ACM Private CAs:
- acm-pca:PutPolicy: Puts a policy on an ACM Private CA.
- acm-pca:DeletePolicy: Deletes the policy for an ACM Private CA.
CloudWatch Logs:
- logs:PutResourcePolicy: Creates or updates a resource policy allowing other AWS services to put log events to this account
- logs:DeleteResourcePolicy: Deletes a resource policy from this account. This revokes the access of the identities in that policy to put log events to this account.