retrieves attributes from the lock-policy subresource set on the specified vault",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetVaultLock"
},
{
"resource_types": "vault",
"description": "Retrieves the notification-configuration subresource set on the vault",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetVaultNotifications"
},
{
"resource_types": "vault",
"description": "Initiates a job of the specified type",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "InitiateJob"
},
{
"resource_types": "vault",
"description": "Initiates a multipart upload",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "InitiateMultipartUpload"
},
{
"resource_types": "vault",
"description": "Initiates the vault locking process",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "InitiateVaultLock"
},
{
"resource_types": "vault",
"description": "Lists jobs for a vault that are in-progress and jobs that have recently finished",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListJobs"
},
{
"resource_types": "vault",
"description": "Lists in-progress multipart uploads for the specified vault",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListMultipartUploads"
},
{
"resource_types": "vault",
"description": "Lists the parts of an archive that have been uploaded in a specific multipart upload",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListParts"
},
{
"resource_types": "",
"description": "This operation lists the provisioned capacity for the specified AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProvisionedCapacity"
},
{
"resource_types": "vault",
"description": "Lists all the tags attached to a vault",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTagsForVault"
},
{
"resource_types": "",
"description": "Lists all vaults",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListVaults"
},
{
"resource_types": "",
"description": "This operation purchases a provisioned capacity unit for an AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PurchaseProvisionedCapacity"
},
{
"resource_types": "vault",
"description": "Removes one or more tags from the set of tags attached to a vault",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTagsFromVault"
},
{
"resource_types": "",
"description": "Sets and then enacts a data retrieval policy in the region specified in the PUT request",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "SetDataRetrievalPolicy"
},
{
"resource_types": "vault",
"description": "Configures an access policy for a vault and will overwrite an existing policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "SetVaultAccessPolicy"
},
{
"resource_types": "vault",
"description": "Configures vault notifications",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetVaultNotifications"
},
{
"resource_types": "vault",
"description": "Adds an archive to a vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UploadArchive"
},
{
"resource_types": "vault",
"description": "Uploads a part of an archive",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UploadMultipartPart"
}
]
},
{
"service_name": "Amazon Kinesis Firehose",
"privileges": [
{
"resource_types": "deliverystream",
"description": "Creates a delivery stream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDeliveryStream"
},
{
"resource_types": "deliverystream",
"description": "Deletes a delivery stream and its data",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDeliveryStream"
},
{
"resource_types": "deliverystream",
"description": "Describes the specified delivery stream and gets the status",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDeliveryStream"
},
{
"resource_types": "",
"description": "Lists your delivery streams",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDeliveryStreams"
},
{
"resource_types": "deliverystream",
"description": "Lists the tags for the specified delivery stream",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTagsForDeliveryStream"
},
{
"resource_types": "deliverystream",
"description": "Writes a single data record into an Amazon Kinesis Firehose delivery stream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutRecord"
},
{
"resource_types": "deliverystream",
"description": "Writes multiple data records into a delivery stream in a single call, which can achieve higher throughput per producer than when writing single records",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutRecordBatch"
},
{
"resource_types": "deliverystream",
"description": "Enables server-side encryption (SSE) for the delivery stream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartDeliveryStreamEncryption"
},
{
"resource_types": "deliverystream",
"description": "Disables the specified destination of the specified delivery stream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopDeliveryStreamEncryption"
},
{
"resource_types": "deliverystream",
"description": "Adds or updates tags for the specified delivery stream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TagDeliveryStream"
},
{
"resource_types": "deliverystream",
"description": "Removes tags from the specified delivery stream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UntagDeliveryStream"
},
{
"resource_types": "deliverystream",
"description": "Updates the specified destination of the specified delivery stream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDestination"
}
]
},
{
"service_name": "AWS Security Hub",
"privileges": [
{
"resource_types": "",
"description": "Accepts the invitation to be monitored by a master Security Hub account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcceptInvitation"
},
{
"resource_types": "standards-subscription",
"description": "Disables the standards specified by the standards subscription ARNs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchDisableStandards"
},
{
"resource_types": "standard",
"description": "Enables the standards specified by the standards ARNs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchEnableStandards"
},
{
"resource_types": "",
"description": "Imports security findings that are generated by the integrated third-party products into Security Hub",
"condition_keys": [
"securityhub:TargetAccount"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchImportFindings"
},
{
"resource_types": "",
"description": "Creates an insight, which is a collection of related findings defined by an aggregation statement and optional filters",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateInsight"
},
{
"resource_types": "",
"description": "Creates member Security Hub accounts in the current AWS account (which becomes the master Security Hub account) that has Security Hub enabled",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateMembers"
},
{
"resource_types": "",
"description": "Declines invitations that are sent to this AWS account (invitee) by the AWS accounts (inviters) that are specified by the account IDs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeclineInvitations"
},
{
"resource_types": "insight",
"description": "Deletes an insight that is specified by the insight ARN",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteInsight"
},
{
"resource_types": "",
"description": "Deletes invitations that are sent to this AWS account (invitee) by the AWS accounts (inviters) that are specified by their account IDs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteInvitations"
},
{
"resource_types": "",
"description": "Deletes the Security Hub member accounts that are specified by the account IDs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteMembers"
},
{
"resource_types": "product",
"description": "Stops you from being able to import findings generated by the integrated third-party providers into Security Hub",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableImportFindingsForProduct"
},
{
"resource_types": "",
"description": "Disables the AWS Security Hub Service",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableSecurityHub"
},
{
"resource_types": "",
"description": "Disassociates the current Security Hub member account from its master account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateFromMasterAccount"
},
{
"resource_types": "",
"description": "Disassociates the Security Hub member accounts that are specified by the account IDs from their master account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateMembers"
},
{
"resource_types": "product",
"description": "Enables you to import findings generated by the integrated third-party providers into Security Hub",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableImportFindingsForProduct"
},
{
"resource_types": "",
"description": "Enables the AWS Security Hub service",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableSecurityHub"
},
{
"resource_types": "",
"description": "Lists and describes enabled standards",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetEnabledStandards"
},
{
"resource_types": "",
"description": "Lists and describes Security Hub-aggregated findings that are specified by filter attributes",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFindings"
},
{
"resource_types": "insight",
"description": "Lists the results of the Security Hub insight specified by the insight ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInsightResults"
},
{
"resource_types": "insight",
"description": "Lists and describes insights that are specified by insight ARNs",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetInsights"
},
{
"resource_types": "",
"description": "Returns the count of all Security Hub membership invitations that were sent to the current member account, not including the currently accepted invitation",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInvitationsCount"
},
{
"resource_types": "",
"description": "Provides the details for the Security Hub master account to the current member account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetMasterAccount"
},
{
"resource_types": "",
"description": "Returns the details on the Security Hub member accounts that are specified by the account IDs",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetMembers"
},
{
"resource_types": "",
"description": "Invites other AWS accounts to enable Security Hub and become Security Hub member accounts. When an account accepts the invitation and becomes a member account, the master account can view and manage the Security Hub findings of the member account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "InviteMembers"
},
{
"resource_types": "",
"description": "Lists all Security Hub integrated third-party findings providers",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListEnabledProductsForImport"
},
{
"resource_types": "",
"description": "Lists all Security Hub membership invitations that were sent to the current AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListInvitations"
},
{
"resource_types": "",
"description": "Lists details about all member accounts for the current Security Hub master account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListMembers"
},
{
"resource_types": "",
"description": "Updates the AWS Security Hub-aggregated findings specified by the filter attributes",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateFindings"
},
{
"resource_types": "insight",
"description": "Updates the AWS Security Hub insight specified by the insight ARN",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateInsight"
}
]
},
{
"service_name": "Amazon GroundTruth Labeling",
"privileges": [
{
"resource_types": "",
"description": "Get status of GroundTruthLabeling Jobs",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeConsoleJob"
},
{
"resource_types": "",
"description": "Paginated list api to list dataset objects in a manifest file",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListDatasetObjects"
},
{
"resource_types": "",
"description": "Filter records from a manifest file using S3 select. Get Sample entries based on random sampling",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RunFilterOrSampleDatasetJob"
},
{
"resource_types": "",
"description": "List a S3 prefix and create manifest files from objects in there",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RunGenerateManifestByCrawlingJob"
}
]
},
{
"service_name": "AWS Artifact",
"privileges": [
{
"resource_types": "agreement",
"description": "Grants permission to accept an AWS agreement that has not yet been accepted by the customer account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcceptAgreement"
},
{
"resource_types": "agreement",
"description": "Grants permission to download an AWS agreement that has not yet been accepted or a customer agreement that has been accepted by the customer account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DownloadAgreement"
},
{
"resource_types": "report-package",
"description": "Grants permission to download an AWS compliance report package",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "Get"
},
{
"resource_types": "customer-agreement",
"description": "Grants permission to terminate a customer agreement that was previously accepted by the customer account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateAgreement"
}
]
},
{
"service_name": "AWS Billing",
"privileges": [
{
"resource_types": "",
"description": "Allow or deny IAM users permission to modify Account Settings",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyAccount"
},
{
"resource_types": "",
"description": "Allow or deny IAM users permission to modify billing settings",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyBilling"
},
{
"resource_types": "",
"description": "Allow or deny IAM users permission to modify payment methods",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyPaymentMethods"
},
{
"resource_types": "",
"description": "Allow or deny IAM users permission to view account settings",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ViewAccount"
},
{
"resource_types": "",
"description": "Allow or deny IAM users permission to view billing pages in the console",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ViewBilling"
},
{
"resource_types": "",
"description": "Allow or deny IAM users permission to view payment methods",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ViewPaymentMethods"
},
{
"resource_types": "",
"description": "Allow or deny IAM users permission to view AWS usage reports",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ViewUsage"
}
]
},
{
"service_name": "Amazon CloudWatch",
"privileges": [
{
"resource_types": "",
"description": "Deletes all specified alarms. In the event of an error, no alarms are deleted",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAlarms"
},
{
"resource_types": "",
"description": "Deletes all CloudWatch dashboards that you specify",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDashboards"
},
{
"resource_types": "",
"description": "Retrieves history for the specified alarm",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAlarmHistory"
},
{
"resource_types": "",
"description": "Retrieves alarms with the specified names",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAlarms"
},
{
"resource_types": "",
"description": "Retrieves all alarms for a single metric",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAlarmsForMetric"
},
{
"resource_types": "",
"description": "Disables actions for the specified alarms",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableAlarmActions"
},
{
"resource_types": "",
"description": "Enables actions for the specified alarms",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableAlarmActions"
},
{
"resource_types": "",
"description": "Displays the details of the CloudWatch dashboard you specify",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDashboard"
},
{
"resource_types": "",
"description": "Required to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetMetricData"
},
{
"resource_types": "",
"description": "Gets statistics for the specified metric",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetMetricStatistics"
},
{
"resource_types": "",
"description": "Required to retrieve snapshots of metric widgets",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetMetricWidgetImage"
},
{
"resource_types": "",
"description": "Returns a list of all CloudWatch dashboards in your account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDashboards"
},
{
"resource_types": "",
"description": "Returns a list of valid metrics stored for the AWS account owner",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListMetrics"
},
{
"resource_types": "",
"description": "Creates a CloudWatch dashboard, or updates an existing dashboard if it already exists",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutDashboard"
},
{
"resource_types": "",
"description": "Creates or updates an alarm and associates it with the specified Amazon CloudWatch metric",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutMetricAlarm"
},
{
"resource_types": "",
"description": "Publishes metric data points to Amazon CloudWatch",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutMetricData"
},
{
"resource_types": "",
"description": "Temporarily sets the state of an alarm for testing purposes",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetAlarmState"
}
]
},
{
"service_name": "AWS Health APIs and Notifications",
"privileges": [
{
"resource_types": "event",
"description": "Gets a list of entities that have been affected by the specified events",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAffectedEntities"
},
{
"resource_types": "",
"description": "Returns the number of entities that are affected by each of the specified events",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEntityAggregates"
},
{
"resource_types": "",
"description": "Returns the number of events of each event type (issue, scheduled change, and account notification",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEventAggregates"
},
{
"resource_types": "event",
"description": "Returns detailed information about one or more specified events",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEventDetails"
},
{
"resource_types": "",
"description": "Returns the event types that meet the specified filter criteria",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEventTypes"
},
{
"resource_types": "",
"description": "Returns information about events that meet the specified filter criteria",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEvents"
}
]
},
{
"service_name": "AWS Cloud9",
"privileges": [
{
"resource_types": "",
"description": "Creates an AWS Cloud9 development environment, launches an Amazon Elastic Compute Cloud (Amazon EC2) instance, and then hosts the environment on the instance",
"condition_keys": [
"cloud9:EnvironmentName",
"cloud9:InstanceType",
"cloud9:SubnetId",
"cloud9:UserArn"
],
"access_level": "Write",
"dependent_actions": [
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"iam:CreateServiceLinkedRole"
],
"privilege": "CreateEnvironmentEC2"
},
{
"resource_types": "",
"description": "Adds an environment member to an AWS Cloud9 development environment",
"condition_keys": [
"cloud9:UserArn",
"cloud9:EnvironmentId",
"cloud9:Permissions"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateEnvironmentMembership"
},
{
"resource_types": "environment",
"description": "Deletes an AWS Cloud9 development environment. If the environment is hosted on an Amazon Elastic Compute Cloud (Amazon EC2) instance, also terminates the instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"iam:CreateServiceLinkedRole"
],
"privilege": "DeleteEnvironment"
},
{
"resource_types": "",
"description": "Deletes an environment member from an AWS Cloud9 development environment",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEnvironmentMembership"
},
{
"resource_types": "",
"description": "Gets information about environment members for an AWS Cloud9 development environment",
"condition_keys": [
"cloud9:UserArn",
"cloud9:EnvironmentId"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEnvironmentMemberships"
},
{
"resource_types": "",
"description": "Gets status information for an AWS Cloud9 development environment",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEnvironmentStatus"
},
{
"resource_types": "environment",
"description": "Gets information about AWS Cloud9 development environments",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEnvironments"
},
{
"resource_types": "",
"description": "Gets a list of AWS Cloud9 development environment identifiers",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListEnvironments"
},
{
"resource_types": "environment",
"description": "Changes the settings of an existing AWS Cloud9 development environment",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateEnvironment"
},
{
"resource_types": "",
"description": "Changes the settings of an existing environment member for an AWS Cloud9 development environment",
"condition_keys": [
"cloud9:UserArn",
"cloud9:EnvironmentId",
"cloud9:Permissions"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateEnvironmentMembership"
}
]
},
{
"service_name": "AWS Directory Service",
"privileges": [
{
"resource_types": "",
"description": "Accepts a directory sharing request that was sent from the directory owner account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcceptSharedDirectory"
},
{
"resource_types": "",
"description": "Adds a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeSecurityGroups"
],
"privilege": "AddIpRoutes"
},
{
"resource_types": "",
"description": "Adds or overwrites one or more tags for the specified Amazon Directory Services directory",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTagsToResource"
},
{
"resource_types": "",
"description": "Cancels an in-progress schema extension to a Microsoft AD directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelSchemaExtension"
},
{
"resource_types": "",
"description": "Creates an AD Connector to connect to an on-premises directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"privilege": "ConnectDirectory"
},
{
"resource_types": "",
"description": "Creates an alias for a directory and assigns the alias to the directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateAlias"
},
{
"resource_types": "",
"description": "Creates a computer account in the specified directory, and joins the computer to the directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateComputer"
},
{
"resource_types": "",
"description": "Creates a conditional forwarder associated with your AWS directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateConditionalForwarder"
},
{
"resource_types": "",
"description": "Creates a Simple AD directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"privilege": "CreateDirectory"
},
{
"resource_types": "",
"description": "Creates a subscription to forward real time Directory Service domain controller security logs to the specified CloudWatch log group in your AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateLogSubscription"
},
{
"resource_types": "",
"description": "Creates a Microsoft AD in the AWS cloud",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"privilege": "CreateMicrosoftAD"
},
{
"resource_types": "",
"description": "Creates a snapshot of a Simple AD or Microsoft AD directory in the AWS cloud",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSnapshot"
},
{
"resource_types": "",
"description": "Initiates the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTrust"
},
{
"resource_types": "",
"description": "Deletes a conditional forwarder that has been set up for your AWS directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConditionalForwarder"
},
{
"resource_types": "",
"description": "Deletes an AWS Directory Service directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DescribeNetworkInterfaces",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"privilege": "DeleteDirectory"
},
{
"resource_types": "",
"description": "Deletes the specified log subscription",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteLogSubscription"
},
{
"resource_types": "",
"description": "Deletes a directory snapshot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSnapshot"
},
{
"resource_types": "",
"description": "Deletes an existing trust relationship between your Microsoft AD in the AWS cloud and an external domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTrust"
},
{
"resource_types": "",
"description": "Removes the specified directory as a publisher to the specified SNS topic",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeregisterEventTopic"
},
{
"resource_types": "",
"description": "Obtains information about the conditional forwarders for this account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeConditionalForwarders"
},
{
"resource_types": "",
"description": "Obtains information about the directories that belong to this account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDirectories"
},
{
"resource_types": "",
"description": "Provides information about any domain controllers in your directory",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeDomainControllers"
},
{
"resource_types": "",
"description": "Obtains information about which SNS topics receive status messages from the specified directory",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeEventTopics"
},
{
"resource_types": "",
"description": "Returns the shared directories in your account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSharedDirectories"
},
{
"resource_types": "",
"description": "Obtains information about the directory snapshots that belong to this account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSnapshots"
},
{
"resource_types": "",
"description": "Obtains information about the trust relationships for this account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTrusts"
},
{
"resource_types": "",
"description": "Disables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableRadius"
},
{
"resource_types": "",
"description": "Disables single-sign on for a directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableSso"
},
{
"resource_types": "",
"description": "Enables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableRadius"
},
{
"resource_types": "",
"description": "Enables single-sign on for a directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableSso"
},
{
"resource_types": "",
"description": "Obtains directory limit information for the current region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDirectoryLimits"
},
{
"resource_types": "",
"description": "Obtains the manual snapshot limits for a directory",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSnapshotLimits"
},
{
"resource_types": "",
"description": "Lists the address blocks that you have added to a directory",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListIpRoutes"
},
{
"resource_types": "",
"description": "Lists the active log subscriptions for the AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListLogSubscriptions"
},
{
"resource_types": "",
"description": "Lists all schema extensions applied to a Microsoft AD Directory",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSchemaExtensions"
},
{
"resource_types": "",
"description": "Lists all tags on an Amazon Directory Services directory",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "",
"description": "Associates a directory with an SNS topic",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"sns:GetTopicAttributes"
],
"privilege": "RegisterEventTopic"
},
{
"resource_types": "",
"description": "Rejects a directory sharing request that was sent from the directory owner account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RejectSharedDirectory"
},
{
"resource_types": "",
"description": "Removes IP address blocks from a directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveIpRoutes"
},
{
"resource_types": "",
"description": "Removes tags from an Amazon Directory Services directory",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTagsFromResource"
},
{
"resource_types": "",
"description": "Resets the password for any user in your AWS Managed Microsoft AD or Simple AD directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ResetUserPassword"
},
{
"resource_types": "",
"description": "Restores a directory using an existing directory snapshot",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreFromSnapshot"
},
{
"resource_types": "",
"description": "Shares a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ShareDirectory"
},
{
"resource_types": "",
"description": "Applies a schema extension to a Microsoft AD directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartSchemaExtension"
},
{
"resource_types": "",
"description": "Stops the directory sharing between the directory owner and consumer accounts",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UnshareDirectory"
},
{
"resource_types": "",
"description": "Updates a conditional forwarder that has been set up for your AWS directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateConditionalForwarder"
},
{
"resource_types": "",
"description": "Adds or removes domain controllers to or from the directory. Based on the difference between current value and new value (provided through this API call), domain controllers will be added or removed. It may take up to 45 minutes for any new domain controllers to become fully active once the requested number of domain controllers is updated. During this time, you cannot make another update request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateNumberOfDomainControllers"
},
{
"resource_types": "",
"description": "Updates the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRadius"
},
{
"resource_types": "",
"description": "Verifies a trust relationship between your Microsoft AD in the AWS cloud and an external domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "VerifyTrust"
}
]
},
{
"service_name": "AWS Elemental MediaStore",
"privileges": [
{
"resource_types": "",
"description": "Creates a storage container",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateContainer"
},
{
"resource_types": "",
"description": "Deletes a storage container",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteContainer"
},
{
"resource_types": "",
"description": "Deletes a container storage policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteContainerPolicy"
},
{
"resource_types": "",
"description": "Deletes an object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteObject"
},
{
"resource_types": "",
"description": "Retrieves details of a specific container",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeContainer"
},
{
"resource_types": "",
"description": "Retrieves an objects metadata",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeObject"
},
{
"resource_types": "",
"description": "Retrieves a container resource policy",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetContainerPolicy"
},
{
"resource_types": "",
"description": "Retrieves an object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetObject"
},
{
"resource_types": "",
"description": "Retrieves a list of storage containers",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListContainers"
},
{
"resource_types": "",
"description": "Retrieves a list of items like objects or folders",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListItems"
},
{
"resource_types": "",
"description": "Adds or modifies a container resource policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutContainerPolicy"
},
{
"resource_types": "",
"description": "Uploads an object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutObject"
}
]
},
{
"service_name": "AWS Support",
"privileges": [
{
"resource_types": "",
"description": "Adds one or more attachments to an attachment set. If an attachmentSetId is not specified, a new attachment set is created",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddAttachmentsToSet"
},
{
"resource_types": "",
"description": "Adds additional customer communication to an AWS Support case",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddCommunicationToCase"
},
{
"resource_types": "",
"description": "Creates a new case in the AWS Support Center",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCase"
},
{
"resource_types": "",
"description": "Returns a description of an attachment",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAttachment"
},
{
"resource_types": "",
"description": "Returns a list of cases that matches the given inputs",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeCases"
},
{
"resource_types": "",
"description": "Returns the communications (and attachments) for one or more support cases",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCommunications"
},
{
"resource_types": "",
"description": "Returns the current list of AWS services and a list of service categories that applies to each one",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeServices"
},
{
"resource_types": "",
"description": "Returns the list of severity levels that can be assigned to an AWS Support case",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeSeverityLevels"
},
{
"resource_types": "",
"description": "Returns the refresh status of the Trusted Advisor checks that have the specified check identifiers",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTrustedAdvisorCheckRefreshStatuses"
},
{
"resource_types": "",
"description": "Returns the results of the Trusted Advisor check that has the specified check identifier",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTrustedAdvisorCheckResult"
},
{
"resource_types": "",
"description": "Returns the summaries of the results of the Trusted Advisor checks that have the specified check identifiers",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTrustedAdvisorCheckSummaries"
},
{
"resource_types": "",
"description": "Returns information about all available Trusted Advisor checks, including name, ID, category, description, and metadata",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTrustedAdvisorChecks"
},
{
"resource_types": "",
"description": "Requests a refresh of the Trusted Advisor check that has the specified check ID",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RefreshTrustedAdvisorCheck"
},
{
"resource_types": "",
"description": "Resolves a case",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ResolveCase"
}
]
},
{
"service_name": "Amazon Cloud Directory",
"privileges": [
{
"resource_types": "directory",
"description": "Adds a new Facet to an object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddFacetToObject"
},
{
"resource_types": "directory",
"description": "Copies input published schema into Directory with same name and version as that of published schema",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ApplySchema"
},
{
"resource_types": "directory",
"description": "Attaches an existing object to another existing object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachObject"
},
{
"resource_types": "directory",
"description": "Attaches a policy object to any other object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachPolicy"
},
{
"resource_types": "directory",
"description": "Attaches the specified object to the specified index",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachToIndex"
},
{
"resource_types": "directory",
"description": "Attaches a typed link between a source and target object reference",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachTypedLink"
},
{
"resource_types": "directory",
"description": "Performs all the read operations in a batch. Each individual operation inside BatchRead needs to be granted permissions explicitly",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchRead"
},
{
"resource_types": "directory",
"description": "Performs all the write operations in a batch. Each individual operation inside BatchWrite needs to be granted permissions explicitly",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchWrite"
},
{
"resource_types": "publishedSchema",
"description": "Creates a Directory by copying the published schema into the directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDirectory"
},
{
"resource_types": "appliedSchema",
"description": "Creates a new Facet in a schema",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateFacet"
},
{
"resource_types": "directory",
"description": "Creates an index object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateIndex"
},
{
"resource_types": "directory",
"description": "Creates an object in a Directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateObject"
},
{
"resource_types": "",
"description": "Creates a new schema in a development state",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSchema"
},
{
"resource_types": "appliedSchema",
"description": "Creates a new Typed Link facet in a schema",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTypedLinkFacet"
},
{
"resource_types": "directory",
"description": "Deletes a directory. Only disabled directories can be deleted",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDirectory"
},
{
"resource_types": "developmentSchema",
"description": "Deletes a given Facet. All attributes and Rules associated with the facet will be deleted",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteFacet"
},
{
"resource_types": "directory",
"description": "Deletes an object and its associated attributes",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteObject"
},
{
"resource_types": "developmentSchema",
"description": "Deletes a given schema",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSchema"
},
{
"resource_types": "developmentSchema",
"description": "Deletes a given TypedLink Facet. All attributes and Rules associated with the facet will be deleted",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTypedLinkFacet"
},
{
"resource_types": "directory",
"description": "Detaches the specified object from the specified index",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DetachFromIndex"
},
{
"resource_types": "directory",
"description": "Detaches a given object from the parent object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DetachObject"
},
{
"resource_types": "directory",
"description": "Detaches a policy from an object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DetachPolicy"
},
{
"resource_types": "directory",
"description": "Detaches a given typed link between a given source and target object reference",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DetachTypedLink"
},
{
"resource_types": "directory",
"description": "Disables the specified directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableDirectory"
},
{
"resource_types": "directory",
"description": "Enables the specified directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableDirectory"
},
{
"resource_types": "directory",
"description": "Retrieves metadata about a directory",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDirectory"
},
{
"resource_types": "appliedSchema",
"description": "Gets details of the Facet, such as Facet Name, Attributes, Rules, or ObjectType",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFacet"
},
{
"resource_types": "directory",
"description": "Retrieves attributes that are associated with a typed link",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetLinkAttributes"
},
{
"resource_types": "directory",
"description": "Retrieves attributes within a facet that are associated with an object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetObjectAttributes"
},
{
"resource_types": "directory",
"description": "Retrieves metadata about an object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetObjectInformation"
},
{
"resource_types": "appliedSchema",
"description": "Retrieves a JSON representation of the schema",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSchemaAsJson"
},
{
"resource_types": "appliedSchema",
"description": "Returns identity attributes order information associated with a given typed link facet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTypedLinkFacetInformation"
},
{
"resource_types": "directory",
"description": "Lists schemas applied to a directory",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAppliedSchemaArns"
},
{
"resource_types": "directory",
"description": "Lists indices attached to an object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListAttachedIndices"
},
{
"resource_types": "",
"description": "Retrieves the ARNs of schemas in the development state",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDevelopmentSchemaArns"
},
{
"resource_types": "",
"description": "Lists directories created within an account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDirectories"
},
{
"resource_types": "appliedSchema",
"description": "Retrieves attributes attached to the facet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListFacetAttributes"
},
{
"resource_types": "appliedSchema",
"description": "Retrieves the names of facets that exist in a schema",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListFacetNames"
},
{
"resource_types": "directory",
"description": "Returns a paginated list of all incoming TypedLinks for a given object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListIncomingTypedLinks"
},
{
"resource_types": "directory",
"description": "Lists objects attached to the specified index",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListIndex"
},
{
"resource_types": "directory",
"description": "Lists all attributes associated with an object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListObjectAttributes"
},
{
"resource_types": "directory",
"description": "Returns a paginated list of child objects associated with a given object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListObjectChildren"
},
{
"resource_types": "directory",
"description": "Retrieves all available parent paths for any object type such as node, leaf node, policy node, and index node objects",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListObjectParentPaths"
},
{
"resource_types": "directory",
"description": "Lists parent objects associated with a given object in pagination fashion",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListObjectParents"
},
{
"resource_types": "directory",
"description": "Returns policies attached to an object in pagination fashion",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListObjectPolicies"
},
{
"resource_types": "directory",
"description": "Returns a paginated list of all outgoing TypedLinks for a given object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListOutgoingTypedLinks"
},
{
"resource_types": "directory",
"description": "Returns all of the ObjectIdentifiers to which a given policy is attached",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListPolicyAttachments"
},
{
"resource_types": "",
"description": "Retrieves published schema ARNs",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPublishedSchemaArns"
},
{
"resource_types": "directory",
"description": "Returns tags for a resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "appliedSchema",
"description": "Returns a paginated list of attributes associated with typed link facet",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTypedLinkFacetAttributes"
},
{
"resource_types": "appliedSchema",
"description": "Returns a paginated list of typed link facet names that exist in a schema",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTypedLinkFacetNames"
},
{
"resource_types": "directory",
"description": "Lists all policies from the root of the Directory to the object specified",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "LookupPolicy"
},
{
"resource_types": "developmentSchema",
"description": "Publishes a development schema with a version",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PublishSchema"
},
{
"resource_types": "",
"description": "Allows a schema to be updated using JSON upload. Only available for development schemas",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutSchemaFromJson"
},
{
"resource_types": "directory",
"description": "Removes the specified facet from the specified object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveFacetFromObject"
},
{
"resource_types": "directory",
"description": "Adds tags to a resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "directory",
"description": "Removes tags from a resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "appliedSchema",
"description": "Adds/Updates/Deletes existing Attributes, Rules, or ObjectType of a Facet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateFacet"
},
{
"resource_types": "directory",
"description": "Updates a given typed link’s attributes. Attributes to be updated must not contribute to the typed link’s identity, as defined by its IdentityAttributeOrder",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateLinkAttributes"
},
{
"resource_types": "directory",
"description": "Updates a given object's attributes",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateObjectAttributes"
},
{
"resource_types": "developmentSchema",
"description": "Updates the schema name with a new name",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSchema"
},
{
"resource_types": "developmentSchema",
"description": "Adds/Updates/Deletes existing Attributes, Rules, identity attribute order of a TypedLink Facet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateTypedLinkFacet"
}
]
},
{
"service_name": "AWS Key Management Service",
"privileges": [
{
"resource_types": "key",
"description": "Grants permission to cancel the scheduled deletion of a customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelKeyDeletion"
},
{
"resource_types": "key",
"description": "Grants permission to create an alias for a customer master key (CMK). Aliases are optional display names that you can associate with CMKs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateAlias"
},
{
"resource_types": "key",
"description": "Grants permission to add a grant to a customer master key. You can use grants to add permissions without changing the key policy or IAM policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreateGrant"
},
{
"resource_types": "",
"description": "Grants permission to create a customer master key that can be used to protect data keys and other sensitive information",
"condition_keys": [
"kms:BypassPolicyLockoutSafetyCheck",
"kms:KeyOrigin"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateKey"
},
{
"resource_types": "key",
"description": "Grants permission to decrypt ciphertext that was encrypted under a customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Decrypt"
},
{
"resource_types": "alias",
"description": "Grants permission to delete an alias, which is an optional friendly name for a customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAlias"
},
{
"resource_types": "key",
"description": "Grants permission to delete cryptographic material that you imported into a customer master key. This action makes the key unusable",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteImportedKeyMaterial"
},
{
"resource_types": "key",
"description": "Grants permission to view detailed information about a customer master key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeKey"
},
{
"resource_types": "key",
"description": "Grants permission to disable a customer master key, which prevents it from being used in cryptographic operations",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableKey"
},
{
"resource_types": "key",
"description": "Grants permission to disable automatic rotation of a customer managed customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableKeyRotation"
},
{
"resource_types": "key",
"description": "Grants permission to change the state of a customer master key (CMK) to enabled. This allows the CMK to be used in cryptographic operations",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableKey"
},
{
"resource_types": "key",
"description": "Grants permission to enable automatic rotation of the cryptographic material in a customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableKeyRotation"
},
{
"resource_types": "key",
"description": "Grants permission to use the specified customer master key to encrypt data and data keys",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Encrypt"
},
{
"resource_types": "key",
"description": "Grants permission to use the customer master key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "GenerateDataKey"
},
{
"resource_types": "key",
"description": "Grants permission to use the customer master key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "GenerateDataKeyWithoutPlaintext"
},
{
"resource_types": "",
"description": "Grants permission to get a cryptographically secure random byte string from AWS KMS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "GenerateRandom"
},
{
"resource_types": "key",
"description": "Grants permission to view the key policy for the specified customer master key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetKeyPolicy"
},
{
"resource_types": "key",
"description": "Grants permission to determine whether automatic key rotation is enabled on the customer master key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetKeyRotationStatus"
},
{
"resource_types": "key",
"description": "Grants permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetParametersForImport"
},
{
"resource_types": "key",
"description": "Grants permission to import cryptographic material into a customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportKeyMaterial"
},
{
"resource_types": "",
"description": "Grants permission to view the aliases that are defined in the account. Aliases are optional display names that you can associate with customer master keys",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAliases"
},
{
"resource_types": "key",
"description": "Grants permission to view all grants for a customer master key",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGrants"
},
{
"resource_types": "key",
"description": "Grants permission to view the names of key policies for a customer master key",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListKeyPolicies"
},
{
"resource_types": "",
"description": "Grants permission to view the key ID and Amazon Resource Name (ARN) of all customer master keys in the account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListKeys"
},
{
"resource_types": "key",
"description": "Grants permission to view all tags that are attached to a customer master key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListResourceTags"
},
{
"resource_types": "key",
"description": "Grants permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRetirableGrants"
},
{
"resource_types": "key",
"description": "Grants permission to replace the key policy for the specified customer master key",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutKeyPolicy"
},
{
"resource_types": "key",
"description": "Grants permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ReEncryptFrom"
},
{
"resource_types": "key",
"description": "Grants permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ReEncryptTo"
},
{
"resource_types": "key",
"description": "Grants permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "RetireGrant"
},
{
"resource_types": "key",
"description": "Grants permission to revoke a grant, which denies permission for all operations that depend on the grant",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "RevokeGrant"
},
{
"resource_types": "key",
"description": "Grants permission to schedule deletion of a customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ScheduleKeyDeletion"
},
{
"resource_types": "key",
"description": "Grants permission to create or update tags that are attached to a customer master key",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "key",
"description": "Grants permission to delete tags that are attached to a customer master key",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "alias",
"description": "Grants permission to associate an alias with a different customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateAlias"
},
{
"resource_types": "key",
"description": "Grants permission to delete or change the description of a customer master key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateKeyDescription"
}
]
},
{
"service_name": "AWS SSO",
"privileges": [
{
"resource_types": "",
"description": "Adds member to the group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddMemberToGroup"
},
{
"resource_types": "",
"description": "Connect a directory to be used by AWS Single Sign-On",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateDirectory"
},
{
"resource_types": "",
"description": "Create an association between a directory user or group and a profile",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateProfile"
},
{
"resource_types": "",
"description": "Creates an alias for User Pool",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateAlias"
},
{
"resource_types": "",
"description": "Add an application instance to AWS Single Sign-On",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateApplicationInstance"
},
{
"resource_types": "",
"description": "Add a new certificate for an application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateApplicationInstanceCertificate"
},
{
"resource_types": "",
"description": "Creates a group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateGroup"
},
{
"resource_types": "",
"description": "Create a permission set",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePermissionSet"
},
{
"resource_types": "",
"description": "Create a profile for an application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateProfile"
},
{
"resource_types": "",
"description": "Create a federation trust in a target account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTrust"
},
{
"resource_types": "",
"description": "Creates a user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateUser"
},
{
"resource_types": "",
"description": "Delete the application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteApplicationInstance"
},
{
"resource_types": "",
"description": "Delete an inactive or expired certificate from the application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteApplicationInstanceCertificate"
},
{
"resource_types": "",
"description": "Deletes a group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteGroup"
},
{
"resource_types": "",
"description": "Delete a permission set",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePermissionSet"
},
{
"resource_types": "",
"description": "Delete the permission policy associated with a permission set",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePermissionsPolicy"
},
{
"resource_types": "",
"description": "Delete the profile for an application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProfile"
},
{
"resource_types": "",
"description": "Deletes a user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteUser"
},
{
"resource_types": "",
"description": "Retrieve groups' information",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeGroups"
},
{
"resource_types": "",
"description": "Retrieve all the permissions policies associated with a permission set",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribePermissionsPolicies"
},
{
"resource_types": "",
"description": "Retrieves users' information",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeUsers"
},
{
"resource_types": "",
"description": "Deactivates user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableUser"
},
{
"resource_types": "",
"description": "Disassociate a directory to be used by AWS Single Sign-On",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateDirectory"
},
{
"resource_types": "",
"description": "Disassociate a directory user or group from a profile",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateProfile"
},
{
"resource_types": "",
"description": "Activates user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableUser"
},
{
"resource_types": "",
"description": "Retrieve details for an application instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetApplicationInstance"
},
{
"resource_types": "",
"description": "Retrieve application template details",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetApplicationTemplate"
},
{
"resource_types": "",
"description": "Retrieve details of a permission set",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPermissionSet"
},
{
"resource_types": "",
"description": "Retrieve all permission policies associated with a permission set",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [
"sso:DescribePermissionsPolicies"
],
"privilege": "GetPermissionsPolicy"
},
{
"resource_types": "",
"description": "Retrieve a profile for an application instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetProfile"
},
{
"resource_types": "",
"description": "Retrieve configuration for the current SSO instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSSOConfiguration"
},
{
"resource_types": "",
"description": "Check if AWS Single Sign-On is enabled",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSSOStatus"
},
{
"resource_types": "",
"description": "Retrieve the federation trust in a target account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTrust"
},
{
"resource_types": "",
"description": "Retrieve User Pool information",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetUserPoolInfo"
},
{
"resource_types": "",
"description": "Update the application instance by uploading an application SAML metadata file provided by the service provider",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportApplicationInstanceServiceProviderMetadata"
},
{
"resource_types": "",
"description": "Retrieve all of the certificates for a given application instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListApplicationInstanceCertificates"
},
{
"resource_types": "",
"description": "Retrieve all application instances",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [
"sso:GetApplicationInstance"
],
"privilege": "ListApplicationInstances"
},
{
"resource_types": "",
"description": "Retrieve all supported application templates",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [
"sso:GetApplicationTemplate"
],
"privilege": "ListApplicationTemplates"
},
{
"resource_types": "",
"description": "Retrieve all supported applications",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListApplications"
},
{
"resource_types": "",
"description": "Retrieve details about the directory connected to AWS Single Sign-On",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListDirectoryAssociations"
},
{
"resource_types": "",
"description": "Lists groups for a user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGroupsForUser"
},
{
"resource_types": "",
"description": "Retrieves all members that are part of the group",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListMembersInGroup"
},
{
"resource_types": "",
"description": "Retrieve all permission sets",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListPermissionSets"
},
{
"resource_types": "",
"description": "Retrieve the directory user or group associated with the profile",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListProfileAssociations"
},
{
"resource_types": "",
"description": "Retrieve all profiles for an application instance",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [
"sso:GetProfile"
],
"privilege": "ListProfiles"
},
{
"resource_types": "",
"description": "Add a policy to a permission set",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutPermissionsPolicy"
},
{
"resource_types": "",
"description": "Removes a member that is part of the group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveMemberFromGroup"
},
{
"resource_types": "",
"description": "Search for groups within the associated directory",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "SearchGroups"
},
{
"resource_types": "",
"description": "Search for users within the associated directory",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "SearchUsers"
},
{
"resource_types": "",
"description": "Sets a temporary password for a user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetTemporaryPassword"
},
{
"resource_types": "",
"description": "Initialize AWS Single Sign-On",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartSSO"
},
{
"resource_types": "",
"description": "Set a certificate as the active one for this application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApplicationInstanceActiveCertificate"
},
{
"resource_types": "",
"description": "Update display data of an application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApplicationInstanceDisplayData"
},
{
"resource_types": "",
"description": "Update federation response configuration for the application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApplicationInstanceResponseConfiguration"
},
{
"resource_types": "",
"description": "Update federation response schema configuration for the application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApplicationInstanceResponseSchemaConfiguration"
},
{
"resource_types": "",
"description": "Update security details for the application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApplicationInstanceSecurityConfiguration"
},
{
"resource_types": "",
"description": "Update service provider related configuration for the application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApplicationInstanceServiceProviderConfiguration"
},
{
"resource_types": "",
"description": "Update the status of an application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApplicationInstanceStatus"
},
{
"resource_types": "",
"description": "Update the user attribute mappings for your connected directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDirectoryAssociation"
},
{
"resource_types": "",
"description": "Updates group information",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateGroup"
},
{
"resource_types": "",
"description": "Update the profile for an application instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateProfile"
},
{
"resource_types": "",
"description": "Update the configuration for the current SSO instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSSOConfiguration"
},
{
"resource_types": "",
"description": "Update the federation trust in a target account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateTrust"
},
{
"resource_types": "",
"description": "Updates user information",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateUser"
}
]
},
{
"service_name": "AWS Cloud Map",
"privileges": []
},
{
"service_name": "AWS X-Ray",
"privileges": [
{
"resource_types": "",
"description": "Retrieves a list of traces specified by ID. Each trace is a collection of segment documents that originates from a single request. Use GetTraceSummaries to get a list of trace IDs",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetTraces"
},
{
"resource_types": "",
"description": "Creates a group resource with a name and a filter expression",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateGroup"
},
{
"resource_types": "",
"description": "Creates a rule to control sampling behavior for instrumented applications",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSamplingRule"
},
{
"resource_types": "",
"description": "Deletes a group resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteGroup"
},
{
"resource_types": "",
"description": "Deletes a sampling rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSamplingRule"
},
{
"resource_types": "",
"description": "Retrieves the current encryption configuration for X-Ray data",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "GetEncryptionConfig"
},
{
"resource_types": "",
"description": "Retrieves group resource details",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetGroup"
},
{
"resource_types": "",
"description": "Retrieves all active group details",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetGroups"
},
{
"resource_types": "",
"description": "Retrieves all sampling rules",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSamplingRules"
},
{
"resource_types": "",
"description": "Retrieves information about recent sampling results for all sampling rules",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSamplingStatisticSummaries"
},
{
"resource_types": "",
"description": "Requests a sampling quota for rules that the service is using to sample requests",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSamplingTargets"
},
{
"resource_types": "",
"description": "Retrieves a document that describes services that process incoming requests, and downstream services that they call as a result",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetServiceGraph"
},
{
"resource_types": "",
"description": "Retrieves a service graph for one or more specific trace IDs",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTraceGraph"
},
{
"resource_types": "",
"description": "Retrieves IDs and metadata for traces available for a specified time frame using an optional filter. To get the full traces, pass the trace IDs to BatchGetTraces",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTraceSummaries"
},
{
"resource_types": "",
"description": "Updates the encryption configuration for X-Ray data",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutEncryptionConfig"
},
{
"resource_types": "",
"description": "Used by the AWS X-Ray daemon to send telemetry to the service",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutTelemetryRecords"
},
{
"resource_types": "",
"description": "Uploads segment documents to AWS X-Ray. The X-Ray SDK generates segment documents and sends them to the X-Ray daemon, which uploads them in batches",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutTraceSegments"
},
{
"resource_types": "",
"description": "Updates a group resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateGroup"
},
{
"resource_types": "",
"description": "Modifies a sampling rule's configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSamplingRule"
}
]
},
{
"service_name": "Amazon RDS",
"privileges": [
{
"resource_types": "cluster",
"description": "Associates an Identity and Access Management (IAM) role with an Aurora DB cluster",
"condition_keys": [
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:Vpc",
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddRoleToDBCluster"
},
{
"resource_types": "es",
"description": "Adds a source identifier to an existing RDS event notification subscription",
"condition_keys": [
"rds:es-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddSourceIdentifierToSubscription"
},
{
"resource_types": "db",
"description": "Adds metadata tags to an Amazon RDS resource",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTagsToResource"
},
{
"resource_types": "db",
"description": "Applies a pending maintenance action to a resource",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ApplyPendingMaintenanceAction"
},
{
"resource_types": "secgrp",
"description": "Enables ingress to a DBSecurityGroup using one of two forms of authorization",
"condition_keys": [
"rds:secgrp-tag"
],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AuthorizeDBSecurityGroupIngress"
},
{
"resource_types": "cluster-snapshot",
"description": "Creates a snapshot of a DB cluster",
"condition_keys": [
"rds:cluster-snapshot-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopyDBClusterSnapshot"
},
{
"resource_types": "pg",
"description": "Copies the specified DB parameter group",
"condition_keys": [
"rds:pg-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopyDBParameterGroup"
},
{
"resource_types": "snapshot",
"description": "Copies the specified DB snapshot",
"condition_keys": [
"rds:snapshot-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopyDBSnapshot"
},
{
"resource_types": "og",
"description": "Copies the specified option group",
"condition_keys": [
"rds:og-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopyOptionGroup"
},
{
"resource_types": "cluster",
"description": "Creates a new Amazon Aurora DB cluster",
"condition_keys": [
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:Vpc",
"rds:cluster-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBCluster"
},
{
"resource_types": "cluster-pg",
"description": "Create a new DB cluster parameter group",
"condition_keys": [
"rds:cluster-pg-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBClusterParameterGroup"
},
{
"resource_types": "cluster",
"description": "Creates a snapshot of a DB cluster",
"condition_keys": [
"rds:cluster-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBClusterSnapshot"
},
{
"resource_types": "db",
"description": "Creates a new DB instance",
"condition_keys": [
"rds:DatabaseClass",
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:MultiAz",
"rds:Piops",
"rds:StorageSize",
"rds:Vpc",
"rds:db-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBInstance"
},
{
"resource_types": "db",
"description": "Creates a DB instance for a DB instance running MySQL, MariaDB, or PostgreSQL that acts as a Read Replica of a source DB instance",
"condition_keys": [
"Piops",
"rds:DatabaseClass",
"rds:db-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBInstanceReadReplica"
},
{
"resource_types": "pg",
"description": "Creates a new DB parameter group",
"condition_keys": [
"rds:pg-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBParameterGroup"
},
{
"resource_types": "secgrp",
"description": "Creates a new DB security group. DB security groups control access to a DB instance",
"condition_keys": [
"rds:secgrp-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBSecurityGroup"
},
{
"resource_types": "db",
"description": "Creates a DBSnapshot",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBSnapshot"
},
{
"resource_types": "subgrp",
"description": "Creates a new DB subnet group",
"condition_keys": [
"rds:subgrp-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateDBSubnetGroup"
},
{
"resource_types": "es",
"description": "Creates an RDS event notification subscription",
"condition_keys": [
"rds:es-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateEventSubscription"
},
{
"resource_types": "og",
"description": "Creates a new option group",
"condition_keys": [
"rds:og-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateOptionGroup"
},
{
"resource_types": "cluster",
"description": "The DeleteDBCluster action deletes a previously provisioned DB cluster",
"condition_keys": [
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDBCluster"
},
{
"resource_types": "cluster-pg",
"description": "Deletes a specified DB cluster parameter group",
"condition_keys": [
"rds:cluster-pg-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDBClusterParameterGroup"
},
{
"resource_types": "cluster-snapshot",
"description": "Deletes a DB cluster snapshot",
"condition_keys": [
"rds:cluster-snapshot-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDBClusterSnapshot"
},
{
"resource_types": "db",
"description": "The DeleteDBInstance action deletes a previously provisioned DB instance",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDBInstance"
},
{
"resource_types": "pg",
"description": "Deletes a specified DBParameterGroup",
"condition_keys": [
"rds:pg-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDBParameterGroup"
},
{
"resource_types": "secgrp",
"description": "Deletes a DB security group",
"condition_keys": [
"rds:secgrp-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDBSecurityGroup"
},
{
"resource_types": "snapshot",
"description": "Deletes a DBSnapshot",
"condition_keys": [
"rds:snapshot-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDBSnapshot"
},
{
"resource_types": "subgrp",
"description": "Deletes a DB subnet group",
"condition_keys": [
"rds:subgrp-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDBSubnetGroup"
},
{
"resource_types": "es",
"description": "Deletes an RDS event notification subscription",
"condition_keys": [
"rds:es-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEventSubscription"
},
{
"resource_types": "og",
"description": "Deletes an existing option group",
"condition_keys": [
"rds:og-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteOptionGroup"
},
{
"resource_types": "",
"description": "Lists all of the attributes for a customer account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeAccountAttributes"
},
{
"resource_types": "",
"description": "Lists the set of CA certificates provided by Amazon RDS for this AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeCertificates"
},
{
"resource_types": "cluster-pg",
"description": "Returns a list of DBClusterParameterGroup descriptions",
"condition_keys": [
"rds:cluster-pg-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBClusterParameterGroups"
},
{
"resource_types": "cluster-pg",
"description": "Returns the detailed parameter list for a particular DB cluster parameter group",
"condition_keys": [
"rds:cluster-pg-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBClusterParameters"
},
{
"resource_types": "cluster-snapshot",
"description": "Returns a list of DB cluster snapshot attribute names and values for a manual DB cluster snapshot",
"condition_keys": [
"rds:cluster-snapshot-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBClusterSnapshotAttributes"
},
{
"resource_types": "cluster",
"description": "Returns information about provisioned Aurora DB clusters",
"condition_keys": [
"rds:cluster-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBClusters"
},
{
"resource_types": "pg",
"description": "Returns a list of the available DB engines",
"condition_keys": [
"rds:pg-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBEngineVersions"
},
{
"resource_types": "",
"description": "Returns information about provisioned RDS instances",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBInstances"
},
{
"resource_types": "db",
"description": "Returns a list of DB log files for the DB instance",
"condition_keys": [
"rds:db-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBLogFiles"
},
{
"resource_types": "pg",
"description": "Returns a list of DBParameterGroup descriptions",
"condition_keys": [
"rds:pg-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBParameterGroups"
},
{
"resource_types": "pg",
"description": "Returns the detailed parameter list for a particular DB parameter group",
"condition_keys": [
"rds:pg-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBParameters"
},
{
"resource_types": "secgrp",
"description": "Returns a list of DBSecurityGroup descriptions",
"condition_keys": [
"rds:secgrp-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBSecurityGroups"
},
{
"resource_types": "snapshot",
"description": "Returns a list of DB snapshot attribute names and values for a manual DB snapshot",
"condition_keys": [
"rds:snapshot-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBSnapshotAttributes"
},
{
"resource_types": "db",
"description": "Returns information about DB snapshots",
"condition_keys": [
"rds:db-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBSnapshots"
},
{
"resource_types": "subgrp",
"description": "Returns a list of DBSubnetGroup descriptions",
"condition_keys": [
"rds:subgrp-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDBSubnetGroups"
},
{
"resource_types": "",
"description": "Returns the default engine and system parameter information for the cluster database engine",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeEngineDefaultClusterParameters"
},
{
"resource_types": "",
"description": "Returns the default engine and system parameter information for the specified database engine",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeEngineDefaultParameters"
},
{
"resource_types": "",
"description": "Displays a list of categories for all event source types, or, if specified, for a specified source type",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeEventCategories"
},
{
"resource_types": "es",
"description": "Lists all the subscription descriptions for a customer account",
"condition_keys": [
"rds:es-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeEventSubscriptions"
},
{
"resource_types": "es",
"description": "Returns events related to DB instances, DB security groups, DB snapshots, and DB parameter groups for the past 14 days",
"condition_keys": [
"rds:es-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeEvents"
},
{
"resource_types": "og",
"description": "Describes all available options",
"condition_keys": [
"rds:og-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeOptionGroupOptions"
},
{
"resource_types": "og",
"description": "Describes the available option groups",
"condition_keys": [
"rds:og-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeOptionGroups"
},
{
"resource_types": "",
"description": "Returns a list of orderable DB instance options for the specified engine",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeOrderableDBInstanceOptions"
},
{
"resource_types": "db",
"description": "Returns a list of resources (for example, DB instances) that have at least one pending maintenance action",
"condition_keys": [
"rds:DatabaseClass",
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:MultiAz",
"rds:Piops",
"rds:StorageSize",
"rds:Vpc",
"rds:db-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribePendingMaintenanceActions"
},
{
"resource_types": "ri",
"description": "Returns information about reserved DB instances for this account, or about a specified reserved DB instance",
"condition_keys": [
"rds:DatabaseClass",
"rds:MultiAz",
"rds:ri-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeReservedDBInstances"
},
{
"resource_types": "db",
"description": "Lists available reserved DB instance offerings",
"condition_keys": [
"rds:db-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeReservedDBInstancesOfferings"
},
{
"resource_types": "db",
"description": "Lists available modifications you can make to your DB instance",
"condition_keys": [
"rds:db-tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeValidDBInstanceModifications"
},
{
"resource_types": "",
"description": "Downloads the contents of the specified database log file",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DownloadCompleteDBLogFile"
},
{
"resource_types": "db",
"description": "Downloads all or a portion of the specified log file, up to 1 MB in size",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DownloadDBLogFilePortion"
},
{
"resource_types": "cluster",
"description": "Forces a failover for a DB cluster",
"condition_keys": [
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "FailoverDBCluster"
},
{
"resource_types": "db",
"description": "Lists all tags on an Amazon RDS resource",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "cluster",
"description": "Modify current cluster capacity for an Amazon Aurora Serverless DB cluster",
"condition_keys": [
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyCurrentDBClusterCapacity"
},
{
"resource_types": "cluster",
"description": "Modify a setting for an Amazon Aurora DB cluster",
"condition_keys": [
"rds:Vpc",
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyDBCluster"
},
{
"resource_types": "cluster-pg",
"description": "Modifies the parameters of a DB cluster parameter group",
"condition_keys": [
"rds:cluster-pg-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyDBClusterParameterGroup"
},
{
"resource_types": "cluster-snapshot",
"description": "Adds an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot",
"condition_keys": [
"rds:cluster-snapshot-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyDBClusterSnapshotAttribute"
},
{
"resource_types": "db",
"description": "Modify settings for a DB instance",
"condition_keys": [
"rds:DatabaseClass",
"rds:MultiAz",
"rds:Piops",
"rds:StorageSize",
"rds:Vpc",
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyDBInstance"
},
{
"resource_types": "pg",
"description": "Modifies the parameters of a DB parameter group",
"condition_keys": [
"rds:pg-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyDBParameterGroup"
},
{
"resource_types": "snapshot",
"description": "Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot",
"condition_keys": [
"rds:snapshot-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyDBSnapshotAttribute"
},
{
"resource_types": "subgrp",
"description": "Modifies an existing DB subnet group",
"condition_keys": [
"rds:subgrp-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyDBSubnetGroup"
},
{
"resource_types": "es",
"description": "Modifies an existing RDS event notification subscription",
"condition_keys": [
"rds:es-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyEventSubscription"
},
{
"resource_types": "og",
"description": "Modifies an existing option group",
"condition_keys": [
"rds:og-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyOptionGroup"
},
{
"resource_types": "db",
"description": "Promotes a Read Replica DB instance to a standalone DB instance",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PromoteReadReplica"
},
{
"resource_types": "",
"description": "Purchases a reserved DB instance offering",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PurchaseReservedDBInstancesOffering"
},
{
"resource_types": "db",
"description": "Rebooting a DB instance restarts the database engine service",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RebootDBInstance"
},
{
"resource_types": "es",
"description": "Removes a source identifier from an existing RDS event notification subscription",
"condition_keys": [
"rds:es-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveSourceIdentifierFromSubscription"
},
{
"resource_types": "db",
"description": "Removes metadata tags from an Amazon RDS resource",
"condition_keys": [
"rds:db-tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTagsFromResource"
},
{
"resource_types": "cluster-pg",
"description": "Modifies the parameters of a DB cluster parameter group to the default value",
"condition_keys": [
"rds:cluster-pg-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ResetDBClusterParameterGroup"
},
{
"resource_types": "pg",
"description": "Modifies the parameters of a DB parameter group to the engine/system default value",
"condition_keys": [
"rds:pg-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ResetDBParameterGroup"
},
{
"resource_types": "cluster",
"description": "Creates a new DB cluster from a DB cluster snapshot",
"condition_keys": [
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:Vpc",
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreDBClusterFromSnapshot"
},
{
"resource_types": "cluster",
"description": "Restores a DB cluster to an arbitrary point in time",
"condition_keys": [
"rds:Vpc",
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreDBClusterToPointInTime"
},
{
"resource_types": "db",
"description": "Creates a new DB instance from a DB snapshot",
"condition_keys": [
"rds:DatabaseClass",
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:MultiAz",
"rds:Piops",
"rds:Vpc",
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreDBInstanceFromDBSnapshot"
},
{
"resource_types": "db",
"description": "Restores a DB instance to an arbitrary point in time",
"condition_keys": [
"rds:DatabaseClass",
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:MultiAz",
"rds:Piops",
"rds:Vpc",
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreDBInstanceToPointInTime"
},
{
"resource_types": "secgrp",
"description": "Revokes ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups",
"condition_keys": [
"rds:secgrp-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RevokeDBSecurityGroupIngress"
},
{
"resource_types": "cluster",
"description": "Starts the DB cluster",
"condition_keys": [
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartDBCluster"
},
{
"resource_types": "db",
"description": "Starts the DB instance",
"condition_keys": [
"rds:DatabaseClass",
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:MultiAz",
"rds:Piops",
"rds:StorageSize",
"rds:Vpc",
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartDBInstance"
},
{
"resource_types": "cluster",
"description": "Stops the DB cluster",
"condition_keys": [
"rds:cluster-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopDBCluster"
},
{
"resource_types": "db",
"description": "Stops the DB instance",
"condition_keys": [
"rds:DatabaseClass",
"rds:DatabaseEngine",
"rds:DatabaseName",
"rds:MultiAz",
"rds:Piops",
"rds:StorageSize",
"rds:Vpc",
"rds:db-tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopDBInstance"
}
]
},
{
"service_name": "AWS Security Token Service",
"privileges": [
{
"resource_types": "role",
"description": "Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssumeRole"
},
{
"resource_types": "role",
"description": "Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssumeRoleWithSAML"
},
{
"resource_types": "role",
"description": "Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssumeRoleWithWebIdentity"
},
{
"resource_types": "",
"description": "Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DecodeAuthorizationMessage"
},
{
"resource_types": "",
"description": "Returns details about the IAM identity whose credentials are used to call the API",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCallerIdentity"
},
{
"resource_types": "user",
"description": "Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFederationToken"
}
]
},
{
"service_name": "Amazon WorkDocs",
"privileges": [
{
"resource_types": "",
"description": "Aborts the upload of the specified document version that was previously initiated by InitiateDocumentVersionUpload",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AbortDocumentVersionUpload"
},
{
"resource_types": "",
"description": "Activates the specified user. Only active users can access Amazon WorkDocs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ActivateUser"
},
{
"resource_types": "",
"description": "Creates a set of permissions for the specified folder or document",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddResourcePermissions"
},
{
"resource_types": "",
"description": "Creates a folder with the specified name and parent folder",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateFolder"
},
{
"resource_types": "",
"description": "Configure WorkDocs to use Amazon SNS notifications",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateNotificationSubscription"
},
{
"resource_types": "",
"description": "Creates a user in a Simple AD or Microsoft AD directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateUser"
},
{
"resource_types": "",
"description": "Deactivates the specified user, which revokes the user's access to Amazon WorkDocs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeactivateUser"
},
{
"resource_types": "",
"description": "Permanently deletes the specified document and its associated metadata",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDocument"
},
{
"resource_types": "",
"description": "Permanently deletes the specified folder and its contents",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteFolder"
},
{
"resource_types": "",
"description": "Deletes the contents of the specified folder",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteFolderContents"
},
{
"resource_types": "",
"description": "Deletes the specified subscription from the specified organization",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteNotificationSubscription"
},
{
"resource_types": "",
"description": "Deletes the specified user from a Simple AD or Microsoft AD directory",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteUser"
},
{
"resource_types": "",
"description": "Retrieves the document versions for the specified document",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDocumentVersions"
},
{
"resource_types": "",
"description": "Describes the contents of the specified folder, including its documents and sub-folders",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeFolderContents"
},
{
"resource_types": "",
"description": "Lists the specified notification subscriptions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeNotificationSubscriptions"
},
{
"resource_types": "",
"description": "Describes the permissions of a specified resource",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeResourcePermissions"
},
{
"resource_types": "",
"description": "Describes the specified users. You can describe all users or filter the results (for example, by status or organization)",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeUsers"
},
{
"resource_types": "",
"description": "Retrieves the specified document object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDocument"
},
{
"resource_types": "",
"description": "Retrieves the path information (the hierarchy from the root folder) for the requested document",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDocumentPath"
},
{
"resource_types": "",
"description": "Retrieves version metadata for the specified document",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDocumentVersion"
},
{
"resource_types": "",
"description": "Retrieves the metadata of the specified folder",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFolder"
},
{
"resource_types": "",
"description": "Retrieves the path information (the hierarchy from the root folder) for the specified folder",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFolderPath"
},
{
"resource_types": "",
"description": "Creates a new document object and version object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "InitiateDocumentVersionUpload"
},
{
"resource_types": "",
"description": "Removes all the permissions from the specified resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveAllResourcePermissions"
},
{
"resource_types": "",
"description": "Removes the permission for the specified principal from the specified resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveResourcePermission"
},
{
"resource_types": "",
"description": "Updates the specified attributes of the specified document",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDocument"
},
{
"resource_types": "",
"description": "Changes the status of the document version to ACTIVE",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDocumentVersion"
},
{
"resource_types": "",
"description": "Updates the specified attributes of the specified folder",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateFolder"
},
{
"resource_types": "",
"description": "Updates the specified attributes of the specified user, and grants or revokes administrative privileges to the Amazon WorkDocs site",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateUser"
}
]
},
{
"service_name": "AWS Migration Hub",
"privileges": [
{
"resource_types": "migrationTask",
"description": "Associate a given AWS artifact to a MigrationTask",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateCreatedArtifact"
},
{
"resource_types": "migrationTask",
"description": "Associate a given ADS resource to a MigrationTask",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateDiscoveredResource"
},
{
"resource_types": "progressUpdateStream",
"description": "Create a ProgressUpdateStream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateProgressUpdateStream"
},
{
"resource_types": "progressUpdateStream",
"description": "Delete a ProgressUpdateStream",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProgressUpdateStream"
},
{
"resource_types": "",
"description": "Get an Application Discovery Service Application's state",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeApplicationState"
},
{
"resource_types": "migrationTask",
"description": "Describe a MigrationTask",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeMigrationTask"
},
{
"resource_types": "migrationTask",
"description": "Disassociate a given AWS artifact from a MigrationTask",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateCreatedArtifact"
},
{
"resource_types": "migrationTask",
"description": "Disassociate a given ADS resource from a MigrationTask",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateDiscoveredResource"
},
{
"resource_types": "migrationTask",
"description": "Import a MigrationTask",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportMigrationTask"
},
{
"resource_types": "migrationTask",
"description": "List associated created artifacts for a MigrationTask",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListCreatedArtifacts"
},
{
"resource_types": "migrationTask",
"description": "List associated ADS resources from MigrationTask",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDiscoveredResources"
},
{
"resource_types": "",
"description": "List MigrationTasks",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListMigrationTasks"
},
{
"resource_types": "",
"description": "List ProgressUpdateStreams",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProgressUpdateStreams"
},
{
"resource_types": "",
"description": "Update an Application Discovery Service Application's state",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "NotifyApplicationState"
},
{
"resource_types": "migrationTask",
"description": "Notify latest MigrationTask state",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "NotifyMigrationTaskState"
},
{
"resource_types": "migrationTask",
"description": "Put ResourceAttributes",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutResourceAttributes"
}
]
},
{
"service_name": "Amazon Elasticsearch Service",
"privileges": [
{
"resource_types": "domain",
"description": "Grants permission to attach resource tags to an Amazon ES domain",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTags"
},
{
"resource_types": "domain",
"description": "Grants permission to create an Amazon ES domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateElasticsearchDomain"
},
{
"resource_types": "domain",
"description": "Grants permission to delete an Amazon ES domain and all of its data",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteElasticsearchDomain"
},
{
"resource_types": "",
"description": "Grants permission to delete the service-linked role required for Amazon ES domains that use VPC access",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteElasticsearchServiceRole"
},
{
"resource_types": "domain",
"description": "Grants permission to view a description of the domain configuration for the specified Amazon ES domain, including the domain ID, domain service endpoint, and domain ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeElasticsearchDomain"
},
{
"resource_types": "domain",
"description": "Grants permission to view a description of the configuration options and status of an Amazon ES domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeElasticsearchDomainConfig"
},
{
"resource_types": "domain",
"description": "Grants permission to view a description of the domain configuration for up to five specified Amazon ES domains",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeElasticsearchDomains"
},
{
"resource_types": "",
"description": "Grants permission to view the instance count, storage, and master node limits for a given Elasticsearch version and instance type",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeElasticsearchInstanceTypeLimits"
},
{
"resource_types": "",
"description": "Grants permission to fetch reserved instance offerings for ES",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeReservedElasticsearchInstanceOfferings"
},
{
"resource_types": "",
"description": "Grants permission to fetch ES reserved instances already purchased by customer",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeReservedElasticsearchInstances"
},
{
"resource_types": "domain",
"description": "Grants permission to fetch a list of compatible Elasticsearch versions to which an Amazon ES domain can be upgraded",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetCompatibleElasticsearchVersions"
},
{
"resource_types": "domain",
"description": "Grants permission to fetch upgrade history for given ES domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetUpgradeHistory"
},
{
"resource_types": "domain",
"description": "Grants permission to fetch upgrade status for given ES domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetUpgradeStatus"
},
{
"resource_types": "",
"description": "Grants permission to display the names of all Amazon ES domains that the current user owns",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDomainNames"
},
{
"resource_types": "",
"description": "Grants permission to list all Elasticsearch instance types that are supported for a given Elasticsearch version",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListElasticsearchInstanceTypes"
},
{
"resource_types": "",
"description": "Grants permission to list all supported Elasticsearch versions on Amazon ES",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListElasticsearchVersions"
},
{
"resource_types": "domain",
"description": "Grants permission to display all of the tags for an Amazon ES domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTags"
},
{
"resource_types": "",
"description": "Grants permission to purchase ES reserved instances",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PurchaseReservedElasticsearchInstance"
},
{
"resource_types": "domain",
"description": "Grants permission to remove tags from Amazon ES domains",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTags"
},
{
"resource_types": "domain",
"description": "Grants permission to modify the configuration of an Amazon ES domain, such as the instance type or number of instances",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateElasticsearchDomainConfig"
},
{
"resource_types": "domain",
"description": "Grants permission to initiate an upgrade of an Elasticsearch domain to a given version",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpgradeElasticsearchDomain"
}
]
},
{
"service_name": "AWS CodeStar",
"privileges": [
{
"resource_types": "project",
"description": "Adds a user to the team for an AWS CodeStar project",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AssociateTeamMember"
},
{
"resource_types": "",
"description": "Creates a project with minimal structure, customer policies, and no resources",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreateProject"
},
{
"resource_types": "",
"description": "Creates a profile for a user that includes user preferences, display name, and email",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateUserProfile"
},
{
"resource_types": "project",
"description": "Deletes a project, including project resources. Does not delete users associated with the project, but does delete the IAM roles that allowed access to the project",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteProject"
},
{
"resource_types": "",
"description": "Deletes a user profile in AWS CodeStar, including all personal preference data associated with that profile, such as display name and email address. It does not delete the history of that user, for example the history of commits made by that user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteUserProfile"
},
{
"resource_types": "project",
"description": "Describes a project and its resources",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProject"
},
{
"resource_types": "",
"description": "Describes a user in AWS CodeStar and the user attributes across all projects",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeUserProfile"
},
{
"resource_types": "project",
"description": "Removes a user from a project. Removing a user from a project also removes the IAM policies from that user that allowed access to the project and its resources",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DisassociateTeamMember"
},
{
"resource_types": "",
"description": "Lists all projects in CodeStar associated with your AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProjects"
},
{
"resource_types": "project",
"description": "Lists all resources associated with a project in CodeStar",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListResources"
},
{
"resource_types": "project",
"description": "Lists all team members associated with a project",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTeamMembers"
},
{
"resource_types": "",
"description": "Lists user profiles in AWS CodeStar",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListUserProfiles"
},
{
"resource_types": "project",
"description": "Updates a project in CodeStar",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateProject"
},
{
"resource_types": "project",
"description": "Updates team member attributes within a CodeStar project",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "UpdateTeamMember"
},
{
"resource_types": "",
"description": "Updates a profile for a user that includes user preferences, display name, and email",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateUserProfile"
}
]
},
{
"service_name": "AWS Certificate Manager",
"privileges": [
{
"resource_types": "certificate",
"description": "Adds one or more tags to a certificate",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTagsToCertificate"
},
{
"resource_types": "certificate",
"description": "Deletes a certificate and its associated private key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCertificate"
},
{
"resource_types": "certificate",
"description": "Returns a list of the fields contained in the specified certificate",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCertificate"
},
{
"resource_types": "certificate",
"description": "Exports a private certificate issued by a private certificate authority (CA) for use anywhere",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ExportCertificate"
},
{
"resource_types": "certificate",
"description": "Retrieves a certificate and certificate chain for the certificate specified by an ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCertificate"
},
{
"resource_types": "certificate",
"description": "Imports a 3rd party SSL/TLS certificate into AWS Certificate Manager (ACM)",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportCertificate"
},
{
"resource_types": "",
"description": "Retrieves a list of the certificate ARNs and the domain name for each ARN",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListCertificates"
},
{
"resource_types": "",
"description": "Lists the tags that have been applied to the certificate",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsForCertificate"
},
{
"resource_types": "certificate",
"description": "Remove one or more tags from a certificate. A tag consists of a key-value pair",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTagsFromCertificate"
},
{
"resource_types": "",
"description": "Requests a public or private certificate",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RequestCertificate"
},
{
"resource_types": "certificate",
"description": "Resends an email to request domain ownership validation",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ResendValidationEmail"
},
{
"resource_types": "certificate",
"description": "Updates a certificate. Use to specify whether to opt in to or out of certificate transparency logging",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateCertificateOptions"
}
]
},
{
"service_name": "Amazon Elastic Transcoder",
"privileges": [
{
"resource_types": "job",
"description": "Cancel a job that Elastic Transcoder has not begun to process",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelJob"
},
{
"resource_types": "pipeline",
"description": "Create a job",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateJob"
},
{
"resource_types": "pipeline",
"description": "Create a pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePipeline"
},
{
"resource_types": "preset",
"description": "Create a preset",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePreset"
},
{
"resource_types": "pipeline",
"description": "Delete a pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePipeline"
},
{
"resource_types": "preset",
"description": "Delete a preset",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePreset"
},
{
"resource_types": "pipeline",
"description": "Get a list of the jobs that you assigned to a pipeline",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListJobsByPipeline"
},
{
"resource_types": "",
"description": "Get information about all of the jobs associated with the current AWS account that have a specified status",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListJobsByStatus"
},
{
"resource_types": "",
"description": "Get a list of the pipelines associated with the current AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPipelines"
},
{
"resource_types": "",
"description": "Get a list of all presets associated with the current AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPresets"
},
{
"resource_types": "job",
"description": "Get detailed information about a job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ReadJob"
},
{
"resource_types": "pipeline",
"description": "Get detailed information about a pipeline",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ReadPipeline"
},
{
"resource_types": "preset",
"description": "Get detailed information about a preset",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ReadPreset"
},
{
"resource_types": "",
"description": "Test the settings for a pipeline to ensure that Elastic Transcoder can create and process jobs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TestRole"
},
{
"resource_types": "pipeline",
"description": "Update settings for a pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdatePipeline"
},
{
"resource_types": "pipeline",
"description": "Update only Amazon Simple Notification Service (Amazon SNS) notifications for a pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdatePipelineNotifications"
},
{
"resource_types": "pipeline",
"description": "Pause or reactivate a pipeline, so the pipeline stops or restarts processing jobs, update the status for the pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdatePipelineStatus"
}
]
},
{
"service_name": "AWS Snowball",
"privileges": [
{
"resource_types": "",
"description": "Cancels a cluster job",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelCluster"
},
{
"resource_types": "",
"description": "Cancels the specified job",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelJob"
},
{
"resource_types": "",
"description": "Creates an address for a Snowball to be shipped to",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateAddress"
},
{
"resource_types": "",
"description": "Creates an empty cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCluster"
},
{
"resource_types": "",
"description": "Creates a job to import or export data between Amazon S3 and your on-premises data center",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateJob"
},
{
"resource_types": "",
"description": "Takes an AddressId and returns specific details about that address in the form of an Address object",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAddress"
},
{
"resource_types": "",
"description": "Returns a specified number of ADDRESS objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeAddresses"
},
{
"resource_types": "",
"description": "Returns information about a specific cluster including shipping information, cluster status, and other important metadata",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCluster"
},
{
"resource_types": "",
"description": "Returns information about a specific job including shipping information, job status, and other important metadata",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeJob"
},
{
"resource_types": "",
"description": "Returns a link to an Amazon S3 presigned URL for the manifest file associated with the specified JobId value",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetJobManifest"
},
{
"resource_types": "",
"description": "Returns the UnlockCode code value for the specified job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetJobUnlockCode"
},
{
"resource_types": "",
"description": "Returns information about the Snowball service limit for your account, and also the number of Snowballs your account has in use",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSnowballUsage"
},
{
"resource_types": "",
"description": "Returns an array of JobListEntry objects of the specified length",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListClusterJobs"
},
{
"resource_types": "",
"description": "Returns an array of ClusterListEntry objects of the specified length",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListClusters"
},
{
"resource_types": "",
"description": "Returns an array of JobListEntry objects of the specified length",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListJobs"
},
{
"resource_types": "",
"description": "While a cluster's ClusterState value is in the AwaitingQuorum state, you can update some of the information associated with a cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateCluster"
},
{
"resource_types": "",
"description": "While a job's JobState value is New, you can update some of the information associated with a job",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateJob"
}
]
},
{
"service_name": "Amazon Elastic Container Service",
"privileges": [
{
"resource_types": "",
"description": "Creates a new Amazon ECS cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCluster"
},
{
"resource_types": "",
"description": "Runs and maintains a desired number of tasks from a specified task definition",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateService"
},
{
"resource_types": "container-instance",
"description": "Deletes one or more custom attributes from an Amazon ECS resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAttributes"
},
{
"resource_types": "cluster",
"description": "Deletes the specified cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCluster"
},
{
"resource_types": "",
"description": "Deletes a specified service within a cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteService"
},
{
"resource_types": "cluster",
"description": "Deregisters an Amazon ECS container instance from the specified cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeregisterContainerInstance"
},
{
"resource_types": "",
"description": "Deregisters the specified task definition by family and revision",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeregisterTaskDefinition"
},
{
"resource_types": "cluster",
"description": "Describes one or more of your clusters",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeClusters"
},
{
"resource_types": "container-instance",
"description": "Describes Amazon Elastic Container Service container instances",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeContainerInstances"
},
{
"resource_types": "",
"description": "Describes the specified services running in your cluster",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeServices"
},
{
"resource_types": "",
"description": "Describes a task definition. You can specify a family and revision to find information about a specific task definition, or you can simply specify the family to find the latest ACTIVE revision in that family",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTaskDefinition"
},
{
"resource_types": "task",
"description": "Describes a specified task or tasks",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTasks"
},
{
"resource_types": "",
"description": "Returns an endpoint for the Amazon ECS agent to poll for updates",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DiscoverPollEndpoint"
},
{
"resource_types": "cluster",
"description": "Lists the attributes for Amazon ECS resources within a specified target type and cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAttributes"
},
{
"resource_types": "",
"description": "Returns a list of existing clusters",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListClusters"
},
{
"resource_types": "cluster",
"description": "Returns a list of container instances in a specified cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListContainerInstances"
},
{
"resource_types": "",
"description": "Lists the services that are running in a specified cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListServices"
},
{
"resource_types": "cluster",
"description": "List tags for the specified resource",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "",
"description": "Returns a list of task definition families that are registered to your account (which may include task definition families that no longer have any ACTIVE task definitions)",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTaskDefinitionFamilies"
},
{
"resource_types": "",
"description": "Returns a list of task definitions that are registered to your account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTaskDefinitions"
},
{
"resource_types": "container-instance",
"description": "Returns a list of tasks for a specified cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTasks"
},
{
"resource_types": "container-instance",
"description": "Grants permission to an agent to connect with the Amazon ECS service to report status and get commands",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Poll"
},
{
"resource_types": "container-instance",
"description": "Create or update an attribute on an Amazon ECS resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAttributes"
},
{
"resource_types": "cluster",
"description": "Registers an EC2 instance into the specified cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RegisterContainerInstance"
},
{
"resource_types": "",
"description": "Registers a new task definition from the supplied family and containerDefinitions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RegisterTaskDefinition"
},
{
"resource_types": "task-definition",
"description": "Start a task using random placement and the default Amazon ECS scheduler",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RunTask"
},
{
"resource_types": "task-definition",
"description": "Starts a new task from the specified task definition on the specified container instance or instances",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartTask"
},
{
"resource_types": "task",
"description": "Stops a running task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopTask"
},
{
"resource_types": "cluster",
"description": "Sent to acknowledge that a container changed states",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SubmitContainerStateChange"
},
{
"resource_types": "cluster",
"description": "Sent to acknowledge that a task changed states",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SubmitTaskStateChange"
},
{
"resource_types": "cluster",
"description": "Tags the specified resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "cluster",
"description": "Untags the specified resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "container-instance",
"description": "Updates the Amazon ECS container agent on a specified container instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateContainerAgent"
},
{
"resource_types": "container-instance",
"description": "Enables the user to modify the status of an Amazon ECS container instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateContainerInstancesState"
},
{
"resource_types": "",
"description": "Modifies the desired count, deployment configuration, or task definition used in a service",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateService"
}
]
},
{
"service_name": "AWS Private Marketplace",
"privileges": [
{
"resource_types": "",
"description": "Adds new approved products to the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateProductsWithPrivateMarketplace"
},
{
"resource_types": "",
"description": "Creates a Private Marketplace for the individual account, or for the entire AWS Organization if one exists. This action can only be performed by the master account if using an AWS Organization",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePrivateMarketplace"
},
{
"resource_types": "",
"description": "Creates a Private Marketplace Profile that customizes the white label experience on the AWS Marketplace website for the individual account, or for the entire AWS Organization if one exists. This action can only be performed by the master account if using an AWS Organization",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePrivateMarketplaceProfile"
},
{
"resource_types": "",
"description": "Describes the status of requested products in the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribePrivateMarketplaceProducts"
},
{
"resource_types": "",
"description": "Describes details about the Private Marketplace Profile for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribePrivateMarketplaceProfile"
},
{
"resource_types": "",
"description": "Describes the status of the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribePrivateMarketplaceStatus"
},
{
"resource_types": "",
"description": "Removes approved products from the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateProductsFromPrivateMarketplace"
},
{
"resource_types": "",
"description": "Queryable list for the products and status of products in the Private Marketplace for administrative purposes. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPrivateMarketplaceProducts"
},
{
"resource_types": "",
"description": "Starts the Private Marketplace, enabling the customized AWS Marketplace experience, and enabling restrictions on the procurement of products based on what is available in the Private Marketplace. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartPrivateMarketplace"
},
{
"resource_types": "",
"description": "Stops the Private Marketplace, disabling the customized AWS Marketplace experience and removing the Private Marketplace procurement restrictions on products. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopPrivateMarketplace"
},
{
"resource_types": "",
"description": "Updates the Private Marketplace Profile that customizes the white label experience on the AWS Marketplace website for the individual account, or for the entire AWS Organization if one exists. This action can be performed by any account in an AWS Organization, provided the user has permissions to do so, and the Organization's Service Control Policies allow it",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdatePrivateMarketplaceProfile"
}
]
},
{
"service_name": "AWS Import Export Disk Service",
"privileges": [
{
"resource_types": "",
"description": "This action cancels a specified job. Only the job owner can cancel it. The action fails if the job has already started or is complete",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelJob"
},
{
"resource_types": "",
"description": "This action initiates the process of scheduling an upload or download of your data",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateJob"
},
{
"resource_types": "",
"description": "This action generates a pre-paid shipping label that you will use to ship your device to AWS for processing",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetShippingLabel"
},
{
"resource_types": "",
"description": "This action returns information about a job, including where the job is in the processing pipeline, the status of the results, and the signature value associated with the job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetStatus"
},
{
"resource_types": "",
"description": "This action returns the jobs associated with the requester",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListJobs"
},
{
"resource_types": "",
"description": "You use this action to change the parameters specified in the original manifest file by supplying a new manifest file",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateJob"
}
]
},
{
"service_name": "Amazon AppStream 2.0",
"privileges": [
{
"resource_types": "fleet",
"description": "Grants permission to associate the specified fleet with the specified stack",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateFleet"
},
{
"resource_types": "",
"description": "Grants permission to associate the specified users with the specified stacks",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchAssociateUserStack"
},
{
"resource_types": "",
"description": "Grants permission to disassociate the specified users from the specified stacks",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchDisassociateUserStack"
},
{
"resource_types": "image",
"description": "Grants permission to copy the specified image within the same region or to a new region within the same AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopyImage"
},
{
"resource_types": "",
"description": "Grants permission to create a Directory Config object in AppStream 2.0. This object includes the information required to join streaming instances to an Active Directory domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDirectoryConfig"
},
{
"resource_types": "fleet",
"description": "Grants permission to create a fleet. A fleet consists of streaming instances that run a specified image",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateFleet"
},
{
"resource_types": "image-builder",
"description": "Grants permission to create an image builder. An image builder is a virtual machine that is used to create an image",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateImageBuilder"
},
{
"resource_types": "image-builder",
"description": "Grants permission to create a URL to start an image builder streaming session",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateImageBuilderStreamingURL"
},
{
"resource_types": "stack",
"description": "Grants permission to create a stack to start streaming applications to users. A stack consists of an associated fleet, user access policies, and storage configurations",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateStack"
},
{
"resource_types": "fleet",
"description": "Grants permission to create a temporary URL to start an AppStream 2.0 streaming session for a user. A streaming URL enables application streaming to be tested without user setup",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateStreamingURL"
},
{
"resource_types": "",
"description": "Grants permission to create a new user in the user pool",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateUser"
},
{
"resource_types": "",
"description": "Grants permission to delete the specified Directory Config object from AppStream 2.0. This object includes the information required to join streaming instances to an Active Directory domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDirectoryConfig"
},
{
"resource_types": "fleet",
"description": "Grants permission to delete the specified fleet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteFleet"
},
{
"resource_types": "image",
"description": "Grants permission to delete the specified image. An image cannot be deleted when it is in use",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteImage"
},
{
"resource_types": "image-builder",
"description": "Grants permission to delete the specified image builder and release capacity",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteImageBuilder"
},
{
"resource_types": "image",
"description": "Grants permission to delete permissions for the specified private image",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteImagePermissions"
},
{
"resource_types": "stack",
"description": "Grants permission to delete the specified stack. After the stack is deleted, the application streaming environment provided by the stack is no longer available to users. Also, any reservations made for application streaming sessions for the stack are released",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteStack"
},
{
"resource_types": "",
"description": "Grants permission to delete a user from the user pool",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteUser"
},
{
"resource_types": "",
"description": "Grants permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0, if the names for these objects are provided. Otherwise, all Directory Config objects in the account are described. This object includes the information required to join streaming instances to an Active Directory domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeDirectoryConfigs"
},
{
"resource_types": "fleet",
"description": "Grants permission to retrieve a list that describes one or more specified fleets, if the fleet names are provided. Otherwise, all fleets in the account are described",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeFleets"
},
{
"resource_types": "image-builder",
"description": "Grants permission to retrieve a list that describes one or more specified image builders, if the image builder names are provided. Otherwise, all image builders in the account are described",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeImageBuilders"
},
{
"resource_types": "image",
"description": "Grants permission to retrieve a list that describes the permissions for shared AWS account IDs on a private image that you own",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeImagePermissions"
},
{
"resource_types": "image",
"description": "Grants permission to retrieve a list that describes one or more specified images, if the image names are provided. Otherwise, all images in the account are described",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeImages"
},
{
"resource_types": "",
"description": "Grants permission to retrieve a list that describes the streaming sessions for the specified stack and fleet. If a user ID is provided for the stack and fleet, only the streaming sessions for that user are described",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSessions"
},
{
"resource_types": "stack",
"description": "Grants permission to retrieve a list that describes one or more specified stacks, if the stack names are provided. Otherwise, all stacks in the account are described",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeStacks"
},
{
"resource_types": "",
"description": "Grants permission to retrieve a list that describes the UserStackAssociation objects",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeUserStackAssociations"
},
{
"resource_types": "",
"description": "Grants permission to retrieve a list that describes users in the user pool",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeUsers"
},
{
"resource_types": "",
"description": "Grants permission to disable the specified user in the user pool",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableUser"
},
{
"resource_types": "fleet",
"description": "Grants permission to disassociate the specified fleet from the specified stack",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateFleet"
},
{
"resource_types": "",
"description": "Grants permission to enable a user in the user pool",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableUser"
},
{
"resource_types": "",
"description": "Grants permission to immediately stop the specified streaming session",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ExpireSession"
},
{
"resource_types": "stack",
"description": "Grants permission to retrieve the name of the fleet associated with the specified stack",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListAssociatedFleets"
},
{
"resource_types": "fleet",
"description": "Grants permission to retrieve the name of the stack with which the specified fleet is associated",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListAssociatedStacks"
},
{
"resource_types": "",
"description": "Grants permission to retrieve a list of all tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTagsForResource"
},
{
"resource_types": "fleet",
"description": "Grants permission to start the specified fleet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartFleet"
},
{
"resource_types": "image-builder",
"description": "Grants permission to start the specified image builder",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartImageBuilder"
},
{
"resource_types": "fleet",
"description": "Grants permission to stop the specified fleet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopFleet"
},
{
"resource_types": "image-builder",
"description": "Grants permission to stop the specified image builder",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopImageBuilder"
},
{
"resource_types": "stack",
"description": "Grants permission to federated users to sign in by using their existing credentials and stream applications from the specified stack",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Stream"
},
{
"resource_types": "",
"description": "Grants permission to add or overwrite one or more tags for the specified AppStream 2.0 resource. The following resources can be tagged: Image builders, images, fleets, and stacks",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "",
"description": "Grants permission to disassociate one or more tags from the specified AppStream 2.0 resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "",
"description": "Grants permission to update the specified Directory Config object in AppStream 2.0. This object includes the information required to join streaming instances to an Active Directory domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDirectoryConfig"
},
{
"resource_types": "fleet",
"description": "Grants permission to update the specified fleet. All attributes except the fleet name can be updated when the fleet is in the STOPPED state",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateFleet"
},
{
"resource_types": "image",
"description": "Grants permission to add or update permissions for the specified private image",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateImagePermissions"
},
{
"resource_types": "stack",
"description": "Grants permission to update the specified fields for the specified stack",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateStack"
}
]
},
{
"service_name": "Identity And Access Management",
"privileges": [
{
"resource_types": "oidc-provider",
"description": "Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddClientIDToOpenIDConnectProvider"
},
{
"resource_types": "instance-profile",
"description": "Adds the specified IAM role to the specified instance profile",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddRoleToInstanceProfile"
},
{
"resource_types": "group",
"description": "Adds the specified user to the specified group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddUserToGroup"
},
{
"resource_types": "group",
"description": "Attaches the specified managed policy to the specified IAM group",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AttachGroupPolicy"
},
{
"resource_types": "role",
"description": "Attaches the specified managed policy to the specified IAM role",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AttachRolePolicy"
},
{
"resource_types": "user",
"description": "Attaches the specified managed policy to the specified user",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AttachUserPolicy"
},
{
"resource_types": "user",
"description": "Changes the password of the IAM user who is calling this action",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ChangePassword"
},
{
"resource_types": "user",
"description": "Creates a new AWS secret access key and corresponding AWS access key ID for the specified user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateAccessKey"
},
{
"resource_types": "",
"description": "Creates an alias for your AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateAccountAlias"
},
{
"resource_types": "group",
"description": "Creates a new group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateGroup"
},
{
"resource_types": "instance-profile",
"description": "Creates a new instance profile",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateInstanceProfile"
},
{
"resource_types": "user",
"description": "Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateLoginProfile"
},
{
"resource_types": "oidc-provider",
"description": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC)",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateOpenIDConnectProvider"
},
{
"resource_types": "policy",
"description": "Creates a new managed policy for your AWS account",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreatePolicy"
},
{
"resource_types": "policy",
"description": "Creates a new version of the specified managed policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreatePolicyVersion"
},
{
"resource_types": "role",
"description": "Creates a new role for your AWS account",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateRole"
},
{
"resource_types": "saml-provider",
"description": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSAMLProvider"
},
{
"resource_types": "user",
"description": "Creates a new IAM user for your AWS account",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateUser"
},
{
"resource_types": "mfa",
"description": "Creates a new virtual MFA device for the AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateVirtualMFADevice"
},
{
"resource_types": "user",
"description": "Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeactivateMFADevice"
},
{
"resource_types": "user",
"description": "Deletes the access key pair associated with the specified IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAccessKey"
},
{
"resource_types": "",
"description": "Deletes the specified AWS account alias. For information about using an AWS account alias",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAccountAlias"
},
{
"resource_types": "",
"description": "Deletes the password policy for the AWS account",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteAccountPasswordPolicy"
},
{
"resource_types": "group",
"description": "Deletes the specified IAM group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteGroup"
},
{
"resource_types": "group",
"description": "Deletes the specified inline policy that is embedded in the specified IAM group",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteGroupPolicy"
},
{
"resource_types": "instance-profile",
"description": "Deletes the specified instance profile",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteInstanceProfile"
},
{
"resource_types": "user",
"description": "Deletes the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteLoginProfile"
},
{
"resource_types": "oidc-provider",
"description": "Deletes an OpenID Connect identity provider (IdP) resource object in IAM",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteOpenIDConnectProvider"
},
{
"resource_types": "policy",
"description": "Deletes the specified managed policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeletePolicy"
},
{
"resource_types": "policy",
"description": "Deletes the specified version from the specified managed policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeletePolicyVersion"
},
{
"resource_types": "role",
"description": "Deletes the specified role",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "DeleteRole"
},
{
"resource_types": "role",
"description": "Deletes the permissions boundary from a role",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteRolePermissionsBoundary"
},
{
"resource_types": "role",
"description": "Deletes the specified inline policy that is embedded in the specified IAM role",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteRolePolicy"
},
{
"resource_types": "saml-provider",
"description": "Deletes a SAML provider resource in IAM",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSAMLProvider"
},
{
"resource_types": "user",
"description": "Deletes the specified SSH public key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSSHPublicKey"
},
{
"resource_types": "server-certificate",
"description": "Deletes the specified server certificate",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteServerCertificate"
},
{
"resource_types": "role",
"description": "Deletes an IAM role that is linked to a specific AWS service",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteServiceLinkedRole"
},
{
"resource_types": "user",
"description": "Deletes the specified service-specific credential for an IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteServiceSpecificCredential"
},
{
"resource_types": "user",
"description": "Deletes a signing certificate associated with the specified IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSigningCertificate"
},
{
"resource_types": "user",
"description": "Deletes the specified IAM user",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "DeleteUser"
},
{
"resource_types": "user",
"description": "Deletes the permissions boundary from the user",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteUserPermissionsBoundary"
},
{
"resource_types": "user",
"description": "Deletes the specified inline policy that is embedded in the specified IAM user",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteUserPolicy"
},
{
"resource_types": "mfa",
"description": "Deletes a virtual MFA device",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteVirtualMFADevice"
},
{
"resource_types": "group",
"description": "Removes the specified managed policy from the specified IAM group",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DetachGroupPolicy"
},
{
"resource_types": "role",
"description": "Removes the specified managed policy from the specified role",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DetachRolePolicy"
},
{
"resource_types": "user",
"description": "Removes the specified managed policy from the specified user",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DetachUserPolicy"
},
{
"resource_types": "user",
"description": "Enables the specified MFA device and associates it with the specified IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableMFADevice"
},
{
"resource_types": "",
"description": "Generates a credential report for the AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GenerateCredentialReport"
},
{
"resource_types": "user",
"description": "Retrieves information about when the specified access key was last used",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAccessKeyLastUsed"
},
{
"resource_types": "",
"description": "Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAccountAuthorizationDetails"
},
{
"resource_types": "",
"description": "Retrieves the password policy for the AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAccountPasswordPolicy"
},
{
"resource_types": "",
"description": "Retrieves information about IAM entity usage and IAM quotas in the AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetAccountSummary"
},
{
"resource_types": "",
"description": "Gets a list of all of the context keys referenced in the input policies",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetContextKeysForCustomPolicy"
},
{
"resource_types": "group",
"description": "Gets a list of all of the context keys referenced in all of the IAM policies attached to the specified IAM entity",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetContextKeysForPrincipalPolicy"
},
{
"resource_types": "",
"description": "Retrieves a credential report for the AWS account. For more information about the credential report",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCredentialReport"
},
{
"resource_types": "group",
"description": "Returns a list of IAM users that are in the specified IAM group",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetGroup"
},
{
"resource_types": "group",
"description": "Retrieves the specified inline policy document that is embedded in the specified IAM group",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetGroupPolicy"
},
{
"resource_types": "instance-profile",
"description": "Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetInstanceProfile"
},
{
"resource_types": "user",
"description": "Retrieves the user name and password-creation date for the specified IAM user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetLoginProfile"
},
{
"resource_types": "oidc-provider",
"description": "Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetOpenIDConnectProvider"
},
{
"resource_types": "policy",
"description": "Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPolicy"
},
{
"resource_types": "policy",
"description": "Retrieves information about the specified version of the specified managed policy, including the policy document",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPolicyVersion"
},
{
"resource_types": "role",
"description": "Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRole"
},
{
"resource_types": "role",
"description": "Retrieves the specified inline policy document that is embedded with the specified IAM role",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRolePolicy"
},
{
"resource_types": "saml-provider",
"description": "Returns the SAML provider metadocument that was uploaded when the IAM SAML provider resource object was created or updated",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSAMLProvider"
},
{
"resource_types": "user",
"description": "Retrieves the specified SSH public key, including metadata about the key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSSHPublicKey"
},
{
"resource_types": "server-certificate",
"description": "Retrieves information about the specified server certificate stored in IAM",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetServerCertificate"
},
{
"resource_types": "role",
"description": "Retrieves an IAM service linked role deletion status",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetServiceLinkedRoleDeletionStatus"
},
{
"resource_types": "user",
"description": "Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetUser"
},
{
"resource_types": "user",
"description": "Retrieves the specified inline policy document that is embedded in the specified IAM user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetUserPolicy"
},
{
"resource_types": "user",
"description": "Returns information about the access key IDs associated with the specified IAM user. If there are none, the action returns an empty list",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAccessKeys"
},
{
"resource_types": "",
"description": "Lists the account alias associated with the AWS account (Note: you can have only one",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAccountAliases"
},
{
"resource_types": "group",
"description": "Lists all managed policies that are attached to the specified IAM group",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAttachedGroupPolicies"
},
{
"resource_types": "role",
"description": "Lists all managed policies that are attached to the specified IAM role",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAttachedRolePolicies"
},
{
"resource_types": "user",
"description": "Lists all managed policies that are attached to the specified IAM user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAttachedUserPolicies"
},
{
"resource_types": "policy",
"description": "Lists all IAM users, groups, and roles that the specified managed policy is attached to",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListEntitiesForPolicy"
},
{
"resource_types": "group",
"description": "Lists the names of the inline policies that are embedded in the specified IAM group",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGroupPolicies"
},
{
"resource_types": "",
"description": "Lists the IAM groups that have the specified path prefix",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGroups"
},
{
"resource_types": "user",
"description": "Lists the IAM groups that the specified IAM user belongs to",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGroupsForUser"
},
{
"resource_types": "instance-profile",
"description": "Lists the instance profiles that have the specified path prefix",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListInstanceProfiles"
},
{
"resource_types": "role",
"description": "Lists the instance profiles that have the specified associated IAM role",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListInstanceProfilesForRole"
},
{
"resource_types": "user",
"description": "Lists the MFA devices for an IAM user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListMFADevices"
},
{
"resource_types": "",
"description": "Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListOpenIDConnectProviders"
},
{
"resource_types": "",
"description": "Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPolicies"
},
{
"resource_types": "policy",
"description": "Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPolicyVersions"
},
{
"resource_types": "role",
"description": "Lists the names of the inline policies that are embedded in the specified IAM role",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRolePolicies"
},
{
"resource_types": "role",
"description": "Lists the tags that are attached to the specified role",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRoleTags"
},
{
"resource_types": "",
"description": "Lists the IAM roles that have the specified path prefix",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRoles"
},
{
"resource_types": "",
"description": "Lists the SAML provider resource objects defined in IAM in the account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSAMLProviders"
},
{
"resource_types": "user",
"description": "Returns information about the SSH public keys associated with the specified IAM user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSSHPublicKeys"
},
{
"resource_types": "",
"description": "Lists the server certificates stored in IAM that have the specified path prefix. If none exist, the action returns an empty list",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListServerCertificates"
},
{
"resource_types": "user",
"description": "List service-specific credentials associated with the specified IAM user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListServiceSpecificCredentials"
},
{
"resource_types": "user",
"description": "Returns information about the signing certificates associated with the specified IAM user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSigningCertificates"
},
{
"resource_types": "user",
"description": "Lists the names of the inline policies embedded in the specified IAM user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListUserPolicies"
},
{
"resource_types": "user",
"description": "Lists the tags that are attached to the specified user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListUserTags"
},
{
"resource_types": "",
"description": "Lists the IAM users that have the specified path prefix",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListUsers"
},
{
"resource_types": "",
"description": "Lists the virtual MFA devices defined in the AWS account by assignment status",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListVirtualMFADevices"
},
{
"resource_types": "group",
"description": "Adds or updates an inline policy document that is embedded in the specified IAM group",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutGroupPolicy"
},
{
"resource_types": "role",
"description": "Put a policy to a role as permissions boundary",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutRolePermissionsBoundary"
},
{
"resource_types": "role",
"description": "Adds or updates an inline policy document that is embedded in the specified IAM role",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutRolePolicy"
},
{
"resource_types": "user",
"description": "Put a policy to a user as permissions boundary",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutUserPermissionsBoundary"
},
{
"resource_types": "user",
"description": "Adds or updates an inline policy document that is embedded in the specified IAM user",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutUserPolicy"
},
{
"resource_types": "oidc-provider",
"description": "Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveClientIDFromOpenIDConnectProvider"
},
{
"resource_types": "instance-profile",
"description": "Removes the specified IAM role from the specified EC2 instance profile",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveRoleFromInstanceProfile"
},
{
"resource_types": "group",
"description": "Removes the specified user from the specified group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveUserFromGroup"
},
{
"resource_types": "user",
"description": "Resets the password for an existing service-specific credential for an IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ResetServiceSpecificCredential"
},
{
"resource_types": "user",
"description": "Synchronizes the specified MFA device with its IAM resource object on the AWS servers",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ResyncMFADevice"
},
{
"resource_types": "policy",
"description": "Sets the specified version of the specified policy as the policy's default (operative) version",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "SetDefaultPolicyVersion"
},
{
"resource_types": "",
"description": "Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API actions and AWS resources to determine the policies' effective permissions",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "SimulateCustomPolicy"
},
{
"resource_types": "group",
"description": "Simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "SimulatePrincipalPolicy"
},
{
"resource_types": "role",
"description": "Adds one or more tags to an IAM role",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagRole"
},
{
"resource_types": "user",
"description": "Adds one or more tags to an IAM user",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagUser"
},
{
"resource_types": "role",
"description": "Removes the specified tags from the role",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagRole"
},
{
"resource_types": "user",
"description": "Removes the specified tags from the user",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagUser"
},
{
"resource_types": "user",
"description": "Changes the status of the specified access key from Active to Inactive, or vice versa",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateAccessKey"
},
{
"resource_types": "",
"description": "Updates the password policy settings for the AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateAccountPasswordPolicy"
},
{
"resource_types": "role",
"description": "Updates the policy that grants an IAM entity permission to assume a role",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "UpdateAssumeRolePolicy"
},
{
"resource_types": "group",
"description": "Updates the name and/or the path of the specified IAM group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateGroup"
},
{
"resource_types": "user",
"description": "Changes the password for the specified IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateLoginProfile"
},
{
"resource_types": "oidc-provider",
"description": "Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateOpenIDConnectProviderThumbprint"
},
{
"resource_types": "role",
"description": "Updates the description or maximum session duration setting of a role",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRole"
},
{
"resource_types": "role",
"description": "Modifies only the description of a role. This operation performs the same function as the Description parameter in the UpdateRole operation",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRoleDescription"
},
{
"resource_types": "saml-provider",
"description": "Updates the metadata document for an existing SAML provider resource object",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSAMLProvider"
},
{
"resource_types": "user",
"description": "Sets the status of an IAM user's SSH public key to active or inactive",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSSHPublicKey"
},
{
"resource_types": "server-certificate",
"description": "Updates the name and/or the path of the specified server certificate stored in IAM",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateServerCertificate"
},
{
"resource_types": "user",
"description": "Sets the status of a service-specific credential to active or inactive for an IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateServiceSpecificCredential"
},
{
"resource_types": "user",
"description": "Changes the status of the specified user signing certificate from active to disabled, or vice versa",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSigningCertificate"
},
{
"resource_types": "user",
"description": "Updates the name and/or the path of the specified IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateUser"
},
{
"resource_types": "user",
"description": "Uploads an SSH public key and associates it with the specified IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UploadSSHPublicKey"
},
{
"resource_types": "server-certificate",
"description": "Uploads a server certificate entity for the AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UploadServerCertificate"
},
{
"resource_types": "user",
"description": "Uploads an X.509 signing certificate and associates it with the specified IAM user",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UploadSigningCertificate"
}
]
},
{
"service_name": "AWS Auto Scaling",
"privileges": [
{
"resource_types": "",
"description": "Creates a scaling plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateScalingPlan"
},
{
"resource_types": "",
"description": "Deletes the specified scaling plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteScalingPlan"
},
{
"resource_types": "",
"description": "Describes the scalable resources in the specified scaling plan",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeScalingPlanResources"
},
{
"resource_types": "",
"description": "Describes the specified scaling plans or all of your scaling plans",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeScalingPlans"
},
{
"resource_types": "",
"description": "Retrieves the forecast data for a scalable resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetScalingPlanResourceForecastData"
},
{
"resource_types": "",
"description": "Updates a scaling plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateScalingPlan"
}
]
},
{
"service_name": "Amazon CloudSearch",
"privileges": [
{
"resource_types": "domain",
"description": "Attaches resource tags to an Amazon CloudSearch domain",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTags"
},
{
"resource_types": "domain",
"description": "Indexes the search suggestions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BuildSuggesters"
},
{
"resource_types": "domain",
"description": "Creates a new search domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDomain"
},
{
"resource_types": "domain",
"description": "Configures an analysis scheme that can be applied to a text or text-array field to define language-specific text processing options",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DefineAnalysisScheme"
},
{
"resource_types": "domain",
"description": "Configures an Expression for the search domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DefineExpression"
},
{
"resource_types": "domain",
"description": "Configures an IndexField for the search domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DefineIndexField"
},
{
"resource_types": "domain",
"description": "Configures a suggester for a domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DefineSuggester"
},
{
"resource_types": "domain",
"description": "Deletes an analysis scheme",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAnalysisScheme"
},
{
"resource_types": "domain",
"description": "Permanently deletes a search domain and all of its data",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDomain"
},
{
"resource_types": "domain",
"description": "Removes an Expression from the search domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteExpression"
},
{
"resource_types": "domain",
"description": "Removes an IndexField from the search domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteIndexField"
},
{
"resource_types": "domain",
"description": "Deletes a suggester",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSuggester"
},
{
"resource_types": "domain",
"description": "Gets the analysis schemes configured for a domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAnalysisSchemes"
},
{
"resource_types": "domain",
"description": "Gets the availability options configured for a domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAvailabilityOptions"
},
{
"resource_types": "domain",
"description": "Gets information about the search domains owned by this account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDomains"
},
{
"resource_types": "domain",
"description": "Gets the expressions configured for the search domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeExpressions"
},
{
"resource_types": "domain",
"description": "Gets information about the index fields configured for the search domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeIndexFields"
},
{
"resource_types": "domain",
"description": "Gets the scaling parameters configured for a domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeScalingParameters"
},
{
"resource_types": "domain",
"description": "Gets information about the access policies that control access to the domain's document and search endpoints",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeServiceAccessPolicies"
},
{
"resource_types": "domain",
"description": "Gets the suggesters configured for a domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSuggesters"
},
{
"resource_types": "domain",
"description": "Tells the search domain to start indexing its documents using the latest indexing options",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "IndexDocuments"
},
{
"resource_types": "domain",
"description": "Lists all search domains owned by an account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDomainNames"
},
{
"resource_types": "domain",
"description": "Displays all of the resource tags for an Amazon CloudSearch domain",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTags"
},
{
"resource_types": "domain",
"description": "Removes the specified resource tags from an Amazon ES domain",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTags"
},
{
"resource_types": "domain",
"description": "Configures the availability options for a domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateAvailabilityOptions"
},
{
"resource_types": "domain",
"description": "Configures scaling parameters for a domain",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateScalingParameters"
},
{
"resource_types": "domain",
"description": "Configures the access rules that control access to the domain's document and search endpoints",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "UpdateServiceAccessPolicies"
},
{
"resource_types": "domain",
"description": "Allows access to the document service operations",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "document"
},
{
"resource_types": "domain",
"description": "Allows access to the search operations",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "search"
},
{
"resource_types": "domain",
"description": "Allows access to the suggest operations",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "suggest"
}
]
},
{
"service_name": "AWS Device Farm",
"privileges": [
{
"resource_types": "",
"description": "Creates a device pool",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDevicePool"
},
{
"resource_types": "",
"description": "Creates a new project",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateProject"
},
{
"resource_types": "",
"description": "Specifies and starts a remote access session",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRemoteAccessSession"
},
{
"resource_types": "",
"description": "Creates a new project",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateUpload"
},
{
"resource_types": "",
"description": "Deletes a device pool given the pool ARN. Does not allow deletion of curated pools owned by the system",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDevicePool"
},
{
"resource_types": "",
"description": "Deletes an AWS Device Farm project, given the project ARN",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProject"
},
{
"resource_types": "",
"description": "Deletes a completed remote access session and its results",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRemoteAccessSession"
},
{
"resource_types": "",
"description": "Deletes the run, given the run ARN",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRun"
},
{
"resource_types": "",
"description": "Deletes an upload given the upload ARN",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteUpload"
},
{
"resource_types": "",
"description": "Returns the number of unmetered iOS and/or unmetered Android devices that have been purchased by the account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAccountSettings"
},
{
"resource_types": "",
"description": "Gets information about a unique device type",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDevice"
},
{
"resource_types": "",
"description": "Gets information about a device pool",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDevicePool"
},
{
"resource_types": "",
"description": "Gets information about compatibility with a device pool",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDevicePoolCompatibility"
},
{
"resource_types": "",
"description": "Gets information about a job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetJob"
},
{
"resource_types": "",
"description": "Gets the current status and future status of all offerings purchased by an AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetOfferingStatus"
},
{
"resource_types": "",
"description": "Gets information about a project",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetProject"
},
{
"resource_types": "",
"description": "Returns a link to a currently running remote access session",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRemoteAccessSession"
},
{
"resource_types": "",
"description": "Gets information about a run",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRun"
},
{
"resource_types": "",
"description": "Gets information about a suite",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSuite"
},
{
"resource_types": "",
"description": "Gets information about a test",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTest"
},
{
"resource_types": "",
"description": "Gets information about an upload",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetUpload"
},
{
"resource_types": "",
"description": "Installs an application to the device in a remote access session",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "InstallToRemoteAccessSession"
},
{
"resource_types": "",
"description": "Gets information about artifacts",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListArtifacts"
},
{
"resource_types": "",
"description": "Gets information about device pools",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDevicePools"
},
{
"resource_types": "",
"description": "Gets information about unique device types",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDevices"
},
{
"resource_types": "",
"description": "Gets information about jobs",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListJobs"
},
{
"resource_types": "",
"description": "Returns a list of all historical purchases, renewals, and system renewal transactions for an AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListOfferingTransactions"
},
{
"resource_types": "",
"description": "Returns a list of products or offerings that the user can manage through the API",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListOfferings"
},
{
"resource_types": "",
"description": "Gets information about projects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProjects"
},
{
"resource_types": "",
"description": "Returns a list of all currently running remote access sessions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRemoteAccessSessions"
},
{
"resource_types": "",
"description": "Gets information about runs",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRuns"
},
{
"resource_types": "",
"description": "Gets information about samples",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSamples"
},
{
"resource_types": "",
"description": "Gets information about suites",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSuites"
},
{
"resource_types": "",
"description": "Gets information about tests",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTests"
},
{
"resource_types": "",
"description": "Gets information about unique problems",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListUniqueProblems"
},
{
"resource_types": "",
"description": "Gets information about uploads",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListUploads"
},
{
"resource_types": "",
"description": "Immediately purchases offerings for an AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PurchaseOffering"
},
{
"resource_types": "",
"description": "Explicitly sets the quantity of devices to renew for an offering, starting from the effectiveDate of the next period",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RenewOffering"
},
{
"resource_types": "",
"description": "Schedules a run",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ScheduleRun"
},
{
"resource_types": "",
"description": "Ends a specified remote access session",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopRemoteAccessSession"
},
{
"resource_types": "",
"description": "Initiates a stop request for the current test run",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopRun"
},
{
"resource_types": "",
"description": "Modifies the name, description, and rules in a device pool given the attributes and the pool ARN",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDevicePool"
},
{
"resource_types": "",
"description": "Modifies the specified project name, given the project ARN and a new name",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateProject"
}
]
},
{
"service_name": "Data Pipeline",
"privileges": [
{
"resource_types": "",
"description": "Validates the specified pipeline and starts processing pipeline tasks. If the pipeline does not pass validation, activation fails",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag",
"datapipeline:workerGroup"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ActivatePipeline"
},
{
"resource_types": "",
"description": "Adds or modifies tags for the specified pipeline",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTags"
},
{
"resource_types": "",
"description": "Creates a new, empty pipeline",
"condition_keys": [
"datapipeline:Tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePipeline"
},
{
"resource_types": "",
"description": "Deactivates the specified running pipeline",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag",
"datapipeline:workerGroup"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeactivatePipeline"
},
{
"resource_types": "",
"description": "Deletes a pipeline, its pipeline definition, and its run history",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePipeline"
},
{
"resource_types": "",
"description": "Gets the object definitions for a set of objects associated with the pipeline",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeObjects"
},
{
"resource_types": "",
"description": "Retrieves metadata about one or more pipelines",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribePipelines"
},
{
"resource_types": "",
"description": "Task runners call EvaluateExpression to evaluate a string in the context of the specified object",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "EvaluateExpression"
},
{
"resource_types": "",
"description": "Description for GetAccountLimits",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "GetAccountLimits"
},
{
"resource_types": "",
"description": "Gets the definition of the specified pipeline",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag",
"datapipeline:workerGroup"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPipelineDefinition"
},
{
"resource_types": "",
"description": "Lists the pipeline identifiers for all active pipelines that you have permission to access",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPipelines"
},
{
"resource_types": "",
"description": "Task runners call PollForTask to receive a task to perform from AWS Data Pipeline",
"condition_keys": [
"datapipeline:workerGroup"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PollForTask"
},
{
"resource_types": "",
"description": "Description for PutAccountLimits",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAccountLimits"
},
{
"resource_types": "",
"description": "Adds tasks, schedules, and preconditions to the specified pipeline",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag",
"datapipeline:workerGroup"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutPipelineDefinition"
},
{
"resource_types": "",
"description": "Queries the specified pipeline for the names of objects that match the specified set of conditions",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "QueryObjects"
},
{
"resource_types": "",
"description": "Removes existing tags from the specified pipeline",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag"
],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTags"
},
{
"resource_types": "",
"description": "Task runners call ReportTaskProgress when assigned a task to acknowledge that it has the task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ReportTaskProgress"
},
{
"resource_types": "",
"description": "Task runners call ReportTaskRunnerHeartbeat every 15 minutes to indicate that they are operational",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ReportTaskRunnerHeartbeat"
},
{
"resource_types": "",
"description": "Requests that the status of the specified physical or logical pipeline objects be updated in the specified pipeline",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetStatus"
},
{
"resource_types": "",
"description": "Task runners call SetTaskStatus to notify AWS Data Pipeline that a task is completed and provide information about the final status",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetTaskStatus"
},
{
"resource_types": "",
"description": "Validates the specified pipeline definition to ensure that it is well formed and can be run without error",
"condition_keys": [
"datapipeline:PipelineCreator",
"datapipeline:Tag",
"datapipeline:workerGroup"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ValidatePipelineDefinition"
}
]
},
{
"service_name": "Amazon Polly",
"privileges": [
{
"resource_types": "lexicon",
"description": "Deletes the specified pronunciation lexicon stored in an AWS Region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteLexicon"
},
{
"resource_types": "",
"description": "Returns the list of voices that are available for use when requesting speech synthesis",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeVoices"
},
{
"resource_types": "lexicon",
"description": "Returns the content of the specified pronunciation lexicon stored in an AWS Region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetLexicon"
},
{
"resource_types": "",
"description": "Enables the user to get information about a specific speech synthesis task",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSpeechSynthesisTask"
},
{
"resource_types": "",
"description": "Returns a list of pronunciation lexicons stored in an AWS Region",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListLexicons"
},
{
"resource_types": "",
"description": "Enables the user to list requested speech synthesis tasks",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSpeechSynthesisTasks"
},
{
"resource_types": "lexicon",
"description": "Stores a pronunciation lexicon in an AWS Region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutLexicon"
},
{
"resource_types": "lexicon",
"description": "Enables the user to synthesize long inputs to the provided S3 location",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"s3:PutObject"
],
"privilege": "StartSpeechSynthesisTask"
},
{
"resource_types": "lexicon",
"description": "Synthesizes UTF-8 input, plain text or SSML, to a stream of bytes",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "SynthesizeSpeech"
}
]
},
{
"service_name": "AWS CodePipeline",
"privileges": [
{
"resource_types": "",
"description": "Returns information about a specified job and whether that job has been received by the job worker",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcknowledgeJob"
},
{
"resource_types": "",
"description": "Confirms a job worker has received the specified job. Only used for partner actions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcknowledgeThirdPartyJob"
},
{
"resource_types": "actiontype",
"description": "Create a custom action you can use in the pipelines associated with your AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCustomActionType"
},
{
"resource_types": "pipeline",
"description": "Create a uniquely named pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePipeline"
},
{
"resource_types": "actiontype",
"description": "Delete a custom action",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCustomActionType"
},
{
"resource_types": "pipeline",
"description": "Delete a specified pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePipeline"
},
{
"resource_types": "webhook",
"description": "Delete a specified webhook",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteWebhook"
},
{
"resource_types": "webhook",
"description": "Remove the registration of a webhook with the third party specified in its configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeregisterWebhookWithThirdParty"
},
{
"resource_types": "stage",
"description": "Prevent revisions from transitioning to the next stage in a pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisableStageTransition"
},
{
"resource_types": "stage",
"description": "Enable revisions to transition to the next stage in a pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "EnableStageTransition"
},
{
"resource_types": "",
"description": "Returns information about a job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetJobDetails"
},
{
"resource_types": "pipeline",
"description": "Retrieve information about a pipeline structure",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPipeline"
},
{
"resource_types": "pipeline",
"description": "Returns information about an execution of a pipeline, including details about artifacts, the pipeline execution ID, and the name, version, and status of the pipeline",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPipelineExecution"
},
{
"resource_types": "pipeline",
"description": "Retrieve information about the current state of the stages and actions of a pipeline",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPipelineState"
},
{
"resource_types": "",
"description": "Requests the details of a job for a third party action. Only used for partner actions",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetThirdPartyJobDetails"
},
{
"resource_types": "actiontype",
"description": "Retrieve a summary of all the action types available for pipelines in your account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListActionTypes"
},
{
"resource_types": "pipeline",
"description": "Gets a summary of the most recent executions for a pipeline",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPipelineExecutions"
},
{
"resource_types": "pipeline",
"description": "Get a summary of all the pipelines associated with your AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPipelines"
},
{
"resource_types": "webhook",
"description": "Get all the webhooks associated with your AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListWebhooks"
},
{
"resource_types": "actiontype",
"description": "Returns information about any jobs for AWS CodePipeline to act upon",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PollForJobs"
},
{
"resource_types": "",
"description": "Determines whether there are any third party jobs for a job worker to act on. Only used for partner actions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PollForThirdPartyJobs"
},
{
"resource_types": "action",
"description": "Edit actions within a pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutActionRevision"
},
{
"resource_types": "",
"description": "Provides the response to a manual approval request to AWS CodePipeline. Valid responses include Approved and Rejected",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutApprovalResult"
},
{
"resource_types": "",
"description": "Represents the failure of a job as returned to the pipeline by a job worker. Only used for custom actions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutJobFailureResult"
},
{
"resource_types": "",
"description": "Represents the success of a job as returned to the pipeline by a job worker. Only used for custom actions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutJobSuccessResult"
},
{
"resource_types": "",
"description": "Represents the failure of a third party job as returned to the pipeline by a job worker. Only used for partner actions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutThirdPartyJobFailureResult"
},
{
"resource_types": "",
"description": "Represents the success of a third party job as returned to the pipeline by a job worker. Only used for partner actions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutThirdPartyJobSuccessResult"
},
{
"resource_types": "pipeline",
"description": "Create or update a webhook",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutWebhook"
},
{
"resource_types": "webhook",
"description": "Register a webhook with the third party specified in its configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RegisterWebhookWithThirdParty"
},
{
"resource_types": "stage",
"description": "Resumes the pipeline execution by retrying the last failed actions in a stage",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RetryStageExecution"
},
{
"resource_types": "pipeline",
"description": "Run the most recent revision through the pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartPipelineExecution"
},
{
"resource_types": "pipeline",
"description": "Update a pipeline with changes to the structure of the pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdatePipeline"
}
]
},
{
"service_name": "AWS Batch",
"privileges": [
{
"resource_types": "",
"description": "Cancels jobs in an AWS Batch job queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelJob"
},
{
"resource_types": "",
"description": "Creates an AWS Batch compute environment",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateComputeEnvironment"
},
{
"resource_types": "",
"description": "Creates an AWS Batch job queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateJobQueue"
},
{
"resource_types": "",
"description": "Deletes an AWS Batch compute environment",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteComputeEnvironment"
},
{
"resource_types": "",
"description": "Deletes the specified job queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteJobQueue"
},
{
"resource_types": "job-definition",
"description": "Deregisters an AWS Batch job definition",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeregisterJobDefinition"
},
{
"resource_types": "",
"description": "Describes one or more of your compute environments",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeComputeEnvironments"
},
{
"resource_types": "",
"description": "Describes a list of job definitions",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeJobDefinitions"
},
{
"resource_types": "",
"description": "Describes one or more of your job queues",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeJobQueues"
},
{
"resource_types": "",
"description": "Describes a list of AWS Batch jobs",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeJobs"
},
{
"resource_types": "",
"description": "Returns a list of task jobs for a specified job queue",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListJobs"
},
{
"resource_types": "job-definition",
"description": "Registers an AWS Batch job definition",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RegisterJobDefinition"
},
{
"resource_types": "job-definition",
"description": "Submits an AWS Batch job from a job definition",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SubmitJob"
},
{
"resource_types": "",
"description": "Terminates jobs in a job queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateJob"
},
{
"resource_types": "",
"description": "Updates an AWS Batch compute environment",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateComputeEnvironment"
},
{
"resource_types": "",
"description": "Updates a job queue",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateJobQueue"
}
]
},
{
"service_name": "AWS IoT Events",
"privileges": [
{
"resource_types": "input",
"description": "Sends a set of messages to the AWS IoT Events system",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchPutMessage"
},
{
"resource_types": "",
"description": "Creates a detector model",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDetectorModel"
},
{
"resource_types": "",
"description": "Creates an input",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateInput"
},
{
"resource_types": "detectorModel",
"description": "Deletes a detector model",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDetectorModel"
},
{
"resource_types": "input",
"description": "Deletes an input",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteInput"
},
{
"resource_types": "detectorModel",
"description": "Returns information about the specified detector (instance)",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeDetector"
},
{
"resource_types": "detectorModel",
"description": "Describes a detector model",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeDetectorModel"
},
{
"resource_types": "input",
"description": "Describes an input",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeInput"
},
{
"resource_types": "",
"description": "Retrieves the current settings of the AWS IoT Events logging options",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeLoggingOptions"
},
{
"resource_types": "detectorModel",
"description": "Lists all the versions of a detector model. Only the metadata associated with each detector model version is returned",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDetectorModelVersions"
},
{
"resource_types": "",
"description": "Lists the detector models you have created. Only the metadata associated with each detector model is returned",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDetectorModels"
},
{
"resource_types": "detectorModel",
"description": "Lists detectors (the instances of a detector model)",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDetectors"
},
{
"resource_types": "",
"description": "Sets or updates the AWS IoT Events logging options",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutLoggingOptions"
},
{
"resource_types": "detectorModel",
"description": "Updates a detector model",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDetectorModel"
},
{
"resource_types": "input",
"description": "Updates an input",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateInput"
}
]
},
{
"service_name": "AWS Server Migration Service",
"privileges": [
{
"resource_types": "",
"description": "Create an application configuration to migrate on-premise application onto AWS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateApp"
},
{
"resource_types": "",
"description": "Create a job to migrate on-premise server onto AWS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateReplicationJob"
},
{
"resource_types": "",
"description": "Delete an existing application configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteApp"
},
{
"resource_types": "",
"description": "Delete launch configuration for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAppLaunchConfiguration"
},
{
"resource_types": "",
"description": "Delete replication configuration for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAppReplicationConfiguration"
},
{
"resource_types": "",
"description": "Delete an existing job to migrate on-premise server onto AWS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteReplicationJob"
},
{
"resource_types": "",
"description": "Delete the complete list of on-premise servers gathered into AWS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteServerCatalog"
},
{
"resource_types": "",
"description": "Disassociate a connector that has been associated",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateConnectors"
},
{
"resource_types": "",
"description": "Generate a changeSet for the CloudFormation stack of an application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "GenerateChangeSet"
},
{
"resource_types": "",
"description": "Generate a CloudFormation template for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "GenerateTemplate"
},
{
"resource_types": "",
"description": "Get the configuration and statuses for an existing application",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetApp"
},
{
"resource_types": "",
"description": "Get launch configuration for an existing application",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAppLaunchConfiguration"
},
{
"resource_types": "",
"description": "Get replication configuration for an existing application",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAppReplicationConfiguration"
},
{
"resource_types": "",
"description": "Get all connectors that have been associated",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetConnectors"
},
{
"resource_types": "",
"description": "Get all existing jobs to migrate on-premise servers onto AWS",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetReplicationJobs"
},
{
"resource_types": "",
"description": "Get all runs for an existing job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetReplicationRuns"
},
{
"resource_types": "",
"description": "Get all servers that have been imported",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetServers"
},
{
"resource_types": "",
"description": "Gathers a complete list of on-premise servers",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportServerCatalog"
},
{
"resource_types": "",
"description": "Create and launch a CloudFormation stack for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "LaunchApp"
},
{
"resource_types": "",
"description": "Get a list of summaries for existing applications",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListApps"
},
{
"resource_types": "",
"description": "Create or update launch configuration for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAppLaunchConfiguration"
},
{
"resource_types": "",
"description": "Create or update replication configuration for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAppReplicationConfiguration"
},
{
"resource_types": "",
"description": "Create and start replication jobs for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartAppReplication"
},
{
"resource_types": "",
"description": "Start a replication run for an existing replication job",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartOnDemandReplicationRun"
},
{
"resource_types": "",
"description": "Stop and delete replication jobs for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopAppReplication"
},
{
"resource_types": "",
"description": "Terminate the CloudFormation stack for an existing application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateApp"
},
{
"resource_types": "",
"description": "Update an existing application configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApp"
},
{
"resource_types": "",
"description": "Update an existing job to migrate on-premise server onto AWS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateReplicationJob"
}
]
},
{
"service_name": "Manage Amazon API Gateway",
"privileges": [
{
"resource_types": "apigateway-general",
"description": "Used to delete resources",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DELETE"
},
{
"resource_types": "apigateway-general",
"description": "Used to get information about resources",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GET"
},
{
"resource_types": "apigateway-general",
"description": "Used to update resources",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PATCH"
},
{
"resource_types": "apigateway-general",
"description": "Used to create child resources",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "POST"
},
{
"resource_types": "apigateway-general",
"description": "Used to update resources (and, although not recommended, can be used to create child resources)",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PUT"
}
]
},
{
"service_name": "AWS CodeCommit",
"privileges": [
{
"resource_types": "repository",
"description": "Returns information about one or more pull requests in an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetPullRequests"
},
{
"resource_types": "repository",
"description": "Get information about multiple repositories",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetRepositories"
},
{
"resource_types": "repository",
"description": "Required to cancel the uploading of an archive to a pipeline",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "CancelUploadArchive"
},
{
"resource_types": "repository",
"description": "Create a branch in an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBranch"
},
{
"resource_types": "repository",
"description": "Creates a pull request in the specified repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePullRequest"
},
{
"resource_types": "repository",
"description": "Create a new AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRepository"
},
{
"resource_types": "repository",
"description": "Delete a branch in an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBranch"
},
{
"resource_types": "repository",
"description": "Deletes the content of a comment made on a change, file, or commit in a repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCommentContent"
},
{
"resource_types": "repository",
"description": "Deletes a specified file from a specified branch",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteFile"
},
{
"resource_types": "repository",
"description": "Delete an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRepository"
},
{
"resource_types": "repository",
"description": "Returns information about one or more pull request events",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribePullRequestEvents"
},
{
"resource_types": "repository",
"description": "View the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBlob"
},
{
"resource_types": "repository",
"description": "Get details about a branch in an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBranch"
},
{
"resource_types": "repository",
"description": "Returns the content of a comment made on a change, file, or commit in a repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComment"
},
{
"resource_types": "repository",
"description": "Returns information about comments made on the comparison between two commits",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCommentsForComparedCommit"
},
{
"resource_types": "repository",
"description": "Returns comments made on a pull request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCommentsForPullRequest"
},
{
"resource_types": "repository",
"description": "Returns information about a commit, including commit message and committer information",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCommit"
},
{
"resource_types": "repository",
"description": "Returns information about the history of commits in a repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCommitHistory"
},
{
"resource_types": "repository",
"description": "Returns information about the difference between commits in the context of a potential merge",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCommitsFromMergeBase"
},
{
"resource_types": "repository",
"description": "Enables the user to view information about the differences in a valid commit specifier (such as a branch, tag, HEAD, commit ID or other fully qualified reference). Results can be limited to a specified path",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDifferences"
},
{
"resource_types": "repository",
"description": "Returns the base-64 encoded contents of a specified file and its metadata",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFile"
},
{
"resource_types": "repository",
"description": "Returns the contents of a specified folder in a repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetFolder"
},
{
"resource_types": "repository",
"description": "Returns information about merge conflicts between the before and after commit IDs for a pull request in a repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetMergeConflicts"
},
{
"resource_types": "repository",
"description": "Resolve blobs, trees, and commits to their identifier",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetObjectIdentifier"
},
{
"resource_types": "repository",
"description": "Gets information about a pull request in a specified repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPullRequest"
},
{
"resource_types": "repository",
"description": "Get details about references in an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetReferences"
},
{
"resource_types": "repository",
"description": "Get information about a single AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRepository"
},
{
"resource_types": "repository",
"description": "Gets information about triggers configured for a repository",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRepositoryTriggers"
},
{
"resource_types": "repository",
"description": "View the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTree"
},
{
"resource_types": "repository",
"description": "Required to determine the status of an archive upload: whether it is in progress, complete, cancelled, or if an error occurred",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetUploadArchiveStatus"
},
{
"resource_types": "repository",
"description": "Pull information from an AWS CodeCommit repository to a local repo",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GitPull"
},
{
"resource_types": "repository",
"description": "Push information from a local repo to an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "GitPush"
},
{
"resource_types": "repository",
"description": "Get a list of branches in an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBranches"
},
{
"resource_types": "repository",
"description": "Returns a list of pull requests for a specified repository. The return list can be refined by pull request status or pull request author ARN",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPullRequests"
},
{
"resource_types": "",
"description": "Gets information about one or more repositories",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRepositories"
},
{
"resource_types": "repository",
"description": "Closes a pull request and attempts to merge the source commit of a pull request into the specified destination branch for that pull request at the specified commit using the fast-forward merge option",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "MergePullRequestByFastForward"
},
{
"resource_types": "repository",
"description": "Posts a comment on the comparison between two commits",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PostCommentForComparedCommit"
},
{
"resource_types": "repository",
"description": "Posts a comment on a pull request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PostCommentForPullRequest"
},
{
"resource_types": "repository",
"description": "Posts a comment in reply to an existing comment on a comparison between commits or a pull request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PostCommentReply"
},
{
"resource_types": "repository",
"description": "Enables the user to add or update a file in a branch in an AWS CodeCommit repository, and generate a commit for the addition in the specified branch",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutFile"
},
{
"resource_types": "repository",
"description": "Replaces all triggers for a repository. This can be used to create or delete triggers",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutRepositoryTriggers"
},
{
"resource_types": "repository",
"description": "Tests the functionality of repository triggers by sending information to the trigger target",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TestRepositoryTriggers"
},
{
"resource_types": "repository",
"description": "Replaces the contents of a comment",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateComment"
},
{
"resource_types": "repository",
"description": "Change the default branch in an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateDefaultBranch"
},
{
"resource_types": "repository",
"description": "Replaces the contents of the description of a pull request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdatePullRequestDescription"
},
{
"resource_types": "repository",
"description": "Updates the status of a pull request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdatePullRequestStatus"
},
{
"resource_types": "repository",
"description": "Replaces the title of a pull request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdatePullRequestTitle"
},
{
"resource_types": "repository",
"description": "Change the description of an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRepositoryDescription"
},
{
"resource_types": "repository",
"description": "Change the name of an AWS CodeCommit repository",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRepositoryName"
},
{
"resource_types": "repository",
"description": "Allows the service role for AWS CodePipeline to upload repository changes into a pipeline",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UploadArchive"
}
]
},
{
"service_name": "AWS Backup",
"privileges": [
{
"resource_types": "backupVault",
"description": "Creates a new backup plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBackupPlan"
},
{
"resource_types": "",
"description": "Creates a new resource assignment in a backup plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBackupSelection"
},
{
"resource_types": "backupVault",
"description": "Creates a new backup vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBackupVault"
},
{
"resource_types": "",
"description": "Deletes a backup plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBackupPlan"
},
{
"resource_types": "",
"description": "Deletes a resource assignment from a backup plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBackupSelection"
},
{
"resource_types": "backupVault",
"description": "Deletes a backup vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBackupVault"
},
{
"resource_types": "backupVault",
"description": "Deletes backup vault access policy",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBackupVaultAccessPolicy"
},
{
"resource_types": "backupVault",
"description": "Remove notifications from backup vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBackupVaultNotifications"
},
{
"resource_types": "backupVault",
"description": "Deletes a recovery point from a backup vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRecoveryPoint"
},
{
"resource_types": "",
"description": "Describes a backup job",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeBackupJob"
},
{
"resource_types": "backupVault",
"description": "Creates a new backup vault with the specified name",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeBackupVault"
},
{
"resource_types": "",
"description": "Describes a protected resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProtectedResource"
},
{
"resource_types": "backupVault",
"description": "Describes a recovery point",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeRecoveryPoint"
},
{
"resource_types": "backupVault",
"description": "Describes a restore job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeRestoreJob"
},
{
"resource_types": "",
"description": "Exports a backup plan as a JSON",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ExportBackupPlanTemplate"
},
{
"resource_types": "",
"description": "Gets a backup plan",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBackupPlan"
},
{
"resource_types": "",
"description": "Transforms a JSON to a backup plan",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBackupPlanFromJSON"
},
{
"resource_types": "",
"description": "Transforms a template to a backup plan",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBackupPlanFromTemplate"
},
{
"resource_types": "backupVault",
"description": "Gets a backup plan resource assignment",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBackupSelection"
},
{
"resource_types": "backupVault",
"description": "Gets backup vault access policy",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBackupVaultAccessPolicy"
},
{
"resource_types": "backupVault",
"description": "Gets backup vault notifications",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetBackupVaultNotifications"
},
{
"resource_types": "backupVault",
"description": "Gets recovery point restore metadata",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRecoveryPointRestoreMetadata"
},
{
"resource_types": "",
"description": "Gets supported resource types",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSupportedResourceTypes"
},
{
"resource_types": "",
"description": "Lists backup jobs",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBackupJobs"
},
{
"resource_types": "",
"description": "Lists backup plan templates provided by AWS Backup",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBackupPlanTemplates"
},
{
"resource_types": "",
"description": "Lists backup plan versions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBackupPlanVersions"
},
{
"resource_types": "",
"description": "Lists backup plans",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBackupPlans"
},
{
"resource_types": "",
"description": "Lists resource assignments for a specific backup plan",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBackupSelections"
},
{
"resource_types": "",
"description": "Lists backup vaults",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBackupVaults"
},
{
"resource_types": "",
"description": "Lists protected resources by AWS Backup",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProtectedResources"
},
{
"resource_types": "backupVault",
"description": "Lists recovery points inside a backup vault",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRecoveryPointsByBackupVault"
},
{
"resource_types": "",
"description": "Lists recovery points for a resource",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRecoveryPointsByResource"
},
{
"resource_types": "backupVault",
"description": "Lists restore jobs",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRestoreJobs"
},
{
"resource_types": "",
"description": "Lists tags for a resource",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTags"
},
{
"resource_types": "backupVault",
"description": "Adds an access policy to the backup vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutBackupVaultAccessPolicy"
},
{
"resource_types": "backupVault",
"description": "Adds an SNS topic to the backup vault",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutBackupVaultNotifications"
},
{
"resource_types": "backupVault",
"description": "Starts a new backup job",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartBackupJob"
},
{
"resource_types": "backupVault",
"description": "Starts a new restore job",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartRestoreJob"
},
{
"resource_types": "backupVault",
"description": "Stops a backup job",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopBackupJob"
},
{
"resource_types": "",
"description": "Tags a resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TagResource"
},
{
"resource_types": "",
"description": "Untags a resource",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UntagResource"
},
{
"resource_types": "",
"description": "Updates a backup plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateBackupPlan"
},
{
"resource_types": "backupVault",
"description": "Updates the lifecycle of the recovery point",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRecoveryPointLifecycle"
}
]
},
{
"service_name": "Comprehend Medical",
"privileges": [
{
"resource_types": "",
"description": "Inspects the specified text for the specified type of entities and returns information about them",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DetectEntities"
},
{
"resource_types": "",
"description": "Inspects the specified text for PHI entities and returns information about them",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DetectPHI"
}
]
},
{
"service_name": "Amazon Kinesis Analytics",
"privileges": [
{
"resource_types": "application",
"description": "Adds input to the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddApplicationInput"
},
{
"resource_types": "application",
"description": "Adds output to the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddApplicationOutput"
},
{
"resource_types": "application",
"description": "Adds reference data source to the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddApplicationReferenceDataSource"
},
{
"resource_types": "",
"description": "Creates an application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateApplication"
},
{
"resource_types": "application",
"description": "Deletes the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteApplication"
},
{
"resource_types": "application",
"description": "Deletes the specified output of the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteApplicationOutput"
},
{
"resource_types": "application",
"description": "Deletes the specified reference data source of the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteApplicationReferenceDataSource"
},
{
"resource_types": "application",
"description": "Describes the specified application",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeApplication"
},
{
"resource_types": "",
"description": "Discovers the input schema for the application",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DiscoverInputSchema"
},
{
"resource_types": "",
"description": "List applications for the account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListApplications"
},
{
"resource_types": "application",
"description": "Starts the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartApplication"
},
{
"resource_types": "application",
"description": "Stops the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopApplication"
},
{
"resource_types": "application",
"description": "Updates the application",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateApplication"
}
]
},
{
"service_name": "Amazon EC2",
"privileges": [
{
"resource_types": "",
"description": "Accepts the Convertible Reserved Instance exchange quote described in the GetReservedInstancesExchangeQuote call",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcceptReservedInstancesExchangeQuote"
},
{
"resource_types": "",
"description": "Accepts one or more interface VPC endpoint connection requests to your VPC endpoint service",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcceptVpcEndpointConnections"
},
{
"resource_types": "vpc",
"description": "Accept a VPC peering connection request",
"condition_keys": [
"ec2:Region",
"ec2:ResourceTag/tag-key",
"ec2:Tenancy"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcceptVpcPeeringConnection"
},
{
"resource_types": "",
"description": "Acquires an Elastic IP address",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AllocateAddress"
},
{
"resource_types": "",
"description": "Allocates a Dedicated Host to your account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AllocateHosts"
},
{
"resource_types": "",
"description": "Assigns one or more IPv6 addresses to the specified network interface",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssignIpv6Addresses"
},
{
"resource_types": "",
"description": "Assigns one or more secondary private IP addresses to the specified network interface",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssignPrivateIpAddresses"
},
{
"resource_types": "",
"description": "Associates an Elastic IP address with an instance or a network interface",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateAddress"
},
{
"resource_types": "",
"description": "Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateDhcpOptions"
},
{
"resource_types": "instance",
"description": "Associates an IAM instance profile with a running or stopped instance",
"condition_keys": [
"ec2:AvailabilityZone",
"ec2:EbsOptimized",
"ec2:InstanceProfile",
"ec2:InstanceType",
"ec2:PlacementGroup",
"ec2:Region",
"ec2:ResourceTag/tag-key",
"ec2:RootDeviceType",
"ec2:Tenancy"
],
"access_level": "Write",
"dependent_actions": [
"iam:PassRole"
],
"privilege": "AssociateIamInstanceProfile"
},
{
"resource_types": "",
"description": "Associates a subnet with a route table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateRouteTable"
},
{
"resource_types": "",
"description": "Associates a CIDR block with your subnet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateSubnetCidrBlock"
},
{
"resource_types": "",
"description": "Associates a CIDR block with your VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateVpcCidrBlock"
},
{
"resource_types": "instance",
"description": "Links an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups",
"condition_keys": [
"ec2:AvailabilityZone",
"ec2:EbsOptimized",
"ec2:InstanceProfile",
"ec2:InstanceType",
"ec2:PlacementGroup",
"ec2:Region",
"ec2:ResourceTag/tag-key",
"ec2:RootDeviceType",
"ec2:Tenancy"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachClassicLinkVpc"
},
{
"resource_types": "",
"description": "Attaches an Internet gateway to a VPC, enabling connectivity between the Internet and the VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachInternetGateway"
},
{
"resource_types": "",
"description": "Attaches a network interface to an instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachNetworkInterface"
},
{
"resource_types": "instance",
"description": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name",
"condition_keys": [
"ec2:AvailabilityZone",
"ec2:EbsOptimized",
"ec2:InstanceProfile",
"ec2:InstanceType",
"ec2:PlacementGroup",
"ec2:Region",
"ec2:ResourceTag/tag-key",
"ec2:RootDeviceType",
"ec2:Tenancy"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachVolume"
},
{
"resource_types": "",
"description": "Attaches a virtual private gateway to a VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AttachVpnGateway"
},
{
"resource_types": "security-group",
"description": "[EC2-VPC only] Adds one or more egress rules to a security group for use with a VPC",
"condition_keys": [
"ec2:Region",
"ec2:ResourceTag/tag-key",
"ec2:Vpc"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AuthorizeSecurityGroupEgress"
},
{
"resource_types": "security-group",
"description": "Adds one or more ingress rules to a security group",
"condition_keys": [
"ec2:Region",
"ec2:ResourceTag/tag-key",
"ec2:Vpc"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AuthorizeSecurityGroupIngress"
},
{
"resource_types": "",
"description": "Bundles an Amazon instance store-backed Windows instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BundleInstance"
},
{
"resource_types": "",
"description": "Cancels a bundling operation for an instance store-backed Windows instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelBundleTask"
},
{
"resource_types": "",
"description": "Cancels an active conversion task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelConversionTask"
},
{
"resource_types": "",
"description": "Cancels an active export task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelExportTask"
},
{
"resource_types": "",
"description": "Cancels an in-process import virtual machine or import snapshot task",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelImportTask"
},
{
"resource_types": "",
"description": "Cancels the specified Reserved Instance listing in the Reserved Instance Marketplace",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelReservedInstancesListing"
},
{
"resource_types": "",
"description": "Cancels the specified Spot fleet requests",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelSpotFleetRequests"
},
{
"resource_types": "",
"description": "Cancels one or more Spot instance requests",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelSpotInstanceRequests"
},
{
"resource_types": "",
"description": "Determines whether a product code is associated with an instance",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ConfirmProductInstance"
},
{
"resource_types": "",
"description": "Initiates the copy of an Amazon FPGA Image (AFI) from the specified source region to the current region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopyFpgaImage"
},
{
"resource_types": "",
"description": "Initiates the copy of an AMI from the specified source region to the current region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopyImage"
},
{
"resource_types": "",
"description": "Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CopySnapshot"
},
{
"resource_types": "",
"description": "Provides information to AWS about your VPN customer gateway device",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCustomerGateway"
},
{
"resource_types": "",
"description": "Creates a default subnet with a size /20 IPv4 CIDR block in the specified Availability Zone in your default VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDefaultSubnet"
},
{
"resource_types": "",
"description": "Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability Zone",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDefaultVpc"
},
{
"resource_types": "",
"description": "Creates a set of DHCP options for your VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateDhcpOptions"
},
{
"resource_types": "",
"description": "Creates an egress-only Internet gateway for your VPC",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateEgressOnlyInternetGateway"