Raynos/policy.json

## policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:*",
                "route53domains:*",
                "cloudfront:ListDistributions",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticbeanstalk:DescribeEnvironments",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketWebsite",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeRegions",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:GET",
            "Resource": "arn:aws:apigateway:*::/domainnames"
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:*"
            ],
            "Resource": "arn:aws:apigateway:*::/*"
        },
        {
            "Action": [
                "logs:Describe*",
                "logs:Get*",
                "logs:List*",
                "logs:StartQuery",
                "logs:StopQuery",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Action": [
                "acm:ListCertificates",
                "cloudfront:*",
                "iam:ListServerCertificates",
                "waf:ListWebACLs",
                "waf:GetWebACL",
                "wafv2:ListWebACLs",
                "wafv2:GetWebACL",
                "kinesis:ListStreams"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kinesis:DescribeStream"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kinesis:*:*:*"
        },
        {
            "Action": [
                "iam:ListRoles"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:*"
        },
        {
            "Action": [
                "dynamodb:*",
                "dax:*",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:PutMetricAlarm",
                "datapipeline:ActivatePipeline",
                "datapipeline:CreatePipeline",
                "datapipeline:DeletePipeline",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:PutPipelineDefinition",
                "datapipeline:QueryObjects",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "iam:GetRole",
                "iam:ListRoles",
                "kms:DescribeKey",
                "kms:ListAliases",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:SetTopicAttributes",
                "lambda:CreateFunction",
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "lambda:CreateEventSourceMapping",
                "lambda:DeleteEventSourceMapping",
                "lambda:GetFunctionConfiguration",
                "lambda:DeleteFunction",
                "resource-groups:ListGroups",
                "resource-groups:ListGroupResources",
                "resource-groups:GetGroup",
                "resource-groups:GetGroupQuery",
                "resource-groups:DeleteGroup",
                "resource-groups:CreateGroup",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "cloudwatch:GetInsightRuleReport",
            "Effect": "Allow",
            "Resource": "arn:aws:cloudwatch:*:*:insight-rule/DynamoDBContributorInsights*"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "application-autoscaling.amazonaws.com",
                        "dax.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "replication.dynamodb.amazonaws.com",
                        "dax.amazonaws.com",
                        "dynamodb.application-autoscaling.amazonaws.com",
                        "contributorinsights.dynamodb.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate",
                "acm:ListTagsForCertificate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate",
                "acm:ListTagsForCertificate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudwatch:*",
                "cognito-identity:ListIdentityPools",
                "cognito-sync:GetCognitoEvents",
                "cognito-sync:SetCognitoEvents",
                "dynamodb:*",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "events:*",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:CreateTopicRule",
                "iot:DescribeEndpoint",
                "iot:GetTopicRule",
                "iot:ListPolicies",
                "iot:ListThings",
                "iot:ListTopicRules",
                "iot:ReplaceTopicRule",
                "kinesis:DescribeStream",
                "kinesis:ListStreams",
                "kinesis:PutRecord",
                "kms:ListAliases",
                "lambda:*",
                "logs:*",
                "s3:*",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Publish",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sqs:ListQueues",
                "sqs:SendMessage",
                "tag:GetResources",
                "xray:PutTelemetryRecords",
                "xray:PutTraceSegments"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:*",
                "route53domains:*",
                "cloudfront:ListDistributions",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticbeanstalk:DescribeEnvironments",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketWebsite",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeRegions",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "apigateway:GET",
            "Resource": "arn:aws:apigateway:*::/domainnames"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "acm:RequestCertificate"
            ],
            "Resource": "*"
        }
    ]
}
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": [
	"route53:*",
	"route53domains:*",
	"cloudfront:ListDistributions",
	"elasticloadbalancing:DescribeLoadBalancers",
	"elasticbeanstalk:DescribeEnvironments",
	"s3:ListBucket",
	"s3:GetBucketLocation",
	"s3:GetBucketWebsite",
	"ec2:DescribeVpcs",
	"ec2:DescribeVpcEndpoints",
	"ec2:DescribeRegions",
	"sns:ListTopics",
	"sns:ListSubscriptionsByTopic",
	"cloudwatch:DescribeAlarms",
	"cloudwatch:GetMetricStatistics"
	],
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Action": "apigateway:GET",
	"Resource": "arn:aws:apigateway:*::/domainnames"
	},
	{
	"Effect": "Allow",
	"Action": [
	"apigateway:*"
	],
	"Resource": "arn:aws:apigateway:::/"
	},
	{
	"Action": [
	"logs:Describe*",
	"logs:Get*",
	"logs:List*",
	"logs:StartQuery",
	"logs:StopQuery",
	"logs:TestMetricFilter",
	"logs:FilterLogEvents"
	],
	"Effect": "Allow",
	"Resource": "*"
	},
	{
	"Action": [
	"s3:ListAllMyBuckets"
	],
	"Effect": "Allow",
	"Resource": "arn:aws:s3:::*"
	},
	{
	"Action": [
	"acm:ListCertificates",
	"cloudfront:*",
	"iam:ListServerCertificates",
	"waf:ListWebACLs",
	"waf:GetWebACL",
	"wafv2:ListWebACLs",
	"wafv2:GetWebACL",
	"kinesis:ListStreams"
	],
	"Effect": "Allow",
	"Resource": "*"
	},
	{
	"Action": [
	"kinesis:DescribeStream"
	],
	"Effect": "Allow",
	"Resource": "arn:aws:kinesis:::*"
	},
	{
	"Action": [
	"iam:ListRoles"
	],
	"Effect": "Allow",
	"Resource": "arn:aws:iam:::"
	},
	{
	"Action": [
	"dynamodb:*",
	"dax:*",
	"application-autoscaling:DeleteScalingPolicy",
	"application-autoscaling:DeregisterScalableTarget",
	"application-autoscaling:DescribeScalableTargets",
	"application-autoscaling:DescribeScalingActivities",
	"application-autoscaling:DescribeScalingPolicies",
	"application-autoscaling:PutScalingPolicy",
	"application-autoscaling:RegisterScalableTarget",
	"cloudwatch:DeleteAlarms",
	"cloudwatch:DescribeAlarmHistory",
	"cloudwatch:DescribeAlarms",
	"cloudwatch:DescribeAlarmsForMetric",
	"cloudwatch:GetMetricStatistics",
	"cloudwatch:ListMetrics",
	"cloudwatch:PutMetricAlarm",
	"datapipeline:ActivatePipeline",
	"datapipeline:CreatePipeline",
	"datapipeline:DeletePipeline",
	"datapipeline:DescribeObjects",
	"datapipeline:DescribePipelines",
	"datapipeline:GetPipelineDefinition",
	"datapipeline:ListPipelines",
	"datapipeline:PutPipelineDefinition",
	"datapipeline:QueryObjects",
	"ec2:DescribeVpcs",
	"ec2:DescribeSubnets",
	"ec2:DescribeSecurityGroups",
	"iam:GetRole",
	"iam:ListRoles",
	"kms:DescribeKey",
	"kms:ListAliases",
	"sns:CreateTopic",
	"sns:DeleteTopic",
	"sns:ListSubscriptions",
	"sns:ListSubscriptionsByTopic",
	"sns:ListTopics",
	"sns:Subscribe",
	"sns:Unsubscribe",
	"sns:SetTopicAttributes",
	"lambda:CreateFunction",
	"lambda:ListFunctions",
	"lambda:ListEventSourceMappings",
	"lambda:CreateEventSourceMapping",
	"lambda:DeleteEventSourceMapping",
	"lambda:GetFunctionConfiguration",
	"lambda:DeleteFunction",
	"resource-groups:ListGroups",
	"resource-groups:ListGroupResources",
	"resource-groups:GetGroup",
	"resource-groups:GetGroupQuery",
	"resource-groups:DeleteGroup",
	"resource-groups:CreateGroup",
	"tag:GetResources"
	],
	"Effect": "Allow",
	"Resource": "*"
	},
	{
	"Action": "cloudwatch:GetInsightRuleReport",
	"Effect": "Allow",
	"Resource": "arn:aws:cloudwatch:::insight-rule/DynamoDBContributorInsights*"
	},
	{
	"Action": [
	"iam:PassRole"
	],
	"Effect": "Allow",
	"Resource": "*",
	"Condition": {
	"StringLike": {
	"iam:PassedToService": [
	"application-autoscaling.amazonaws.com",
	"dax.amazonaws.com"
	]
	}
	}
	},
	{
	"Effect": "Allow",
	"Action": [
	"iam:CreateServiceLinkedRole"
	],
	"Resource": "*",
	"Condition": {
	"StringEquals": {
	"iam:AWSServiceName": [
	"replication.dynamodb.amazonaws.com",
	"dax.amazonaws.com",
	"dynamodb.application-autoscaling.amazonaws.com",
	"contributorinsights.dynamodb.amazonaws.com"
	]
	}
	}
	},
	{
	"Effect": "Allow",
	"Action": "s3:*",
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Action": [
	"acm:DescribeCertificate",
	"acm:ListCertificates",
	"acm:GetCertificate",
	"acm:ListTagsForCertificate"
	],
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Action": [
	"acm:DescribeCertificate",
	"acm:ListCertificates",
	"acm:GetCertificate",
	"acm:ListTagsForCertificate"
	],
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Action": [
	"cloudformation:DescribeChangeSet",
	"cloudformation:DescribeStackResources",
	"cloudformation:DescribeStacks",
	"cloudformation:GetTemplate",
	"cloudformation:ListStackResources",
	"cloudwatch:*",
	"cognito-identity:ListIdentityPools",
	"cognito-sync:GetCognitoEvents",
	"cognito-sync:SetCognitoEvents",
	"dynamodb:*",
	"ec2:DescribeSecurityGroups",
	"ec2:DescribeSubnets",
	"ec2:DescribeVpcs",
	"events:*",
	"iam:GetPolicy",
	"iam:GetPolicyVersion",
	"iam:GetRole",
	"iam:GetRolePolicy",
	"iam:ListAttachedRolePolicies",
	"iam:ListRolePolicies",
	"iam:ListRoles",
	"iam:PassRole",
	"iot:AttachPrincipalPolicy",
	"iot:AttachThingPrincipal",
	"iot:CreateKeysAndCertificate",
	"iot:CreatePolicy",
	"iot:CreateThing",
	"iot:CreateTopicRule",
	"iot:DescribeEndpoint",
	"iot:GetTopicRule",
	"iot:ListPolicies",
	"iot:ListThings",
	"iot:ListTopicRules",
	"iot:ReplaceTopicRule",
	"kinesis:DescribeStream",
	"kinesis:ListStreams",
	"kinesis:PutRecord",
	"kms:ListAliases",
	"lambda:*",
	"logs:*",
	"s3:*",
	"sns:ListSubscriptions",
	"sns:ListSubscriptionsByTopic",
	"sns:ListTopics",
	"sns:Publish",
	"sns:Subscribe",
	"sns:Unsubscribe",
	"sqs:ListQueues",
	"sqs:SendMessage",
	"tag:GetResources",
	"xray:PutTelemetryRecords",
	"xray:PutTraceSegments"
	],
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Action": [
	"route53:*",
	"route53domains:*",
	"cloudfront:ListDistributions",
	"elasticloadbalancing:DescribeLoadBalancers",
	"elasticbeanstalk:DescribeEnvironments",
	"s3:ListBucket",
	"s3:GetBucketLocation",
	"s3:GetBucketWebsite",
	"ec2:DescribeVpcs",
	"ec2:DescribeVpcEndpoints",
	"ec2:DescribeRegions",
	"sns:ListTopics",
	"sns:ListSubscriptionsByTopic",
	"cloudwatch:DescribeAlarms",
	"cloudwatch:GetMetricStatistics"
	],
	"Resource": "*"
	},
	{
	"Effect": "Allow",
	"Action": "apigateway:GET",
	"Resource": "arn:aws:apigateway:*::/domainnames"
	},
	{
	"Effect": "Allow",
	"Action": [
	"iam:AttachRolePolicy",
	"iam:CreateRole",
	"iam:PassRole",
	"iam:PutRolePolicy",
	"iam:DeleteRolePolicy",
	"acm:RequestCertificate"
	],
	"Resource": "*"
	}
	]
	}