@cloud-copilot/iam-data
Version:
731 lines • 21.8 kB
JSON
{
"createlandingzone": {
"name": "CreateLandingZone",
"description": "Grants permission to create a landing zone",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": [
"controltower:TagResource"
]
},
"createmanagedaccount": {
"name": "CreateManagedAccount",
"isPermissionOnly": true,
"description": "Grants permission to create an account managed by AWS Control Tower",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"deletelandingzone": {
"name": "DeleteLandingZone",
"description": "Grants permission to delete AWS Control Tower landing zone",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "LandingZone",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deregistermanagedaccount": {
"name": "DeregisterManagedAccount",
"isPermissionOnly": true,
"description": "Grants permission to deregister an account created through the account factory from AWS Control Tower",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"deregisterorganizationalunit": {
"name": "DeregisterOrganizationalUnit",
"isPermissionOnly": true,
"description": "Grants permission to deregister an organizational unit from AWS Control Tower management",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describeaccountfactoryconfig": {
"name": "DescribeAccountFactoryConfig",
"isPermissionOnly": true,
"description": "Grants permission to describe the current account factory configuration",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describecoreservice": {
"name": "DescribeCoreService",
"isPermissionOnly": true,
"description": "Grants permission to describe resources managed by core accounts in AWS Control Tower",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describeguardrail": {
"name": "DescribeGuardrail",
"isPermissionOnly": true,
"description": "Grants permission to describe a guardrail",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describeguardrailfortarget": {
"name": "DescribeGuardrailForTarget",
"isPermissionOnly": true,
"description": "Grants permission to describe a guardrail for a organizational unit",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describelandingzoneconfiguration": {
"name": "DescribeLandingZoneConfiguration",
"isPermissionOnly": true,
"description": "Grants permission to describe the current Landing Zone configuration",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describemanagedaccount": {
"name": "DescribeManagedAccount",
"isPermissionOnly": true,
"description": "Grants permission to describe an account created through account factory",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describemanagedorganizationalunit": {
"name": "DescribeManagedOrganizationalUnit",
"isPermissionOnly": true,
"description": "Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describeregisterorganizationalunitoperation": {
"name": "DescribeRegisterOrganizationalUnitOperation",
"isPermissionOnly": true,
"description": "Grants permission to describe a Register Organizational Unit Operation",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"describesinglesignon": {
"name": "DescribeSingleSignOn",
"isPermissionOnly": true,
"description": "Grants permission to describe the current AWS Control Tower IAM Identity Center configuration",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"disablebaseline": {
"name": "DisableBaseline",
"description": "Grants permission to disable a Baseline on a target",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "EnabledBaseline",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"disablecontrol": {
"name": "DisableControl",
"description": "Grants permission to remove a control from an organizational unit",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "EnabledControl",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"disableguardrail": {
"name": "DisableGuardrail",
"isPermissionOnly": true,
"description": "Grants permission to disable a guardrail from an organizational unit",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"enablebaseline": {
"name": "EnableBaseline",
"description": "Grants permission to enable a Baseline on a target",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": [
"controltower:TagResource"
]
},
"enablecontrol": {
"name": "EnableControl",
"description": "Grants permission to activate a control for an organizational unit",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "EnabledControl",
"required": false,
"conditionKeys": [],
"dependentActions": [
"controltower:TagResource"
]
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"enableguardrail": {
"name": "EnableGuardrail",
"isPermissionOnly": true,
"description": "Grants permission to enable a guardrail to an organizational unit",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getaccountinfo": {
"name": "GetAccountInfo",
"isPermissionOnly": true,
"description": "Grants permission to describe an account email and validate that it exists",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getavailableupdates": {
"name": "GetAvailableUpdates",
"isPermissionOnly": true,
"description": "Grants permission to list available updates for the current AWS Control Tower deployment",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getbaseline": {
"name": "GetBaseline",
"description": "Grants permission to get Baseline details",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Baseline",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getbaselineoperation": {
"name": "GetBaselineOperation",
"description": "Grants permission to get the current status of a particular Baseline operation",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getcontroloperation": {
"name": "GetControlOperation",
"description": "Grants permission to get the current status of a particular EnabledControl or DisableControl operation",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getenabledbaseline": {
"name": "GetEnabledBaseline",
"description": "Grants permission to get an enabled Baseline",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "EnabledBaseline",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getenabledcontrol": {
"name": "GetEnabledControl",
"description": "Grants permission to get an enabled control from an organizational unit",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "EnabledControl",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getguardrailcompliancestatus": {
"name": "GetGuardrailComplianceStatus",
"isPermissionOnly": true,
"description": "Grants permission to get the current compliance status of a guardrail",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"gethomeregion": {
"name": "GetHomeRegion",
"isPermissionOnly": true,
"description": "Grants permission to get the home region of the AWS Control Tower setup",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getlandingzone": {
"name": "GetLandingZone",
"description": "Grants permission to get the current status of the landing zone setup",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "LandingZone",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getlandingzonedriftstatus": {
"name": "GetLandingZoneDriftStatus",
"description": "Grants permission to get the current landing zone drift status",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getlandingzoneoperation": {
"name": "GetLandingZoneOperation",
"description": "Grants permission to get the current status of a particular landing zone operation",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getlandingzonestatus": {
"name": "GetLandingZoneStatus",
"isPermissionOnly": true,
"description": "Grants permission to get the current status of the landing zone setup",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listbaselines": {
"name": "ListBaselines",
"description": "Grants permission to list Baselines",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listcontroloperations": {
"name": "ListControlOperations",
"description": "Grants permission to list all control operations",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listdirectorygroups": {
"name": "ListDirectoryGroups",
"isPermissionOnly": true,
"description": "Grants permission to list the current directory groups available through IAM Identity Center",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listdriftdetails": {
"name": "ListDriftDetails",
"description": "Grants permission to list occurrences of drift in AWS Control Tower",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listenabledbaselines": {
"name": "ListEnabledBaselines",
"description": "Grants permission to list enabled Baselines",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listenabledcontrols": {
"name": "ListEnabledControls",
"description": "Grants permission to list all enabled controls in a specified organizational unit",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listenabledguardrails": {
"name": "ListEnabledGuardrails",
"isPermissionOnly": true,
"description": "Grants permission to list currently enabled guardrails",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listextendgovernanceprecheckdetails": {
"name": "ListExtendGovernancePrecheckDetails",
"isPermissionOnly": true,
"description": "Grants permission to list Precheck details for an Organizational Unit",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listexternalconfigrulecompliance": {
"name": "ListExternalConfigRuleCompliance",
"description": "Grants permission to list the compliance of external AWS Config rules",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listguardrailviolations": {
"name": "ListGuardrailViolations",
"isPermissionOnly": true,
"description": "Grants permission to list existing guardrail violations",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listguardrails": {
"name": "ListGuardrails",
"isPermissionOnly": true,
"description": "Grants permission to list all available guardrails",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listguardrailsfortarget": {
"name": "ListGuardrailsForTarget",
"isPermissionOnly": true,
"description": "Grants permission to list guardrails and their current state for a organizational unit",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listlandingzoneoperations": {
"name": "ListLandingZoneOperations",
"description": "Grants permission to list all landing zone operations",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listlandingzones": {
"name": "ListLandingZones",
"description": "Grants permission to list all landing zones",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listmanagedaccounts": {
"name": "ListManagedAccounts",
"isPermissionOnly": true,
"description": "Grants permission to list accounts managed through AWS Control Tower",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listmanagedaccountsforguardrail": {
"name": "ListManagedAccountsForGuardrail",
"isPermissionOnly": true,
"description": "Grants permission to list managed accounts with a specified guardrail applied",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listmanagedaccountsforparent": {
"name": "ListManagedAccountsForParent",
"isPermissionOnly": true,
"description": "Grants permission to list managed accounts under an organizational unit",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listmanagedorganizationalunits": {
"name": "ListManagedOrganizationalUnits",
"isPermissionOnly": true,
"description": "Grants permission to list organizational units managed by AWS Control Tower",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listmanagedorganizationalunitsforguardrail": {
"name": "ListManagedOrganizationalUnitsForGuardrail",
"isPermissionOnly": true,
"description": "Grants permission to list managed organizational units that have a specified guardrail applied",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"listtagsforresource": {
"name": "ListTagsForResource",
"description": "Grants permission to list the tags for a resource",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "EnabledBaseline",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "EnabledControl",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "LandingZone",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"manageorganizationalunit": {
"name": "ManageOrganizationalUnit",
"isPermissionOnly": true,
"description": "Grants permission to set up an organizational unit to be managed by AWS Control Tower",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"performprelaunchchecks": {
"name": "PerformPreLaunchChecks",
"isPermissionOnly": true,
"description": "Grants permission to perform validations in an account",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"resetenabledbaseline": {
"name": "ResetEnabledBaseline",
"description": "Grants permission to reset an enabled Baseline",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "EnabledBaseline",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"resetenabledcontrol": {
"name": "ResetEnabledControl",
"description": "Grants permission to reset an enabled control for an organizational unit",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "EnabledControl",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"resetlandingzone": {
"name": "ResetLandingZone",
"description": "Grants permission to reset a landing zone",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "LandingZone",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"setuplandingzone": {
"name": "SetupLandingZone",
"isPermissionOnly": true,
"description": "Grants permission to set up or update AWS Control Tower landing zone",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"tagresource": {
"name": "TagResource",
"description": "Grants permission to add tags to a resource",
"accessLevel": "Tagging",
"resourceTypes": [
{
"name": "EnabledBaseline",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "EnabledControl",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "LandingZone",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"untagresource": {
"name": "UntagResource",
"description": "Grants permission to remove tags from a resource",
"accessLevel": "Tagging",
"resourceTypes": [
{
"name": "EnabledBaseline",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "EnabledControl",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "LandingZone",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:TagKeys"
],
"dependentActions": []
},
"updateaccountfactoryconfig": {
"name": "UpdateAccountFactoryConfig",
"isPermissionOnly": true,
"description": "Grants permission to update the account factory configuration",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"updateenabledbaseline": {
"name": "UpdateEnabledBaseline",
"description": "Grants permission to update an enabled Baseline",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "EnabledBaseline",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"updateenabledcontrol": {
"name": "UpdateEnabledControl",
"description": "Grants permission to update an enabled control for an organizational unit",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "EnabledControl",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"updatelandingzone": {
"name": "UpdateLandingZone",
"description": "Grants permission to update a landing zone",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "LandingZone",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
}
}