SecurityAudit IAM privileges expanded
acm:ListCertificates | |
application-autoscaling:DescribeScalableTargets | |
application-autoscaling:DescribeScalingActivities | |
application-autoscaling:DescribeScalingPolicies | |
application-autoscaling:DescribeScheduledActions | |
autoscaling:DescribeAccountLimits | |
autoscaling:DescribeAdjustmentTypes | |
autoscaling:DescribeAutoScalingGroups | |
autoscaling:DescribeAutoScalingInstances | |
autoscaling:DescribeAutoScalingNotificationTypes | |
autoscaling:DescribeLaunchConfigurations | |
autoscaling:DescribeLifecycleHookTypes | |
autoscaling:DescribeLifecycleHooks | |
autoscaling:DescribeLoadBalancerTargetGroups | |
autoscaling:DescribeLoadBalancers | |
autoscaling:DescribeMetricCollectionTypes | |
autoscaling:DescribeNotificationConfigurations | |
autoscaling:DescribePolicies | |
autoscaling:DescribeScalingActivities | |
autoscaling:DescribeScalingProcessTypes | |
autoscaling:DescribeScheduledActions | |
autoscaling:DescribeTags | |
autoscaling:DescribeTerminationPolicyTypes | |
batch:DescribeComputeEnvironments | |
batch:DescribeJobDefinitions | |
clouddirectory:ListDirectories | |
cloudformation:DescribeStackEvents | |
cloudformation:DescribeStackInstance | |
cloudformation:DescribeStackResource | |
cloudformation:DescribeStackResources | |
cloudformation:DescribeStackSet | |
cloudformation:DescribeStackSetOperation | |
cloudformation:DescribeStacks | |
cloudformation:GetStackPolicy | |
cloudformation:GetTemplate | |
cloudformation:GetTemplateSummary | |
cloudformation:ListStackInstances | |
cloudformation:ListStackResources | |
cloudformation:ListStackSetOperationResults | |
cloudformation:ListStackSetOperations | |
cloudformation:ListStackSets | |
cloudformation:ListStacks | |
cloudfront:GetCloudFrontOriginAccessIdentity | |
cloudfront:GetCloudFrontOriginAccessIdentityConfig | |
cloudfront:GetDistribution | |
cloudfront:GetDistributionConfig | |
cloudfront:GetInvalidation | |
cloudfront:GetStreamingDistribution | |
cloudfront:GetStreamingDistributionConfig | |
cloudfront:ListCloudFrontOriginAccessIdentities | |
cloudfront:ListDistributions | |
cloudfront:ListDistributionsByWebACLId | |
cloudfront:ListInvalidations | |
cloudfront:ListStreamingDistributions | |
cloudfront:ListTagsForResource | |
cloudhsm:ListHapgs | |
cloudhsm:ListHsms | |
cloudhsm:ListLunaClients | |
cloudsearch:DescribeDomains | |
cloudsearch:DescribeServiceAccessPolicies | |
cloudtrail:DescribeTrails | |
cloudtrail:GetTrailStatus | |
cloudtrail:ListTags | |
cloudwatch:DescribeAlarmHistory | |
cloudwatch:DescribeAlarms | |
cloudwatch:DescribeAlarmsForMetric | |
codebuild:ListProjects | |
codecommit:BatchGetRepositories | |
codecommit:GetBranch | |
codecommit:GetObjectIdentifier | |
codecommit:GetRepository | |
codecommit:GetRepositoryTriggers | |
codecommit:ListBranches | |
codecommit:ListPullRequests | |
codecommit:ListRepositories | |
codedeploy:BatchGetApplicationRevisions | |
codedeploy:BatchGetApplications | |
codedeploy:BatchGetDeploymentGroups | |
codedeploy:BatchGetDeploymentInstances | |
codedeploy:BatchGetDeployments | |
codedeploy:BatchGetOnPremisesInstances | |
codedeploy:GetApplication | |
codedeploy:GetApplicationRevision | |
codedeploy:GetDeployment | |
codedeploy:GetDeploymentConfig | |
codedeploy:GetDeploymentGroup | |
codedeploy:GetDeploymentInstance | |
codedeploy:GetOnPremisesInstance | |
codedeploy:ListApplicationRevisions | |
codedeploy:ListApplications | |
codedeploy:ListDeploymentConfigs | |
codedeploy:ListDeploymentGroups | |
codedeploy:ListDeploymentInstances | |
codedeploy:ListDeployments | |
codedeploy:ListOnPremisesInstances | |
codepipeline:ListPipelines | |
cognito-identity:ListIdentityPools | |
cognito-idp:ListUserPools | |
config:DeliverConfigSnapshot | |
config:DescribeAggregateComplianceByConfigRules | |
config:DescribeAggregationAuthorizations | |
config:DescribeComplianceByConfigRule | |
config:DescribeComplianceByResource | |
config:DescribeConfigRuleEvaluationStatus | |
config:DescribeConfigRules | |
config:DescribeConfigurationAggregatorSourcesStatus | |
config:DescribeConfigurationAggregators | |
config:DescribeConfigurationRecorderStatus | |
config:DescribeConfigurationRecorders | |
config:DescribeDeliveryChannelStatus | |
config:DescribeDeliveryChannels | |
config:DescribePendingAggregationRequests | |
config:GetAggregateComplianceDetailsByConfigRule | |
config:GetAggregateConfigRuleComplianceSummary | |
config:GetComplianceDetailsByConfigRule | |
config:GetComplianceDetailsByResource | |
config:GetComplianceSummaryByConfigRule | |
config:GetComplianceSummaryByResourceType | |
config:GetResourceConfigHistory | |
config:GetResources | |
config:GetTagKeys | |
datapipeline:DescribeObjects | |
datapipeline:DescribePipelines | |
datapipeline:EvaluateExpression | |
datapipeline:GetPipelineDefinition | |
datapipeline:ListPipelines | |
datapipeline:QueryObjects | |
datapipeline:ValidatePipelineDefinition | |
directconnect:DescribeConnectionLoa | |
directconnect:DescribeConnections | |
directconnect:DescribeConnectionsOnInterconnect | |
directconnect:DescribeInterconnectLoa | |
directconnect:DescribeInterconnects | |
directconnect:DescribeLocations | |
directconnect:DescribeVirtualGateways | |
directconnect:DescribeVirtualInterfaces | |
ds:DescribeDirectories | |
dynamodb:ListStreams | |
dynamodb:ListTables | |
ec2:DescribeAccountAttributes | |
ec2:DescribeAddresses | |
ec2:DescribeAvailabilityZones | |
ec2:DescribeBundleTasks | |
ec2:DescribeClassicLinkInstances | |
ec2:DescribeConversionTasks | |
ec2:DescribeCustomerGateways | |
ec2:DescribeDhcpOptions | |
ec2:DescribeEgressOnlyInternetGateways | |
ec2:DescribeElasticGpus | |
ec2:DescribeExportTasks | |
ec2:DescribeFlowLogs | |
ec2:DescribeFpgaImageAttribute | |
ec2:DescribeFpgaImages | |
ec2:DescribeHostReservationOfferings | |
ec2:DescribeHostReservations | |
ec2:DescribeHosts | |
ec2:DescribeIamInstanceProfileAssociations | |
ec2:DescribeIdFormat | |
ec2:DescribeIdentityIdFormat | |
ec2:DescribeImageAttribute | |
ec2:DescribeImages | |
ec2:DescribeImportImageTasks | |
ec2:DescribeImportSnapshotTasks | |
ec2:DescribeInstanceAttribute | |
ec2:DescribeInstanceCreditSpecifications | |
ec2:DescribeInstanceStatus | |
ec2:DescribeInstances | |
ec2:DescribeInternetGateways | |
ec2:DescribeKeyPairs | |
ec2:DescribeLaunchTemplateVersions | |
ec2:DescribeLaunchTemplates | |
ec2:DescribeMovingAddresses | |
ec2:DescribeNatGateways | |
ec2:DescribeNetworkAcls | |
ec2:DescribeNetworkInterfaceAttribute | |
ec2:DescribeNetworkInterfacePermissions | |
ec2:DescribeNetworkInterfaces | |
ec2:DescribePlacementGroups | |
ec2:DescribePrefixLists | |
ec2:DescribeRegions | |
ec2:DescribeReservedInstances | |
ec2:DescribeReservedInstancesListings | |
ec2:DescribeReservedInstancesModifications | |
ec2:DescribeReservedInstancesOfferings | |
ec2:DescribeRouteTables | |
ec2:DescribeScheduledInstanceAvailability | |
ec2:DescribeScheduledInstances | |
ec2:DescribeSecurityGroupReferences | |
ec2:DescribeSecurityGroups | |
ec2:DescribeSnapshotAttribute | |
ec2:DescribeSnapshots | |
ec2:DescribeSpotDatafeedSubscription | |
ec2:DescribeSpotFleetInstances | |
ec2:DescribeSpotFleetRequestHistory | |
ec2:DescribeSpotFleetRequests | |
ec2:DescribeSpotInstanceRequests | |
ec2:DescribeSpotPriceHistory | |
ec2:DescribeStaleSecurityGroups | |
ec2:DescribeSubnets | |
ec2:DescribeTags | |
ec2:DescribeVolumeAttribute | |
ec2:DescribeVolumeStatus | |
ec2:DescribeVolumes | |
ec2:DescribeVolumesModifications | |
ec2:DescribeVpcAttribute | |
ec2:DescribeVpcClassicLink | |
ec2:DescribeVpcClassicLinkDnsSupport | |
ec2:DescribeVpcEndpointConnectionNotifications | |
ec2:DescribeVpcEndpointConnections | |
ec2:DescribeVpcEndpointServiceConfigurations | |
ec2:DescribeVpcEndpointServicePermissions | |
ec2:DescribeVpcEndpointServices | |
ec2:DescribeVpcEndpoints | |
ec2:DescribeVpcPeeringConnections | |
ec2:DescribeVpcs | |
ec2:DescribeVpnConnections | |
ec2:DescribeVpnGateways | |
ecr:DescribeRepositories | |
ecr:GetRepositoryPolicy | |
ecs:DescribeClusters | |
ecs:DescribeContainerInstances | |
ecs:DescribeServices | |
ecs:DescribeTaskDefinition | |
ecs:DescribeTasks | |
ecs:ListClusters | |
ecs:ListContainerInstances | |
ecs:ListServices | |
ecs:ListTaskDefinitionFamilies | |
ecs:ListTaskDefinitions | |
ecs:ListTasks | |
elasticache:DescribeCacheClusters | |
elasticache:DescribeCacheEngineVersions | |
elasticache:DescribeCacheParameterGroups | |
elasticache:DescribeCacheParameters | |
elasticache:DescribeCacheSecurityGroups | |
elasticache:DescribeCacheSubnetGroups | |
elasticache:DescribeEngineDefaultParameters | |
elasticache:DescribeEvents | |
elasticache:DescribeReplicationGroups | |
elasticache:DescribeReservedCacheNodes | |
elasticache:DescribeReservedCacheNodesOfferings | |
elasticache:DescribeSnapshots | |
elasticbeanstalk:DescribeApplicationVersions | |
elasticbeanstalk:DescribeApplications | |
elasticbeanstalk:DescribeConfigurationOptions | |
elasticbeanstalk:DescribeConfigurationSettings | |
elasticbeanstalk:DescribeEnvironmentHealth | |
elasticbeanstalk:DescribeEnvironmentManagedActionHistory | |
elasticbeanstalk:DescribeEnvironmentManagedActions | |
elasticbeanstalk:DescribeEnvironmentResources | |
elasticbeanstalk:DescribeEnvironments | |
elasticbeanstalk:DescribeEvents | |
elasticbeanstalk:DescribeInstancesHealth | |
elasticbeanstalk:DescribePlatformVersion | |
elasticfilesystem:DescribeFileSystems | |
elasticloadbalancing:DescribeAccountLimits | |
elasticloadbalancing:DescribeInstanceHealth | |
elasticloadbalancing:DescribeListenerCertificates | |
elasticloadbalancing:DescribeListeners | |
elasticloadbalancing:DescribeLoadBalancerAttributes | |
elasticloadbalancing:DescribeLoadBalancerPolicies | |
elasticloadbalancing:DescribeLoadBalancerPolicyTypes | |
elasticloadbalancing:DescribeLoadBalancers | |
elasticloadbalancing:DescribeRules | |
elasticloadbalancing:DescribeSSLPolicies | |
elasticloadbalancing:DescribeTags | |
elasticloadbalancing:DescribeTargetGroupAttributes | |
elasticloadbalancing:DescribeTargetGroups | |
elasticloadbalancing:DescribeTargetHealth | |
elasticmapreduce:DescribeJobFlows | |
elasticmapreduce:ListClusters | |
elasticmapreduce:ListInstances | |
es:DescribeElasticsearchDomain | |
es:DescribeElasticsearchDomainConfig | |
es:DescribeElasticsearchDomains | |
es:DescribeElasticsearchInstanceTypeLimits | |
es:ListDomainNames | |
events:DescribeEventBus | |
events:ListRules | |
firehose:DescribeDeliveryStream | |
firehose:ListDeliveryStreams | |
gamelift:ListBuilds | |
gamelift:ListFleets | |
glacier:DescribeVault | |
glacier:GetVaultAccessPolicy | |
glacier:ListVaults | |
iam:GenerateCredentialReport | |
iam:GenerateServiceLastAccessedDetails | |
iam:GetAccessKeyLastUsed | |
iam:GetAccountAuthorizationDetails | |
iam:GetAccountPasswordPolicy | |
iam:GetAccountSummary | |
iam:GetContextKeysForCustomPolicy | |
iam:GetContextKeysForPrincipalPolicy | |
iam:GetCredentialReport | |
iam:GetGroup | |
iam:GetGroupPolicy | |
iam:GetInstanceProfile | |
iam:GetLoginProfile | |
iam:GetOpenIDConnectProvider | |
iam:GetPolicy | |
iam:GetPolicyVersion | |
iam:GetRole | |
iam:GetRolePolicy | |
iam:GetSAMLProvider | |
iam:GetSSHPublicKey | |
iam:GetServerCertificate | |
iam:GetServiceLastAccessedDetails | |
iam:GetServiceLastAccessedDetailsWithEntities | |
iam:GetServiceLinkedRoleDeletionStatus | |
iam:GetUser | |
iam:GetUserPolicy | |
iam:ListAccessKeys | |
iam:ListAccountAliases | |
iam:ListAttachedGroupPolicies | |
iam:ListAttachedRolePolicies | |
iam:ListAttachedUserPolicies | |
iam:ListEntitiesForPolicy | |
iam:ListGroupPolicies | |
iam:ListGroups | |
iam:ListGroupsForUser | |
iam:ListInstanceProfiles | |
iam:ListInstanceProfilesForRole | |
iam:ListMFADevices | |
iam:ListOpenIDConnectProviders | |
iam:ListPolicies | |
iam:ListPoliciesGrantingServiceAccess | |
iam:ListPolicyVersions | |
iam:ListRolePolicies | |
iam:ListRoles | |
iam:ListSAMLProviders | |
iam:ListSSHPublicKeys | |
iam:ListServerCertificates | |
iam:ListServiceSpecificCredentials | |
iam:ListSigningCertificates | |
iam:ListUserPolicies | |
iam:ListUsers | |
iam:ListVirtualMFADevices | |
iot:DescribeEndpoint | |
iot:ListThings | |
iot:ListThingsInThingGroup | |
kinesis:ListStreams | |
kinesisanalytics:ListApplications | |
kms:DescribeKey | |
kms:GenerateDataKey | |
kms:GenerateDataKeyWithoutPlaintext | |
kms:GenerateRandom | |
kms:GetKeyPolicy | |
kms:GetKeyRotationStatus | |
kms:GetParametersForImport | |
kms:ListAliases | |
kms:ListGrants | |
kms:ListKeyPolicies | |
kms:ListKeys | |
kms:ListResourceTags | |
kms:ListRetirableGrants | |
lambda:GetAccountSettings | |
lambda:GetPolicy | |
lambda:ListFunctions | |
logs:DescribeDestinations | |
logs:DescribeLogGroups | |
logs:DescribeMetricFilters | |
logs:DescribeResourcePolicies | |
machinelearning:DescribeMLModels | |
mediastore:GetContainerPolicy | |
mediastore:ListContainers | |
opsworks-cm:DescribeServers | |
rds:DescribeAccountAttributes | |
rds:DescribeCertificates | |
rds:DescribeDBClusterParameterGroups | |
rds:DescribeDBClusterParameters | |
rds:DescribeDBClusterSnapshotAttributes | |
rds:DescribeDBClusterSnapshots | |
rds:DescribeDBClusters | |
rds:DescribeDBEngineVersions | |
rds:DescribeDBInstances | |
rds:DescribeDBLogFiles | |
rds:DescribeDBParameterGroups | |
rds:DescribeDBParameters | |
rds:DescribeDBSecurityGroups | |
rds:DescribeDBSnapshotAttributes | |
rds:DescribeDBSnapshots | |
rds:DescribeDBSubnetGroups | |
rds:DescribeEngineDefaultClusterParameters | |
rds:DescribeEngineDefaultParameters | |
rds:DescribeEventCategories | |
rds:DescribeEventSubscriptions | |
rds:DescribeEvents | |
rds:DescribeOptionGroupOptions | |
rds:DescribeOptionGroups | |
rds:DescribeOrderableDBInstanceOptions | |
rds:DescribePendingMaintenanceActions | |
rds:DescribeReservedDBInstances | |
rds:DescribeReservedDBInstancesOfferings | |
rds:DownloadDBLogFilePortion | |
rds:ListTagsForResource | |
redshift:DescribeClusterParameterGroups | |
redshift:DescribeClusterParameters | |
redshift:DescribeClusterSecurityGroups | |
redshift:DescribeClusterSnapshots | |
redshift:DescribeClusterSubnetGroups | |
redshift:DescribeClusterVersions | |
redshift:DescribeClusters | |
redshift:DescribeDefaultClusterParameters | |
redshift:DescribeEventCategories | |
redshift:DescribeEventSubscriptions | |
redshift:DescribeEvents | |
redshift:DescribeHsmClientCertificates | |
redshift:DescribeHsmConfigurations | |
redshift:DescribeLoggingStatus | |
redshift:DescribeOrderableClusterOptions | |
redshift:DescribeReservedNodeOfferings | |
redshift:DescribeReservedNodes | |
redshift:DescribeResize | |
redshift:DescribeSnapshotCopyGrants | |
redshift:DescribeTableRestoreStatus | |
redshift:DescribeTags | |
route53:GetAccountLimit | |
route53:GetChange | |
route53:GetCheckerIpRanges | |
route53:GetGeoLocation | |
route53:GetHealthCheck | |
route53:GetHealthCheckCount | |
route53:GetHealthCheckLastFailureReason | |
route53:GetHealthCheckStatus | |
route53:GetHostedZone | |
route53:GetHostedZoneCount | |
route53:GetHostedZoneLimit | |
route53:GetQueryLoggingConfig | |
route53:GetReusableDelegationSet | |
route53:GetReusableDelegationSetLimit | |
route53:GetTrafficPolicy | |
route53:GetTrafficPolicyInstance | |
route53:GetTrafficPolicyInstanceCount | |
route53:ListGeoLocations | |
route53:ListHealthChecks | |
route53:ListHostedZones | |
route53:ListHostedZonesByName | |
route53:ListQueryLoggingConfigs | |
route53:ListResourceRecordSets | |
route53:ListReusableDelegationSets | |
route53:ListTagsForResource | |
route53:ListTagsForResources | |
route53:ListTrafficPolicies | |
route53:ListTrafficPolicyInstances | |
route53:ListTrafficPolicyInstancesByHostedZone | |
route53:ListTrafficPolicyInstancesByPolicy | |
route53:ListTrafficPolicyVersions | |
route53:ListVPCAssociationAuthorizations | |
route53domains:GetDomainDetail | |
route53domains:GetOperationDetail | |
route53domains:ListDomains | |
route53domains:ListOperations | |
route53domains:ListTagsForDomain | |
s3:GetAccelerateConfiguration | |
s3:GetAnalyticsConfiguration | |
s3:GetBucketAcl | |
s3:GetBucketCORS | |
s3:GetBucketLocation | |
s3:GetBucketLogging | |
s3:GetBucketNotification | |
s3:GetBucketPolicy | |
s3:GetBucketRequestPayment | |
s3:GetBucketTagging | |
s3:GetBucketVersioning | |
s3:GetBucketWebsite | |
s3:GetEncryptionConfiguration | |
s3:GetInventoryConfiguration | |
s3:GetLifecycleConfiguration | |
s3:GetMetricsConfiguration | |
s3:GetObjectAcl | |
s3:GetObjectVersionAcl | |
s3:GetReplicationConfiguration | |
s3:ListAllMyBuckets | |
sdb:DomainMetadata | |
sdb:ListDomains | |
serverlessrepo:GetApplicationPolicy | |
serverlessrepo:ListApplications | |
ses:DescribeActiveReceiptRuleSet | |
ses:DescribeConfigurationSet | |
ses:DescribeReceiptRule | |
ses:DescribeReceiptRuleSet | |
ses:GetIdentityDkimAttributes | |
ses:GetIdentityVerificationAttributes | |
ses:ListIdentities | |
snowball:ListClusters | |
snowball:ListJobs | |
sns:GetTopicAttributes | |
sns:ListSubscriptionsByTopic | |
sns:ListTopics | |
sqs:GetQueueAttributes | |
sqs:ListQueues | |
ssm:DescribeDocumentPermission | |
ssm:ListDocuments | |
states:DescribeActivity | |
states:DescribeExecution | |
states:DescribeStateMachine | |
states:DescribeStateMachineForExecution | |
states:ListStateMachines | |
storagegateway:DescribeBandwidthRateLimit | |
storagegateway:DescribeCache | |
storagegateway:DescribeCachediSCSIVolumes | |
storagegateway:DescribeGatewayInformation | |
storagegateway:DescribeMaintenanceStartTime | |
storagegateway:DescribeNFSFileShares | |
storagegateway:DescribeSnapshotSchedule | |
storagegateway:DescribeStorediSCSIVolumes | |
storagegateway:DescribeTapeArchives | |
storagegateway:DescribeTapeRecoveryPoints | |
storagegateway:DescribeTapes | |
storagegateway:DescribeUploadBuffer | |
storagegateway:DescribeVTLDevices | |
storagegateway:DescribeWorkingStorage | |
storagegateway:ListFileShares | |
storagegateway:ListGateways | |
storagegateway:ListLocalDisks | |
storagegateway:ListTagsForResource | |
storagegateway:ListTapes | |
storagegateway:ListVolumeInitiators | |
storagegateway:ListVolumeRecoveryPoints | |
storagegateway:ListVolumes | |
tag:GetResources | |
tag:GetTagKeys | |
trustedadvisor:DescribeCheckItems | |
trustedadvisor:DescribeCheckRefreshStatuses | |
trustedadvisor:DescribeCheckSummaries | |
trustedadvisor:DescribeNotificationPreferences | |
waf-regional:ListWebACLs | |
waf:ListWebACLs | |
workspaces:DescribeTags | |
workspaces:DescribeWorkspaceBundles | |
workspaces:DescribeWorkspaceDirectories | |
workspaces:DescribeWorkspaces | |
workspaces:DescribeWorkspacesConnectionStatus |