cdk-iam-floyd
AWS IAM policy statement generator with fluent interface for AWS CDK
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.AwsManagedPolicy = void 0;
/**
 * Provides names of all AWS managed policies.
 *
 * The class body is empty; every policy name is attached afterwards as a
 * static string property (`AwsManagedPolicy.<Name> = '<value>'`).
 * Some values carry a path prefix (`service-role/` or `aws-service-role/`)
 * in front of the policy name, the others are the bare name, so a value is
 * not always identical to its property name.
 *
 * NOTE(review): the values look intended for AWS CDK's
 * `iam.ManagedPolicy.fromAwsManagedPolicyName()` - confirm against the
 * package documentation.
 * NOTE(review): the constants are plain writable properties; nothing in the
 * visible part of the file freezes the class, so any module that imports it
 * can reassign a name. Confirm whether the remainder of the file does.
 */
class AwsManagedPolicy {
}
exports.AwsManagedPolicy = AwsManagedPolicy;
/** Allow Access Analyzer to analyze resource metadata */
AwsManagedPolicy.AccessAnalyzerServiceRolePolicy = 'aws-service-role/AccessAnalyzerServiceRolePolicy';
/**
 * Provides full access to AWS services and resources.
 *
 * NOTE(review): per the description this is unrestricted access. A role or
 * user holding it is an account-level credential, so for workload, CI and
 * automation roles prefer a policy scoped to the actions and resources
 * actually needed, and review any stack that references this constant.
 */
AwsManagedPolicy.AdministratorAccess = 'AdministratorAccess';
/**
 * Grants account administrative permissions while explicitly allowing direct access to resources needed by Amplify applications.
 *
 * NOTE(review): despite the service suffix, the description states account
 * administrative permissions; review it as you would AdministratorAccess.
 */
AwsManagedPolicy.AdministratorAccessAmplify = 'AdministratorAccess-Amplify';
/**
 * Grants account administrative permissions. Explicitly allows developers and administrators to gain direct access to resources they need to manage AWS Elastic Beanstalk applications
 *
 * NOTE(review): despite the service suffix, the description states account
 * administrative permissions; review it as you would AdministratorAccess.
 */
AwsManagedPolicy.AdministratorAccessAWSElasticBeanstalk = 'AdministratorAccess-AWSElasticBeanstalk';
/** Provides ReadOnly permissions required by the Amazon AI Operations Assistant to do analysis on customer AWS resources during investigations. */
AwsManagedPolicy.AIOpsAssistantPolicy = 'AIOpsAssistantPolicy';
/** Grants full access to Amazon AI Operations service and its required permissions via AWS console. It also includes permissions to use identity-aware console sessions. */
AwsManagedPolicy.AIOpsConsoleAdminPolicy = 'AIOpsConsoleAdminPolicy';
/** Grants access to the Amazon AI Operations APIs for creating, updating, and deleting investigations, investigation events, and investigation resources. It also includes ReadOnly access to all AI Operations APIs and to use identity-aware sessions. */
AwsManagedPolicy.AIOpsOperatorAccess = 'AIOpsOperatorAccess';
/** Grants ReadOnly permissions to the Amazon AI Operations service and its required resources. */
AwsManagedPolicy.AIOpsReadOnlyAccess = 'AIOpsReadOnlyAccess';
/** Provide device setup access to AlexaForBusiness services */
AwsManagedPolicy.AlexaForBusinessDeviceSetup = 'AlexaForBusinessDeviceSetup';
/** Grants full access to AlexaForBusiness resources and access to related AWS Services */
AwsManagedPolicy.AlexaForBusinessFullAccess = 'AlexaForBusinessFullAccess';
/** Provide gateway execution access to AlexaForBusiness services */
AwsManagedPolicy.AlexaForBusinessGatewayExecution = 'AlexaForBusinessGatewayExecution';
/** Provide access to Lifesize AVS devices */
AwsManagedPolicy.AlexaForBusinessLifesizeDelegatedAccessPolicy = 'AlexaForBusinessLifesizeDelegatedAccessPolicy';
/** This policy enables Alexa for Business to perform automated tasks scheduled by your network profiles. */
AwsManagedPolicy.AlexaForBusinessNetworkProfileServicePolicy = 'aws-service-role/AlexaForBusinessNetworkProfileServicePolicy';
/** Provide access to Poly AVS devices */
AwsManagedPolicy.AlexaForBusinessPolyDelegatedAccessPolicy = 'AlexaForBusinessPolyDelegatedAccessPolicy';
/** Provide read only access to AlexaForBusiness services */
AwsManagedPolicy.AlexaForBusinessReadOnlyAccess = 'AlexaForBusinessReadOnlyAccess';
/** Provides full access to create/edit/delete APIs in Amazon API Gateway via the AWS Management Console. */
AwsManagedPolicy.AmazonAPIGatewayAdministrator = 'AmazonAPIGatewayAdministrator';
/** Provides full access to invoke APIs in Amazon API Gateway. */
AwsManagedPolicy.AmazonAPIGatewayInvokeFullAccess = 'AmazonAPIGatewayInvokeFullAccess';
/** Allows API Gateway to push logs to user's account. */
AwsManagedPolicy.AmazonAPIGatewayPushToCloudWatchLogs = 'service-role/AmazonAPIGatewayPushToCloudWatchLogs';
/** Provides full access to Amazon AppFlow and access to AWS services supported as flow source or destination (S3 and Redshift). Also provides access to KMS for encryption */
AwsManagedPolicy.AmazonAppFlowFullAccess = 'AmazonAppFlowFullAccess';
/** Provides read only access to Amazon Appflow flows */
AwsManagedPolicy.AmazonAppFlowReadOnlyAccess = 'AmazonAppFlowReadOnlyAccess';
/** Provides full access to Amazon AppStream via the AWS Management Console. */
AwsManagedPolicy.AmazonAppStreamFullAccess = 'AmazonAppStreamFullAccess';
/** Amazon AppStream 2.0 access to AWS Certificate Manager Private CA in customer accounts for certificate-based authentication */
AwsManagedPolicy.AmazonAppStreamPCAAccess = 'service-role/AmazonAppStreamPCAAccess';
/** Provides read only access to Amazon AppStream via the AWS Management Console. */
AwsManagedPolicy.AmazonAppStreamReadOnlyAccess = 'AmazonAppStreamReadOnlyAccess';
/** Default policy for Amazon AppStream service role. */
AwsManagedPolicy.AmazonAppStreamServiceAccess = 'service-role/AmazonAppStreamServiceAccess';
/** Provide full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. */
AwsManagedPolicy.AmazonAthenaFullAccess = 'AmazonAthenaFullAccess';
/** Provides access to perform all operations on Amazon Augmented AI resources, including FlowDefinitions, HumanTaskUis and HumanLoops. Does not allow access for creating FlowDefinitions against the public-crowd Workteam. */
AwsManagedPolicy.AmazonAugmentedAIFullAccess = 'AmazonAugmentedAIFullAccess';
/** Provides access to perform all operations on HumanLoops. */
AwsManagedPolicy.AmazonAugmentedAIHumanLoopFullAccess = 'AmazonAugmentedAIHumanLoopFullAccess';
/**
 * Provides access to perform all operations on Amazon Augmented AI resources, including FlowDefinitions, HumanTaskUis and HumanLoops. Also provides access to those operations of services that are integrated with Amazon Augmented AI.
 *
 * NOTE(review): per the description the grant extends to operations of the
 * integrated services, not only Augmented AI itself; check the policy
 * document for which services those are before attaching it.
 */
AwsManagedPolicy.AmazonAugmentedAIIntegratedAPIAccess = 'AmazonAugmentedAIIntegratedAPIAccess';
/** Provides console full administrative access to Aurora DSQL */
AwsManagedPolicy.AmazonAuroraDSQLConsoleFullAccess = 'AmazonAuroraDSQLConsoleFullAccess';
/** Provides full administrative access to Aurora DSQL */
AwsManagedPolicy.AmazonAuroraDSQLFullAccess = 'AmazonAuroraDSQLFullAccess';
/** Provides read only access to Aurora DSQL */
AwsManagedPolicy.AmazonAuroraDSQLReadOnlyAccess = 'AmazonAuroraDSQLReadOnlyAccess';
/** Provides full access to Amazon Bedrock as well as limited access to related services that are required by it */
AwsManagedPolicy.AmazonBedrockFullAccess = 'AmazonBedrockFullAccess';
/** Provides read only access to Amazon Bedrock */
AwsManagedPolicy.AmazonBedrockReadOnly = 'AmazonBedrockReadOnly';
/**
 * Defines the maximum permissions of IAM roles that Amazon Bedrock Studio creates for operating Amazon Bedrock Studio resources.
 *
 * NOTE(review): the description presents this as a permissions boundary,
 * i.e. a ceiling on what a role's other policies can allow rather than a
 * grant. Use it as a boundary, not as a role's permissions policy.
 */
AwsManagedPolicy.AmazonBedrockStudioPermissionsBoundary = 'AmazonBedrockStudioPermissionsBoundary';
/** Provides full access to Amazon Braket via the AWS Management Console and SDK. Also provides access to related services (e.g., S3, logs). */
AwsManagedPolicy.AmazonBraketFullAccess = 'AmazonBraketFullAccess';
/** Grants access to AWS Services and resources necessary for executing an Amazon Braket Job including S3, Cloudwatch, IAM and Braket */
AwsManagedPolicy.AmazonBraketJobsExecutionPolicy = 'AmazonBraketJobsExecutionPolicy';
/** Allows Amazon Braket to create and manage AWS resources on your behalf */
AwsManagedPolicy.AmazonBraketServiceRolePolicy = 'aws-service-role/AmazonBraketServiceRolePolicy';
/** Provides full access to Amazon Chime Admin Console via the AWS Management Console. */
AwsManagedPolicy.AmazonChimeFullAccess = 'AmazonChimeFullAccess';
/** Provides read only access to Amazon Chime Admin Console via the AWS Management Console. */
AwsManagedPolicy.AmazonChimeReadOnly = 'AmazonChimeReadOnly';
/** Provides access to Amazon Chime SDK operations */
AwsManagedPolicy.AmazonChimeSDK = 'AmazonChimeSDK';
/** Managed Policy For Amazon Chime SDK MediaPipelines Service Linked Role */
AwsManagedPolicy.AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy = 'aws-service-role/AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy';
/** Allows Amazon Chime SDK Messaging to access AWS resources and enable messaging functionality */
AwsManagedPolicy.AmazonChimeSDKMessagingServiceRolePolicy = 'aws-service-role/AmazonChimeSDKMessagingServiceRolePolicy';
/** Enables access to AWS Resources used or managed by Amazon Chime */
AwsManagedPolicy.AmazonChimeServiceRolePolicy = 'aws-service-role/AmazonChimeServiceRolePolicy';
/** Allows Amazon Chime to access Amazon Transcribe and Amazon Transcribe Medical on your behalf */
AwsManagedPolicy.AmazonChimeTranscriptionServiceLinkedRolePolicy = 'aws-service-role/AmazonChimeTranscriptionServiceLinkedRolePolicy';
/** Provides user management access to Amazon Chime Admin Console via the AWS Management Console. */
AwsManagedPolicy.AmazonChimeUserManagement = 'AmazonChimeUserManagement';
/** Managed policy for Service Linked Role for Amazon Chime VoiceConnector */
AwsManagedPolicy.AmazonChimeVoiceConnectorServiceLinkedRolePolicy = 'aws-service-role/AmazonChimeVoiceConnectorServiceLinkedRolePolicy';
/** Provides full access to Amazon Cloud Directory Service. */
AwsManagedPolicy.AmazonCloudDirectoryFullAccess = 'AmazonCloudDirectoryFullAccess';
/** Provides read only access to Amazon Cloud Directory Service. */
AwsManagedPolicy.AmazonCloudDirectoryReadOnlyAccess = 'AmazonCloudDirectoryReadOnlyAccess';
/**
 * Provides full access to Amazon CloudWatch Evidently. Also provides access to related Amazon S3, Amazon SNS, Amazon CloudWatch, and other related services.
 *
 * NOTE(review): the grant reaches beyond Evidently (S3, SNS, CloudWatch and
 * unnamed "other related services" per the description); read the policy
 * document before treating this as an Evidently-only permission.
 */
AwsManagedPolicy.AmazonCloudWatchEvidentlyFullAccess = 'AmazonCloudWatchEvidentlyFullAccess';
/** Provides read only access to Amazon CloudWatch Evidently */
AwsManagedPolicy.AmazonCloudWatchEvidentlyReadOnlyAccess = 'AmazonCloudWatchEvidentlyReadOnlyAccess';
/** Allows CloudWatch Evidently Service to manage associated AWS Resources on behalf of the customer */
AwsManagedPolicy.AmazonCloudWatchEvidentlyServiceRolePolicy = 'aws-service-role/AmazonCloudWatchEvidentlyServiceRolePolicy';
/** Grants full access permissions for the Amazon CloudWatch RUM service */
AwsManagedPolicy.AmazonCloudWatchRUMFullAccess = 'AmazonCloudWatchRUMFullAccess';
/** Grants read only permissions for the Amazon CloudWatch RUM service */
AwsManagedPolicy.AmazonCloudWatchRUMReadOnlyAccess = 'AmazonCloudWatchRUMReadOnlyAccess';
/** Grants permission to Amazon CloudWatch RUM Service to publish monitoring data to other relevant AWS services */
AwsManagedPolicy.AmazonCloudWatchRUMServiceRolePolicy = 'aws-service-role/AmazonCloudWatchRUMServiceRolePolicy';
/** Provides full access to Amazon CodeCatalyst */
AwsManagedPolicy.AmazonCodeCatalystFullAccess = 'AmazonCodeCatalystFullAccess';
/** Provides read only access to Amazon CodeCatalyst */
AwsManagedPolicy.AmazonCodeCatalystReadOnlyAccess = 'AmazonCodeCatalystReadOnlyAccess';
/** Allows Amazon CodeCatalyst to create, update, and resolve AWS Support cases on your behalf. */
AwsManagedPolicy.AmazonCodeCatalystSupportAccess = 'service-role/AmazonCodeCatalystSupportAccess';
/** Provides access required by Amazon CodeGuru Profiler agent. */
AwsManagedPolicy.AmazonCodeGuruProfilerAgentAccess = 'AmazonCodeGuruProfilerAgentAccess';
/** Provides full access to Amazon CodeGuru Profiler. */
AwsManagedPolicy.AmazonCodeGuruProfilerFullAccess = 'AmazonCodeGuruProfilerFullAccess';
/** Provides read only access to Amazon CodeGuru Profiler. */
AwsManagedPolicy.AmazonCodeGuruProfilerReadOnlyAccess = 'AmazonCodeGuruProfilerReadOnlyAccess';
/** Grants full access to Amazon CodeGuru Reviewer and scoped access to required dependencies. */
AwsManagedPolicy.AmazonCodeGuruReviewerFullAccess = 'AmazonCodeGuruReviewerFullAccess';
/** Provides read only access to Amazon CodeGuru Reviewer. */
AwsManagedPolicy.AmazonCodeGuruReviewerReadOnlyAccess = 'AmazonCodeGuruReviewerReadOnlyAccess';
/** A service-linked role required for Amazon CodeGuru Reviewer to access resources on your behalf. */
AwsManagedPolicy.AmazonCodeGuruReviewerServiceRolePolicy = 'aws-service-role/AmazonCodeGuruReviewerServiceRolePolicy';
/** Provides full access to Amazon CodeGuru Security. */
AwsManagedPolicy.AmazonCodeGuruSecurityFullAccess = 'AmazonCodeGuruSecurityFullAccess';
/** Provides access required for working with Amazon CodeGuru Security scans. */
AwsManagedPolicy.AmazonCodeGuruSecurityScanAccess = 'AmazonCodeGuruSecurityScanAccess';
/** Provides access to Amazon Cognito APIs to support developer authenticated identities from your authentication backend. */
AwsManagedPolicy.AmazonCognitoDeveloperAuthenticatedIdentities = 'AmazonCognitoDeveloperAuthenticatedIdentities';
/** Allows Amazon Cognito User Pools service to use your SES identities for email sending */
AwsManagedPolicy.AmazonCognitoIdpEmailServiceRolePolicy = 'aws-service-role/AmazonCognitoIdpEmailServiceRolePolicy';
/** Enables access to AWS Services and Resources used or managed by Amazon Cognito User Pools */
AwsManagedPolicy.AmazonCognitoIdpServiceRolePolicy = 'aws-service-role/AmazonCognitoIdpServiceRolePolicy';
/** Provides administrative access to existing Amazon Cognito resources. You will need AWS account admin privileges to create new Cognito resources. */
AwsManagedPolicy.AmazonCognitoPowerUser = 'AmazonCognitoPowerUser';
/** Provides read only access to Amazon Cognito resources. */
AwsManagedPolicy.AmazonCognitoReadOnly = 'AmazonCognitoReadOnly';
/**
 * This policy defines the set of permissions allowed for unauthenticated
 * identities for Cognito Identity Pools. This policy is not intended to be
 * used as a stand alone permission policy. It is used as a guardrail against
 * overly permissive policies attached for roles in an identity pool. Do not
 * attach this policy to any roles, as Cognito Identity Service will
 * automatically include it as a scoped down policy when creating credentials.
 * The privileges to temporarily access other AWS resources through the
 * enhanced flow will now be defined by the intersection of the role
 * associated with the identity of the unauthenticated user provided by a
 * service, and the privileges given in this managed policy that is owned by
 * Cognito.
 *
 * NOTE(review): the constant exists for completeness; per the description
 * above it should not appear in a role's list of attached managed policies.
 */
AwsManagedPolicy.AmazonCognitoUnAuthedIdentitiesSessionPolicy = 'AmazonCognitoUnAuthedIdentitiesSessionPolicy';
/**
 * This policy defines the set of permissions allowed for unauthenticated
 * identities for Cognito Identity Pools. This does not need to be attached to
 * your unauth role, as Cognito Identity Service will automatically include it
 * as a scoped down policy when creating credentials. The privileges to
 * temporarily access other AWS resources through the enhanced flow will now
 * be defined by the intersection of the role associated with the identity of
 * the unauthenticated user provided by a service, and the privileges given in
 * this managed policy that is owned by Cognito.
 *
 * NOTE(review): because the effective permissions are an intersection, the
 * unauthenticated role itself still has to be kept narrow; this policy only
 * caps it.
 */
AwsManagedPolicy.AmazonCognitoUnauthenticatedIdentities = 'AmazonCognitoUnauthenticatedIdentities';
/** The purpose of this policy is to grant permissions to AWS Connect users required to use Connect resources. This policy provides full access to AWS Connect resources via the Connect Console and public APIs */
AwsManagedPolicy.AmazonConnectFullAccess = 'AmazonConnect_FullAccess';
/** Policy for Amazon Connect Campaigns service linked role */
AwsManagedPolicy.AmazonConnectCampaignsServiceLinkedRolePolicy = 'aws-service-role/AmazonConnectCampaignsServiceLinkedRolePolicy';
/** Grants permission to view the Amazon Connect instances in your AWS account. */
AwsManagedPolicy.AmazonConnectReadOnlyAccess = 'AmazonConnectReadOnlyAccess';
/** Allows Amazon Connect to create and manage AWS resources on your behalf. */
AwsManagedPolicy.AmazonConnectServiceLinkedRolePolicy = 'aws-service-role/AmazonConnectServiceLinkedRolePolicy';
/** Allows Amazon Connect to synchronize AWS resources across regions on your behalf. */
AwsManagedPolicy.AmazonConnectSynchronizationServiceRolePolicy = 'aws-service-role/AmazonConnectSynchronizationServiceRolePolicy';
/** Provides full access to Amazon Connect Voice ID */
AwsManagedPolicy.AmazonConnectVoiceIDFullAccess = 'AmazonConnectVoiceIDFullAccess';
/** Provides permissions to consume Amazon Bedrock models, including invoking Amazon Bedrock application inference profile created for particular Amazon DataZone domain. */
AwsManagedPolicy.AmazonDataZoneBedrockModelConsumptionPolicy = 'service-role/AmazonDataZoneBedrockModelConsumptionPolicy';
/** Provides permissions to manage Amazon Bedrock model access, including creating, tagging and deleting application inference profiles. */
AwsManagedPolicy.AmazonDataZoneBedrockModelManagementPolicy = 'service-role/AmazonDataZoneBedrockModelManagementPolicy';
/** Default policy for the Amazon DataZone's DomainExecutionRole service role. This role is used by Amazon DataZone to catalog, discover, govern, share, and analyze data in the Amazon DataZone domain. */
AwsManagedPolicy.AmazonDataZoneDomainExecutionRolePolicy = 'service-role/AmazonDataZoneDomainExecutionRolePolicy';
/** Amazon DataZone creates IAM roles for Environments to perform data analytics actions, and uses this policy when creating these roles to define the boundary of their permissions. */
AwsManagedPolicy.AmazonDataZoneEnvironmentRolePermissionsBoundary = 'AmazonDataZoneEnvironmentRolePermissionsBoundary';
/** Provides full access to Amazon DataZone via the AWS Management Console as well as limited access to related services that are required by it. */
AwsManagedPolicy.AmazonDataZoneFullAccess = 'AmazonDataZoneFullAccess';
/** Provides full access to Amazon DataZone, but does not allow the management of domains, users, or associated accounts. */
AwsManagedPolicy.AmazonDataZoneFullUserAccess = 'AmazonDataZoneFullUserAccess';
/** The policy grants permissions to allow Amazon DataZone to enable publishing and access grants to data. */
AwsManagedPolicy.AmazonDataZoneGlueManageAccessRolePolicy = 'service-role/AmazonDataZoneGlueManageAccessRolePolicy';
/** Amazon DataZone is a data management service that enables you to catalog, discover, govern, share, and analyze your data. With Amazon DataZone, you can share and access your data across accounts and supported regions. Amazon DataZone simplifies your experience across AWS services, including, but not limited to, Amazon Redshift, Amazon Athena, AWS Glue, and AWS Lake Formation. */
AwsManagedPolicy.AmazonDataZoneRedshiftGlueProvisioningPolicy = 'AmazonDataZoneRedshiftGlueProvisioningPolicy';
/** This policy gives Amazon DataZone permissions to publish Amazon Redshift data to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to Amazon Redshift or Amazon Redshift Serverless published assets in the catalog. */
AwsManagedPolicy.AmazonDataZoneRedshiftManageAccessRolePolicy = 'service-role/AmazonDataZoneRedshiftManageAccessRolePolicy';
/** The AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary policy is the list of permissions that are permitted on an execution role created in a SageMaker environment provisioned by Amazon DataZone. */
AwsManagedPolicy.AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary = 'AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary';
/** The AmazonDataZoneSageMakerManageAccessRolePolicy policy grants Amazon DataZone the permissions required to grant user access to various resources in the SageMaker environment. */
AwsManagedPolicy.AmazonDataZoneSageMakerManageAccessRolePolicy = 'AmazonDataZoneSageMakerManageAccessRolePolicy';
/** The AmazonDataZoneSageMakerProvisioningRolePolicy policy grants Amazon DataZone the permissions required to interoperate with Amazon SageMaker. */
AwsManagedPolicy.AmazonDataZoneSageMakerProvisioningRolePolicy = 'AmazonDataZoneSageMakerProvisioningRolePolicy';
/** Provides full access to Amazon Detective service and scoped access to the console UI dependencies */
AwsManagedPolicy.AmazonDetectiveFullAccess = 'AmazonDetectiveFullAccess';
/** Provides investigator access to Amazon Detective service and scoped access to the console UI dependencies. This policy grants permission to dive into Detective for investigation purposes and limited write access to Guardduty. */
AwsManagedPolicy.AmazonDetectiveInvestigatorAccess = 'AmazonDetectiveInvestigatorAccess';
/** Provides member access to Amazon Detective service and scoped access to the console UI dependencies. */
AwsManagedPolicy.AmazonDetectiveMemberAccess = 'AmazonDetectiveMemberAccess';
/** Provides Organizations access to manage Delegated administrator for Amazon Detective and scoped access to the console UI dependencies. This also grants permission to create a service-linked role for Detective. */
AwsManagedPolicy.AmazonDetectiveOrganizationsAccess = 'AmazonDetectiveOrganizationsAccess';
/** Allows Amazon Detective to make service calls on your behalf */
AwsManagedPolicy.AmazonDetectiveServiceLinkedRolePolicy = 'aws-service-role/AmazonDetectiveServiceLinkedRolePolicy';
/** The policy grants full-access to the DevOps Guru console. */
AwsManagedPolicy.AmazonDevOpsGuruConsoleFullAccess = 'AmazonDevOpsGuruConsoleFullAccess';
/** Provides full access to Amazon DevOps Guru. */
AwsManagedPolicy.AmazonDevOpsGuruFullAccess = 'AmazonDevOpsGuruFullAccess';
/** Provide access to enable and manage Amazon DevOps Guru within an organization. */
AwsManagedPolicy.AmazonDevOpsGuruOrganizationsAccess = 'AmazonDevOpsGuruOrganizationsAccess';
/** Provides read only access to Amazon DevOps Guru Console. */
AwsManagedPolicy.AmazonDevOpsGuruReadOnlyAccess = 'AmazonDevOpsGuruReadOnlyAccess';
/** A service-linked role required for Amazon DevOpsGuru to access your resources. */
AwsManagedPolicy.AmazonDevOpsGuruServiceRolePolicy = 'aws-service-role/AmazonDevOpsGuruServiceRolePolicy';
/** Provides access to upload DMS replication logs to cloudwatch logs in customer account. */
AwsManagedPolicy.AmazonDMSCloudWatchLogsRole = 'service-role/AmazonDMSCloudWatchLogsRole';
/** Provides access to manage S3 settings for Redshift endpoints for DMS. */
AwsManagedPolicy.AmazonDMSRedshiftS3Role = 'service-role/AmazonDMSRedshiftS3Role';
/** Provides access to manage VPC settings for AWS managed customer configurations */
AwsManagedPolicy.AmazonDMSVPCManagementRole = 'service-role/AmazonDMSVPCManagementRole';
/** Allows Amazon DocumentDB-Elastic to manage AWS resources on your behalf. */
AwsManagedPolicy.AmazonDocDBElasticServiceRolePolicy = 'aws-service-role/AmazonDocDB-ElasticServiceRolePolicy';
/** Provides full access to manage Amazon DocumentDB with MongoDB compatibility using the AWS Management Console. Note this policy also grants full access to publish on all SNS topics within the account, permissions to create and edit Amazon EC2 instances and VPC configurations, permissions to view and list keys on Amazon KMS, and full access to Amazon RDS and Amazon Neptune. */
AwsManagedPolicy.AmazonDocDBConsoleFullAccess = 'AmazonDocDBConsoleFullAccess';
/** Provides full access to Amazon DocumentDB Elastic Clusters and other required permissions for its dependencies including EC2, KMS, SecretsManager, CloudWatch and IAM. */
AwsManagedPolicy.AmazonDocDBElasticFullAccess = 'AmazonDocDBElasticFullAccess';
/** Provides read-only access to Amazon DocDB-Elastic and CloudWatch metrics. */
AwsManagedPolicy.AmazonDocDBElasticReadOnlyAccess = 'AmazonDocDBElasticReadOnlyAccess';
/** Provides full access to Amazon DocumentDB with MongoDB compatibility. Note this policy also grants full access to publish on all SNS topics within the account and full access to Amazon RDS and Amazon Neptune. */
AwsManagedPolicy.AmazonDocDBFullAccess = 'AmazonDocDBFullAccess';
/** Provides read-only access to Amazon DocumentDB with MongoDB compatibility. Note that this policy also grants access to Amazon RDS and Amazon Neptune resources. */
AwsManagedPolicy.AmazonDocDBReadOnlyAccess = 'AmazonDocDBReadOnlyAccess';
/** Provides access to manage VPC settings for Amazon managed customer configurations */
AwsManagedPolicy.AmazonDRSVPCManagement = 'AmazonDRSVPCManagement';
/** Provides full access to Amazon DynamoDB via the AWS Management Console. */
AwsManagedPolicy.AmazonDynamoDBFullAccess = 'AmazonDynamoDBFullAccess';
/**
 * Provides full access to Amazon DynamoDB
 *
 * Note that the policy name ends in `_v2`, while the property name is
 * written `V2` without the underscore.
 */
AwsManagedPolicy.AmazonDynamoDBFullAccessV2 = 'AmazonDynamoDBFullAccess_v2';
/**
 * This policy is on a deprecation path. See documentation for guidance: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBPipeline.html. Provides full access to Amazon DynamoDB including Export/Import using AWS Data Pipeline via the AWS Management Console.
 *
 * NOTE(review): the description marks this policy as being phased out;
 * avoid new references and plan a replacement for existing ones.
 */
AwsManagedPolicy.AmazonDynamoDBFullAccesswithDataPipeline = 'AmazonDynamoDBFullAccesswithDataPipeline';
/** Provides read only access to Amazon DynamoDB via the AWS Management Console. */
AwsManagedPolicy.AmazonDynamoDBReadOnlyAccess = 'AmazonDynamoDBReadOnlyAccess';
/** IAM Policy that allows the CSI driver service account to make calls to related services such as EC2 on your behalf. */
AwsManagedPolicy.AmazonEBSCSIDriverPolicy = 'service-role/AmazonEBSCSIDriverPolicy';
/** Provides administrative access to Amazon ECR resources */
AwsManagedPolicy.AmazonEC2ContainerRegistryFullAccess = 'AmazonEC2ContainerRegistryFullAccess';
/** Provides full access to Amazon EC2 Container Registry repositories, but does not allow repository deletion or policy changes. */
AwsManagedPolicy.AmazonEC2ContainerRegistryPowerUser = 'AmazonEC2ContainerRegistryPowerUser';
/** Provides access to pull images from Amazon EC2 Container Registry repositories. */
AwsManagedPolicy.AmazonEC2ContainerRegistryPullOnly = 'AmazonEC2ContainerRegistryPullOnly';
/** Provides read-only access to Amazon EC2 Container Registry repositories. */
AwsManagedPolicy.AmazonEC2ContainerRegistryReadOnly = 'AmazonEC2ContainerRegistryReadOnly';
/** Policy to enable Task Autoscaling for Amazon EC2 Container Service */
AwsManagedPolicy.AmazonEC2ContainerServiceAutoscaleRole = 'service-role/AmazonEC2ContainerServiceAutoscaleRole';
/** Policy to enable CloudWatch Events for EC2 Container Service */
AwsManagedPolicy.AmazonEC2ContainerServiceEventsRole = 'service-role/AmazonEC2ContainerServiceEventsRole';
/** Default policy for the Amazon EC2 Role for Amazon EC2 Container Service. */
AwsManagedPolicy.AmazonEC2ContainerServiceforEC2Role = 'service-role/AmazonEC2ContainerServiceforEC2Role';
/** Default policy for Amazon ECS service role. */
AwsManagedPolicy.AmazonEC2ContainerServiceRole = 'service-role/AmazonEC2ContainerServiceRole';
/** Provides full access to Amazon EC2 via the AWS Management Console. */
AwsManagedPolicy.AmazonEC2FullAccess = 'AmazonEC2FullAccess';
/** Provides read only access to Amazon EC2 via the AWS Management Console. */
AwsManagedPolicy.AmazonEC2ReadOnlyAccess = 'AmazonEC2ReadOnlyAccess';
/** Provides EC2 access to S3 bucket to download revision. This role is needed by the CodeDeploy agent on EC2 instances. */
AwsManagedPolicy.AmazonEC2RoleforAWSCodeDeploy = 'service-role/AmazonEC2RoleforAWSCodeDeploy';
/** Provides EC2 limited access to S3 bucket to download revision. This role is needed by the CodeDeploy agent on EC2 instances. */
AwsManagedPolicy.AmazonEC2RoleforAWSCodeDeployLimited = 'service-role/AmazonEC2RoleforAWSCodeDeployLimited';
/** Default policy for the Amazon EC2 Role for Data Pipeline service role. */
AwsManagedPolicy.AmazonEC2RoleforDataPipelineRole = 'service-role/AmazonEC2RoleforDataPipelineRole';
/**
 * This policy will soon be deprecated. Please use AmazonSSMManagedInstanceCore policy to enable AWS Systems Manager service core functionality on EC2 instances. For more information see https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html
 *
 * NOTE(review): new instance profiles should reference the replacement named
 * in the description rather than this constant. This legacy policy is
 * understood to allow more than core Systems Manager functionality needs -
 * confirm against the current policy document when auditing roles that
 * still attach it.
 */
AwsManagedPolicy.AmazonEC2RoleforSSM = 'service-role/AmazonEC2RoleforSSM';
/** Managed policy for the Amazon LaunchWizard service role for EC2 */
AwsManagedPolicy.AmazonEC2RolePolicyForLaunchWizard = 'AmazonEC2RolePolicyForLaunchWizard';
/** Policy to enable Autoscaling for Amazon EC2 Spot Fleet */
AwsManagedPolicy.AmazonEC2SpotFleetAutoscaleRole = 'service-role/AmazonEC2SpotFleetAutoscaleRole';
/** Allows EC2 Spot Fleet to request, terminate and tag Spot Instances on your behalf. */
AwsManagedPolicy.AmazonEC2SpotFleetTaggingRole = 'service-role/AmazonEC2SpotFleetTaggingRole';
/** Provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and CloudFormation stacks. */
AwsManagedPolicy.AmazonECSFullAccess = 'AmazonECS_FullAccess';
/** Policy to enable Amazon ECS Compute to manage your EC2 instances and related resources as part of ECS managed instances */
AwsManagedPolicy.AmazonECSComputeServiceRolePolicy = 'aws-service-role/AmazonECSComputeServiceRolePolicy';
/** Provides administrative access to Private Certificate Authority, AWS Secrets Manager and other AWS Services required to manage ECS Service Connect TLS features on your behalf. */
AwsManagedPolicy.AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity = 'service-role/AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity';
/** Provides access to other AWS service resources required to manage volumes associated with ECS workloads on your behalf. */
AwsManagedPolicy.AmazonECSInfrastructureRolePolicyForVolumes = 'service-role/AmazonECSInfrastructureRolePolicyForVolumes';
/** Provides access to other AWS service resources required to manage VPC Lattice feature in ECS workloads on your behalf. */
AwsManagedPolicy.AmazonECSInfrastructureRolePolicyForVpcLattice = 'AmazonECSInfrastructureRolePolicyForVpcLattice';
/** Policy to enable Amazon ECS to manage your cluster. */
AwsManagedPolicy.AmazonECSServiceRolePolicy = 'aws-service-role/AmazonECSServiceRolePolicy';
/** Provides access to other AWS service resources that are required to run Amazon ECS tasks */
AwsManagedPolicy.AmazonECSTaskExecutionRolePolicy = 'service-role/AmazonECSTaskExecutionRolePolicy';
/** Provides management access to EFS resources and read access to EC2 */
AwsManagedPolicy.AmazonEFSCSIDriverPolicy = 'service-role/AmazonEFSCSIDriverPolicy';
// Amazon EKS managed policies. Each value is the policy name, with its IAM path in
// front where it has one. The 'aws-service-role/' entries back service-linked roles:
// AWS attaches them to the role it creates for the service, and they are not attached
// to your own users, groups or roles.
Object.assign(AwsManagedPolicy, {
    /**
     * Permissions the Amazon VPC CNI plugin (amazon-vpc-cni-k8s) needs to change the IP address
     * configuration of EKS worker nodes; it may list, describe and modify Elastic Network
     * Interfaces on your behalf. Plugin details: https://github.com/aws/amazon-vpc-cni-k8s
     * NOTE(review): ENI modification is a network-level privilege; AWS's EKS guidance favours
     * granting it to the plugin's own role over the shared node role - confirm for your cluster.
     */
    AmazonEKSCNIPolicy: 'AmazonEKS_CNI_Policy',
    /** Attached to the EKS Cluster Role; lets it manage the cluster's block storage resources. */
    AmazonEKSBlockStoragePolicy: 'AmazonEKSBlockStoragePolicy',
    /** Lets Kubernetes manage resources on your behalf. It needs Ec2:CreateTags to label EC2 resources such as Instances, Security Groups and Elastic Network Interfaces (the list is not exhaustive). */
    AmazonEKSClusterPolicy: 'AmazonEKSClusterPolicy',
    /** Attached to the EKS Cluster Role; lets it manage the cluster's compute resources. */
    AmazonEKSComputePolicy: 'AmazonEKSComputePolicy',
    /** Lets Amazon EKS manage AWS resources for the EKS connector. */
    AmazonEKSConnectorServiceRolePolicy: 'aws-service-role/AmazonEKSConnectorServiceRolePolicy',
    /** Lets the Amazon EKS Dashboard read and display organization-wide information, including your AWS Organizations structure and accounts. */
    AmazonEKSDashboardServiceRolePolicy: 'aws-service-role/AmazonEKSDashboardServiceRolePolicy',
    /** Access to the other AWS service resources needed to run Amazon EKS pods on AWS Fargate. */
    AmazonEKSFargatePodExecutionRolePolicy: 'AmazonEKSFargatePodExecutionRolePolicy',
    /** Permissions Amazon EKS needs to run Fargate tasks. */
    AmazonEKSForFargateServiceRolePolicy: 'aws-service-role/AmazonEKSForFargateServiceRolePolicy',
    /** Attached to the EKS Cluster Role; lets it manage the cluster's load balancing resources. */
    AmazonEKSLoadBalancingPolicy: 'AmazonEKSLoadBalancingPolicy',
    /** Lets the control-plane instances of an EKS local cluster, which run in your account, manage resources on your behalf. */
    AmazonEKSLocalOutpostClusterPolicy: 'AmazonEKSLocalOutpostClusterPolicy',
    /** Lets Amazon EKS Local call AWS services on your behalf. */
    AmazonEKSLocalOutpostServiceRolePolicy: 'aws-service-role/AmazonEKSLocalOutpostServiceRolePolicy',
    /** Attached to the EKS Cluster Role; lets it manage the cluster's networking resources. */
    AmazonEKSNetworkingPolicy: 'AmazonEKSNetworkingPolicy',
    /** Lets Amazon Elastic Container Service for Kubernetes create and manage the resources needed to operate EKS clusters. */
    AmazonEKSServicePolicy: 'AmazonEKSServicePolicy',
    /** Policy of the service-linked role Amazon EKS needs in order to call AWS services on your behalf. */
    AmazonEKSServiceRolePolicy: 'aws-service-role/AmazonEKSServiceRolePolicy',
    /** Used by the VPC Resource Controller to manage ENIs and IPs for worker nodes. */
    AmazonEKSVPCResourceController: 'AmazonEKSVPCResourceController',
    /**
     * Lets Amazon EKS worker nodes connect to Amazon EKS clusters.
     * NOTE(review): AWS gives this the same description as AmazonEKSWorkerNodePolicy; the name
     * suggests the narrower grant - compare both policy documents before choosing.
     */
    AmazonEKSWorkerNodeMinimalPolicy: 'AmazonEKSWorkerNodeMinimalPolicy',
    /** Lets Amazon EKS worker nodes connect to Amazon EKS clusters. */
    AmazonEKSWorkerNodePolicy: 'AmazonEKSWorkerNodePolicy',
});
// Amazon ElastiCache console policies: one full-access, one read-only.
Object.assign(AwsManagedPolicy, {
    /** Full access to Amazon ElastiCache through the AWS Management Console. */
    AmazonElastiCacheFullAccess: 'AmazonElastiCacheFullAccess',
    /** Read-only access to Amazon ElastiCache through the AWS Management Console; the narrower choice for principals that only inspect. */
    AmazonElastiCacheReadOnlyAccess: 'AmazonElastiCacheReadOnlyAccess',
});
// Amazon ECR Public policies, listed from broadest to narrowest.
Object.assign(AwsManagedPolicy, {
    /** Administrative access to Amazon ECR Public resources. */
    AmazonElasticContainerRegistryPublicFullAccess: 'AmazonElasticContainerRegistryPublicFullAccess',
    /** Full access to Amazon ECR Public repositories, except that repository deletion and policy changes are not allowed. */
    AmazonElasticContainerRegistryPublicPowerUser: 'AmazonElasticContainerRegistryPublicPowerUser',
    /** Read-only access to Amazon ECR Public repositories. */
    AmazonElasticContainerRegistryPublicReadOnly: 'AmazonElasticContainerRegistryPublicReadOnly',
});
// Amazon EFS policies. The three "Client" entries govern what a mounting client may do
// on a file system; the others cover the EFS service itself.
Object.assign(AwsManagedPolicy, {
    /** Root client access to an Amazon EFS file system. Of the three client policies here it is the only one described as root access, so reserve it for clients that need it. */
    AmazonElasticFileSystemClientFullAccess: 'AmazonElasticFileSystemClientFullAccess',
    /** Read-only client access to an Amazon EFS file system. */
    AmazonElasticFileSystemClientReadOnlyAccess: 'AmazonElasticFileSystemClientReadOnlyAccess',
    /** Read and write client access to an Amazon EFS file system. */
    AmazonElasticFileSystemClientReadWriteAccess: 'AmazonElasticFileSystemClientReadWriteAccess',
    /** Full access to Amazon EFS through the AWS Management Console. */
    AmazonElasticFileSystemFullAccess: 'AmazonElasticFileSystemFullAccess',
    /** Read-only access to Amazon EFS through the AWS Management Console. */
    AmazonElasticFileSystemReadOnlyAccess: 'AmazonElasticFileSystemReadOnlyAccess',
    /** Lets Amazon Elastic File System manage AWS resources on your behalf. The 'aws-service-role/' path marks a policy for a service-linked role. */
    AmazonElasticFileSystemServiceRolePolicy: 'aws-service-role/AmazonElasticFileSystemServiceRolePolicy',
    /** Lets customers use AWS Systems Manager to keep the Amazon EFS utilities package (amazon-efs-utils) managed on their EC2 instances, and use CloudWatch Logs to receive mount success/failure notifications for EFS file systems. */
    AmazonElasticFileSystemsUtils: 'AmazonElasticFileSystemsUtils',
});
// Amazon Elastic MapReduce policies under their original names. Two of them are marked
// by AWS as being on a deprecation path; see the individual entries.
Object.assign(AwsManagedPolicy, {
    /** Default policy of the Amazon Elastic MapReduce Editors service role. */
    AmazonElasticMapReduceEditorsRole: 'service-role/AmazonElasticMapReduceEditorsRole',
    /** Amazon Elastic MapReduce for Auto Scaling: the role policy that lets Auto Scaling add instances to, and remove them from, your EMR cluster. */
    AmazonElasticMapReduceforAutoScalingRole: 'service-role/AmazonElasticMapReduceforAutoScalingRole',
    /** Default policy of the Amazon Elastic MapReduce for EC2 service role. */
    AmazonElasticMapReduceforEC2Role: 'service-role/AmazonElasticMapReduceforEC2Role',
    /**
     * On a deprecation path; AWS's guidance is at
     * https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html.
     * Full access to Amazon Elastic MapReduce and to the underlying services it requires, such as EC2 and S3.
     */
    AmazonElasticMapReduceFullAccess: 'AmazonElasticMapReduceFullAccess',
    /** Lets EMR create, describe and delete EC2 placement groups. */
    AmazonElasticMapReducePlacementGroupPolicy: 'AmazonElasticMapReducePlacementGroupPolicy',
    /** Read-only access to Amazon Elastic MapReduce through the AWS Management Console. */
    AmazonElasticMapReduceReadOnlyAccess: 'AmazonElasticMapReduceReadOnlyAccess',
    /**
     * On a deprecation path; AWS's guidance is at
     * https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html.
     * Default policy of the Amazon Elastic MapReduce service role.
     */
    AmazonElasticMapReduceRole: 'service-role/AmazonElasticMapReduceRole',
});
// Amazon Elasticsearch Service service-linked role policy, followed by the Amazon
// Elastic Transcoder policies. Note the underscore in the Transcoder policy names:
// the property name and the AWS policy name differ.
Object.assign(AwsManagedPolicy, {
    /** Lets Amazon Elasticsearch Service reach other AWS services, such as the EC2 Networking APIs, on your behalf. */
    AmazonElasticsearchServiceRolePolicy: 'aws-service-role/AmazonElasticsearchServiceRolePolicy',
    /** Full access to Elastic Transcoder, plus the access to associated services that full Elastic Transcoder functionality requires. */
    AmazonElasticTranscoderFullAccess: 'AmazonElasticTranscoder_FullAccess',
    /** Lets users change presets, submit jobs and view Elastic Transcoder settings. Also carries some read-only access to other services the Elastic Transcoder console needs, including S3, IAM and SNS. */
    AmazonElasticTranscoderJobsSubmitter: 'AmazonElasticTranscoder_JobsSubmitter',
    /** Read-only access to Elastic Transcoder and list access to related services. */
    AmazonElasticTranscoderReadOnlyAccess: 'AmazonElasticTranscoder_ReadOnlyAccess',
    /** Default policy of the Amazon Elastic Transcoder service role. */
    AmazonElasticTranscoderRole: 'service-role/AmazonElasticTranscoderRole',
});
// Amazon EMR policies (current naming, including the _v2 set).
Object.assign(AwsManagedPolicy, {
    /** Covers the actions EMR needs to terminate and delete AWS EC2 resources when the EMR Service role has lost the ability to do so. */
    AmazonEMRCleanupPolicy: 'aws-service-role/AmazonEMRCleanupPolicy',
    /** Access to the other AWS service resources needed to run Amazon EMR. */
    AmazonEMRContainersServiceRolePolicy: 'aws-service-role/AmazonEMRContainersServiceRolePolicy',
    /** Full access to Amazon EMR. */
    AmazonEMRFullAccessPolicyV2: 'AmazonEMRFullAccessPolicy_v2',
    /** Read-only access to Amazon EMR and the associated CloudWatch Metrics. */
    AmazonEMRReadOnlyAccessPolicyV2: 'AmazonEMRReadOnlyAccessPolicy_v2',
    /** Access to the other AWS service resources needed to run Amazon EMR Serverless. */
    AmazonEMRServerlessServiceRolePolicy: 'aws-service-role/AmazonEMRServerlessServiceRolePolicy',
    /**
     * For the Amazon EMR Service Role only: AWS states it should NOT be used for any other IAM
     * users or roles in your account. Grants the permissions to create and manage resources
     * associated with EMR and the related services your EMR cluster needs to operate.
     */
    AmazonEMRServicePolicyV2: 'service-role/AmazonEMRServicePolicy_v2',
});
// Amazon ES policies.
Object.assign(AwsManagedPolicy, {
    /** Limited access to the Amazon Cognito configuration service. */
    AmazonESCognitoAccess: 'AmazonESCognitoAccess',
    /** Full access to the Amazon ES configuration service. */
    AmazonESFullAccess: 'AmazonESFullAccess',
    /** Read-only access to the Amazon ES configuration service. */
    AmazonESReadOnlyAccess: 'AmazonESReadOnlyAccess',
});
// Amazon EventBridge policies: the core service, Pipes, Scheduler and Schemas. Each
// family has a full-access and a read-only member; Pipes adds an operator tier between.
Object.assign(AwsManagedPolicy, {
    /** Lets EventBridge access Secrets Manager resources on your behalf. */
    AmazonEventBridgeApiDestinationsServiceRolePolicy: 'aws-service-role/AmazonEventBridgeApiDestinationsServiceRolePolicy',
    /** Full access to Amazon EventBridge. */
    AmazonEventBridgeFullAccess: 'AmazonEventBridgeFullAccess',
    /** Full access to Amazon EventBridge Pipes. */
    AmazonEventBridgePipesFullAccess: 'AmazonEventBridgePipesFullAccess',
    /** Read-only access to Amazon EventBridge Pipes plus operator access, meaning the ability to Stop and Start running Pipes. */
    AmazonEventBridgePipesOperatorAccess: 'AmazonEventBridgePipesOperatorAccess',
    /** Read-only access to Amazon EventBridge Pipes. */
    AmazonEventBridgePipesReadOnlyAccess: 'AmazonEventBridgePipesReadOnlyAccess',
    /** Read-only access to Amazon EventBridge. */
    AmazonEventBridgeReadOnlyAccess: 'AmazonEventBridgeReadOnlyAccess',
    /** Grants use of every EventBridge Scheduler action for schedules and schedule groups. */
    AmazonEventBridgeSchedulerFullAccess: 'AmazonEventBridgeSchedulerFullAccess',
    /** Grants read-only permission to view the details of your schedules and schedule groups. */
    AmazonEventBridgeSchedulerReadOnlyAccess: 'AmazonEventBridgeSchedulerReadOnlyAccess',
    /** Full access to Amazon EventBridge Schemas. */
    AmazonEventBridgeSchemasFullAccess: 'AmazonEventBridgeSchemasFullAccess',
    /** Read-only access to Amazon EventBridge Schemas. */
    AmazonEventBridgeSchemasReadOnlyAccess: 'AmazonEventBridgeSchemasReadOnlyAccess',
    /** Grants permissions to the Managed Rules that Amazon EventBridge schemas creates. */
    AmazonEventBridgeSchemasServiceRolePolicy: 'aws-service-role/AmazonEventBridgeSchemasServiceRolePolicy',
});
// Policies for EVS, AWS FIS, Amazon Forecast, Amazon Fraud Detector and Amazon FreeRTOS.
Object.assign(AwsManagedPolicy, {
    /** Lets EVS manage resources on your behalf. */
    AmazonEVSServiceRolePolicy: 'aws-service-role/AmazonEVSServiceRolePolicy',
    /** Lets AWS FIS manage monitoring and resource selection for experiments. */
    AmazonFISServiceRolePolicy: 'aws-service-role/AmazonFISServiceRolePolicy',
    /** Access to every Amazon Forecast action. */
    AmazonForecastFullAccess: 'AmazonForecastFullAccess',
    /** Access to every Amazon Fraud Detector action. */
    AmazonFraudDetectorFullAccessPolicy: 'AmazonFraudDetectorFullAccessPolicy',
    /** Full-access policy for Amazon FreeRTOS. */
    AmazonFreeRTOSFullAccess: 'AmazonFreeRTOSFullAccess',
    /** Lets a user access Amazon FreeRTOS OTA Update. */
    AmazonFreeRTOSOTAUpdate: 'service-role/AmazonFreeRTOSOTAUpdate',
});
// Amazon FSx and Amazon Glacier policies. The FSx "Console" variants are described as
// covering access through the AWS Management Console; the plain variants are not.
Object.assign(AwsManagedPolicy, {
    /** Full access to Amazon FSx, and access to related AWS services, through the AWS Management Console. */
    AmazonFSxConsoleFullAccess: 'AmazonFSxConsoleFullAccess',
    /** Read-only access to Amazon FSx, and access to related AWS services, through the AWS Management Console. */
    AmazonFSxConsoleReadOnlyAccess: 'AmazonFSxConsoleReadOnlyAccess',
    /** Full access to Amazon FSx and access to related AWS services. */
    AmazonFSxFullAccess: 'AmazonFSxFullAccess',
    /** Read-only access to Amazon FSx. */
    AmazonFSxReadOnlyAccess: 'AmazonFSxReadOnlyAccess',
    /** Lets Amazon FSx manage AWS resources on your behalf. The 'aws-service-role/' path marks a policy for a service-linked role. */
    AmazonFSxServiceRolePolicy: 'aws-service-role/AmazonFSxServiceRolePolicy',
    /** Full access to Amazon Glacier through the AWS Management Console. */
    AmazonGlacierFullAccess: 'AmazonGlacierFullAccess',
    /** Read-only access to Amazon Glacier through the AWS Management Console. */
    AmazonGlacierReadOnlyAccess: 'AmazonGlacierReadOnlyAccess',
});
// Amazon Grafana policies: three data-source grants under 'service-role/' and the
// service-linked role policy under 'aws-service-role/'.
Object.assign(AwsManagedPolicy, {
    /** Access to Amazon Athena and the dependencies needed for the Amazon Athena plugin in Amazon Grafana to run queries and write results to S3. */
    AmazonGrafanaAthenaAccess: 'service-role/AmazonGrafanaAthenaAccess',
    /** Access to Amazon CloudWatch and the dependencies needed to use CloudWatch as a data source in Amazon Managed Grafana. */
    AmazonGrafanaCloudWatchAccess: 'service-role/AmazonGrafanaCloudWatchAccess',
    /** Scoped access to Amazon Redshift and the dependencies needed to use the Amazon Redshift plugin in Amazon Grafana. */
    AmazonGrafanaRedshiftAccess: 'service-role/AmazonGrafanaRedshiftAccess',
    /** Access to the AWS resources that Amazon Grafana manages or uses. */
    AmazonGrafanaServiceLinkedRolePolicy: 'aws-service-role/AmazonGrafanaServiceLinkedRolePolicy',
});
// Amazon GuardDuty policies. Full access to a detection service includes the ability
// to change it, so the read-only policy is the better fit for principals that only
// consume findings.
Object.assign(AwsManagedPolicy, {
    /** Full access to use Amazon GuardDuty. */
    AmazonGuardDutyFullAccess: 'AmazonGuardDutyFullAccess',
    /**
     * Full access to use Amazon GuardDuty.
     * NOTE(review): AWS's description does not say how this differs from AmazonGuardDutyFullAccess;
     * compare the two policy documents before picking one.
     */
    AmazonGuardDutyFullAccessV2: 'AmazonGuardDutyFullAccess_v2',
    /**
     * Policy of the service-linked role AWSServiceRoleForAmazonGuardDutyMalwareProtection, which
     * GuardDuty malware protection uses for agent-less malware scans. It lets GuardDuty create
     * snapshots in your account and share them with the GuardDuty service account for scanning;
     * GuardDuty evaluates the shared snapshots and puts the retrieved EC2 instance metadata into
     * the Malware Protection findings. The role trusts malware-protection.guardduty.amazonaws.com
     * to assume it.
     * NOTE(review): snapshot creation and sharing by this role is therefore expected activity
     * when Malware Protection is enabled - worth knowing when triaging snapshot-sharing alerts.
     */
    AmazonGuardDutyMalwareProtectionServiceRolePolicy: 'aws-service-role/AmazonGuardDutyMalwareProtectionServiceRolePolicy',
    /** Read-only access to Amazon GuardDuty resources. */
    AmazonGuardDutyReadOnlyAccess: 'AmazonGuardDutyReadOnlyAccess',
    /** Enables access to the AWS resources that Amazon GuardDuty uses or manages. */
    AmazonGuardDutyServiceRolePolicy: 'aws-service-role/AmazonGuardDutyServiceRolePolicy',
});
// Amazon HealthLake and Amazon Honeycode policies. Honeycode access is split by
// resource family (service, Team Association, Workbook), each with a full-access and
// a read-only policy.
Object.assign(AwsManagedPolicy, {
    /** Full access to the Amazon HealthLake service. */
    AmazonHealthLakeFullAccess: 'AmazonHealthLakeFullAccess',
    /** Read-only access to the Amazon HealthLake service. */
    AmazonHealthLakeReadOnlyAccess: 'AmazonHealthLakeReadOnlyAccess',
    /** Full access to Honeycode through the AWS Management Console and the SDK. */
    AmazonHoneycodeFullAccess: 'AmazonHoneycodeFullAccess',
    /** Read-only access to Honeycode through the AWS Management Console and the SDK. */
    AmazonHoneycodeReadOnlyAccess: 'AmazonHoneycodeReadOnlyAccess',
    /** Policy of the service-linked role Amazon Honeycode needs in order to access your resources. */
    AmazonHoneycodeServiceRolePolicy: 'aws-service-role/AmazonHoneycodeServiceRolePolicy',
    /** Full access to Honeycode Team Association through the AWS Management Console and the SDK. */
    AmazonHoneycodeTeamAssociationFullAccess: 'AmazonHoneycodeTeamAssociationFullAccess',
    /** Read-only access to Honeycode Team Association through the AWS Management Console and the SDK. */
    AmazonHoneycodeTeamAssociationReadOnlyAccess: 'AmazonHoneycodeTeamAssociationReadOnlyAccess',
    /** Full access to Honeycode Workbook through the AWS Management Console and the SDK. */
    AmazonHoneycodeWorkbookFullAccess: 'AmazonHoneycodeWorkbookFullAccess',
    /** Read-only access to Honeycode Workbook through the AWS Management Console and the SDK. */
    AmazonHoneycodeWorkbookReadOnlyAccess: 'AmazonHoneycodeWorkbookReadOnlyAccess',
});
// Amazon Inspector policies. The "Inspector2" names and the plain "Inspector" names are
// separate policy sets; pick the set that matches the Inspector service in use.
Object.assign(AwsManagedPolicy, {
    /** Gives Amazon Inspector the access to AWS services it needs for agent-less security assessments. */
    AmazonInspector2AgentlessServiceRolePolicy: 'aws-service-role/AmazonInspector2AgentlessServiceRolePolicy',
    /** Full access to Amazon Inspector, plus access to other related services such as Organizations. */
    AmazonInspector2FullAccess: 'AmazonInspector2FullAccess',
    /** Managed policy that customers attach to their own roles so those roles can communicate with the Inspector service for CIS scans. */
    AmazonInspector2ManagedCisPolicy: 'AmazonInspector2ManagedCisPolicy',
    /** Read-only access to the Amazon inspector2 service and the relevant support services. */
    AmazonInspector2ReadOnlyAccess: 'AmazonInspector2ReadOnlyAccess',
    /** Gives Amazon Inspector the access to AWS services it needs for security assessments. */
    AmazonInspector2ServiceRolePolicy: 'aws-service-role/AmazonInspector2ServiceRolePolicy',
    /** Full access to Amazon Inspector. */
    AmazonInspectorFullAccess: 'AmazonInspectorFullAccess',
    /** Read-only access to Amazon Inspector. */
    AmazonInspectorReadOnlyAccess: 'AmazonInspectorReadOnlyAccess',
});
/** Grants Amazon Inspector access to AWS Services needed to perform security assessments */
AwsManagedPolicy.AmazonInspectorServiceRolePolicy = 'aws-service-role/AmazonInspecto