Created
February 6, 2023 21:05
-
-
Save alicancakil/4cd53302b0f4d8c0d360dea91e7b9d13 to your computer and use it in GitHub Desktop.
arn:aws:iam::aws:policy/SecurityAudit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Resource": "*", | |
| "Action": [ | |
| "a4b:ListSkills", | |
| "access-analyzer:GetAnalyzedResource", | |
| "access-analyzer:GetAnalyzer", | |
| "access-analyzer:GetArchiveRule", | |
| "access-analyzer:GetFinding", | |
| "access-analyzer:ListAnalyzedResources", | |
| "access-analyzer:ListAnalyzers", | |
| "access-analyzer:ListArchiveRules", | |
| "access-analyzer:ListFindings", | |
| "access-analyzer:ListTagsForResource", | |
| "acm-pca:DescribeCertificateAuthority", | |
| "acm-pca:DescribeCertificateAuthorityAuditReport", | |
| "acm-pca:ListCertificateAuthorities", | |
| "acm-pca:ListPermissions", | |
| "acm:Describe*", | |
| "acm:List*", | |
| "airflow:ListEnvironments", | |
| "application-autoscaling:Describe*", | |
| "appmesh:Describe*", | |
| "appsync:GetApiCache", | |
| "appmesh:List*", | |
| "appsync:List*", | |
| "athena:GetWorkGroup", | |
| "athena:List*", | |
| "autoscaling-plans:DescribeScalingPlans", | |
| "autoscaling:Describe*", | |
| "backup:DescribeRegionSettings", | |
| "backup:ListBackupVaults", | |
| "batch:DescribeComputeEnvironments", | |
| "batch:DescribeJobDefinitions", | |
| "chime:List*", | |
| "cloud9:Describe*", | |
| "cloud9:ListEnvironments", | |
| "clouddirectory:ListDirectories", | |
| "cloudformation:DescribeStack*", | |
| "cloudformation:GetStackPolicy", | |
| "cloudformation:GetTemplate", | |
| "cloudformation:ListStack*", | |
| "cloudfront:Get*", | |
| "cloudfront:List*", | |
| "cloudhsm:ListHapgs", | |
| "cloudhsm:ListHsms", | |
| "cloudhsm:ListLunaClients", | |
| "cloudsearch:DescribeDomainEndpointOptions", | |
| "cloudsearch:DescribeDomains", | |
| "cloudsearch:DescribeServiceAccessPolicies", | |
| "cloudtrail:DescribeTrails", | |
| "cloudtrail:GetEventSelectors", | |
| "cloudtrail:GetTrail", | |
| "cloudtrail:GetTrailStatus", | |
| "cloudtrail:ListTags", | |
| "cloudtrail:LookupEvents", | |
| "cloudwatch:Describe*", | |
| "cloudwatch:ListTagsForResource", | |
| "codeartifact:GetRepositoryPermissionsPolicy", | |
| "codeartifact:ListRepositories", | |
| "codebuild:BatchGetProjects", | |
| "codebuild:ListProjects", | |
| "codecommit:BatchGetRepositories", | |
| "codecommit:GetBranch", | |
| "codecommit:GetObjectIdentifier", | |
| "codecommit:GetRepository", | |
| "codecommit:GetRepositoryTriggers", | |
| "codecommit:List*", | |
| "codedeploy:Batch*", | |
| "codedeploy:Get*", | |
| "codedeploy:List*", | |
| "codepipeline:GetJobDetails", | |
| "codepipeline:GetPipeline", | |
| "codepipeline:GetPipelineExecution", | |
| "codepipeline:GetPipelineState", | |
| "codepipeline:ListPipelines", | |
| "codestar:Describe*", | |
| "codestar:List*", | |
| "cognito-identity:Describe*", | |
| "cognito-identity:ListIdentityPools", | |
| "cognito-identity:ListTagsForResource", | |
| "cognito-idp:Describe*", | |
| "cognito-idp:ListDevices", | |
| "cognito-idp:ListGroups", | |
| "cognito-idp:ListIdentityProviders", | |
| "cognito-idp:ListResourceServers", | |
| "cognito-idp:ListTagsForResource", | |
| "cognito-idp:ListUserImportJobs", | |
| "cognito-idp:ListUserPoolClients", | |
| "cognito-idp:ListUserPools", | |
| "cognito-idp:ListUsers", | |
| "cognito-idp:ListUsersInGroup", | |
| "cognito-sync:Describe*", | |
| "cognito-sync:List*", | |
| "comprehend:Describe*", | |
| "comprehend:List*", | |
| "config:BatchGetAggregateResourceConfig", | |
| "config:BatchGetResourceConfig", | |
| "config:Deliver*", | |
| "config:Describe*", | |
| "config:Get*", | |
| "config:List*", | |
| "datapipeline:DescribeObjects", | |
| "datapipeline:DescribePipelines", | |
| "datapipeline:EvaluateExpression", | |
| "datapipeline:GetPipelineDefinition", | |
| "datapipeline:ListPipelines", | |
| "datapipeline:QueryObjects", | |
| "datapipeline:ValidatePipelineDefinition", | |
| "datasync:Describe*", | |
| "datasync:List*", | |
| "dax:Describe*", | |
| "dax:ListTags", | |
| "detective:GetGraphIngestState", | |
| "detective:ListGraphs", | |
| "detective:ListMembers", | |
| "directconnect:Describe*", | |
| "dms:Describe*", | |
| "dms:ListTagsForResource", | |
| "ds:DescribeDirectories", | |
| "dynamodb:DescribeContinuousBackups", | |
| "dynamodb:DescribeGlobalTable", | |
| "dynamodb:DescribeTable", | |
| "dynamodb:DescribeTimeToLive", | |
| "dynamodb:ListBackups", | |
| "dynamodb:ListGlobalTables", | |
| "dynamodb:ListStreams", | |
| "dynamodb:ListTables", | |
| "dynamodb:ListTagsOfResource", | |
| "ec2:Describe*", | |
| "ec2:GetEbsEncryptionByDefault", | |
| "ec2:GetManagedPrefixListAssociations", | |
| "ec2:GetManagedPrefixListEntries", | |
| "ec2:GetNetworkInsightsAccessScopeAnalysisFindings", | |
| "ec2:GetNetworkInsightsAccessScopeContent", | |
| "ec2:GetTransitGatewayAttachmentPropagations", | |
| "ec2:GetTransitGatewayMulticastDomainAssociations", | |
| "ec2:GetTransitGatewayPrefixListReferences", | |
| "ec2:GetTransitGatewayRouteTableAssociations", | |
| "ec2:GetTransitGatewayRouteTablePropagations", | |
| "ecr-public:DescribeImageTags", | |
| "ecr-public:DescribeImages", | |
| "ecr-public:DescribeRegistries", | |
| "ecr-public:DescribeRepositories", | |
| "ecr-public:GetRegistryCatalogData", | |
| "ecr-public:GetRepositoryCatalogData", | |
| "ecr-public:GetRepositoryPolicy", | |
| "ecr:DescribeImageScanFindings", | |
| "ecr:DescribeImages", | |
| "ecr:DescribeRepositories", | |
| "ecr:GetLifecyclePolicy", | |
| "ecr:GetRepositoryPolicy", | |
| "ecr:ListImages", | |
| "ecr:ListTagsForResource", | |
| "ecs:Describe*", | |
| "ecs:List*", | |
| "eks:DescribeCluster", | |
| "eks:DescribeNodeGroup", | |
| "eks:ListClusters", | |
| "eks:ListNodeGroups", | |
| "elasticache:Describe*", | |
| "elasticache:ListTagsForResource", | |
| "elasticbeanstalk:Describe*", | |
| "elasticbeanstalk:DescribeApplications", | |
| "elasticbeanstalk:ListTagsForResource", | |
| "elasticfilesystem:DescribeFileSystems", | |
| "elasticfilesystem:DescribeMountTargetSecurityGroups", | |
| "elasticfilesystem:DescribeMountTargets", | |
| "elasticloadbalancing:Describe*", | |
| "elasticmapreduce:Describe*", | |
| "elasticmapreduce:GetBlockPublicAccessConfiguration", | |
| "elasticmapreduce:ListClusters", | |
| "elasticmapreduce:ListInstances", | |
| "elasticmapreduce:ListSecurityConfigurations", | |
| "elasticloadbalancing:Describe*", | |
| "es:Describe*", | |
| "es:GetCompatibleVersions", | |
| "es:ListDomainNames", | |
| "es:ListElasticsearchInstanceTypeDetails", | |
| "es:ListElasticsearchVersions", | |
| "es:ListTags", | |
| "events:Describe*", | |
| "events:List*", | |
| "events:TestEventPattern", | |
| "firehose:Describe*", | |
| "firehose:List*", | |
| "fms:ListComplianceStatus", | |
| "fms:ListPolicies", | |
| "forecast:ListDatasets", | |
| "fsx:Describe*", | |
| "fsx:List*", | |
| "gamelift:ListBuilds", | |
| "gamelift:ListFleets", | |
| "glacier:DescribeVault", | |
| "glacier:GetVaultAccessPolicy", | |
| "glacier:GetVaultLock", | |
| "glacier:ListVaults", | |
| "globalaccelerator:Describe*", | |
| "globalaccelerator:List*", | |
| "glue:GetCrawlers", | |
| "glue:GetDataCatalogEncryptionSettings", | |
| "glue:GetDatabases", | |
| "glue:GetDevEndpoints", | |
| "glue:GetJobs", | |
| "glue:GetResourcePolicy", | |
| "greengrass:List*", | |
| "guardduty:DescribePublishingDestination", | |
| "guardduty:Get*", | |
| "guardduty:List*", | |
| "iam:GenerateCredentialReport", | |
| "iam:GenerateServiceLastAccessedDetails", | |
| "iam:Get*", | |
| "iam:List*", | |
| "iam:SimulateCustomPolicy", | |
| "iam:SimulatePrincipalPolicy", | |
| "inspector:Describe*", | |
| "inspector:Get*", | |
| "inspector:List*", | |
| "inspector:Preview*", | |
| "inspector2:BatchGetAccountStatus", | |
| "inspector2:BatchGetFreeTrialInfo", | |
| "inspector2:DescribeOrganizationConfiguration", | |
| "inspector2:GetDelegatedAdminAccount", | |
| "inspector2:GetFindingsReportStatus", | |
| "inspector2:GetMember", | |
| "inspector2:ListAccountPermissions", | |
| "inspector2:ListCoverage", | |
| "inspector2:ListCoverageStatistics", | |
| "inspector2:ListDelegatedAdminAccounts", | |
| "inspector2:ListFilters", | |
| "inspector2:ListFindings", | |
| "inspector2:ListFindingAggregations", | |
| "inspector2:GetFindingsReportStatus", | |
| "inspector2:ListTagsForResource", | |
| "inspector2:ListUsageTotals", | |
| "iot:Describe*", | |
| "iot:GetPolicy", | |
| "iot:GetPolicyVersion", | |
| "iot:List*", | |
| "iotsitewise:DescribeGatewayCapabilityConfiguration", | |
| "iotsitewise:ListGateways", | |
| "kafka:Describe*", | |
| "kafka:List*", | |
| "kafka-cluster:Describe*", | |
| "kafkaconnect:Describe*", | |
| "kafkaconnect:List*", | |
| "kendra:DescribeIndex", | |
| "kendra:ListIndices", | |
| "kinesis:DescribeLimits", | |
| "kinesis:DescribeStream", | |
| "kinesis:DescribeStreamConsumer", | |
| "kinesis:DescribeStreamSummary", | |
| "kinesis:ListStreamConsumers", | |
| "kinesis:ListStreams", | |
| "kinesis:ListTagsForStream", | |
| "kinesisanalytics:ListApplications", | |
| "kms:Describe*", | |
| "kms:Get*", | |
| "kms:List*", | |
| "lambda:GetAccountSettings", | |
| "lambda:GetFunctionConfiguration", | |
| "lambda:GetFunctionEventInvokeConfig", | |
| "lambda:GetLayerVersionPolicy", | |
| "lambda:GetPolicy", | |
| "lambda:List*", | |
| "lex:DescribeBot", | |
| "lex:ListBots", | |
| "license-manager:List*", | |
| "lightsail:GetInstances", | |
| "lightsail:GetLoadBalancers", | |
| "logs:Describe*", | |
| "logs:ListTagsLogGroup", | |
| "machinelearning:DescribeMLModels", | |
| "managedblockchain:ListNetworks", | |
| "mediaconnect:Describe*", | |
| "mediaconnect:List*", | |
| "medialive:ListChannels", | |
| "mediapackage:DescribeOriginEndpoint", | |
| "mediapackage:ListOriginEndpoints", | |
| "mediastore:GetContainerPolicy", | |
| "mediastore:GetCorsPolicy", | |
| "mediastore:ListContainers", | |
| "mq:DescribeBroker", | |
| "mq:DescribeBrokerEngineTypes", | |
| "mq:DescribeBrokerInstanceOptions", | |
| "mq:DescribeConfiguration", | |
| "mq:DescribeConfigurationRevision", | |
| "mq:DescribeUser", | |
| "mq:ListBrokers", | |
| "mq:ListConfigurationRevisions", | |
| "mq:ListConfigurations", | |
| "mq:ListTags", | |
| "mq:ListUsers", | |
| "network-firewall:ListFirewalls", | |
| "opsworks-cm:DescribeServers", | |
| "opsworks:DescribeStacks", | |
| "organizations:Describe*", | |
| "organizations:List*", | |
| "qldb:DescribeJournalS3Export", | |
| "qldb:DescribeLedger", | |
| "qldb:ListJournalS3Exports", | |
| "qldb:ListJournalS3ExportsForLedger", | |
| "quicksight:Describe*", | |
| "quicksight:List*", | |
| "ram:List*", | |
| "rds:Describe*", | |
| "rds:DownloadDBLogFilePortion", | |
| "rds:ListTagsForResource", | |
| "redshift:Describe*", | |
| "rekognition:Describe*", | |
| "rekognition:List*", | |
| "robomaker:Describe*", | |
| "robomaker:List*", | |
| "route53:Get*", | |
| "route53:List*", | |
| "route53domains:GetDomainDetail", | |
| "route53domains:GetOperationDetail", | |
| "route53domains:ListDomains", | |
| "route53domains:ListOperations", | |
| "route53domains:ListTagsForDomain", | |
| "route53resolver:Get*", | |
| "route53resolver:List*", | |
| "s3:GetAccelerateConfiguration", | |
| "s3:GetAccessPoint", | |
| "s3:GetAccessPointPolicy", | |
| "s3:GetAccessPointPolicyStatus", | |
| "s3:GetAccountPublicAccessBlock", | |
| "s3:GetAnalyticsConfiguration", | |
| "s3:GetBucket*", | |
| "s3:GetEncryptionConfiguration", | |
| "s3:GetInventoryConfiguration", | |
| "s3:GetLifecycleConfiguration", | |
| "s3:GetMetricsConfiguration", | |
| "s3:GetObjectAcl", | |
| "s3:GetObjectVersionAcl", | |
| "s3:GetReplicationConfiguration", | |
| "s3:ListAccessPoints", | |
| "s3:ListAllMyBuckets", | |
| "sagemaker:Describe*", | |
| "sagemaker:List*", | |
| "schemas:DescribeCodeBinding", | |
| "schemas:DescribeDiscoverer", | |
| "schemas:DescribeRegistry", | |
| "schemas:DescribeSchema", | |
| "schemas:GetResourcePolicy", | |
| "schemas:ListDiscoverers", | |
| "schemas:ListRegistries", | |
| "schemas:ListSchemaVersions", | |
| "schemas:ListSchemas", | |
| "schemas:ListTagsForResource", | |
| "sdb:DomainMetadata", | |
| "sdb:ListDomains", | |
| "secretsmanager:DescribeSecret", | |
| "secretsmanager:GetResourcePolicy", | |
| "secretsmanager:ListSecretVersionIds", | |
| "secretsmanager:ListSecrets", | |
| "securityhub:Describe*", | |
| "securityhub:Get*", | |
| "securityhub:List*", | |
| "serverlessrepo:GetApplicationPolicy", | |
| "serverlessrepo:List*", | |
| "servicequotas:GetAWSDefaultServiceQuota", | |
| "servicequotas:GetAssociationForServiceQuotaTemplate", | |
| "servicequotas:GetRequestedServiceQuotaChange", | |
| "servicequotas:GetServiceQuota", | |
| "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate", | |
| "servicequotas:ListAWSDefaultServiceQuotas", | |
| "servicequotas:ListRequestedServiceQuotaChangeHistory", | |
| "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", | |
| "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate", | |
| "servicequotas:ListServiceQuotas", | |
| "servicequotas:ListServices", | |
| "servicequotas:ListTagsForResource", | |
| "ses:Describe*", | |
| "ses:GetIdentityDkimAttributes", | |
| "ses:GetIdentityPolicies", | |
| "ses:GetIdentityVerificationAttributes", | |
| "ses:ListConfigurationSets", | |
| "ses:ListIdentities", | |
| "ses:ListIdentityPolicies", | |
| "ses:ListReceiptRuleSets", | |
| "ses:ListVerifiedEmailAddresses", | |
| "shield:Describe*", | |
| "shield:List*", | |
| "snowball:ListClusters", | |
| "snowball:ListJobs", | |
| "sns:GetTopicAttributes", | |
| "sns:ListSubscriptions", | |
| "sns:ListSubscriptionsByTopic", | |
| "sns:ListTagsForResource", | |
| "sns:ListTopics", | |
| "sqs:GetQueueAttributes", | |
| "sqs:ListDeadLetterSourceQueues", | |
| "sqs:ListQueueTags", | |
| "sqs:ListQueues", | |
| "ssm:Describe*", | |
| "ssm:GetAutomationExecution", | |
| "ssm:ListAssociationVersions", | |
| "ssm:ListAssociations", | |
| "ssm:ListCommands", | |
| "ssm:ListComplianceItems", | |
| "ssm:ListComplianceSummaries", | |
| "ssm:ListDocumentMetadataHistory", | |
| "ssm:ListDocumentVersions", | |
| "ssm:ListDocuments", | |
| "ssm:ListInventoryEntries", | |
| "ssm:ListOpsMetadata", | |
| "ssm:ListResourceComplianceSummaries", | |
| "ssm:ListResourceDataSync", | |
| "ssm:ListTagsForResource", | |
| "sso:DescribeAccountAssignmentCreationStatus", | |
| "sso:DescribePermissionsPolicies", | |
| "sso:DescribePermissionSet", | |
| "sso:List*", | |
| "states:DescribeStateMachine", | |
| "states:ListStateMachines", | |
| "storagegateway:DescribeBandwidthRateLimit", | |
| "storagegateway:DescribeCache", | |
| "storagegateway:DescribeCachediSCSIVolumes", | |
| "storagegateway:DescribeGatewayInformation", | |
| "storagegateway:DescribeMaintenanceStartTime", | |
| "storagegateway:DescribeNFSFileShares", | |
| "storagegateway:DescribeSnapshotSchedule", | |
| "storagegateway:DescribeStorediSCSIVolumes", | |
| "storagegateway:DescribeTapeArchives", | |
| "storagegateway:DescribeTapeRecoveryPoints", | |
| "storagegateway:DescribeTapes", | |
| "storagegateway:DescribeUploadBuffer", | |
| "storagegateway:DescribeVTLDevices", | |
| "storagegateway:DescribeWorkingStorage", | |
| "storagegateway:List*", | |
| "sts:GetAccessKeyInfo", | |
| "support:DescribeTrustedAdvisorCheckRefreshStatuses", | |
| "support:DescribeTrustedAdvisorCheckResult", | |
| "support:DescribeTrustedAdvisorCheckSummaries", | |
| "support:DescribeTrustedAdvisorChecks", | |
| "tag:GetResources", | |
| "tag:GetTagKeys", | |
| "transfer:Describe*", | |
| "transfer:List*", | |
| "translate:List*", | |
| "trustedadvisor:Describe*", | |
| "waf-regional:GetWebACL", | |
| "waf-regional:ListResourcesForWebACL", | |
| "waf-regional:ListTagsForResource", | |
| "waf-regional:ListWebACLs", | |
| "waf:GetWebACL", | |
| "waf:ListTagsForResource", | |
| "waf:ListWebACLs", | |
| "wafv2:GetWebACL", | |
| "wafv2:ListAvailableManagedRuleGroups", | |
| "wafv2:ListIPSets", | |
| "wafv2:ListLoggingConfigurations", | |
| "wafv2:ListRegexPatternSets", | |
| "wafv2:ListResourcesForWebACL", | |
| "wafv2:ListRuleGroups", | |
| "wafv2:ListTagsForResource", | |
| "wafv2:ListWebACLs", | |
| "workdocs:DescribeResourcePermissions", | |
| "workspaces:Describe*", | |
| "xray:GetEncryptionConfig", | |
| "xray:GetGroup", | |
| "xray:GetGroups", | |
| "xray:GetSamplingRules", | |
| "xray:GetSamplingTargets", | |
| "xray:GetTraceSummaries", | |
| "xray:ListTagsForResource" | |
| ] | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "apigateway:GET" | |
| ], | |
| "Resource": [ | |
| "arn:aws:apigateway:*::/apis", | |
| "arn:aws:apigateway:*::/apis/*/routes", | |
| "arn:aws:apigateway:*::/apis/*/stages", | |
| "arn:aws:apigateway:*::/apis/*/stages/*", | |
| "arn:aws:apigateway:*::/clientcertificates", | |
| "arn:aws:apigateway:*::/clientcertificates/*", | |
| "arn:aws:apigateway:*::/domainnames", | |
| "arn:aws:apigateway:*::/restapis", | |
| "arn:aws:apigateway:*::/restapis/*/authorizers", | |
| "arn:aws:apigateway:*::/restapis/*/authorizers/*", | |
| "arn:aws:apigateway:*::/restapis/*/documentation/versions", | |
| "arn:aws:apigateway:*::/restapis/*/resources", | |
| "arn:aws:apigateway:*::/restapis/*/resources/*", | |
| "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*", | |
| "arn:aws:apigateway:*::/restapis/*/stages", | |
| "arn:aws:apigateway:*::/restapis/*/stages/*", | |
| "arn:aws:apigateway:*::/tags/*", | |
| "arn:aws:apigateway:*::/vpclinks" | |
| ] | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment