#!/usr/bin/env python
from os import listdir
from os.path import isfile, join
import re
import json
from bs4 import BeautifulSoup
"""
Setup
-----
# Install libraries
pip install beautifulsoup4
# Download files
wget -r -np -k -A .html -nc https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
"""
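def chomp(string):
    """Normalize whitespace in *string* and trim non-word characters at both ends.

    Newlines become spaces, runs of spaces collapse to a single space, and any
    leading or trailing non-word characters (anything other than letters,
    digits and underscore, so whitespace and punctuation) are removed.
    Tabs inside the text are left untouched.
    """
    flattened = string.replace('\n', ' ')  # Line ends become spaces
    collapsed = re.sub(r' +', ' ', flattened)  # Runs of spaces become one space
    # Raw strings keep the regex class \W from being read as a string escape,
    # which newer Python versions warn about.
    without_lead = re.sub(r'^\W*', '', collapsed)  # Clean start
    return re.sub(r'\W*$', '', without_lead)  # Clean end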
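# Directory holding the locally mirrored IAM User Guide pages
mypath = './docs.aws.amazon.com/IAM/latest/UserGuide/'

# Collects one {'service_name': ..., 'privileges': [...]} entry per parsed page
schema = []

# Sorted so the emitted JSON is reproducible between runs; listdir() returns
# entries in arbitrary order, which makes two scrapes hard to compare.
for filename in sorted(f for f in listdir(mypath) if isfile(join(mypath, f))):
    # Only files named list_* are parsed (e.g. list_amazonroute53.html)
    if not filename.startswith("list_"):
        continue

    # Read raw bytes and let BeautifulSoup work out the page encoding instead of
    # decoding with whatever the local default encoding happens to be. The file
    # handle is released as soon as the document has been parsed.
    with open(join(mypath, filename), 'rb') as f:
        soup = BeautifulSoup(f.read(), 'html.parser')

    main_content = soup.find(id="main-content")
    if main_content is None:
        continue

    # Get service name: drop everything up to and including the fixed heading
    # prefix, then the closing tag, and tidy what is left.
    title = main_content.find('h1', class_="topictitle")
    title = re.sub('.*Actions, Resources, and Condition Keys for *', '', str(title))
    title = title.replace('</h1>', '')
    service_name = chomp(title)

    service_schema = {'service_name': service_name, 'privileges': []}

    tables = main_content.find_all('div', class_="table-contents")

    for table in tables:
        # There can be 3 tables, the actions table, an ARN table, and a condition key table
        # Example: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssecuritytokenservice.html
        # NOTE(review): this is an exact-markup match, so a header cell rendered
        # with attributes or extra whitespace would make the table be skipped
        # without any message.
        if '<th>Actions</th>' not in [str(x) for x in table.find_all('th')]:
            continue

        for row in table.find_all('tr'):
            cells = row.find_all('td')
            if len(cells) == 0:
                # Skip the header row, which has th, not td cells
                continue

            if len(cells) != 6:
                # Sometimes the privilege might span multiple rows.
                # Example: amazonroute53-DisassociateVPCFromHostedZone
                # at https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonroute53.html
                # TODO: Handle this situation. Rows that do not have exactly 6
                # cells are skipped, so only the first row of such a privilege
                # is kept and its resource_types, condition_keys and
                # dependent_actions can be incomplete. The output is therefore
                # not a complete reference for reviewing or generating IAM policies.
                continue

            # Get the privilege: the text of the last <a href=...> in the first cell
            priv = ''
            for link in cells[0].find_all('a'):
                if 'href' not in link.attrs:
                    # Skip the <a id='...'> tags
                    continue
                priv = chomp(link.text)
            if priv == '':
                continue

            description = chomp(cells[1].text)
            access_level = chomp(cells[2].text)
            resource_types = chomp(cells[3].text)

            # Condition keys and dependent actions are listed one per <p>
            condition_keys = []
            if cells[4].text != '':
                condition_keys = [chomp(p.text) for p in cells[4].find_all('p')]

            dependent_actions = []
            if cells[5].text != '':
                dependent_actions = [chomp(p.text) for p in cells[5].find_all('p')]

            service_schema['privileges'].append({
                'privilege': priv,
                'description': description,
                'access_level': access_level,
                'resource_types': resource_types,
                'condition_keys': condition_keys,
                'dependent_actions': dependent_actions
            })

    schema.append(service_schema)

print(json.dumps(schema))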
[
{
"service_name": "AWS Config",
"privileges": [
{
"resource_types": "ConfigurationAggregator",
"description": "Returns the current configuration items for resources that are present in your AWS Config aggregator",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetAggregateResourceConfig"
},
{
"resource_types": "",
"description": "Returns the current configuration for one or more requested resources",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetResourceConfig"
},
{
"resource_types": "AggregationAuthorization",
"description": "Deletes the authorization granted to the specified configuration aggregator account in a specified region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteAggregationAuthorization"
},
{
"resource_types": "ConfigRule",
"description": "Deletes the specified AWS Config rule and all of its evaluation results",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConfigRule"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Deletes the specified configuration aggregator and the aggregated data associated with the aggregator",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConfigurationAggregator"
},
{
"resource_types": "",
"description": "Deletes the configuration recorder",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConfigurationRecorder"
},
{
"resource_types": "",
"description": "Deletes the delivery channel",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteDeliveryChannel"
},
{
"resource_types": "ConfigRule",
"description": "Deletes the evaluation results for the specified Config rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEvaluationResults"
},
{
"resource_types": "",
"description": "Deletes pending authorization requests for a specified aggregator account in a specified region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePendingAggregationRequest"
},
{
"resource_types": "",
"description": "Deletes the retention configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRetentionConfiguration"
},
{
"resource_types": "",
"description": "Schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DeliverConfigSnapshot"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeAggregateComplianceByConfigRules"
},
{
"resource_types": "",
"description": "Returns a list of authorizations granted to various aggregator accounts and regions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeAggregationAuthorizations"
},
{
"resource_types": "ConfigRule",
"description": "Indicates whether the specified AWS Config rules are compliant",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeComplianceByConfigRule"
},
{
"resource_types": "",
"description": "Indicates whether the specified AWS resources are compliant",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeComplianceByResource"
},
{
"resource_types": "ConfigRule",
"description": "Returns status information for each of your AWS managed Config rules",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigRuleEvaluationStatus"
},
{
"resource_types": "ConfigRule",
"description": "Returns details about your AWS Config rules",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigRules"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns status information for sources within an aggregator",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigurationAggregatorSourcesStatus"
},
{
"resource_types": "",
"description": "Returns the details of one or more configuration aggregators",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigurationAggregators"
},
{
"resource_types": "",
"description": "Returns the current status of the specified configuration recorder",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigurationRecorderStatus"
},
{
"resource_types": "",
"description": "Returns the name of one or more specified configuration recorders",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeConfigurationRecorders"
},
{
"resource_types": "",
"description": "Returns the current status of the specified delivery channel",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDeliveryChannelStatus"
},
{
"resource_types": "",
"description": "Returns details about the specified delivery channel",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeDeliveryChannels"
},
{
"resource_types": "",
"description": "Returns a list of all pending aggregation requests",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribePendingAggregationRequests"
},
{
"resource_types": "",
"description": "Returns the details of one or more retention configurations",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeRetentionConfigurations"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns the evaluation results for the specified AWS Config rule for a specific resource in a rule",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAggregateComplianceDetailsByConfigRule"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAggregateConfigRuleComplianceSummary"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns the resource counts across accounts and regions that are present in your AWS Config aggregator",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAggregateDiscoveredResourceCounts"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Returns configuration item that is aggregated for your specific resource in a specific source account and region",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetAggregateResourceConfig"
},
{
"resource_types": "ConfigRule",
"description": "Returns the evaluation results for the specified AWS Config rule",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComplianceDetailsByConfigRule"
},
{
"resource_types": "",
"description": "Returns the evaluation results for the specified AWS resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComplianceDetailsByResource"
},
{
"resource_types": "",
"description": "Returns the number of AWS Config rules that are compliant and noncompliant, up to a maximum of 25 for each",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComplianceSummaryByConfigRule"
},
{
"resource_types": "",
"description": "Returns the number of resources that are compliant and the number that are noncompliant",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetComplianceSummaryByResourceType"
},
{
"resource_types": "",
"description": "Returns the resource types, the number of each resource type, and the total number of resources that AWS Config is recording in this region for your AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDiscoveredResourceCounts"
},
{
"resource_types": "",
"description": "Returns a list of configuration items for the specified resource",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetResourceConfigHistory"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Accepts a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAggregateDiscoveredResources"
},
{
"resource_types": "",
"description": "Accepts a resource type and returns a list of resource identifiers for the resources of that type",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListDiscoveredResources"
},
{
"resource_types": "AggregationAuthorization",
"description": "Authorizes the aggregator account and region to collect data from the source account and region",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAggregationAuthorization"
},
{
"resource_types": "ConfigRule",
"description": "Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutConfigRule"
},
{
"resource_types": "ConfigurationAggregator",
"description": "Creates and updates the configuration aggregator with the selected source accounts and regions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutConfigurationAggregator"
},
{
"resource_types": "",
"description": "Creates a new configuration recorder to record the selected resource configurations",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutConfigurationRecorder"
},
{
"resource_types": "",
"description": "Creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutDeliveryChannel"
},
{
"resource_types": "",
"description": "Used by an AWS Lambda function to deliver evaluation results to AWS Config",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutEvaluations"
},
{
"resource_types": "",
"description": "Creates and updates the retention configuration with details about retention period (number of days) that AWS Config stores your historical information",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutRetentionConfiguration"
},
{
"resource_types": "ConfigRule",
"description": "Evaluates your resources against the specified Config rules",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartConfigRulesEvaluation"
},
{
"resource_types": "",
"description": "Starts recording configurations of the AWS resources you have selected to record in your AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartConfigurationRecorder"
},
{
"resource_types": "",
"description": "Stops recording configurations of the AWS resources you have selected to record in your AWS account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopConfigurationRecorder"
}
]
},
{
"service_name": "AWS Service Catalog",
"privileges": [
{
"resource_types": "",
"description": "Accepts a portfolio that has been shared with you",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AcceptPortfolioShare"
},
{
"resource_types": "",
"description": "Associates an IAM principal with a portfolio, giving the specified principal access to any products associated with the specified portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociatePrincipalWithPortfolio"
},
{
"resource_types": "",
"description": "Associates a product with a portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateProductWithPortfolio"
},
{
"resource_types": "",
"description": "Creates a constraint on an associated product and portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateConstraint"
},
{
"resource_types": "",
"description": "Creates a portfolio",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreatePortfolio"
},
{
"resource_types": "",
"description": "Shares a portfolio you own with another AWS account",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreatePortfolioShare"
},
{
"resource_types": "",
"description": "Creates a product and that product's first provisioning artifact",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateProduct"
},
{
"resource_types": "",
"description": "Adds a new provisioned product plan",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateProvisionedProductPlan"
},
{
"resource_types": "",
"description": "Adds a new provisioning artifact to an existing product",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateProvisioningArtifact"
},
{
"resource_types": "",
"description": "Removes and deletes an existing constraint from an associated product and portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteConstraint"
},
{
"resource_types": "",
"description": "Deletes a portfolio if all associations and shares have been removed from the portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePortfolio"
},
{
"resource_types": "",
"description": "Unshares a portfolio you own from an AWS account you previously shared the portfolio with",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeletePortfolioShare"
},
{
"resource_types": "",
"description": "Deletes a product if all associations have been removed from the product",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProduct"
},
{
"resource_types": "",
"description": "Deletes a provisioned product plan",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProvisionedProductPlan"
},
{
"resource_types": "",
"description": "Deletes a provisioning artifact from a product",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteProvisioningArtifact"
},
{
"resource_types": "",
"description": "Describes a constraint",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeConstraint"
},
{
"resource_types": "",
"description": "Describes a portfolio",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribePortfolio"
},
{
"resource_types": "",
"description": "Describes a product as an end-user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProduct"
},
{
"resource_types": "",
"description": "Describes a product as an admin",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProductAsAdmin"
},
{
"resource_types": "",
"description": "Describes a product as an end-user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProductView"
},
{
"resource_types": "",
"description": "Describes a provisioned product",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProvisionedProduct"
},
{
"resource_types": "",
"description": "Describes a provisioned product plan",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProvisionedProductPlan"
},
{
"resource_types": "",
"description": "Describes a provisioning artifact",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProvisioningArtifact"
},
{
"resource_types": "",
"description": "Describes the parameters that you need to specify to successfully provision a specified provisioning artifact",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeProvisioningParameters"
},
{
"resource_types": "",
"description": "Describes a record and lists any outputs",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeRecord"
},
{
"resource_types": "",
"description": "Disassociates an IAM principal from a portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociatePrincipalFromPortfolio"
},
{
"resource_types": "",
"description": "Disassociates a product from a portfolio",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateProductFromPortfolio"
},
{
"resource_types": "",
"description": "Executes a provisioned product plan",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "ExecuteProvisionedProductPlan"
},
{
"resource_types": "",
"description": "Executes a provisioned product plan",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "ExecuteProvisionedProductServiceAction"
},
{
"resource_types": "",
"description": "Lists the portfolios that have been shared with you and you have accepted",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListAcceptedPortfolioShares"
},
{
"resource_types": "",
"description": "Lists constraints associated with a given portfolio",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListConstraintsForPortfolio"
},
{
"resource_types": "",
"description": "Lists the different ways to launch a given product as an end-user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListLaunchPaths"
},
{
"resource_types": "",
"description": "Lists the AWS accounts you have shared a given portfolio with",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPortfolioAccess"
},
{
"resource_types": "",
"description": "Lists the portfolios in your account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPortfolios"
},
{
"resource_types": "",
"description": "Lists the portfolios associated with a given product",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPortfoliosForProduct"
},
{
"resource_types": "",
"description": "Lists the IAM principals associated with a given portfolio",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPrincipalsForPortfolio"
},
{
"resource_types": "",
"description": "Lists the provisioned product plans",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProvisionedProductPlans"
},
{
"resource_types": "",
"description": "Lists the provisioning artifacts associated with a given product",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListProvisioningArtifacts"
},
{
"resource_types": "",
"description": "Lists all the records in your account or all the records related to a given provisioned product",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRecordHistory"
},
{
"resource_types": "",
"description": "Lists all the service actions in your account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListServiceActionsForProvisioningArtifact"
},
{
"resource_types": "",
"description": "Provisions a product with a specified provisioning artifact and launch parameters",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "ProvisionProduct"
},
{
"resource_types": "",
"description": "Rejects a portfolio that has been shared with you that you previously accepted",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RejectPortfolioShare"
},
{
"resource_types": "",
"description": "Lists all the provisioned products in your account",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "ScanProvisionedProducts"
},
{
"resource_types": "",
"description": "Lists the products available to you as an end-user",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "SearchProducts"
},
{
"resource_types": "",
"description": "Lists all the products in your account or all the products associated with a given portfolio",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "SearchProductsAsAdmin"
},
{
"resource_types": "",
"description": "Lists all the provisioned products in your account",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "List",
"dependent_actions": [],
"privilege": "SearchProvisionedProducts"
},
{
"resource_types": "",
"description": "Terminates an existing provisioned product",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateProvisionedProduct"
},
{
"resource_types": "",
"description": "Updates the metadata fields of an existing constraint",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateConstraint"
},
{
"resource_types": "",
"description": "Updates the metadata fields and/or tags of an existing portfolio",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UpdatePortfolio"
},
{
"resource_types": "",
"description": "Updates the metadata fields and/or tags of an existing product",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UpdateProduct"
},
{
"resource_types": "",
"description": "Updates an existing provisioned product",
"condition_keys": [
"servicecatalog:accountLevel",
"servicecatalog:roleLevel",
"servicecatalog:userLevel"
],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateProvisionedProduct"
},
{
"resource_types": "",
"description": "Updates the metadata fields of an existing provisioning artifact",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateProvisioningArtifact"
}
]
},
{
"service_name": "AWS WAF",
"privileges": [
{
"resource_types": "bytematchset",
"description": "Creates a ByteMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateByteMatchSet"
},
{
"resource_types": "geomatchset",
"description": "Creates a GeoMatchSet, which you use to specify which web requests you want to allow or block based on the country that the requests originate from",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateGeoMatchSet"
},
{
"resource_types": "ipset",
"description": "Creates an IPSet, which you use to specify which web requests you want to allow or block based on the IP addresses that the requests originate from",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateIPSet"
},
{
"resource_types": "ratebasedrule",
"description": "Creates a RateBasedRule, which contains a RateLimit specifying the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRateBasedRule"
},
{
"resource_types": "regexmatchset",
"description": "Creates a RegexMatchSet, which you use to specify which web requests you want to allow or block based on the regex patterns you specified in a RegexPatternSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRegexMatchSet"
},
{
"resource_types": "regexpatternset",
"description": "Creates a RegexPatternSet, which you use to specify the regular expression (regex) pattern that you want AWS WAF to search for",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRegexPatternSet"
},
{
"resource_types": "rule",
"description": "Creates a Rule, which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRule"
},
{
"resource_types": "rulegroup",
"description": "Creates a RuleGroup. A rule group is a collection of predefined rules that you add to a WebACL",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRuleGroup"
},
{
"resource_types": "sizeconstraintset",
"description": "Creates a SizeConstraintSet, which you use to identify the part of a web request that you want to check for length",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSizeConstraintSet"
},
{
"resource_types": "sqlinjectionmatchset",
"description": "Creates a SqlInjectionMatchSet, which you use to allow, block, or count requests that contain snippets of SQL code in a specified part of web requests",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSqlInjectionMatchSet"
},
{
"resource_types": "webacl",
"description": "Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "CreateWebACL"
},
{
"resource_types": "xssmatchset",
"description": "Creates an XssMatchSet, which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web requests",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateXssMatchSet"
},
{
"resource_types": "bytematchset",
"description": "Permanently deletes a ByteMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteByteMatchSet"
},
{
"resource_types": "geomatchset",
"description": "Permanently deletes an GeoMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteGeoMatchSet"
},
{
"resource_types": "ipset",
"description": "Permanently deletes an IPSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteIPSet"
},
{
"resource_types": "rulegroup",
"description": "Permanently deletes an IAM policy from the specified RuleGroup",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeletePermissionPolicy"
},
{
"resource_types": "ratebasedrule",
"description": "Permanently deletes a RateBasedRule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRateBasedRule"
},
{
"resource_types": "regexmatchset",
"description": "Permanently deletes an RegexMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRegexMatchSet"
},
{
"resource_types": "regexpatternset",
"description": "Permanently deletes an RegexPatternSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRegexPatternSet"
},
{
"resource_types": "rule",
"description": "Permanently deletes a Rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRule"
},
{
"resource_types": "rulegroup",
"description": "Permanently deletes a RuleGroup",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRuleGroup"
},
{
"resource_types": "sizeconstraintset",
"description": "Permanently deletes a SizeConstraintSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSizeConstraintSet"
},
{
"resource_types": "sqlinjectionmatchset",
"description": "Permanently deletes a SqlInjectionMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSqlInjectionMatchSet"
},
{
"resource_types": "webacl",
"description": "Permanently deletes a WebACL",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "DeleteWebACL"
},
{
"resource_types": "xssmatchset",
"description": "Permanently deletes an XssMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteXssMatchSet"
},
{
"resource_types": "bytematchset",
"description": "Returns the ByteMatchSet specified by ByteMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetByteMatchSet"
},
{
"resource_types": "",
"description": "When you want to create, update, or delete AWS WAF objects, get a change token and include the change token in the create, update, or delete request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetChangeToken"
},
{
"resource_types": "",
"description": "Returns the status of a ChangeToken that you got by calling GetChangeToken",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetChangeTokenStatus"
},
{
"resource_types": "geomatchset",
"description": "Returns the GeoMatchSet specified by GeoMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetGeoMatchSet"
},
{
"resource_types": "ipset",
"description": "Returns the IPSet that is specified by IPSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetIPSet"
},
{
"resource_types": "rulegroup",
"description": "Returns the IAM policy attached to the RuleGroup",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPermissionPolicy"
},
{
"resource_types": "ratebasedrule",
"description": "Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRateBasedRule"
},
{
"resource_types": "ratebasedrule",
"description": "Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRateBasedRuleManagedKeys"
},
{
"resource_types": "regexmatchset",
"description": "Returns the RegexMatchSet specified by RegexMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRegexMatchSet"
},
{
"resource_types": "regexpatternset",
"description": "Returns the RegexPatternSet specified by RegexPatternSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRegexPatternSet"
},
{
"resource_types": "rule",
"description": "Returns the Rule that is specified by the RuleId that you included in the GetRule request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRule"
},
{
"resource_types": "rulegroup",
"description": "Returns the RuleGroup that is specified by the RuleGroupId that you included in the GetRuleGroup request",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetRuleGroup"
},
{
"resource_types": "rule",
"description": "Gets detailed information about a specified number of requests--a sample--that AWS WAF randomly selects from among the first 5,000 requests that your AWS resource received during a time range that you choose",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSampledRequests"
},
{
"resource_types": "sizeconstraintset",
"description": "Returns the SizeConstraintSet specified by SizeConstraintSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSizeConstraintSet"
},
{
"resource_types": "sqlinjectionmatchset",
"description": "Returns the SqlInjectionMatchSet that is specified by SqlInjectionMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSqlInjectionMatchSet"
},
{
"resource_types": "webacl",
"description": "Returns the WebACL that is specified by WebACLId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetWebACL"
},
{
"resource_types": "xssmatchset",
"description": "Returns the XssMatchSet that is specified by XssMatchSetId",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetXssMatchSet"
},
{
"resource_types": "",
"description": "Returns an array of ActivatedRule objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListActivatedRulesInRuleGroup"
},
{
"resource_types": "",
"description": "Returns an array of ByteMatchSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListByteMatchSets"
},
{
"resource_types": "",
"description": "Returns an array of GeoMatchSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListGeoMatchSets"
},
{
"resource_types": "",
"description": "Returns an array of IPSetSummary objects in the response",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListIPSets"
},
{
"resource_types": "",
"description": "Returns an array of RuleSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRateBasedRules"
},
{
"resource_types": "",
"description": "Returns an array of RegexMatchSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRegexMatchSets"
},
{
"resource_types": "",
"description": "Returns an array of RegexPatternSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRegexPatternSets"
},
{
"resource_types": "",
"description": "Returns an array of RuleGroup objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRuleGroups"
},
{
"resource_types": "",
"description": "Returns an array of RuleSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListRules"
},
{
"resource_types": "",
"description": "Returns an array of SizeConstraintSetSummary objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSizeConstraintSets"
},
{
"resource_types": "",
"description": "Returns an array of SqlInjectionMatchSet objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSqlInjectionMatchSets"
},
{
"resource_types": "",
"description": "Returns an array of RuleGroup objects that you are subscribed to",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSubscribedRuleGroups"
},
{
"resource_types": "",
"description": "Returns an array of WebACLSummary objects in the response",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListWebACLs"
},
{
"resource_types": "",
"description": "Returns an array of XssMatchSet objects",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListXssMatchSets"
},
{
"resource_types": "rulegroup",
"description": "Attaches an IAM policy to the specified resource. The only supported use for this action is to share a RuleGroup across accounts",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "PutPermissionPolicy"
},
{
"resource_types": "bytematchset",
"description": "Inserts or deletes ByteMatchTuple objects (filters) in a ByteMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateByteMatchSet"
},
{
"resource_types": "geomatchset",
"description": "Inserts or deletes GeoMatchConstraint objects in a GeoMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateGeoMatchSet"
},
{
"resource_types": "ipset",
"description": "Inserts or deletes IPSetDescriptor objects in an IPSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateIPSet"
},
{
"resource_types": "ratebasedrule",
"description": "Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRateBasedRule"
},
{
"resource_types": "regexmatchset",
"description": "Inserts or deletes RegexMatchTuple objects (filters) in a RegexMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRegexMatchSet"
},
{
"resource_types": "regexpatternset",
"description": "Inserts or deletes RegexPatternStrings in a RegexPatternSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRegexPatternSet"
},
{
"resource_types": "rule",
"description": "Inserts or deletes Predicate objects in a Rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRule"
},
{
"resource_types": "rulegroup",
"description": "Inserts or deletes ActivatedRule objects in a RuleGroup",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateRuleGroup"
},
{
"resource_types": "sizeconstraintset",
"description": "Inserts or deletes SizeConstraint objects (filters) in a SizeConstraintSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSizeConstraintSet"
},
{
"resource_types": "sqlinjectionmatchset",
"description": "Inserts or deletes SqlInjectionMatchTuple objects (filters) in a SqlInjectionMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateSqlInjectionMatchSet"
},
{
"resource_types": "webacl",
"description": "Inserts or deletes ActivatedRule objects in a WebACL",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "UpdateWebACL"
},
{
"resource_types": "xssmatchset",
"description": "Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateXssMatchSet"
}
]
},
{
"service_name": "Amazon Elastic MapReduce",
"privileges": [
{
"resource_types": "",
"description": "Adds instance groups to a running cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddInstanceGroups"
},
{
"resource_types": "",
"description": "Adds new steps to a running job flow",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddJobFlowSteps"
},
{
"resource_types": "",
"description": "Adds tags to an Amazon EMR resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTags"
},
{
"resource_types": "",
"description": "Cancels a pending step or steps in a running cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CancelSteps"
},
{
"resource_types": "",
"description": "Creates a security configuration which is stored in the service",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateSecurityConfiguration"
},
{
"resource_types": "",
"description": "Deletes a security configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteSecurityConfiguration"
},
{
"resource_types": "",
"description": "Provides cluster-level details including status, hardware and software configuration, VPC settings, and so on",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCluster"
},
{
"resource_types": "",
"description": "Provides the details of a security configuration by returning the configuration JSON",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSecurityConfiguration"
},
{
"resource_types": "",
"description": "Provides more detail about the cluster step",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeStep"
},
{
"resource_types": "",
"description": "Provides information about the bootstrap actions associated with a cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListBootstrapActions"
},
{
"resource_types": "",
"description": "Provides the status of all clusters visible to this AWS account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListClusters"
},
{
"resource_types": "",
"description": "Provides all available details about the instance groups in a cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListInstanceGroups"
},
{
"resource_types": "",
"description": "Provides information about the cluster instances that Amazon EMR provisions on behalf of a user when it creates the cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListInstances"
},
{
"resource_types": "",
"description": "Lists all the security configurations visible to this account, providing their creation dates and times, and their names",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSecurityConfigurations"
},
{
"resource_types": "",
"description": "Provides a list of steps for the cluster",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSteps"
},
{
"resource_types": "",
"description": "Modifies the number of nodes and configuration settings of an instance group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyInstanceGroups"
},
{
"resource_types": "",
"description": "Modifies the number of nodes and configuration settings of an instance group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutAutoScalingPolicy"
},
{
"resource_types": "",
"description": "Removes an automatic scaling policy from a specified instance group within an EMR cluster",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveAutoScalingPolicy"
},
{
"resource_types": "",
"description": "Removes tags from an Amazon EMR resource",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTags"
},
{
"resource_types": "",
"description": "Creates and starts running a new job flow",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RunJobFlow"
},
{
"resource_types": "",
"description": "Locks a job flow so the Amazon EC2 instances in the cluster cannot be terminated by user intervention, an API call, or in the event of a job-flow error",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetTerminationProtection"
},
{
"resource_types": "",
"description": "Sets whether all AWS Identity and Access Management (IAM) users under your account can access the specified job flows",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetVisibleToAllUsers"
},
{
"resource_types": "",
"description": "Shuts a list of job flows down",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateJobFlows"
}
]
},
{
"service_name": "AWS Serverless Application Repository",
"privileges": []
},
{
"service_name": "Amazon WorkSpaces",
"privileges": [
{
"resource_types": "",
"description": "Creates tags for a WorkSpace",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "CreateTags"
},
{
"resource_types": "workspacebundle",
"description": "Creates one or more WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateWorkspaces"
},
{
"resource_types": "",
"description": "Deletes tags from a WorkSpace",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTags"
},
{
"resource_types": "",
"description": "Describes tags for a WorkSpace",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeTags"
},
{
"resource_types": "workspacebundle",
"description": "Obtains information about the WorkSpace bundles that are available to your account in the specified region",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeWorkspaceBundles"
},
{
"resource_types": "",
"description": "Retrieves information about the AWS Directory Service directories in the region that are registered with Amazon WorkSpaces and are available to your account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeWorkspaceDirectories"
},
{
"resource_types": "",
"description": "Obtains information about the specified WorkSpaces",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "DescribeWorkspaces"
},
{
"resource_types": "",
"description": "Describes the connection status of a specified WorkSpace",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeWorkspacesConnectionStatus"
},
{
"resource_types": "workspaceid",
"description": "Modifies the WorkSpace properties, including the running mode and AutoStop time",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyWorkspaceProperties"
},
{
"resource_types": "workspaceid",
"description": "Reboots the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RebootWorkspaces"
},
{
"resource_types": "workspaceid",
"description": "Rebuilds the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RebuildWorkspaces"
},
{
"resource_types": "workspaceid",
"description": "Starts the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StartWorkspaces"
},
{
"resource_types": "workspaceid",
"description": "Stops the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "StopWorkspaces"
},
{
"resource_types": "workspaceid",
"description": "Terminates the specified WorkSpaces",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "TerminateWorkspaces"
}
]
},
{
"service_name": "Amazon SNS",
"privileges": [
{
"resource_types": "topic",
"description": "Adds a statement to a topic's access control policy, granting access for the specified AWS accounts to the specified actions",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "AddPermission"
},
{
"resource_types": "",
"description": "Accepts a phone number and indicates whether the phone holder has opted out of receiving SMS messages from your account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "CheckIfPhoneNumberIsOptedOut"
},
{
"resource_types": "topic",
"description": "Verifies an endpoint owner's intent to receive messages by validating the token sent to the endpoint by an earlier Subscribe action",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ConfirmSubscription"
},
{
"resource_types": "",
"description": "Creates a platform application object for one of the supported push notification services, such as APNS and GCM, to which devices and mobile apps may register",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePlatformApplication"
},
{
"resource_types": "",
"description": "Creates an endpoint for a device and mobile app on one of the supported push notification services, such as GCM and APNS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreatePlatformEndpoint"
},
{
"resource_types": "topic",
"description": "Creates a topic to which notifications can be published",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTopic"
},
{
"resource_types": "",
"description": "Deletes the endpoint for a device and mobile app from Amazon SNS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteEndpoint"
},
{
"resource_types": "",
"description": "Deletes a platform application object for one of the supported push notification services, such as APNS and GCM",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeletePlatformApplication"
},
{
"resource_types": "topic",
"description": "Deletes a topic and all its subscriptions",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTopic"
},
{
"resource_types": "",
"description": "Retrieves the endpoint attributes for a device on one of the supported push notification services, such as GCM and APNS",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetEndpointAttributes"
},
{
"resource_types": "",
"description": "Retrieves the attributes of the platform application object for the supported push notification services, such as APNS and GCM",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetPlatformApplicationAttributes"
},
{
"resource_types": "",
"description": "Returns the settings for sending SMS messages from your account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSMSAttributes"
},
{
"resource_types": "",
"description": "Returns all of the properties of a subscription",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetSubscriptionAttributes"
},
{
"resource_types": "topic",
"description": "Returns all of the properties of a topic. Topic properties returned might differ based on the authorization of the user",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetTopicAttributes"
},
{
"resource_types": "",
"description": "Lists the endpoints and endpoint attributes for devices in a supported push notification service, such as GCM and APNS",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListEndpointsByPlatformApplication"
},
{
"resource_types": "",
"description": "Returns a list of phone numbers that are opted out, meaning you cannot send SMS messages to them",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListPhoneNumbersOptedOut"
},
{
"resource_types": "",
"description": "Lists the platform application objects for the supported push notification services, such as APNS and GCM",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListPlatformApplications"
},
{
"resource_types": "",
"description": "Returns a list of the requester's subscriptions",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSubscriptions"
},
{
"resource_types": "topic",
"description": "Returns a list of the subscriptions to a specific topic",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListSubscriptionsByTopic"
},
{
"resource_types": "",
"description": "Returns a list of the requester's topics. Each call returns a limited list of topics, up to 100",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListTopics"
},
{
"resource_types": "",
"description": "Opts in a phone number that is currently opted out, which enables you to resume sending SMS messages to the number",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "OptInPhoneNumber"
},
{
"resource_types": "topic",
"description": "Sends a message to all of a topic's subscribed endpoints",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Publish"
},
{
"resource_types": "topic",
"description": "Removes a statement from a topic's access control policy",
"condition_keys": [],
"access_level": "Permissions management",
"dependent_actions": [],
"privilege": "RemovePermission"
},
{
"resource_types": "",
"description": "Sets the attributes for an endpoint for a device on one of the supported push notification services, such as GCM and APNS",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetEndpointAttributes"
},
{
"resource_types": "",
"description": "Sets the attributes of the platform application object for the supported push notification services, such as APNS and GCM",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetPlatformApplicationAttributes"
},
{
"resource_types": "",
"description": "Allows a subscription owner to set an attribute of the topic to a new value",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetSubscriptionAttributes"
},
{
"resource_types": "topic",
"description": "Allows a topic owner to set an attribute of the topic to a new value",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetTopicAttributes"
},
{
"resource_types": "topic",
"description": "Prepares to subscribe an endpoint by sending the endpoint a confirmation message",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Subscribe"
},
{
"resource_types": "",
"description": "Deletes a subscription. If the subscription requires authentication for deletion, only the owner of the subscription or the topic's owner can unsubscribe, and an AWS signature is required",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Unsubscribe"
}
]
},
{
"service_name": "Amazon FreeRTOS",
"privileges": []
},
{
"service_name": "Amazon API Gateway",
"privileges": [
{
"resource_types": "execute-api-general",
"description": "Used to invalidate API cache upon a client request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "InvalidateCache"
},
{
"resource_types": "execute-api-general",
"description": "Used to invoke an API upon a client request",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "Invoke"
}
]
},
{
"service_name": "Amazon Connect",
"privileges": []
},
{
"service_name": "Elastic Load Balancing V2",
"privileges": [
{
"resource_types": "listener",
"description": "Adds the specified certificates to the specified secure listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AddListenerCertificates"
},
{
"resource_types": "loadbalancer/app",
"description": "Adds the specified tags to the specified load balancer. Each load balancer can have a maximum of 10 tags",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "AddTags"
},
{
"resource_types": "loadbalancer/app",
"description": "Creates a listener for the specified Application Load Balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateListener"
},
{
"resource_types": "loadbalancer/app",
"description": "Creates a load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateLoadBalancer"
},
{
"resource_types": "listener",
"description": "Creates a rule for the specified listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateRule"
},
{
"resource_types": "targetgroup",
"description": "Creates a target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTargetGroup"
},
{
"resource_types": "listener",
"description": "Deletes the specified listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteListener"
},
{
"resource_types": "loadbalancer/app",
"description": "Deletes the specified load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteLoadBalancer"
},
{
"resource_types": "listener-rule",
"description": "Deletes the specified rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteRule"
},
{
"resource_types": "targetgroup",
"description": "Deletes the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTargetGroup"
},
{
"resource_types": "targetgroup",
"description": "Deregisters the specified targets from the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeregisterTargets"
},
{
"resource_types": "",
"description": "Describes the Elastic Load Balancing resource limits for the AWS account",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeAccountLimits"
},
{
"resource_types": "",
"description": "Describes the certificates for the specified secure listener",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeListenerCertificates"
},
{
"resource_types": "",
"description": "Describes the specified listeners or the listeners for the specified Application Load Balancer",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeListeners"
},
{
"resource_types": "",
"description": "Describes the attributes for the specified load balancer",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeLoadBalancerAttributes"
},
{
"resource_types": "",
"description": "Describes the specified load balancers. If no load balancers are specified, the call describes all of your load balancers",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeLoadBalancers"
},
{
"resource_types": "",
"description": "Describes the specified rules or the rules for the specified listener",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeRules"
},
{
"resource_types": "",
"description": "Describes the specified policies or all policies used for SSL negotiation",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeSSLPolicies"
},
{
"resource_types": "",
"description": "Describes the tags associated with the specified load balancers",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTags"
},
{
"resource_types": "",
"description": "Describes the attributes for the specified target group",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTargetGroupAttributes"
},
{
"resource_types": "",
"description": "Describes the specified target groups or all of your target groups",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTargetGroups"
},
{
"resource_types": "",
"description": "Describes the health of the specified targets or all of your targets",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeTargetHealth"
},
{
"resource_types": "listener",
"description": "Modifies the specified properties of the specified listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyListener"
},
{
"resource_types": "loadbalancer/app",
"description": "Modifies the attributes of the specified load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyLoadBalancerAttributes"
},
{
"resource_types": "listener-rule",
"description": "Modifies the specified rule",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyRule"
},
{
"resource_types": "targetgroup",
"description": "Modifies the health checks used when evaluating the health state of the targets in the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyTargetGroup"
},
{
"resource_types": "targetgroup",
"description": "Modifies the specified attributes of the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ModifyTargetGroupAttributes"
},
{
"resource_types": "targetgroup",
"description": "Registers the specified targets with the specified target group",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RegisterTargets"
},
{
"resource_types": "listener",
"description": "Removes the specified certificates of the specified secure listener",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RemoveListenerCertificates"
},
{
"resource_types": "loadbalancer/app",
"description": "Removes one or more tags from the specified load balancer",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "RemoveTags"
},
{
"resource_types": "loadbalancer/app",
"description": "Not found",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetIpAddressType"
},
{
"resource_types": "listener-rule",
"description": "Sets the priorities of the specified rules",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetRulePriorities"
},
{
"resource_types": "loadbalancer/app",
"description": "Associates the specified security groups with the specified load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetSecurityGroups"
},
{
"resource_types": "loadbalancer/app",
"description": "Enables the Availability Zone for the specified subnets for the specified load balancer",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "SetSubnets"
}
]
},
{
"service_name": "Amazon Mobile Analytics",
"privileges": [
{
"resource_types": "",
"description": "The PutEvents operation records one or more events",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "PutEvents"
}
]
},
{
"service_name": "AWS Trusted Advisor",
"privileges": []
},
{
"service_name": "Amazon Macie",
"privileges": [
{
"resource_types": "",
"description": "Enables the user to associate a specified AWS account with Amazon Macie as a member account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateMemberAccount"
},
{
"resource_types": "",
"description": "Enables the user to associate specified S3 resources with Amazon Macie for monitoring and data classification",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "AssociateS3Resources"
},
{
"resource_types": "",
"description": "Enables the user to remove the specified member account from Amazon Macie",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateMemberAccount"
},
{
"resource_types": "",
"description": "Enables the user to remove specified S3 resources from being monitored by Amazon Macie",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DisassociateS3Resources"
},
{
"resource_types": "",
"description": "Enables the user to list all Amazon Macie member accounts for the current Macie master account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListMemberAccounts"
},
{
"resource_types": "",
"description": "Enables the user to list all the S3 resources associated with Amazon Macie",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListS3Resources"
},
{
"resource_types": "",
"description": "Enables the user to update the classification types for the specified S3 resources",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateS3Resources"
}
]
},
{
"service_name": "Amazon Textract",
"privileges": [
{
"resource_types": "",
"description": "Detects instances of real-world document entities within an image provided as input",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [
"s3:GetObject"
],
"privilege": "AnalyzeDocument"
},
{
"resource_types": "",
"description": "Detects text in document images",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [
"s3:GetObject"
],
"privilege": "DetectDocumentText"
},
{
"resource_types": "",
"description": "Returns information about a document analysis job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDocumentAnalysis"
},
{
"resource_types": "",
"description": "Returns information about a document text detection job",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetDocumentTextDetection"
},
{
"resource_types": "",
"description": "Starts an asynchronous job to detect instances of real-world document entities within an image or pdf provided as input",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"s3:GetObject"
],
"privilege": "StartDocumentAnalysis"
},
{
"resource_types": "",
"description": "Starts an asynchronous job to detect text in document images or pdfs",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [
"s3:GetObject"
],
"privilege": "StartDocumentTextDetection"
}
]
},
{
"service_name": "AWS Certificate Manager Private Certificate Authority",
"privileges": [
{
"resource_types": "",
"description": "Creates an ACM Private CA and its associated private key and configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Creates an audit report for an ACM Private CA",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateCertificateAuthorityAuditReport"
},
{
"resource_types": "certificate-authority",
"description": "Deletes an ACM Private CA and its associated private key and configuration",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Returns a list of the configuration and status fields contained in the specified ACM Private CA",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Returns the status and information about an ACM Private CA audit report",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeCertificateAuthorityAuditReport"
},
{
"resource_types": "certificate-authority",
"description": "Retrieves an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCertificate"
},
{
"resource_types": "certificate-authority",
"description": "Retrieves an ACM Private CA certificate and certificate chain for the certificate authority specified by an ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCertificateAuthorityCertificate"
},
{
"resource_types": "certificate-authority",
"description": "Retrieves an ACM Private CA certificate signing request (CSR) for the certificate-authority specified by an ARN",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "GetCertificateAuthorityCsr"
},
{
"resource_types": "certificate-authority",
"description": "Imports an SSL/TLS certificate into ACM Private CA for use as the CA certificate of an ACM Private CA",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "ImportCertificateAuthorityCertificate"
},
{
"resource_types": "certificate-authority",
"description": "Issues an ACM Private CA certificate",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "IssueCertificate"
},
{
"resource_types": "",
"description": "Retrieves a list of the ACM Private CA certificate authority ARNs, and a summary of the status of each CA in the calling account",
"condition_keys": [],
"access_level": "List",
"dependent_actions": [],
"privilege": "ListCertificateAuthorities"
},
{
"resource_types": "certificate-authority",
"description": "Lists the tags that have been applied to the ACM Private CA certificate authority",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ListTags"
},
{
"resource_types": "certificate-authority",
"description": "Restores an ACM Private CA from the deleted state to the state it was in when deleted",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RestoreCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Revokes a certificate issued by an ACM Private CA",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "RevokeCertificate"
},
{
"resource_types": "certificate-authority",
"description": "Adds one or more tags to an ACM Private CA",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "TagCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Removes one or more tags from an ACM Private CA",
"condition_keys": [],
"access_level": "Tagging",
"dependent_actions": [],
"privilege": "UntagCertificateAuthority"
},
{
"resource_types": "certificate-authority",
"description": "Updates the configuration of an ACM Private CA",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "UpdateCertificateAuthority"
}
]
},
{
"service_name": "Amazon DynamoDB",
"privileges": [
{
"resource_types": "table",
"description": "Returns the attributes of one or more items from one or more tables",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "BatchGetItem"
},
{
"resource_types": "table",
"description": "Puts or deletes multiple items in one or more tables",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "BatchWriteItem"
},
{
"resource_types": "table",
"description": "The ConditionCheckItem operation checks the existence of a set of attributes for the item with the given primary key",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "ConditionCheckItem"
},
{
"resource_types": "table",
"description": "Creates a backup for an existing table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateBackup"
},
{
"resource_types": "global-table",
"description": "Enables the user to create a global table from an existing table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateGlobalTable"
},
{
"resource_types": "table",
"description": "The CreateTable operation adds a new table to your account",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "CreateTable"
},
{
"resource_types": "backup",
"description": "Deletes an existing backup of a table",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteBackup"
},
{
"resource_types": "table",
"description": "Deletes a single item in a table by primary key",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteItem"
},
{
"resource_types": "table",
"description": "The DeleteTable operation deletes a table and all of its items",
"condition_keys": [],
"access_level": "Write",
"dependent_actions": [],
"privilege": "DeleteTable"
},
{
"resource_types": "backup",
"description": "Describes an existing backup of a table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeBackup"
},
{
"resource_types": "table",
"description": "Checks the status of the backup restore settings on the specified table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeContinuousBackups"
},
{
"resource_types": "global-table",
"description": "Returns information about the specified global table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeGlobalTable"
},
{
"resource_types": "global-table",
"description": "Returns settings information about the specified global table",
"condition_keys": [],
"access_level": "Read",
"dependent_actions": [],
"privilege": "DescribeGlobalTableSettings"
},
{
"resource_types": "",
"description": "Returns the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one Dynam