
@k9securityio/k9-cdk


Provision strong AWS security policies easily using the AWS CDK.

{ "Athena": { "administer-resource": [ "athena:CreateDataCatalog", "athena:CreateWorkGroup", "athena:DeleteDataCatalog", "athena:StopQueryExecution", "athena:UpdateDataCatalog", "athena:UpdateWorkGroup" ], "read-config": [ "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", "athena:GetDatabase", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetQueryExecution", "athena:GetTableMetadata", "athena:GetWorkGroup", "athena:ListDatabases", "athena:ListDataCatalogs", "athena:ListNamedQueries", "athena:ListQueryExecutions", "athena:ListTableMetadata", "athena:ListTagsForResource", "athena:ListWorkGroups" ], "read-data": [ "athena:GetQueryResults", "athena:GetQueryResultsStream" ], "write-data": [ "athena:CreateNamedQuery", "athena:DeleteNamedQuery", "athena:DeleteWorkGroup", "athena:StartQueryExecution", "athena:TagResource", "athena:UntagResource" ] }, "CloudTrail": { "administer-resource": [ "cloudtrail:AddTags", "cloudtrail:CreateTrail", "cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors", "cloudtrail:PutInsightSelectors", "cloudtrail:RemoveTags", "cloudtrail:StartLogging", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail" ], "delete-data": [ "cloudtrail:DeleteTrail" ], "read-config": [ "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetInsightSelectors", "cloudtrail:GetTrail", "cloudtrail:GetTrailStatus", "cloudtrail:ListPublicKeys", "cloudtrail:ListTags", "cloudtrail:ListTrails" ], "read-data": [ "cloudtrail:LookupEvents" ] }, "DynamoDB": { "administer-resource": [ "dynamodb:CreateBackup", "dynamodb:DeleteResourcePolicy", "dynamodb:DeleteTableReplica", "dynamodb:DisableKinesisStreamingDestination", "dynamodb:EnableKinesisStreamingDestination", "dynamodb:ExportTableToPointInTime", "dynamodb:PutResourcePolicy", "dynamodb:RestoreTableToPointInTime", "dynamodb:TagResource", "dynamodb:UntagResource", "dynamodb:UpdateContinuousBackups", "dynamodb:UpdateContributorInsights", "dynamodb:UpdateKinesisStreamingDestination", 
"dynamodb:UpdateTable", "dynamodb:UpdateTableReplicaAutoScaling", "dynamodb:UpdateTimeToLive" ], "delete-data": [ "dynamodb:DeleteItem", "dynamodb:DeleteTable", "dynamodb:DeleteTableReplica", "dynamodb:PartiQLDelete" ], "read-config": [ "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeContributorInsights", "dynamodb:DescribeExport", "dynamodb:DescribeKinesisStreamingDestination", "dynamodb:DescribeTable", "dynamodb:DescribeTableReplicaAutoScaling", "dynamodb:DescribeTimeToLive", "dynamodb:GetResourcePolicy", "dynamodb:ListTagsOfResource" ], "read-data": [ "dynamodb:BatchGetItem", "dynamodb:ConditionCheckItem", "dynamodb:GetItem", "dynamodb:PartiQLSelect", "dynamodb:Query", "dynamodb:Scan" ], "write-data": [ "dynamodb:BatchWriteItem", "dynamodb:PartiQLInsert", "dynamodb:PartiQLUpdate", "dynamodb:PutItem", "dynamodb:UpdateItem" ] }, "DynamoDB Accelerator (DAX)": { "administer-resource": [ "dax:CreateCluster", "dax:CreateParameterGroup", "dax:CreateSubnetGroup", "dax:DecreaseReplicationFactor", "dax:IncreaseReplicationFactor", "dax:RebootNode", "dax:TagResource", "dax:UntagResource", "dax:UpdateCluster", "dax:UpdateParameterGroup", "dax:UpdateSubnetGroup" ], "delete-data": [ "dax:DeleteCluster", "dax:DeleteItem", "dax:DeleteParameterGroup", "dax:DeleteSubnetGroup" ], "read-config": [ "dax:DescribeClusters", "dax:DescribeDefaultParameters", "dax:DescribeEvents", "dax:DescribeParameterGroups", "dax:DescribeParameters", "dax:DescribeSubnetGroups", "dax:ListTags" ], "read-data": [ "dax:BatchGetItem", "dax:ConditionCheckItem", "dax:GetItem", "dax:Query", "dax:Scan" ], "write-data": [ "dax:BatchWriteItem", "dax:PutItem", "dax:UpdateItem" ] }, "DynamoDB Streams": { "read-config": [ "dynamodbstreams:DescribeStream", "dynamodbstreams:ListStreams" ], "read-data": [ "dynamodbstreams:GetRecords", "dynamodbstreams:GetShardIterator" ] }, "IAM": { "administer-resource": [ "iam:AddRoleToInstanceProfile", "iam:AddUserToGroup", "iam:AttachGroupPolicy", "iam:AttachRolePolicy", 
"iam:AttachUserPolicy", "iam:ChangePassword", "iam:CreateAccessKey", "iam:CreateAccountAlias", "iam:CreateGroup", "iam:CreateInstanceProfile", "iam:CreateLoginProfile", "iam:CreateOpenIDConnectProvider", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateSAMLProvider", "iam:CreateServiceLinkedRole", "iam:CreateServiceSpecificCredential", "iam:CreateUser", "iam:CreateVirtualMFADevice", "iam:DeactivateMFADevice", "iam:DeleteAccessKey", "iam:DeleteAccountAlias", "iam:DeleteAccountPasswordPolicy", "iam:DeleteGroup", "iam:DeleteGroupPolicy", "iam:DeleteInstanceProfile", "iam:DeleteLoginProfile", "iam:DeleteOpenIDConnectProvider", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePermissionsBoundary", "iam:DeleteRolePolicy", "iam:DeleteSAMLProvider", "iam:DeleteServerCertificate", "iam:DeleteServiceLinkedRole", "iam:DeleteServiceSpecificCredential", "iam:DeleteSigningCertificate", "iam:DeleteSSHPublicKey", "iam:DeleteUser", "iam:DeleteUserPermissionsBoundary", "iam:DeleteUserPolicy", "iam:DeleteVirtualMFADevice", "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy", "iam:EnableMFADevice", "iam:PassRole", "iam:PutGroupPolicy", "iam:PutRolePermissionsBoundary", "iam:PutRolePolicy", "iam:PutUserPermissionsBoundary", "iam:PutUserPolicy", "iam:RemoveClientIDFromOpenIDConnectProvider", "iam:RemoveRoleFromInstanceProfile", "iam:RemoveUserFromGroup", "iam:ResetServiceSpecificCredential", "iam:ResyncMFADevice", "iam:SetDefaultPolicyVersion", "iam:SetSecurityTokenServicePreferences", "iam:UpdateAccessKey", "iam:UpdateAccountPasswordPolicy", "iam:UpdateAssumeRolePolicy", "iam:UpdateGroup", "iam:UpdateLoginProfile", "iam:UpdateOpenIDConnectProviderThumbprint", "iam:UpdateRole", "iam:UpdateRoleDescription", "iam:UpdateSAMLProvider", "iam:UpdateServerCertificate", "iam:UpdateServiceSpecificCredential", "iam:UpdateSigningCertificate", "iam:UpdateSSHPublicKey", "iam:UpdateUser", "iam:UploadServerCertificate", 
"iam:UploadSigningCertificate", "iam:UploadSSHPublicKey" ], "read-config": [ "iam:GetAccountAuthorizationDetails", "iam:GetAccountPasswordPolicy", "iam:GetContextKeysForCustomPolicy", "iam:GetContextKeysForPrincipalPolicy", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetInstanceProfile", "iam:GetLoginProfile", "iam:GetOpenIDConnectProvider", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetSAMLProvider", "iam:GetServerCertificate", "iam:GetSSHPublicKey", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAccessKeys", "iam:ListAccountAliases", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListMFADevices", "iam:ListOpenIDConnectProviders", "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListRoleTags", "iam:ListSAMLProviders", "iam:ListServerCertificates", "iam:ListServiceSpecificCredentials", "iam:ListSigningCertificates", "iam:ListSSHPublicKeys", "iam:ListUserPolicies", "iam:ListUsers", "iam:ListUserTags", "iam:ListVirtualMFADevices" ], "read-data": [ "iam:GenerateCredentialReport", "iam:GenerateOrganizationsAccessReport", "iam:GenerateServiceLastAccessedDetails", "iam:GetAccessKeyLastUsed", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetOrganizationsAccessReport", "iam:GetServiceLastAccessedDetails", "iam:GetServiceLastAccessedDetailsWithEntities", "iam:GetServiceLinkedRoleDeletionStatus", "iam:SimulateCustomPolicy", "iam:SimulatePrincipalPolicy" ], "write-data": [ "iam:AddClientIDToOpenIDConnectProvider", "iam:TagRole", "iam:TagUser", "iam:UntagRole", "iam:UntagUser" ] }, "KMS": { "administer-resource": [ "kms:CancelKeyDeletion", "kms:ConnectCustomKeyStore", "kms:CreateAlias", "kms:CreateCustomKeyStore", "kms:CreateGrant", 
"kms:CreateKey", "kms:DeleteAlias", "kms:DisableKey", "kms:DisableKeyRotation", "kms:DisconnectCustomKeyStore", "kms:EnableKey", "kms:EnableKeyRotation", "kms:PutKeyPolicy", "kms:RetireGrant", "kms:RevokeGrant", "kms:ScheduleKeyDeletion", "kms:TagResource", "kms:UntagResource", "kms:UpdateAlias", "kms:UpdateCustomKeyStore", "kms:UpdateKeyDescription" ], "delete-data": [ "kms:DeleteCustomKeyStore", "kms:DeleteImportedKeyMaterial" ], "read-config": [ "kms:DescribeCustomKeyStores", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:GetParametersForImport", "kms:GetPublicKey", "kms:ListAliases", "kms:ListGrants", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListResourceTags", "kms:ListRetirableGrants" ], "read-data": [ "kms:Decrypt", "kms:Verify" ], "write-data": [ "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:GenerateDataKeyWithoutPlaintext", "kms:GenerateRandom", "kms:ImportKeyMaterial", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:Sign" ] }, "RDS": { "administer-resource": [ "rds:AddRoleToDBCluster", "rds:AddRoleToDBInstance", "rds:AddSourceIdentifierToSubscription", "rds:AddTagsToResource", "rds:ApplyPendingMaintenanceAction", "rds:AuthorizeDBSecurityGroupIngress", "rds:BacktrackDBCluster", "rds:CopyDBClusterParameterGroup", "rds:CopyDBClusterSnapshot", "rds:CopyDBParameterGroup", "rds:CopyDBSnapshot", "rds:CopyOptionGroup", "rds:CreateDBCluster", "rds:CreateDBClusterEndpoint", "rds:CreateDBClusterParameterGroup", "rds:CreateDBClusterSnapshot", "rds:CreateDBInstance", "rds:CreateDBInstanceReadReplica", "rds:CreateDBParameterGroup", "rds:CreateDBProxy", "rds:CreateDBSecurityGroup", "rds:CreateDBSnapshot", "rds:CreateDBSubnetGroup", "rds:CreateEventSubscription", "rds:CreateGlobalCluster", "rds:CreateOptionGroup", "rds:DeleteDBCluster", "rds:DeleteDBClusterEndpoint", "rds:DeleteDBClusterParameterGroup", "rds:DeleteDBInstance", "rds:DeleteDBParameterGroup", "rds:DeleteDBProxy", 
"rds:DeleteDBSecurityGroup", "rds:DeleteDBSubnetGroup", "rds:DeleteEventSubscription", "rds:DeleteGlobalCluster", "rds:DeregisterDBProxyTargets", "rds:FailoverDBCluster", "rds:ModifyCurrentDBClusterCapacity", "rds:ModifyDBCluster", "rds:ModifyDBClusterEndpoint", "rds:ModifyDBClusterParameterGroup", "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBInstance", "rds:ModifyDBParameterGroup", "rds:ModifyDBProxy", "rds:ModifyDBProxyTargetGroup", "rds:ModifyDBSnapshot", "rds:ModifyDBSnapshotAttribute", "rds:ModifyDBSubnetGroup", "rds:ModifyEventSubscription", "rds:ModifyGlobalCluster", "rds:ModifyOptionGroup", "rds:PromoteReadReplica", "rds:PromoteReadReplicaDBCluster", "rds:PurchaseReservedDBInstancesOffering", "rds:RebootDBInstance", "rds:RegisterDBProxyTargets", "rds:RemoveFromGlobalCluster", "rds:RemoveRoleFromDBCluster", "rds:RemoveRoleFromDBInstance", "rds:RemoveSourceIdentifierFromSubscription", "rds:RemoveTagsFromResource", "rds:ResetDBClusterParameterGroup", "rds:ResetDBParameterGroup", "rds:RestoreDBClusterFromS3", "rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBClusterToPointInTime", "rds:RestoreDBInstanceFromDBSnapshot", "rds:RestoreDBInstanceFromS3", "rds:RestoreDBInstanceToPointInTime", "rds:RevokeDBSecurityGroupIngress", "rds:StartActivityStream", "rds:StartDBCluster", "rds:StartDBInstance", "rds:StopActivityStream", "rds:StopDBCluster", "rds:StopDBInstance" ], "delete-data": [ "rds:DeleteDBCluster", "rds:DeleteDBClusterSnapshot", "rds:DeleteDBInstance", "rds:DeleteDBInstanceAutomatedBackup", "rds:DeleteDBSnapshot", "rds:DeleteGlobalCluster", "rds:DeleteOptionGroup" ], "read-config": [ "rds:DescribeAccountAttributes", "rds:DescribeCertificates", "rds:DescribeDBClusterBacktracks", "rds:DescribeDBClusterEndpoints", "rds:DescribeDBClusterParameterGroups", "rds:DescribeDBClusterParameters", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBEngineVersions", 
"rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", "rds:DescribeDBLogFiles", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBProxies", "rds:DescribeDBProxyTargetGroups", "rds:DescribeDBProxyTargets", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", "rds:DescribeEngineDefaultClusterParameters", "rds:DescribeEngineDefaultParameters", "rds:DescribeEventCategories", "rds:DescribeEvents", "rds:DescribeEventSubscriptions", "rds:DescribeExportTasks", "rds:DescribeGlobalClusters", "rds:DescribeOptionGroupOptions", "rds:DescribeOptionGroups", "rds:DescribeOrderableDBInstanceOptions", "rds:DescribePendingMaintenanceActions", "rds:DescribeReservedDBInstances", "rds:DescribeReservedDBInstancesOfferings", "rds:DescribeSourceRegions", "rds:DescribeValidDBInstanceModifications", "rds:ListTagsForResource" ], "read-data": [ "rds:CrossRegionCommunication", "rds:DownloadCompleteDBLogFile", "rds:DownloadDBLogFilePortion", "rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBInstanceFromDBSnapshot" ], "write-data": [ "rds:CancelExportTask", "rds:CreateDBClusterSnapshot", "rds:CreateDBSnapshot", "rds:CrossRegionCommunication", "rds:StartExportTask" ] }, "RDS Data": { "write-data": [ "rds-data:BatchExecuteStatement", "rds-data:BeginTransaction", "rds-data:CommitTransaction", "rds-data:ExecuteSql", "rds-data:ExecuteStatement", "rds-data:RollbackTransaction" ] }, "RDS DB": { "use-resource": [ "rds-db:connect" ] }, "Redshift": { "administer-resource": [ "redshift:AcceptReservedNodeExchange", "redshift:AuthorizeClusterSecurityGroupIngress", "redshift:AuthorizeSnapshotAccess", "redshift:BatchDeleteClusterSnapshots", "redshift:BatchModifyClusterSnapshots", "redshift:CancelQuerySession", "redshift:CancelResize", "redshift:CopyClusterSnapshot", "redshift:CreateCluster", "redshift:CreateClusterParameterGroup", "redshift:CreateClusterSecurityGroup", 
"redshift:CreateClusterSnapshot", "redshift:CreateClusterSubnetGroup", "redshift:CreateClusterUser", "redshift:CreateEventSubscription", "redshift:CreateHsmClientCertificate", "redshift:CreateHsmConfiguration", "redshift:CreateSnapshotCopyGrant", "redshift:CreateSnapshotSchedule", "redshift:DeleteCluster", "redshift:DeleteClusterParameterGroup", "redshift:DeleteClusterSecurityGroup", "redshift:DeleteClusterSnapshot", "redshift:DeleteClusterSubnetGroup", "redshift:DeleteEventSubscription", "redshift:DeleteHsmClientCertificate", "redshift:DeleteHsmConfiguration", "redshift:DeleteSnapshotCopyGrant", "redshift:DeleteSnapshotSchedule", "redshift:DisableLogging", "redshift:DisableSnapshotCopy", "redshift:EnableLogging", "redshift:EnableSnapshotCopy", "redshift:JoinGroup", "redshift:ModifyCluster", "redshift:ModifyClusterDbRevision", "redshift:ModifyClusterIamRoles", "redshift:ModifyClusterMaintenance", "redshift:ModifyClusterParameterGroup", "redshift:ModifyClusterSnapshot", "redshift:ModifyClusterSnapshotSchedule", "redshift:ModifyClusterSubnetGroup", "redshift:ModifyEventSubscription", "redshift:ModifyScheduledAction", "redshift:ModifySnapshotCopyRetentionPeriod", "redshift:ModifySnapshotSchedule", "redshift:PauseCluster", "redshift:PurchaseReservedNodeOffering", "redshift:RebootCluster", "redshift:ResetClusterParameterGroup", "redshift:ResizeCluster", "redshift:RestoreFromClusterSnapshot", "redshift:RestoreTableFromClusterSnapshot", "redshift:ResumeCluster", "redshift:RevokeClusterSecurityGroupIngress", "redshift:RevokeSnapshotAccess", "redshift:RotateEncryptionKey" ], "delete-data": [ "redshift:BatchDeleteClusterSnapshots", "redshift:DeleteCluster", "redshift:DeleteClusterSnapshot" ], "read-config": [ "redshift:DescribeAccountAttributes", "redshift:DescribeClusterDbRevisions", "redshift:DescribeClusterParameterGroups", "redshift:DescribeClusterParameters", "redshift:DescribeClusters", "redshift:DescribeClusterSecurityGroups", "redshift:DescribeClusterSnapshots", 
"redshift:DescribeClusterSubnetGroups", "redshift:DescribeClusterTracks", "redshift:DescribeClusterVersions", "redshift:DescribeDefaultClusterParameters", "redshift:DescribeEventCategories", "redshift:DescribeEvents", "redshift:DescribeEventSubscriptions", "redshift:DescribeHsmClientCertificates", "redshift:DescribeHsmConfigurations", "redshift:DescribeLoggingStatus", "redshift:DescribeNodeConfigurationOptions", "redshift:DescribeOrderableClusterOptions", "redshift:DescribeQuery", "redshift:DescribeReservedNodeOfferings", "redshift:DescribeReservedNodes", "redshift:DescribeResize", "redshift:DescribeSavedQueries", "redshift:DescribeScheduledActions", "redshift:DescribeSnapshotCopyGrants", "redshift:DescribeSnapshotSchedules", "redshift:DescribeStorage", "redshift:DescribeTable", "redshift:DescribeTableRestoreStatus", "redshift:DescribeTags", "redshift:GetReservedNodeExchangeOfferings", "redshift:ListDatabases", "redshift:ListSavedQueries", "redshift:ListSchemas", "redshift:ListTables" ], "read-data": [ "redshift:FetchResults", "redshift:ViewQueriesFromConsole" ], "use-resource": [ "redshift:GetClusterCredentials" ], "write-data": [ "redshift:CancelQuery", "redshift:CopyClusterSnapshot", "redshift:CreateSavedQuery", "redshift:CreateScheduledAction", "redshift:CreateTags", "redshift:DeleteSavedQueries", "redshift:DeleteScheduledAction", "redshift:DeleteTags", "redshift:ExecuteQuery", "redshift:ModifySavedQuery", "redshift:ViewQueriesInConsole" ] }, "S3": { "administer-resource": [ "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite", "s3:ObjectOwnerOverrideToBucketOwner", "s3:PutAccelerateConfiguration", "s3:PutAnalyticsConfiguration", "s3:PutBucketAcl", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketNotification", "s3:PutBucketObjectLockConfiguration", "s3:PutBucketOwnershipControls", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketRequestPayment", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutBucketWebsite", 
"s3:PutEncryptionConfiguration", "s3:PutIntelligentTieringConfiguration", "s3:PutInventoryConfiguration", "s3:PutLifecycleConfiguration", "s3:PutMetricsConfiguration", "s3:PutObjectAcl", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectVersionAcl", "s3:PutReplicationConfiguration" ], "delete-data": [ "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion", "s3:DeleteObjectVersionTagging" ], "read-config": [ "s3:GetAccelerateConfiguration", "s3:GetAnalyticsConfiguration", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketOwnershipControls", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetIntelligentTieringConfiguration", "s3:GetInventoryConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetObjectAcl", "s3:GetObjectAttributes", "s3:GetObjectLegalHold", "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectVersionAcl", "s3:GetObjectVersionAttributes", "s3:GetObjectVersionTagging", "s3:GetReplicationConfiguration", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions", "s3:ListMultipartUploadParts" ], "read-data": [ "s3:GetObject", "s3:GetObjectTorrent", "s3:GetObjectVersion", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionTorrent", "s3:ListBucket" ], "write-data": [ "s3:AbortMultipartUpload", "s3:InitiateReplication", "s3:PutBucketTagging", "s3:PutObject", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:ReplicateDelete", "s3:ReplicateObject", "s3:ReplicateTags", "s3:RestoreObject" ] }, "SQS": { "administer-resource": [ "sqs:AddPermission", "sqs:CancelMessageMoveTask", "sqs:CreateQueue", "sqs:DeleteQueue", "sqs:PurgeQueue", "sqs:RemovePermission", "sqs:SetQueueAttributes", 
"sqs:StartMessageMoveTask", "sqs:TagQueue", "sqs:UntagQueue" ], "delete-data": [ "sqs:DeleteMessage", "sqs:DeleteQueue", "sqs:PurgeQueue" ], "read-config": [ "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListDeadLetterSourceQueues", "sqs:ListMessageMoveTasks", "sqs:ListQueues", "sqs:ListQueueTags" ], "read-data": [ "sqs:ReceiveMessage" ], "write-data": [ "sqs:ChangeMessageVisibility", "sqs:SendMessage" ] }, "STS": { "read-data": [ "sts:GetAccessKeyInfo", "sts:GetCallerIdentity", "sts:GetFederationToken", "sts:GetServiceBearerToken", "sts:GetSessionToken" ], "use-resource": [ "sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity" ], "write-data": [ "sts:DecodeAuthorizationMessage", "sts:TagSession" ] } }