ACM Private CAs:
- acm-pca:PutPolicy: Puts a policy on an ACM Private CA.
- acm-pca:DeletePolicy: Deletes the policy for an ACM Private CA.
CloudWatch Logs:
- logs:PutResourcePolicy: Creates or updates a resource policy allowing other AWS services to put log events to this account
- logs:DeleteResourcePolicy: Deletes a resource policy from this account. This revokes the access of the identities in that policy to put log events to this account.
Elastic Container Registry (ECR):
- ecr:SetRepositoryPolicy: Grants permission to apply a repository policy on a specified repository to control access permissions
- ecr:DeleteRepositoryPolicy: Grants permission to delete the repository policy from a specified repository
- ecr:PutRegistryPolicy: Grants permission to update the registry policy
- ecr:DeleteRegistryPolicy: Grants permission to delete the registry policy
Elastic File System (EFS):
- elasticfilesystem:PutFileSystemPolicy: Grants permission to apply a resource-level policy that defines the actions allowed or denied from given actors for the specified file system
Elasticsearch Domains:
- es:UpdateElasticsearchDomainConfig: Grants permission to modify the configuration of an Amazon ES domain, which includes the Resource-Based Policy (RBP) content. The RBP can be modified to allow access from external IAM principals or from the internet.
Glacier Vault:
- glacier:SetVaultAccessPolicy: Configures an access policy for a vault and will overwrite an existing policy.
IAM Roles:
- iam:UpdateAssumeRolePolicy: Grants permission to update the policy that grants an IAM entity permission to assume a role
KMS Keys:
- kms:PutKeyPolicy: Controls permission to replace the key policy for the specified customer master key
Lambda Functions:
- lambda:AddPermission: Grants permission to give an AWS service or another account permission to use an AWS Lambda function
- lambda:RemovePermission: Grants permission to revoke function-use permission from an AWS service or another account
Lambda Layers:
- lambda:AddLayerVersionPermission: Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer
- lambda:RemoveLayerVersionPermission: Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer
S3 Buckets:
- s3:PutBucketPolicy: Grants permission to add or replace a bucket policy on a bucket.
Secrets Manager Secrets:
- secretsmanager:PutResourcePolicy: Enables the user to attach a resource policy to a secret.
- secretsmanager:DeleteResourcePolicy: Enables the user to delete the resource policy attached to a secret.
SES Authorized Senders:
- ses:PutIdentityPolicy: Adds or updates a sending authorization policy for the specified identity (an email address or a domain)
- ses:DeleteIdentityPolicy: Deletes the policy associated with the identity
SNS Topics:
- sns:AddPermission: Adds a statement to a topic's access control policy, granting access for the specified AWS accounts to the specified actions.
- sns:RemovePermission: Removes a statement from a topic's access control policy.
SQS Queues:
- sqs:AddPermission: Adds a permission to a queue for a specific principal.
- sqs:RemovePermission: Revokes any permissions in the queue policy that match the specified Label parameter.
EBS Snapshots:
- ec2:ModifySnapshotAttribute: Grants permission to add or remove permission settings for a snapshot
EC2 AMIs:
- ec2:ModifyImageAttribute: Grants permission to modify an attribute of an Amazon Machine Image (AMI)
RDS Snapshots:
- rds:ModifyDBSnapshotAttribute: Grants permission to add an attribute and values to, or remove an attribute and values from, a manual DB snapshot. This includes the ability to share snapshots with other AWS accounts.
- rds:ModifyDBClusterSnapshotAttribute: Grants permission to add an attribute and values to, or remove an attribute and values from, a manual DB cluster snapshot. This includes the ability to share snapshots with other AWS accounts.
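As an added example (not part of the original list), the checker below flags IAM policy statements that grant any of the actions above, expanding the wildcards IAM allows in Action (`*`, `s3:*`, `lambda:Add*`); the sample policy and bucket name are constructed.

```python
import fnmatch

# Added example: flag Allow statements granting resource-exposure actions.
# Action wildcards are expanded against the list; NotAction is not handled.
RESOURCE_EXPOSURE_ACTIONS = [
    "acm-pca:PutPolicy", "acm-pca:DeletePolicy", "logs:PutResourcePolicy",
    "logs:DeleteResourcePolicy", "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
    "ecr:PutRegistryPolicy", "ecr:DeleteRegistryPolicy", "elasticfilesystem:PutFileSystemPolicy",
    "es:UpdateElasticsearchDomainConfig", "glacier:SetVaultAccessPolicy",
    "iam:UpdateAssumeRolePolicy", "kms:PutKeyPolicy", "lambda:AddPermission",
    "lambda:RemovePermission", "lambda:AddLayerVersionPermission",
    "lambda:RemoveLayerVersionPermission", "s3:PutBucketPolicy",
    "secretsmanager:PutResourcePolicy", "secretsmanager:DeleteResourcePolicy",
    "ses:PutIdentityPolicy", "ses:DeleteIdentityPolicy", "sns:AddPermission",
    "sns:RemovePermission", "sqs:AddPermission", "sqs:RemovePermission",
    "ec2:ModifySnapshotAttribute", "ec2:ModifyImageAttribute",
    "rds:ModifyDBSnapshotAttribute", "rds:ModifyDBClusterSnapshotAttribute",
]

def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]

def find_resource_exposure(policy: dict) -> list:
    """One finding per Allow statement/action pair. IAM action matching is
    case-insensitive with '*' and '?' wildcards, which fnmatch reproduces."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot grant exposure
        for pattern in _as_list(stmt.get("Action")):
            for action in RESOURCE_EXPOSURE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append({"statement": index, "pattern": pattern,
                                     "action": action, "resources": _as_list(stmt.get("Resource"))})
    return findings

# Constructed sample policy for illustration; the bucket name is made up.
SAMPLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": ["lambda:Add*", "ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:UpdateAssumeRolePolicy", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for f in find_resource_exposure(SAMPLE_POLICY):
        print(f"statement {f['statement']}: {f['pattern']} grants {f['action']} on {f['resources']}")
```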