aws-iam-managed-policies 0.0.310 → 0.0.312

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -230040,8 +230040,8 @@
230040
230040
  },
230041
230041
  "AWSCloud9User": {
230042
230042
  "arn": "arn:aws:iam::aws:policy/AWSCloud9User",
230043
- "latestVersionId": "v6",
230044
- "versionsCount": 6,
230043
+ "latestVersionId": "v7",
230044
+ "versionsCount": 7,
230045
230045
  "versions": {
230046
230046
  "v1": {
230047
230047
  "createdDate": "2017-11-30T16:16:17.000Z",
@@ -230507,10 +230507,110 @@
230507
230507
  }
230508
230508
  ]
230509
230509
  }
230510
+ },
230511
+ "v7": {
230512
+ "createdDate": "2017-11-30T16:16:17.000Z",
230513
+ "document": {
230514
+ "Version": "2012-10-17",
230515
+ "Statement": [
230516
+ {
230517
+ "Effect": "Allow",
230518
+ "Action": [
230519
+ "cloud9:UpdateUserSettings",
230520
+ "cloud9:GetUserSettings",
230521
+ "cloud9:GetMigrationExperiences",
230522
+ "iam:GetUser",
230523
+ "iam:ListUsers",
230524
+ "ec2:DescribeVpcs",
230525
+ "ec2:DescribeSubnets",
230526
+ "ec2:DescribeInstanceTypeOfferings",
230527
+ "ec2:DescribeRouteTables"
230528
+ ],
230529
+ "Resource": "*"
230530
+ },
230531
+ {
230532
+ "Effect": "Allow",
230533
+ "Action": [
230534
+ "cloud9:CreateEnvironmentEC2",
230535
+ "cloud9:CreateEnvironmentSSH"
230536
+ ],
230537
+ "Resource": "*",
230538
+ "Condition": {
230539
+ "Null": {
230540
+ "cloud9:OwnerArn": "true"
230541
+ }
230542
+ }
230543
+ },
230544
+ {
230545
+ "Effect": "Allow",
230546
+ "Action": [
230547
+ "cloud9:GetUserPublicKey"
230548
+ ],
230549
+ "Resource": "*",
230550
+ "Condition": {
230551
+ "Null": {
230552
+ "cloud9:UserArn": "true"
230553
+ }
230554
+ }
230555
+ },
230556
+ {
230557
+ "Effect": "Allow",
230558
+ "Action": [
230559
+ "cloud9:DescribeEnvironmentMemberships"
230560
+ ],
230561
+ "Resource": [
230562
+ "*"
230563
+ ],
230564
+ "Condition": {
230565
+ "Null": {
230566
+ "cloud9:UserArn": "true",
230567
+ "cloud9:EnvironmentId": "true"
230568
+ }
230569
+ }
230570
+ },
230571
+ {
230572
+ "Effect": "Allow",
230573
+ "Action": [
230574
+ "iam:CreateServiceLinkedRole"
230575
+ ],
230576
+ "Resource": "*",
230577
+ "Condition": {
230578
+ "StringLike": {
230579
+ "iam:AWSServiceName": "cloud9.amazonaws.com"
230580
+ }
230581
+ }
230582
+ },
230583
+ {
230584
+ "Effect": "Allow",
230585
+ "Action": [
230586
+ "ssm:StartSession",
230587
+ "ssm:GetConnectionStatus"
230588
+ ],
230589
+ "Resource": "arn:aws:ec2:*:*:instance/*",
230590
+ "Condition": {
230591
+ "StringLike": {
230592
+ "ssm:resourceTag/aws:cloud9:environment": "*"
230593
+ },
230594
+ "StringEquals": {
230595
+ "aws:CalledViaFirst": "cloud9.amazonaws.com"
230596
+ }
230597
+ }
230598
+ },
230599
+ {
230600
+ "Effect": "Allow",
230601
+ "Action": [
230602
+ "ssm:StartSession"
230603
+ ],
230604
+ "Resource": [
230605
+ "arn:aws:ssm:*:*:document/*"
230606
+ ]
230607
+ }
230608
+ ]
230609
+ }
230510
230610
  }
230511
230611
  },
230512
230612
  "createdDate": "2017-11-30T16:16:17.000Z",
230513
- "lastUpdatedDate": "2023-10-11T13:24:10.000Z"
230613
+ "lastUpdatedDate": "2025-01-27T10:07:06.000Z"
230514
230614
  },
230515
230615
  "AWSCloud9Administrator": {
230516
230616
  "arn": "arn:aws:iam::aws:policy/AWSCloud9Administrator",
@@ -230720,8 +230820,8 @@
230720
230820
  },
230721
230821
  "AWSCloud9EnvironmentMember": {
230722
230822
  "arn": "arn:aws:iam::aws:policy/AWSCloud9EnvironmentMember",
230723
- "latestVersionId": "v3",
230724
- "versionsCount": 3,
230823
+ "latestVersionId": "v4",
230824
+ "versionsCount": 4,
230725
230825
  "versions": {
230726
230826
  "v1": {
230727
230827
  "createdDate": "2017-11-30T16:18:28.000Z",
@@ -230868,10 +230968,69 @@
230868
230968
  }
230869
230969
  ]
230870
230970
  }
230971
+ },
230972
+ "v4": {
230973
+ "createdDate": "2017-11-30T16:18:28.000Z",
230974
+ "document": {
230975
+ "Version": "2012-10-17",
230976
+ "Statement": [
230977
+ {
230978
+ "Effect": "Allow",
230979
+ "Action": [
230980
+ "cloud9:GetUserSettings",
230981
+ "cloud9:UpdateUserSettings",
230982
+ "cloud9:GetMigrationExperiences",
230983
+ "iam:GetUser",
230984
+ "iam:ListUsers"
230985
+ ],
230986
+ "Resource": "*"
230987
+ },
230988
+ {
230989
+ "Effect": "Allow",
230990
+ "Action": [
230991
+ "cloud9:DescribeEnvironmentMemberships"
230992
+ ],
230993
+ "Resource": [
230994
+ "*"
230995
+ ],
230996
+ "Condition": {
230997
+ "Null": {
230998
+ "cloud9:UserArn": "true",
230999
+ "cloud9:EnvironmentId": "true"
231000
+ }
231001
+ }
231002
+ },
231003
+ {
231004
+ "Effect": "Allow",
231005
+ "Action": [
231006
+ "ssm:StartSession",
231007
+ "ssm:GetConnectionStatus"
231008
+ ],
231009
+ "Resource": "arn:aws:ec2:*:*:instance/*",
231010
+ "Condition": {
231011
+ "StringLike": {
231012
+ "ssm:resourceTag/aws:cloud9:environment": "*"
231013
+ },
231014
+ "StringEquals": {
231015
+ "aws:CalledViaFirst": "cloud9.amazonaws.com"
231016
+ }
231017
+ }
231018
+ },
231019
+ {
231020
+ "Effect": "Allow",
231021
+ "Action": [
231022
+ "ssm:StartSession"
231023
+ ],
231024
+ "Resource": [
231025
+ "arn:aws:ssm:*:*:document/*"
231026
+ ]
231027
+ }
231028
+ ]
231029
+ }
230871
231030
  }
230872
231031
  },
230873
231032
  "createdDate": "2017-11-30T16:18:28.000Z",
230874
- "lastUpdatedDate": "2023-10-11T12:13:40.000Z"
231033
+ "lastUpdatedDate": "2025-01-27T10:07:07.000Z"
230875
231034
  },
230876
231035
  "AlexaForBusinessFullAccess": {
230877
231036
  "arn": "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess",
@@ -548415,8 +548574,8 @@
548415
548574
  },
548416
548575
  "AWSIncidentManagerServiceRolePolicy": {
548417
548576
  "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSIncidentManagerServiceRolePolicy",
548418
- "latestVersionId": "v2",
548419
- "versionsCount": 2,
548577
+ "latestVersionId": "v3",
548578
+ "versionsCount": 3,
548420
548579
  "versions": {
548421
548580
  "v1": {
548422
548581
  "createdDate": "2021-05-10T03:34:45.000Z",
@@ -548494,10 +548653,58 @@
548494
548653
  }
548495
548654
  ]
548496
548655
  }
548656
+ },
548657
+ "v3": {
548658
+ "createdDate": "2021-05-10T03:34:45.000Z",
548659
+ "document": {
548660
+ "Version": "2012-10-17",
548661
+ "Statement": [
548662
+ {
548663
+ "Sid": "UpdateIncidentRecordPermissions",
548664
+ "Effect": "Allow",
548665
+ "Action": [
548666
+ "ssm-incidents:ListIncidentRecords",
548667
+ "ssm-incidents:CreateTimelineEvent"
548668
+ ],
548669
+ "Resource": "*"
548670
+ },
548671
+ {
548672
+ "Sid": "RelatedOpsItemPermissions",
548673
+ "Effect": "Allow",
548674
+ "Action": [
548675
+ "ssm:CreateOpsItem",
548676
+ "ssm:AssociateOpsItemRelatedItem"
548677
+ ],
548678
+ "Resource": "*"
548679
+ },
548680
+ {
548681
+ "Sid": "IncidentEngagementPermissions",
548682
+ "Effect": "Allow",
548683
+ "Action": "ssm-contacts:StartEngagement",
548684
+ "Resource": "*"
548685
+ },
548686
+ {
548687
+ "Sid": "PutMetricDataPermission",
548688
+ "Effect": "Allow",
548689
+ "Action": [
548690
+ "cloudwatch:PutMetricData"
548691
+ ],
548692
+ "Resource": "*",
548693
+ "Condition": {
548694
+ "StringEquals": {
548695
+ "cloudwatch:namespace": [
548696
+ "AWS/IncidentManager",
548697
+ "AWS/Usage"
548698
+ ]
548699
+ }
548700
+ }
548701
+ }
548702
+ ]
548703
+ }
548497
548704
  }
548498
548705
  },
548499
548706
  "createdDate": "2021-05-10T03:34:45.000Z",
548500
- "lastUpdatedDate": "2022-12-05T02:11:58.000Z"
548707
+ "lastUpdatedDate": "2025-01-28T02:52:06.000Z"
548501
548708
  },
548502
548709
  "AWSIncidentManagerResolverAccess": {
548503
548710
  "arn": "arn:aws:iam::aws:policy/AWSIncidentManagerResolverAccess",
@@ -687183,8 +687390,8 @@
687183
687390
  },
687184
687391
  "SageMakerStudioProjectProvisioningRolePolicy": {
687185
687392
  "arn": "arn:aws:iam::aws:policy/service-role/SageMakerStudioProjectProvisioningRolePolicy",
687186
- "latestVersionId": "v6",
687187
- "versionsCount": 6,
687393
+ "latestVersionId": "v7",
687394
+ "versionsCount": 7,
687188
687395
  "versions": {
687189
687396
  "v1": {
687190
687397
  "createdDate": "2024-11-20T21:58:39.000Z",
@@ -700973,7 +701180,2558 @@
700973
701180
  }
700974
701181
  },
700975
701182
  {
700976
- "Sid": "IamRolePermissionsForSageMakerStudioQueryExecutionRole",
701183
+ "Sid": "IamRolePermissionsForSageMakerStudioQueryExecutionRole",
701184
+ "Effect": "Allow",
701185
+ "Action": [
701186
+ "iam:GetRole",
701187
+ "iam:CreateRole",
701188
+ "iam:DetachRolePolicy",
701189
+ "iam:DeleteRolePolicy",
701190
+ "iam:AttachRolePolicy"
701191
+ ],
701192
+ "Resource": "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole",
701193
+ "Condition": {
701194
+ "StringEquals": {
701195
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701196
+ "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePermissionsBoundary"
701197
+ }
701198
+ }
701199
+ },
701200
+ {
701201
+ "Sid": "IamTagRolePermissionsForSageMakerStudioQueryExecutionRole",
701202
+ "Effect": "Allow",
701203
+ "Action": "iam:TagRole",
701204
+ "Resource": "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole",
701205
+ "Condition": {
701206
+ "StringEquals": {
701207
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701208
+ },
701209
+ "ForAllValues:StringLike": {
701210
+ "aws:TagKeys": [
701211
+ "CreatedForUseWithSageMakerStudio",
701212
+ "SageMakerStudioQueryExecutionRole"
701213
+ ]
701214
+ }
701215
+ }
701216
+ }
701217
+ ]
701218
+ }
701219
+ },
701220
+ "v7": {
701221
+ "createdDate": "2024-11-20T21:58:39.000Z",
701222
+ "document": {
701223
+ "Version": "2012-10-17",
701224
+ "Statement": [
701225
+ {
701226
+ "Sid": "CloudFormationStackCreationAndTagging",
701227
+ "Effect": "Allow",
701228
+ "Action": [
701229
+ "cloudformation:CreateStack",
701230
+ "cloudformation:TagResource"
701231
+ ],
701232
+ "Resource": [
701233
+ "arn:aws:cloudformation:*:*:stack/DataZone*"
701234
+ ],
701235
+ "Condition": {
701236
+ "StringEquals": {
701237
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701238
+ },
701239
+ "Null": {
701240
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
701241
+ "aws:TagKeys": "false"
701242
+ },
701243
+ "ForAllValues:StringLike": {
701244
+ "aws:TagKeys": [
701245
+ "AmazonDataZone*"
701246
+ ]
701247
+ }
701248
+ }
701249
+ },
701250
+ {
701251
+ "Sid": "CloudFormationStackManagement",
701252
+ "Effect": "Allow",
701253
+ "Action": [
701254
+ "cloudformation:DescribeStacks",
701255
+ "cloudformation:DescribeStackEvents",
701256
+ "cloudformation:UpdateStack"
701257
+ ],
701258
+ "Resource": [
701259
+ "arn:aws:cloudformation:*:*:stack/DataZone*"
701260
+ ],
701261
+ "Condition": {
701262
+ "StringEquals": {
701263
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701264
+ },
701265
+ "Null": {
701266
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701267
+ }
701268
+ }
701269
+ },
701270
+ {
701271
+ "Sid": "CloudFormationStackDeletion",
701272
+ "Effect": "Allow",
701273
+ "Action": [
701274
+ "cloudformation:DeleteStack"
701275
+ ],
701276
+ "Resource": [
701277
+ "arn:aws:cloudformation:*:*:stack/DataZone*"
701278
+ ],
701279
+ "Condition": {
701280
+ "StringEquals": {
701281
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701282
+ }
701283
+ }
701284
+ },
701285
+ {
701286
+ "Sid": "CloudFormationListStacks",
701287
+ "Effect": "Allow",
701288
+ "Action": [
701289
+ "cloudformation:DescribeStacks"
701290
+ ],
701291
+ "Resource": [
701292
+ "arn:aws:cloudformation:*:*:stack/DataZone*"
701293
+ ],
701294
+ "Condition": {
701295
+ "StringEquals": {
701296
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701297
+ }
701298
+ }
701299
+ },
701300
+ {
701301
+ "Sid": "LakeFormationPermissionsForDataLakeValidation",
701302
+ "Effect": "Allow",
701303
+ "Action": [
701304
+ "lakeformation:GetDataLakeSettings",
701305
+ "lakeformation:PutDataLakeSettings",
701306
+ "lakeformation:RevokePermissions",
701307
+ "lakeformation:ListPermissions"
701308
+ ],
701309
+ "Resource": "*"
701310
+ },
701311
+ {
701312
+ "Sid": "LakeFormationPermissionsForDataLakeResourceGrant",
701313
+ "Effect": "Allow",
701314
+ "Action": [
701315
+ "lakeformation:RegisterResource",
701316
+ "lakeformation:DeregisterResource",
701317
+ "lakeformation:GrantPermissions",
701318
+ "lakeformation:ListResources"
701319
+ ],
701320
+ "Resource": "*"
701321
+ },
701322
+ {
701323
+ "Sid": "PermissionsToGetBlueprintTemplates",
701324
+ "Effect": "Allow",
701325
+ "Action": "s3:GetObject",
701326
+ "Resource": "*",
701327
+ "Condition": {
701328
+ "StringNotEquals": {
701329
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701330
+ },
701331
+ "StringEquals": {
701332
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
701333
+ }
701334
+ }
701335
+ },
701336
+ {
701337
+ "Sid": "CodeCommitCreationAndTagging",
701338
+ "Effect": "Allow",
701339
+ "Action": [
701340
+ "codecommit:CreateRepository",
701341
+ "codecommit:TagResource"
701342
+ ],
701343
+ "Resource": "arn:aws:codecommit:*:*:datazone*",
701344
+ "Condition": {
701345
+ "StringEquals": {
701346
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701347
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701348
+ },
701349
+ "Null": {
701350
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
701351
+ "aws:TagKeys": "false"
701352
+ },
701353
+ "ForAllValues:StringLike": {
701354
+ "aws:TagKeys": [
701355
+ "AmazonDataZone*"
701356
+ ]
701357
+ }
701358
+ }
701359
+ },
701360
+ {
701361
+ "Sid": "CodeCommitDeletion",
701362
+ "Effect": "Allow",
701363
+ "Action": [
701364
+ "codecommit:DeleteRepository",
701365
+ "codecommit:UpdateRepositoryEncryptionKey",
701366
+ "codecommit:PutRepositoryTriggers"
701367
+ ],
701368
+ "Resource": "arn:aws:codecommit:*:*:datazone*",
701369
+ "Condition": {
701370
+ "StringEquals": {
701371
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701372
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701373
+ },
701374
+ "Null": {
701375
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701376
+ }
701377
+ }
701378
+ },
701379
+ {
701380
+ "Sid": "CodeCommitAccess",
701381
+ "Effect": "Allow",
701382
+ "Action": [
701383
+ "codecommit:GetBranch",
701384
+ "codecommit:CreateCommit",
701385
+ "codecommit:GetRepository",
701386
+ "codecommit:GetFile"
701387
+ ],
701388
+ "Resource": "arn:aws:codecommit:*:*:datazone*",
701389
+ "Condition": {
701390
+ "StringEquals": {
701391
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701392
+ }
701393
+ }
701394
+ },
701395
+ {
701396
+ "Sid": "CodeCommitListRepositories",
701397
+ "Effect": "Allow",
701398
+ "Action": [
701399
+ "codecommit:ListRepositories"
701400
+ ],
701401
+ "Resource": "*"
701402
+ },
701403
+ {
701404
+ "Sid": "CodeCommitKmsPermissions",
701405
+ "Effect": "Allow",
701406
+ "Action": [
701407
+ "kms:Decrypt",
701408
+ "kms:ReEncryptTo",
701409
+ "kms:ReEncryptFrom",
701410
+ "kms:GenerateDataKey"
701411
+ ],
701412
+ "Resource": "*",
701413
+ "Condition": {
701414
+ "StringEquals": {
701415
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701416
+ },
701417
+ "StringLike": {
701418
+ "kms:ViaService": [
701419
+ "codecommit.*.amazonaws.com"
701420
+ ]
701421
+ },
701422
+ "Null": {
701423
+ "kms:EncryptionContext:aws:codecommit:id": "false"
701424
+ }
701425
+ }
701426
+ },
701427
+ {
701428
+ "Sid": "GetIAMRole",
701429
+ "Effect": "Allow",
701430
+ "Action": [
701431
+ "iam:GetRole"
701432
+ ],
701433
+ "Resource": [
701434
+ "arn:aws:iam::*:role/datazone*",
701435
+ "arn:aws:iam::*:role/AmazonBedrockExecution*",
701436
+ "arn:aws:iam::*:role/BedrockStudio*",
701437
+ "arn:aws:iam::*:role/AmazonBedrockConsumptionRole*",
701438
+ "arn:aws:iam::*:role/AmazonBedrockEvaluation*"
701439
+ ],
701440
+ "Condition": {
701441
+ "StringEquals": {
701442
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701443
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701444
+ }
701445
+ }
701446
+ },
701447
+ {
701448
+ "Sid": "IAMRoleAndPolicyManagement",
701449
+ "Effect": "Allow",
701450
+ "Action": [
701451
+ "iam:CreateRole",
701452
+ "iam:DetachRolePolicy",
701453
+ "iam:DeleteRolePolicy",
701454
+ "iam:AttachRolePolicy",
701455
+ "iam:PutRolePolicy"
701456
+ ],
701457
+ "Resource": [
701458
+ "arn:aws:iam::*:role/datazone*",
701459
+ "arn:aws:iam::*:role/AmazonBedrockExecution*",
701460
+ "arn:aws:iam::*:role/BedrockStudio*",
701461
+ "arn:aws:iam::*:role/AmazonBedrockConsumptionRole*",
701462
+ "arn:aws:iam::*:role/AmazonBedrockEvaluation*"
701463
+ ],
701464
+ "Condition": {
701465
+ "StringEquals": {
701466
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701467
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701468
+ "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePermissionsBoundary"
701469
+ },
701470
+ "Null": {
701471
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701472
+ }
701473
+ }
701474
+ },
701475
+ {
701476
+ "Sid": "IAMRoleAndPolicyManagementFromDataZone",
701477
+ "Effect": "Allow",
701478
+ "Action": [
701479
+ "iam:DeleteRolePolicy",
701480
+ "iam:PutRolePolicy"
701481
+ ],
701482
+ "Resource": [
701483
+ "arn:aws:iam::*:role/datazone*"
701484
+ ],
701485
+ "Condition": {
701486
+ "StringEquals": {
701487
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701488
+ "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePermissionsBoundary"
701489
+ },
701490
+ "Null": {
701491
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701492
+ }
701493
+ }
701494
+ },
701495
+ {
701496
+ "Sid": "IAMRoleCreation",
701497
+ "Effect": "Allow",
701498
+ "Action": [
701499
+ "iam:CreateRole"
701500
+ ],
701501
+ "Resource": [
701502
+ "arn:aws:iam::*:role/datazone*",
701503
+ "arn:aws:iam::*:role/AmazonBedrock*"
701504
+ ],
701505
+ "Condition": {
701506
+ "StringEquals": {
701507
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701508
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701509
+ },
701510
+ "Null": {
701511
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701512
+ }
701513
+ }
701514
+ },
701515
+ {
701516
+ "Sid": "IAMRoleManagement",
701517
+ "Effect": "Allow",
701518
+ "Action": [
701519
+ "iam:DetachRolePolicy",
701520
+ "iam:AttachRolePolicy"
701521
+ ],
701522
+ "Resource": [
701523
+ "arn:aws:iam::*:role/datazone*"
701524
+ ],
701525
+ "Condition": {
701526
+ "StringEquals": {
701527
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701528
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701529
+ },
701530
+ "Null": {
701531
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701532
+ },
701533
+ "ArnEquals": {
701534
+ "iam:PolicyARN": [
701535
+ "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePolicy",
701536
+ "arn:aws:iam::aws:policy/SageMakerStudioProjectRoleMachineLearningPolicy",
701537
+ "arn:aws:iam::aws:policy/service-role/SageMakerStudioEMRServiceRolePolicy",
701538
+ "arn:aws:iam::aws:policy/service-role/SageMakerStudioEMRInstanceRolePolicy",
701539
+ "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2"
701540
+ ]
701541
+ }
701542
+ }
701543
+ },
701544
+ {
701545
+ "Sid": "IAMRoleManagementForBedrock",
701546
+ "Effect": "Allow",
701547
+ "Action": [
701548
+ "iam:AttachRolePolicy",
701549
+ "iam:DetachRolePolicy"
701550
+ ],
701551
+ "Resource": "arn:aws:iam::*:role/AmazonBedrock*",
701552
+ "Condition": {
701553
+ "StringEquals": {
701554
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701555
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701556
+ },
701557
+ "Null": {
701558
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701559
+ },
701560
+ "ArnEquals": {
701561
+ "iam:PolicyARN": [
701562
+ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
701563
+ "arn:aws:iam::aws:policy/service-role/AmazonBedrockIDEAgentServiceRolePolicy",
701564
+ "arn:aws:iam::aws:policy/service-role/AmazonBedrockIDEChatAppUserRolePolicy",
701565
+ "arn:aws:iam::aws:policy/service-role/AmazonBedrockIDEFlowServiceRolePolicy",
701566
+ "arn:aws:iam::aws:policy/service-role/AmazonBedrockIDEFunctionExecutionRolePolicy",
701567
+ "arn:aws:iam::aws:policy/service-role/AmazonBedrockIDEKnowledgeBaseServiceRolePolicy",
701568
+ "arn:aws:iam::aws:policy/service-role/AmazonBedrockIDEKnowledgeBaseCustomResourcePolicy",
701569
+ "arn:aws:iam::aws:policy/service-role/AmazonBedrockIDEPromptUserRolePolicy",
701570
+ "arn:aws:iam::aws:policy/service-role/AmazonBedrockIDEEvaluationJobServiceRolePolicy"
701571
+ ]
701572
+ }
701573
+ }
701574
+ },
701575
+ {
701576
+ "Sid": "IAMRoleTagging",
701577
+ "Effect": "Allow",
701578
+ "Action": "iam:TagRole",
701579
+ "Resource": [
701580
+ "arn:aws:iam::*:role/datazone_usr_role_*",
701581
+ "arn:aws:iam::*:role/datazone-partner-apps-*",
701582
+ "arn:aws:iam::*:role/datazone_redshift_serverless_admin_role_*",
701583
+ "arn:aws:iam::*:role/AmazonBedrockExecution*",
701584
+ "arn:aws:iam::*:role/BedrockStudio*",
701585
+ "arn:aws:iam::*:role/AmazonBedrockConsumptionRole*",
701586
+ "arn:aws:iam::*:role/AmazonBedrockEvaluation*",
701587
+ "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole"
701588
+ ],
701589
+ "Condition": {
701590
+ "StringEquals": {
701591
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701592
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701593
+ },
701594
+ "Null": {
701595
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
701596
+ "aws:TagKeys": "false"
701597
+ },
701598
+ "ForAllValues:StringLike": {
701599
+ "aws:TagKeys": [
701600
+ "AmazonDataZone*",
701601
+ "AmazonBedrockManaged",
701602
+ "RedshiftDb*",
701603
+ "EnableAmazonBedrockIDEPermissions",
701604
+ "EnableGlueWorkloadsPermissions",
701605
+ "EnableSageMakerMLWorkloadsPermissions",
701606
+ "DomainBucketName",
701607
+ "KmsKeyId",
701608
+ "LogGroupName",
701609
+ "RoleName",
701610
+ "vpcArn",
701611
+ "VpcId",
701612
+ "CreatedForUseWithSageMakerStudio",
701613
+ "SageMakerStudioQueryExecutionRole"
701614
+ ]
701615
+ }
701616
+ }
701617
+ },
701618
+ {
701619
+ "Sid": "IAMRoleTaggingForBedrock",
701620
+ "Effect": "Allow",
701621
+ "Action": "iam:TagRole",
701622
+ "Resource": "arn:aws:iam::*:role/AmazonBedrock*",
701623
+ "Condition": {
701624
+ "StringEquals": {
701625
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701626
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701627
+ },
701628
+ "Null": {
701629
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701630
+ },
701631
+ "ForAllValues:StringLike": {
701632
+ "aws:TagKeys": [
701633
+ "AmazonDataZone*",
701634
+ "AmazonBedrockManaged",
701635
+ "DomainBucketName",
701636
+ "KmsKeyId",
701637
+ "AgentId",
701638
+ "AgentAliasId",
701639
+ "AppDefinitionPath",
701640
+ "PromptId",
701641
+ "PromptVersion",
701642
+ "PromptDefinitionPath",
701643
+ "OpenSearchServerlessCollectionId"
701644
+ ]
701645
+ }
701646
+ }
701647
+ },
701648
+ {
701649
+ "Sid": "IAMRoleTaggingForRedshift",
701650
+ "Effect": "Allow",
701651
+ "Action": "iam:TagRole",
701652
+ "Resource": [
701653
+ "arn:aws:iam::*:role/datazone_usr_role_*"
701654
+ ],
701655
+ "Condition": {
701656
+ "StringEquals": {
701657
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701658
+ },
701659
+ "Null": {
701660
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
701661
+ "aws:TagKeys": "false"
701662
+ },
701663
+ "ForAllValues:StringLike": {
701664
+ "aws:TagKeys": [
701665
+ "RedshiftDb*"
701666
+ ]
701667
+ }
701668
+ }
701669
+ },
701670
+ {
701671
+ "Sid": "IAMRoleTaggingForEmr",
701672
+ "Effect": "Allow",
701673
+ "Action": "iam:TagRole",
701674
+ "Resource": [
701675
+ "arn:aws:iam::*:role/datazone_emr_service_role_*",
701676
+ "arn:aws:iam::*:role/datazone_emr_ec2_instance_role_*"
701677
+ ],
701678
+ "Condition": {
701679
+ "StringEquals": {
701680
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701681
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701682
+ },
701683
+ "Null": {
701684
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
701685
+ "aws:TagKeys": "false"
701686
+ },
701687
+ "ForAllValues:StringLike": {
701688
+ "aws:TagKeys": [
701689
+ "AmazonDataZone*",
701690
+ "DataZone*",
701691
+ "for-use-with-amazon-emr-managed-policies",
701692
+ "DomainBucketName",
701693
+ "KmsKeyId"
701694
+ ]
701695
+ }
701696
+ }
701697
+ },
701698
+ {
701699
+ "Sid": "IamManageRoles",
701700
+ "Effect": "Allow",
701701
+ "Action": [
701702
+ "iam:DeleteRole",
701703
+ "iam:ListRolePolicies",
701704
+ "iam:GetRolePolicy",
701705
+ "iam:ListAttachedRolePolicies"
701706
+ ],
701707
+ "Resource": [
701708
+ "arn:aws:iam::*:role/datazone*",
701709
+ "arn:aws:iam::*:role/AmazonBedrockExecution*",
701710
+ "arn:aws:iam::*:role/BedrockStudio*",
701711
+ "arn:aws:iam::*:role/AmazonBedrockConsumptionRole*",
701712
+ "arn:aws:iam::*:role/AmazonBedrockEvaluation*"
701713
+ ],
701714
+ "Condition": {
701715
+ "StringEquals": {
701716
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701717
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701718
+ },
701719
+ "Null": {
701720
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701721
+ }
701722
+ }
701723
+ },
701724
+ {
701725
+ "Sid": "IamManageRolesFromDataZone",
701726
+ "Effect": "Allow",
701727
+ "Action": [
701728
+ "iam:GetRole",
701729
+ "iam:UpdateAssumeRolePolicy"
701730
+ ],
701731
+ "Resource": [
701732
+ "arn:aws:iam::*:role/datazone_usr_role_*"
701733
+ ],
701734
+ "Condition": {
701735
+ "StringEquals": {
701736
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701737
+ },
701738
+ "Null": {
701739
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
701740
+ }
701741
+ }
701742
+ },
701743
+ {
701744
+ "Sid": "IamAttachPolicyFromService",
701745
+ "Effect": "Allow",
701746
+ "Action": [
701747
+ "iam:AttachRolePolicy"
701748
+ ],
701749
+ "Resource": [
701750
+ "arn:aws:iam::*:role/datazone*"
701751
+ ],
701752
+ "Condition": {
701753
+ "StringEquals": {
701754
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701755
+ "iam:PermissionsBoundary": "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePermissionsBoundary"
701756
+ }
701757
+ }
701758
+ },
701759
+ {
701760
+ "Sid": "IamDetachPolicyFromService",
701761
+ "Effect": "Allow",
701762
+ "Action": [
701763
+ "iam:DetachRolePolicy"
701764
+ ],
701765
+ "Resource": [
701766
+ "arn:aws:iam::*:role/datazone*"
701767
+ ],
701768
+ "Condition": {
701769
+ "StringEquals": {
701770
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701771
+ }
701772
+ }
701773
+ },
701774
+ {
701775
+ "Sid": "IAMPolicyManagementFromService",
701776
+ "Effect": "Allow",
701777
+ "Action": [
701778
+ "iam:DeletePolicy",
701779
+ "iam:CreatePolicy",
701780
+ "iam:ListPolicies",
701781
+ "iam:GetPolicy",
701782
+ "iam:GetPolicyVersion",
701783
+ "iam:CreatePolicyVersion",
701784
+ "iam:ListPolicyVersions",
701785
+ "iam:DeletePolicyVersion"
701786
+ ],
701787
+ "Resource": [
701788
+ "arn:aws:iam::*:policy/datazone*",
701789
+ "arn:aws:iam::*:policy/connector-manage-access-policy*",
701790
+ "arn:aws:iam::*:policy/SageMakerStudioQueryExecutionRolePolicy"
701791
+ ],
701792
+ "Condition": {
701793
+ "StringEquals": {
701794
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701795
+ }
701796
+ }
701797
+ },
701798
+ {
701799
+ "Sid": "IAMPolicyManagementWithoutRequiredResources",
701800
+ "Effect": "Allow",
701801
+ "Action": [
701802
+ "iam:ListPolicies"
701803
+ ],
701804
+ "Resource": "*"
701805
+ },
701806
+ {
701807
+ "Sid": "GlueConnectionTypeUnrestrictedAccess",
701808
+ "Effect": "Allow",
701809
+ "Action": [
701810
+ "glue:ListConnectionTypes",
701811
+ "glue:DescribeConnectionType"
701812
+ ],
701813
+ "Resource": "*"
701814
+ },
701815
+ {
701816
+ "Sid": "IAMInstanceProfileManagement",
701817
+ "Effect": "Allow",
701818
+ "Action": [
701819
+ "iam:GetInstanceProfile",
701820
+ "iam:CreateInstanceProfile",
701821
+ "iam:AddRoleToInstanceProfile",
701822
+ "iam:RemoveRoleFromInstanceProfile",
701823
+ "iam:DeleteInstanceProfile"
701824
+ ],
701825
+ "Resource": "arn:aws:iam::*:instance-profile/datazone_emr_ec2_instance_profile_*",
701826
+ "Condition": {
701827
+ "StringEquals": {
701828
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701829
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701830
+ }
701831
+ }
701832
+ },
701833
+ {
701834
+ "Sid": "IamPassRole",
701835
+ "Effect": "Allow",
701836
+ "Action": "iam:PassRole",
701837
+ "Resource": [
701838
+ "arn:aws:iam::*:role/datazone_usr_role_*",
701839
+ "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole"
701840
+ ],
701841
+ "Condition": {
701842
+ "StringEquals": {
701843
+ "aws:CalledViaFirst": [
701844
+ "cloudformation.amazonaws.com",
701845
+ "glue.amazonaws.com"
701846
+ ],
701847
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701848
+ "iam:PassedToService": [
701849
+ "glue.amazonaws.com",
701850
+ "lakeformation.amazonaws.com",
701851
+ "redshift-serverless.amazonaws.com",
701852
+ "redshift.amazonaws.com",
701853
+ "emr-serverless.amazonaws.com",
701854
+ "airflow.amazonaws.com"
701855
+ ]
701856
+ }
701857
+ }
701858
+ },
701859
+ {
701860
+ "Sid": "IamPassRoleFromDataZone",
701861
+ "Effect": "Allow",
701862
+ "Action": "iam:PassRole",
701863
+ "Resource": [
701864
+ "arn:aws:iam::*:role/datazone_usr_role_*"
701865
+ ],
701866
+ "Condition": {
701867
+ "StringEquals": {
701868
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701869
+ "iam:PassedToService": [
701870
+ "sagemaker.amazonaws.com",
701871
+ "redshift-serverless.amazonaws.com"
701872
+ ]
701873
+ }
701874
+ }
701875
+ },
701876
+ {
701877
+ "Sid": "IamPassRoleForGlueCatalog",
701878
+ "Effect": "Allow",
701879
+ "Action": "iam:PassRole",
701880
+ "Resource": [
701881
+ "arn:aws:iam::*:role/datazone_usr_role_*",
701882
+ "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole"
701883
+ ],
701884
+ "Condition": {
701885
+ "StringEquals": {
701886
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701887
+ "iam:PassedToService": [
701888
+ "glue.amazonaws.com",
701889
+ "lakeformation.amazonaws.com"
701890
+ ]
701891
+ }
701892
+ }
701893
+ },
701894
+ {
701895
+ "Sid": "IamPassRoleForEmrServiceRole",
701896
+ "Effect": "Allow",
701897
+ "Action": "iam:PassRole",
701898
+ "Resource": [
701899
+ "arn:aws:iam::*:role/datazone_emr_service_role_*"
701900
+ ],
701901
+ "Condition": {
701902
+ "StringEquals": {
701903
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701904
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701905
+ "iam:PassedToService": [
701906
+ "elasticmapreduce.amazonaws.com"
701907
+ ]
701908
+ }
701909
+ }
701910
+ },
701911
+ {
701912
+ "Sid": "IamPassRoleForEmrInstanceRole",
701913
+ "Effect": "Allow",
701914
+ "Action": "iam:PassRole",
701915
+ "Resource": [
701916
+ "arn:aws:iam::*:role/datazone_emr_ec2_instance_role_*"
701917
+ ],
701918
+ "Condition": {
701919
+ "StringEquals": {
701920
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701921
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701922
+ "iam:PassedToService": [
701923
+ "ec2.amazonaws.com"
701924
+ ]
701925
+ }
701926
+ }
701927
+ },
701928
+ {
701929
+ "Sid": "IamPassRoleToBedrock",
701930
+ "Effect": "Allow",
701931
+ "Action": "iam:PassRole",
701932
+ "Resource": [
701933
+ "arn:aws:iam::*:role/AmazonBedrockExecution*",
701934
+ "arn:aws:iam::*:role/BedrockStudio*"
701935
+ ],
701936
+ "Condition": {
701937
+ "StringEquals": {
701938
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701939
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701940
+ "iam:PassedToService": "bedrock.amazonaws.com"
701941
+ }
701942
+ }
701943
+ },
701944
+ {
701945
+ "Sid": "IamPassRoleToLambda",
701946
+ "Effect": "Allow",
701947
+ "Action": "iam:PassRole",
701948
+ "Resource": [
701949
+ "arn:aws:iam::*:role/AmazonBedrockExecution*",
701950
+ "arn:aws:iam::*:role/BedrockStudio*"
701951
+ ],
701952
+ "Condition": {
701953
+ "StringEquals": {
701954
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701955
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701956
+ "iam:PassedToService": "lambda.amazonaws.com"
701957
+ }
701958
+ }
701959
+ },
701960
+ {
701961
+ "Sid": "IamCreateServiceLinkedRoleForAoss",
701962
+ "Effect": "Allow",
701963
+ "Action": "iam:CreateServiceLinkedRole",
701964
+ "Resource": "arn:aws:iam::*:role/aws-service-role/observability.aoss.amazonaws.com/AWSServiceRoleForAmazonOpenSearchServerless",
701965
+ "Condition": {
701966
+ "StringEquals": {
701967
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
701968
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
701969
+ "iam:AWSServiceName": "observability.aoss.amazonaws.com"
701970
+ }
701971
+ }
701972
+ },
701973
+ {
701974
+ "Sid": "GlueDefaultDatabaseCreation",
701975
+ "Effect": "Allow",
701976
+ "Action": [
701977
+ "glue:CreateDatabase",
701978
+ "glue:GetDatabase"
701979
+ ],
701980
+ "Resource": [
701981
+ "arn:aws:glue:*:*:database/default",
701982
+ "arn:aws:glue:*:*:catalog"
701983
+ ],
701984
+ "Condition": {
701985
+ "StringEquals": {
701986
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
701987
+ }
701988
+ }
701989
+ },
701990
+ {
701991
+ "Sid": "GlueDatabaseCreationFromCloudFormation",
701992
+ "Effect": "Allow",
701993
+ "Action": [
701994
+ "glue:CreateDatabase"
701995
+ ],
701996
+ "Resource": [
701997
+ "arn:aws:glue:*:*:database/*",
701998
+ "arn:aws:glue:*:*:catalog"
701999
+ ],
702000
+ "Condition": {
702001
+ "StringEquals": {
702002
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702003
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702004
+ }
702005
+ }
702006
+ },
702007
+ {
702008
+ "Sid": "GlueGetDatabaseForTagging",
702009
+ "Effect": "Allow",
702010
+ "Action": [
702011
+ "glue:GetDatabase"
702012
+ ],
702013
+ "Resource": [
702014
+ "arn:aws:glue:*:*:database/*",
702015
+ "arn:aws:glue:*:*:catalog"
702016
+ ],
702017
+ "Condition": {
702018
+ "StringEquals": {
702019
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702020
+ }
702021
+ }
702022
+ },
702023
+ {
702024
+ "Sid": "GlueDatabaseDeletion",
702025
+ "Effect": "Allow",
702026
+ "Action": [
702027
+ "glue:DeleteDatabase"
702028
+ ],
702029
+ "Resource": "*",
702030
+ "Condition": {
702031
+ "StringEquals": {
702032
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702033
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702034
+ }
702035
+ }
702036
+ },
702037
+ {
702038
+ "Sid": "TagGlueResources",
702039
+ "Effect": "Allow",
702040
+ "Action": [
702041
+ "glue:TagResource"
702042
+ ],
702043
+ "Resource": "*",
702044
+ "Condition": {
702045
+ "StringEquals": {
702046
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702047
+ },
702048
+ "Null": {
702049
+ "aws:RequestTag/AmazonDataZoneProject": "false",
702050
+ "aws:TagKeys": "false"
702051
+ },
702052
+ "ForAllValues:StringLike": {
702053
+ "aws:TagKeys": [
702054
+ "AmazonDataZone*"
702055
+ ]
702056
+ }
702057
+ }
702058
+ },
702059
+ {
702060
+ "Sid": "GetGlueConnectionToAllowTagging",
702061
+ "Effect": "Allow",
702062
+ "Action": "glue:GetConnection",
702063
+ "Resource": [
702064
+ "arn:aws:glue:*:*:catalog",
702065
+ "arn:aws:glue:*:*:connection/datazone-glue-network-connection-*"
702066
+ ],
702067
+ "Condition": {
702068
+ "StringEquals": {
702069
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702070
+ }
702071
+ }
702072
+ },
702073
+ {
702074
+ "Sid": "GlueConnectionCreateAndDelete",
702075
+ "Effect": "Allow",
702076
+ "Action": [
702077
+ "glue:CreateConnection",
702078
+ "glue:DeleteConnection"
702079
+ ],
702080
+ "Resource": [
702081
+ "arn:aws:glue:*:*:connection/datazone-glue-network-connection-*",
702082
+ "arn:aws:glue:*:*:catalog"
702083
+ ],
702084
+ "Condition": {
702085
+ "StringEquals": {
702086
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
702087
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
702088
+ }
702089
+ }
702090
+ },
702091
+ {
702092
+ "Sid": "FederatedDataGlueConnectionPermissions",
702093
+ "Action": [
702094
+ "glue:PassConnection",
702095
+ "glue:GetConnections",
702096
+ "glue:GetTags"
702097
+ ],
702098
+ "Resource": [
702099
+ "arn:aws:glue:*:*:connection/*",
702100
+ "arn:aws:glue:*:*:catalog/*"
702101
+ ],
702102
+ "Effect": "Allow",
702103
+ "Condition": {
702104
+ "Null": {
702105
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702106
+ }
702107
+ }
702108
+ },
702109
+ {
702110
+ "Sid": "FederatedDataAthenaConnectionPermissions",
702111
+ "Action": [
702112
+ "athena:CreateDataCatalog"
702113
+ ],
702114
+ "Resource": "arn:aws:athena:*:*:datacatalog/*",
702115
+ "Effect": "Allow",
702116
+ "Condition": {
702117
+ "Null": {
702118
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702119
+ }
702120
+ }
702121
+ },
702122
+ {
702123
+ "Sid": "FederatedDataGetConnectionPermissions",
702124
+ "Effect": "Allow",
702125
+ "Action": [
702126
+ "glue:GetConnection"
702127
+ ],
702128
+ "Resource": [
702129
+ "arn:aws:glue:*:*:connection/*",
702130
+ "arn:aws:glue:*:*:catalog/*"
702131
+ ]
702132
+ },
702133
+ {
702134
+ "Sid": "FederatedDataConnectionTaggingPermissions",
702135
+ "Effect": "Allow",
702136
+ "Action": [
702137
+ "athena:TagResource"
702138
+ ],
702139
+ "Resource": "arn:aws:athena:*:*:datacatalog/*",
702140
+ "Condition": {
702141
+ "Null": {
702142
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
702143
+ "aws:TagKeys": "false"
702144
+ },
702145
+ "ForAllValues:StringLike": {
702146
+ "aws:TagKeys": [
702147
+ "AmazonDataZone*",
702148
+ "federated_athena*"
702149
+ ]
702150
+ }
702151
+ }
702152
+ },
702153
+ {
702154
+ "Sid": "FederatedDataConnectionGlueCreateConnection",
702155
+ "Effect": "Allow",
702156
+ "Action": [
702157
+ "glue:CreateConnection"
702158
+ ],
702159
+ "Resource": [
702160
+ "arn:aws:glue:*:*:catalog",
702161
+ "arn:aws:glue:*:*:connection/*"
702162
+ ],
702163
+ "Condition": {
702164
+ "StringEquals": {
702165
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702166
+ },
702167
+ "Null": {
702168
+ "aws:RequestTag/AmazonDataZoneProject": "false"
702169
+ }
702170
+ }
702171
+ },
702172
+ {
702173
+ "Sid": "FederatedDataConnectionGlueManageConnection",
702174
+ "Effect": "Allow",
702175
+ "Action": [
702176
+ "glue:DeleteConnection",
702177
+ "glue:UpdateConnection"
702178
+ ],
702179
+ "Resource": [
702180
+ "arn:aws:glue:*:*:connection/*"
702181
+ ],
702182
+ "Condition": {
702183
+ "StringEquals": {
702184
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702185
+ },
702186
+ "Null": {
702187
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702188
+ }
702189
+ }
702190
+ },
702191
+ {
702192
+ "Sid": "FederatedDataConnectionGlueManageConnectionOnCatalog",
702193
+ "Effect": "Allow",
702194
+ "Action": [
702195
+ "glue:DeleteConnection",
702196
+ "glue:UpdateConnection"
702197
+ ],
702198
+ "Resource": [
702199
+ "arn:aws:glue:*:*:catalog"
702200
+ ],
702201
+ "Condition": {
702202
+ "StringEquals": {
702203
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702204
+ }
702205
+ }
702206
+ },
702207
+ {
702208
+ "Sid": "GlueKmsPermissions",
702209
+ "Effect": "Allow",
702210
+ "Action": [
702211
+ "kms:Decrypt"
702212
+ ],
702213
+ "Resource": "*",
702214
+ "Condition": {
702215
+ "StringEquals": {
702216
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
702217
+ "kms:EncryptionContext:glue_catalog_id": "${aws:PrincipalAccount}"
702218
+ },
702219
+ "StringLike": {
702220
+ "kms:ViaService": [
702221
+ "glue.*.amazonaws.com"
702222
+ ]
702223
+ }
702224
+ }
702225
+ },
702226
+ {
702227
+ "Sid": "FederatedDBAthenaServerlessPermission",
702228
+ "Effect": "Allow",
702229
+ "Action": [
702230
+ "serverlessrepo:GetCloudFormationTemplate",
702231
+ "serverlessrepo:CreateCloudFormationTemplate"
702232
+ ],
702233
+ "Resource": [
702234
+ "arn:aws:serverlessrepo:*:*:applications/Athena*"
702235
+ ]
702236
+ },
702237
+ {
702238
+ "Sid": "FederatedDBECRPermission",
702239
+ "Effect": "Allow",
702240
+ "Action": [
702241
+ "imagebuilder:GetComponent",
702242
+ "imagebuilder:GetContainerRecipe",
702243
+ "ecr:GetAuthorizationToken",
702244
+ "ecr:BatchGetImage",
702245
+ "ecr:BatchCheckLayerAvailability",
702246
+ "ecr:GetDownloadUrlForLayer"
702247
+ ],
702248
+ "Resource": [
702249
+ "arn:aws:ecr:*:*:repository/athena-federation-repository*"
702250
+ ],
702251
+ "Condition": {
702252
+ "StringEquals": {
702253
+ "aws:CalledViaLast": "lambda.amazonaws.com"
702254
+ }
702255
+ }
702256
+ },
702257
+ {
702258
+ "Sid": "FederatedDBAthenaCFNPermission",
702259
+ "Effect": "Allow",
702260
+ "Action": [
702261
+ "cloudformation:CreateChangeSet",
702262
+ "cloudformation:DeleteChangeSet"
702263
+ ],
702264
+ "Resource": [
702265
+ "arn:aws:cloudformation:*:*:transform/Serverless*"
702266
+ ],
702267
+ "Condition": {
702268
+ "StringEquals": {
702269
+ "aws:CalledViaLast": "cloudformation.amazonaws.com"
702270
+ }
702271
+ }
702272
+ },
702273
+ {
702274
+ "Sid": "FederatedDBAthenaLambdaPermission",
702275
+ "Effect": "Allow",
702276
+ "Action": [
702277
+ "lambda:CreateFunction",
702278
+ "lambda:DeleteFunction"
702279
+ ],
702280
+ "Resource": [
702281
+ "arn:aws:lambda:*:*:function:athenafederatedcatalog*"
702282
+ ],
702283
+ "Condition": {
702284
+ "StringEquals": {
702285
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
702286
+ "aws:CalledViaLast": "cloudformation.amazonaws.com"
702287
+ },
702288
+ "Null": {
702289
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702290
+ }
702291
+ }
702292
+ },
702293
+ {
702294
+ "Sid": "FederatedDBAthenaGetFunctionLambdaPermission",
702295
+ "Effect": "Allow",
702296
+ "Action": [
702297
+ "lambda:GetFunction"
702298
+ ],
702299
+ "Resource": [
702300
+ "arn:aws:lambda:*:*:function:athenafederatedcatalog*"
702301
+ ],
702302
+ "Condition": {
702303
+ "StringEquals": {
702304
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
702305
+ "aws:CalledViaLast": [
702306
+ "athena.amazonaws.com",
702307
+ "cloudformation.amazonaws.com"
702308
+ ]
702309
+ }
702310
+ }
702311
+ },
702312
+ {
702313
+ "Sid": "FederatedDBAthenaUpdateLambdaPermission",
702314
+ "Effect": "Allow",
702315
+ "Action": [
702316
+ "lambda:GetFunctionConfiguration",
702317
+ "lambda:UpdateFunctionConfiguration"
702318
+ ],
702319
+ "Resource": [
702320
+ "arn:aws:lambda:*:*:function:athenafederatedcatalog*"
702321
+ ],
702322
+ "Condition": {
702323
+ "StringEquals": {
702324
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702325
+ },
702326
+ "Null": {
702327
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702328
+ }
702329
+ }
702330
+ },
702331
+ {
702332
+ "Sid": "FederatedDBAthenaLambdaTaggingPermission",
702333
+ "Effect": "Allow",
702334
+ "Action": [
702335
+ "lambda:TagResource"
702336
+ ],
702337
+ "Resource": [
702338
+ "arn:aws:lambda:*:*:function:athenafederatedcatalog*"
702339
+ ],
702340
+ "Condition": {
702341
+ "StringEquals": {
702342
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
702343
+ "aws:CalledViaLast": "cloudformation.amazonaws.com"
702344
+ },
702345
+ "Null": {
702346
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
702347
+ "aws:TagKeys": "false"
702348
+ },
702349
+ "ForAllValues:StringLike": {
702350
+ "aws:TagKeys": [
702351
+ "AmazonDataZone*",
702352
+ "aws:cloudformation:*",
702353
+ "federated_athena*",
702354
+ "lambda:createdBy"
702355
+ ]
702356
+ }
702357
+ }
702358
+ },
702359
+ {
702360
+ "Sid": "FederatedDBAthenaS3Permission",
702361
+ "Effect": "Allow",
702362
+ "Action": [
702363
+ "s3:GetObject"
702364
+ ],
702365
+ "Resource": [
702366
+ "arn:aws:s3:::awsserverlessrepo*"
702367
+ ],
702368
+ "Condition": {
702369
+ "StringLike": {
702370
+ "aws:CalledViaLast": [
702371
+ "lambda.amazonaws.com"
702372
+ ]
702373
+ }
702374
+ }
702375
+ },
702376
+ {
702377
+ "Sid": "FederatedDBGlueS3Permission",
702378
+ "Effect": "Allow",
702379
+ "Action": [
702380
+ "s3:ListBucket"
702381
+ ],
702382
+ "Resource": [
702383
+ "arn:aws:s3:::*"
702384
+ ],
702385
+ "Condition": {
702386
+ "StringEquals": {
702387
+ "aws:CalledViaLast": [
702388
+ "glue.amazonaws.com"
702389
+ ],
702390
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702391
+ },
702392
+ "Null": {
702393
+ "s3:prefix": "true"
702394
+ }
702395
+ }
702396
+ },
702397
+ {
702398
+ "Sid": "FederatedDBAthenaCommonPermission",
702399
+ "Effect": "Allow",
702400
+ "Action": [
702401
+ "cloudformation:CreateStack",
702402
+ "cloudformation:DeleteStack",
702403
+ "cloudformation:DescribeStacks"
702404
+ ],
702405
+ "Resource": "arn:aws:cloudformation:*:*:stack/athenafederatedcatalog*",
702406
+ "Condition": {
702407
+ "Null": {
702408
+ "aws:ResourceTag/federated_athena_datacatalog": "false"
702409
+ }
702410
+ }
702411
+ },
702412
+ {
702413
+ "Sid": "DataCatalogAccessForFederatedDatabase",
702414
+ "Effect": "Allow",
702415
+ "Action": [
702416
+ "athena:DeleteDataCatalog",
702417
+ "athena:GetDataCatalog",
702418
+ "athena:UpdateDataCatalog"
702419
+ ],
702420
+ "Resource": "arn:aws:athena:*:*:datacatalog/*",
702421
+ "Condition": {
702422
+ "StringEquals": {
702423
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702424
+ }
702425
+ }
702426
+ },
702427
+ {
702428
+ "Sid": "IamPassProjectRoleToLambdaForFederatedDataConnection",
702429
+ "Effect": "Allow",
702430
+ "Action": "iam:PassRole",
702431
+ "Resource": [
702432
+ "arn:aws:iam::*:role/datazone_usr_role_*"
702433
+ ],
702434
+ "Condition": {
702435
+ "StringEquals": {
702436
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
702437
+ "iam:PassedToService": [
702438
+ "lambda.amazonaws.com"
702439
+ ]
702440
+ }
702441
+ }
702442
+ },
702443
+ {
702444
+ "Sid": "IamGetRoleProvisioningRoleForFederatedDataConnection",
702445
+ "Action": [
702446
+ "iam:GetRole"
702447
+ ],
702448
+ "Resource": "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole",
702449
+ "Effect": "Allow"
702450
+ },
702451
+ {
702452
+ "Sid": "GlueCatalogCreation",
702453
+ "Effect": "Allow",
702454
+ "Action": [
702455
+ "glue:CreateCatalog"
702456
+ ],
702457
+ "Resource": [
702458
+ "arn:aws:glue:*:*:catalog",
702459
+ "arn:aws:glue:*:*:catalog/*"
702460
+ ],
702461
+ "Condition": {
702462
+ "StringEquals": {
702463
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702464
+ },
702465
+ "Null": {
702466
+ "aws:RequestTag/AmazonDataZoneProject": "false"
702467
+ }
702468
+ }
702469
+ },
702470
+ {
702471
+ "Sid": "GlueCatalogManagement",
702472
+ "Effect": "Allow",
702473
+ "Action": [
702474
+ "glue:GetCatalog",
702475
+ "glue:GetCatalogs",
702476
+ "glue:UpdateCatalog",
702477
+ "glue:DeleteCatalog",
702478
+ "glue:GetDatabase"
702479
+ ],
702480
+ "Resource": [
702481
+ "arn:aws:glue:*:*:catalog",
702482
+ "arn:aws:glue:*:*:catalog/*"
702483
+ ],
702484
+ "Condition": {
702485
+ "StringEquals": {
702486
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702487
+ }
702488
+ }
702489
+ },
702490
+ {
702491
+ "Sid": "RedShiftPermissionsForGlueCatalogs",
702492
+ "Effect": "Allow",
702493
+ "Action": [
702494
+ "redshift-serverless:CreateNamespace",
702495
+ "redshift-serverless:CreateWorkgroup",
702496
+ "redshift-serverless:DeleteNamespace",
702497
+ "redshift-serverless:DeleteWorkgroup",
702498
+ "redshift-serverless:ListTagsForResource"
702499
+ ],
702500
+ "Resource": [
702501
+ "arn:aws:redshift-serverless:*:*:namespace/*",
702502
+ "arn:aws:redshift-serverless:*:*:workgroup/*"
702503
+ ],
702504
+ "Condition": {
702505
+ "StringEquals": {
702506
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702507
+ }
702508
+ }
702509
+ },
702510
+ {
702511
+ "Sid": "RedShiftDataSharePermissionsForGlueCatalogs",
702512
+ "Effect": "Allow",
702513
+ "Action": [
702514
+ "redshift:AssociateDataShareConsumer",
702515
+ "redshift:AuthorizeDataShare"
702516
+ ],
702517
+ "Resource": [
702518
+ "arn:aws:redshift:*:*:datashare:*/*"
702519
+ ],
702520
+ "Condition": {
702521
+ "ForAnyValue:StringLike": {
702522
+ "aws:CalledVia": [
702523
+ "redshift-serverless.amazonaws.com",
702524
+ "glue.amazonaws.com"
702525
+ ]
702526
+ },
702527
+ "StringEquals": {
702528
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702529
+ }
702530
+ }
702531
+ },
702532
+ {
702533
+ "Sid": "RedShiftStagingBucketCreation",
702534
+ "Effect": "Allow",
702535
+ "Action": [
702536
+ "s3:CreateBucket",
702537
+ "s3:DeleteBucket",
702538
+ "s3:PutBucketPolicy",
702539
+ "s3:PutEncryptionConfiguration",
702540
+ "s3:PutLifecycleConfiguration",
702541
+ "s3:PutBucketVersioning",
702542
+ "s3:PutBucketTagging"
702543
+ ],
702544
+ "Resource": "arn:aws:s3:::redshift-staging-bucket-*",
702545
+ "Condition": {
702546
+ "StringEquals": {
702547
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702548
+ }
702549
+ }
702550
+ },
702551
+ {
702552
+ "Sid": "RedshiftServerlessTaggingForGlueCatalog",
702553
+ "Effect": "Allow",
702554
+ "Action": [
702555
+ "redshift-serverless:TagResource"
702556
+ ],
702557
+ "Resource": [
702558
+ "arn:aws:redshift-serverless:*:*:namespace/*",
702559
+ "arn:aws:redshift-serverless:*:*:workgroup/*"
702560
+ ],
702561
+ "Condition": {
702562
+ "StringEquals": {
702563
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702564
+ },
702565
+ "Null": {
702566
+ "aws:RequestTag/AmazonDataZoneProject": "false",
702567
+ "aws:TagKeys": "false"
702568
+ },
702569
+ "ForAllValues:StringLike": {
702570
+ "aws:TagKeys": [
702571
+ "AmazonDataZone*"
702572
+ ]
702573
+ }
702574
+ }
702575
+ },
702576
+ {
702577
+ "Sid": "SecurityGroupCreation",
702578
+ "Effect": "Allow",
702579
+ "Action": [
702580
+ "ec2:CreateSecurityGroup"
702581
+ ],
702582
+ "Resource": [
702583
+ "arn:aws:ec2:*:*:security-group/*",
702584
+ "arn:aws:ec2:*:*:vpc/*"
702585
+ ],
702586
+ "Condition": {
702587
+ "StringEquals": {
702588
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702589
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702590
+ },
702591
+ "Null": {
702592
+ "aws:TagKeys": "true"
702593
+ }
702594
+ }
702595
+ },
702596
+ {
702597
+ "Sid": "SecurityGroupAuthorize",
702598
+ "Effect": "Allow",
702599
+ "Action": [
702600
+ "ec2:AuthorizeSecurityGroupEgress",
702601
+ "ec2:AuthorizeSecurityGroupIngress"
702602
+ ],
702603
+ "Resource": [
702604
+ "arn:aws:ec2:*:*:security-group/*"
702605
+ ],
702606
+ "Condition": {
702607
+ "StringEquals": {
702608
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702609
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702610
+ },
702611
+ "Null": {
702612
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702613
+ }
702614
+ }
702615
+ },
702616
+ {
702617
+ "Sid": "SecurityGroupManagement",
702618
+ "Effect": "Allow",
702619
+ "Action": [
702620
+ "ec2:DeleteSecurityGroup",
702621
+ "ec2:RevokeSecurityGroupEgress",
702622
+ "ec2:RevokeSecurityGroupIngress"
702623
+ ],
702624
+ "Resource": [
702625
+ "arn:aws:ec2:*:*:security-group/*"
702626
+ ],
702627
+ "Condition": {
702628
+ "StringEquals": {
702629
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702630
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702631
+ }
702632
+ }
702633
+ },
702634
+ {
702635
+ "Sid": "SecurityGroupIngressRevokeForEMR",
702636
+ "Effect": "Allow",
702637
+ "Action": [
702638
+ "ec2:RevokeSecurityGroupIngress"
702639
+ ],
702640
+ "Resource": [
702641
+ "arn:aws:ec2:*:*:security-group/*"
702642
+ ],
702643
+ "Condition": {
702644
+ "Null": {
702645
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702646
+ }
702647
+ }
702648
+ },
702649
+ {
702650
+ "Sid": "EC2ResourceTagging",
702651
+ "Effect": "Allow",
702652
+ "Action": "ec2:CreateTags",
702653
+ "Resource": [
702654
+ "arn:aws:ec2:*:*:security-group/*"
702655
+ ],
702656
+ "Condition": {
702657
+ "StringEquals": {
702658
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702659
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702660
+ },
702661
+ "Null": {
702662
+ "aws:TagKeys": "false"
702663
+ },
702664
+ "ForAllValues:StringLike": {
702665
+ "aws:TagKeys": [
702666
+ "AmazonDataZone*",
702667
+ "for-use-with-amazon-emr-managed-policies",
702668
+ "aws:cloudformation:*"
702669
+ ]
702670
+ }
702671
+ }
702672
+ },
702673
+ {
702674
+ "Sid": "DescribeNetworksPermissions",
702675
+ "Effect": "Allow",
702676
+ "Action": [
702677
+ "ec2:DescribeVpcs",
702678
+ "ec2:DescribeSecurityGroups",
702679
+ "ec2:DescribeNatGateways",
702680
+ "ec2:DescribeRouteTables",
702681
+ "ec2:DescribeSubnets"
702682
+ ],
702683
+ "Resource": "*"
702684
+ },
702685
+ {
702686
+ "Sid": "DescribeLogGroups",
702687
+ "Effect": "Allow",
702688
+ "Action": "logs:DescribeLogGroups",
702689
+ "Resource": "*",
702690
+ "Condition": {
702691
+ "StringEquals": {
702692
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
702693
+ }
702694
+ }
702695
+ },
702696
+ {
702697
+ "Sid": "LogGroupCreation",
702698
+ "Effect": "Allow",
702699
+ "Action": [
702700
+ "logs:CreateLogGroup",
702701
+ "logs:TagResource"
702702
+ ],
702703
+ "Resource": [
702704
+ "arn:aws:logs:*:*:log-group:datazone-*",
702705
+ "arn:aws:logs:*:*:log-group:/aws/lambda/amazon-bedrock-ide-*"
702706
+ ],
702707
+ "Condition": {
702708
+ "StringEquals": {
702709
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702710
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702711
+ },
702712
+ "Null": {
702713
+ "aws:RequestTag/AmazonDataZoneProject": "false",
702714
+ "aws:TagKeys": "false"
702715
+ },
702716
+ "ForAllValues:StringLike": {
702717
+ "aws:TagKeys": [
702718
+ "AmazonDataZone*",
702719
+ "AmazonBedrockManaged"
702720
+ ]
702721
+ }
702722
+ }
702723
+ },
702724
+ {
702725
+ "Sid": "LogGroupPutRetentionPolicy",
702726
+ "Effect": "Allow",
702727
+ "Action": "logs:PutRetentionPolicy",
702728
+ "Resource": [
702729
+ "arn:aws:logs:*:*:log-group:datazone-*",
702730
+ "arn:aws:logs:*:*:log-group:/aws/lambda/amazon-bedrock-ide-*"
702731
+ ],
702732
+ "Condition": {
702733
+ "StringEquals": {
702734
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702735
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702736
+ }
702737
+ }
702738
+ },
702739
+ {
702740
+ "Sid": "ManageLogGroups",
702741
+ "Effect": "Allow",
702742
+ "Action": [
702743
+ "logs:DeleteLogGroup",
702744
+ "logs:DeleteRetentionPolicy",
702745
+ "logs:GetDataProtectionPolicy",
702746
+ "logs:PutDataProtectionPolicy",
702747
+ "logs:DeleteDataProtectionPolicy",
702748
+ "logs:AssociateKmsKey",
702749
+ "logs:DisassociateKmsKey",
702750
+ "logs:ListTagsForResource"
702751
+ ],
702752
+ "Resource": [
702753
+ "arn:aws:logs:*:*:log-group:datazone-*",
702754
+ "arn:aws:logs:*:*:log-group:/aws/lambda/amazon-bedrock-ide-*"
702755
+ ],
702756
+ "Condition": {
702757
+ "StringEquals": {
702758
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702759
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702760
+ },
702761
+ "Null": {
702762
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702763
+ }
702764
+ }
702765
+ },
702766
+ {
702767
+ "Sid": "AthenaWorkgroupCreationAndTagging",
702768
+ "Effect": "Allow",
702769
+ "Action": [
702770
+ "athena:CreateWorkGroup",
702771
+ "athena:TagResource"
702772
+ ],
702773
+ "Resource": "arn:aws:athena:*:*:workgroup/*",
702774
+ "Condition": {
702775
+ "StringEquals": {
702776
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702777
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702778
+ },
702779
+ "Null": {
702780
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
702781
+ "aws:TagKeys": "false"
702782
+ },
702783
+ "ForAllValues:StringLike": {
702784
+ "aws:TagKeys": [
702785
+ "AmazonDataZone*"
702786
+ ]
702787
+ }
702788
+ }
702789
+ },
702790
+ {
702791
+ "Sid": "AthenaWorkgroupDeletion",
702792
+ "Effect": "Allow",
702793
+ "Action": [
702794
+ "athena:DeleteWorkGroup",
702795
+ "athena:GetWorkGroup"
702796
+ ],
702797
+ "Resource": "arn:aws:athena:*:*:workgroup/*",
702798
+ "Condition": {
702799
+ "StringEquals": {
702800
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702801
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702802
+ },
702803
+ "Null": {
702804
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702805
+ }
702806
+ }
702807
+ },
702808
+ {
702809
+ "Sid": "RedshiftServerlessCreationAndTagging",
702810
+ "Effect": "Allow",
702811
+ "Action": [
702812
+ "redshift-serverless:CreateNamespace",
702813
+ "redshift-serverless:CreateWorkgroup",
702814
+ "redshift-serverless:TagResource"
702815
+ ],
702816
+ "Resource": [
702817
+ "arn:aws:redshift-serverless:*:*:namespace/*",
702818
+ "arn:aws:redshift-serverless:*:*:workgroup/*"
702819
+ ],
702820
+ "Condition": {
702821
+ "StringEquals": {
702822
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702823
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702824
+ },
702825
+ "Null": {
702826
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
702827
+ "aws:TagKeys": "false"
702828
+ },
702829
+ "ForAllValues:StringLike": {
702830
+ "aws:TagKeys": [
702831
+ "AmazonDataZone*"
702832
+ ]
702833
+ }
702834
+ }
702835
+ },
702836
+ {
702837
+ "Sid": "RedshiftServerlessListTags",
702838
+ "Effect": "Allow",
702839
+ "Action": [
702840
+ "redshift-serverless:ListTagsForResource"
702841
+ ],
702842
+ "Resource": [
702843
+ "arn:aws:redshift-serverless:*:*:namespace/*",
702844
+ "arn:aws:redshift-serverless:*:*:workgroup/*"
702845
+ ],
702846
+ "Condition": {
702847
+ "StringEquals": {
702848
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
702849
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702850
+ }
702851
+ }
702852
+ },
702853
+ {
702854
+ "Sid": "AllowSecretManagement",
702855
+ "Effect": "Allow",
702856
+ "Action": [
702857
+ "secretsmanager:CreateSecret",
702858
+ "secretsmanager:DeleteSecret",
702859
+ "secretsmanager:UpdateSecret"
702860
+ ],
702861
+ "Resource": "*",
702862
+ "Condition": {
702863
+ "Null": {
702864
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
702865
+ "aws:ResourceTag/CreatedBy": "false"
702866
+ }
702867
+ }
702868
+ },
702869
+ {
702870
+ "Sid": "AllowDescribeSecretPerProject",
702871
+ "Effect": "Allow",
702872
+ "Action": [
702873
+ "secretsmanager:DescribeSecret"
702874
+ ],
702875
+ "Resource": "*",
702876
+ "Condition": {
702877
+ "Null": {
702878
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702879
+ }
702880
+ }
702881
+ },
702882
+ {
702883
+ "Sid": "AllowDescribeSecretTaggedForAllProjects",
702884
+ "Effect": "Allow",
702885
+ "Action": [
702886
+ "secretsmanager:DescribeSecret"
702887
+ ],
702888
+ "Resource": "*",
702889
+ "Condition": {
702890
+ "StringEquals": {
702891
+ "aws:ResourceTag/for-use-with-all-datazone-projects": "true"
702892
+ }
702893
+ }
702894
+ },
702895
+ {
702896
+ "Sid": "AllowSecretTagging",
702897
+ "Effect": "Allow",
702898
+ "Action": [
702899
+ "secretsmanager:TagResource"
702900
+ ],
702901
+ "Resource": "*",
702902
+ "Condition": {
702903
+ "Null": {
702904
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
702905
+ "aws:ResourceTag/CreatedBy": "false",
702906
+ "aws:TagKeys": "false"
702907
+ },
702908
+ "ForAllValues:StringLike": {
702909
+ "aws:TagKeys": [
702910
+ "AmazonDataZone*",
702911
+ "CreatedBy"
702912
+ ]
702913
+ }
702914
+ }
702915
+ },
702916
+ {
702917
+ "Sid": "SecretsManagerKmsPermissions",
702918
+ "Effect": "Allow",
702919
+ "Action": [
702920
+ "kms:GenerateDataKey",
702921
+ "kms:Decrypt"
702922
+ ],
702923
+ "Resource": "*",
702924
+ "Condition": {
702925
+ "StringLike": {
702926
+ "kms:ViaService": [
702927
+ "secretsmanager.*.amazonaws.com"
702928
+ ]
702929
+ },
702930
+ "StringEquals": {
702931
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702932
+ },
702933
+ "Null": {
702934
+ "kms:EncryptionContext:SecretARN": "false"
702935
+ }
702936
+ }
702937
+ },
702938
+ {
702939
+ "Sid": "ServiceLinkedRoleCreation",
702940
+ "Effect": "Allow",
702941
+ "Action": "iam:CreateServiceLinkedRole",
702942
+ "Resource": [
702943
+ "arn:aws:iam::*:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift",
702944
+ "arn:aws:iam::*:role/aws-service-role/sagemaker.amazonaws.com/AWSServiceRoleForAmazonSageMakerNotebooks",
702945
+ "arn:aws:iam::*:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWSServiceRoleForAmazonEMRServerless",
702946
+ "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA",
702947
+ "arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com/AWSServiceRoleForEMRCleanup"
702948
+ ]
702949
+ },
702950
+ {
702951
+ "Sid": "RedshiftServerlessCreationPermissions",
702952
+ "Effect": "Allow",
702953
+ "Action": [
702954
+ "redshift-serverless:ListNamespaces",
702955
+ "redshift-serverless:ListWorkgroups",
702956
+ "redshift:GetResourcePolicy"
702957
+ ],
702958
+ "Resource": "*",
702959
+ "Condition": {
702960
+ "StringEquals": {
702961
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
702962
+ }
702963
+ }
702964
+ },
702965
+ {
702966
+ "Sid": "EC2PermissionsForGlueCatalog",
702967
+ "Effect": "Allow",
702968
+ "Action": [
702969
+ "ec2:DescribeAccountAttributes",
702970
+ "ec2:DescribeAvailabilityZones"
702971
+ ],
702972
+ "Resource": "*"
702973
+ },
702974
+ {
702975
+ "Sid": "RedshiftServerlessCreateDatabaseRole",
702976
+ "Effect": "Allow",
702977
+ "Action": [
702978
+ "redshift-data:ExecuteStatement",
702979
+ "redshift:GetResourcePolicy",
702980
+ "redshift-serverless:GetCredentials"
702981
+ ],
702982
+ "Resource": [
702983
+ "arn:aws:redshift-serverless:*:*:namespace/*",
702984
+ "arn:aws:redshift-serverless:*:*:workgroup/*"
702985
+ ],
702986
+ "Condition": {
702987
+ "StringEquals": {
702988
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
702989
+ },
702990
+ "Null": {
702991
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
702992
+ }
702993
+ }
702994
+ },
702995
+ {
702996
+ "Sid": "RedshiftDataDescribeStatement",
702997
+ "Effect": "Allow",
702998
+ "Action": [
702999
+ "redshift-data:DescribeStatement",
703000
+ "redshift-data:GetStatementResult"
703001
+ ],
703002
+ "Resource": "*"
703003
+ },
703004
+ {
703005
+ "Sid": "RedshiftDatashareDescribe",
703006
+ "Effect": "Allow",
703007
+ "Action": [
703008
+ "redshift:DescribeDataSharesForConsumer",
703009
+ "redshift:DescribeDataShares"
703010
+ ],
703011
+ "Resource": "*"
703012
+ },
703013
+ {
703014
+ "Sid": "RedshiftServerlessValidation",
703015
+ "Effect": "Allow",
703016
+ "Action": [
703017
+ "redshift-serverless:GetNamespace",
703018
+ "redshift-serverless:GetWorkgroup"
703019
+ ],
703020
+ "Resource": [
703021
+ "arn:aws:redshift-serverless:*:*:namespace/*",
703022
+ "arn:aws:redshift-serverless:*:*:workgroup/*"
703023
+ ],
703024
+ "Condition": {
703025
+ "StringEquals": {
703026
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703027
+ }
703028
+ }
703029
+ },
703030
+ {
703031
+ "Sid": "RedshiftServerlessManagement",
703032
+ "Effect": "Allow",
703033
+ "Action": [
703034
+ "redshift-serverless:UpdateNamespace",
703035
+ "redshift-serverless:UpdateWorkgroup",
703036
+ "redshift-serverless:UntagResource"
703037
+ ],
703038
+ "Resource": [
703039
+ "arn:aws:redshift-serverless:*:*:namespace/*",
703040
+ "arn:aws:redshift-serverless:*:*:workgroup/*"
703041
+ ],
703042
+ "Condition": {
703043
+ "StringEquals": {
703044
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703045
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703046
+ },
703047
+ "Null": {
703048
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703049
+ }
703050
+ }
703051
+ },
703052
+ {
703053
+ "Sid": "RedshiftKmsPermissions",
703054
+ "Effect": "Allow",
703055
+ "Action": [
703056
+ "kms:Decrypt",
703057
+ "kms:Encrypt",
703058
+ "kms:GenerateDataKey"
703059
+ ],
703060
+ "Resource": "*",
703061
+ "Condition": {
703062
+ "StringLike": {
703063
+ "kms:ViaService": [
703064
+ "redshift-serverless.*.amazonaws.com"
703065
+ ]
703066
+ },
703067
+ "StringEquals": {
703068
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703069
+ },
703070
+ "Null": {
703071
+ "kms:EncryptionContext:aws:redshift-serverless:arn": "false"
703072
+ }
703073
+ }
703074
+ },
703075
+ {
703076
+ "Sid": "GetRandomPasswordForSecret",
703077
+ "Effect": "Allow",
703078
+ "Action": "secretsmanager:GetRandomPassword",
703079
+ "Resource": "*",
703080
+ "Condition": {
703081
+ "StringEquals": {
703082
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
703083
+ }
703084
+ }
703085
+ },
703086
+ {
703087
+ "Sid": "ManageSecretPermissionsForBedrockApp",
703088
+ "Effect": "Allow",
703089
+ "Action": [
703090
+ "secretsmanager:DescribeSecret",
703091
+ "secretsmanager:CreateSecret",
703092
+ "secretsmanager:UpdateSecret",
703093
+ "secretsmanager:DeleteSecret",
703094
+ "secretsmanager:GetResourcePolicy",
703095
+ "secretsmanager:PutResourcePolicy",
703096
+ "secretsmanager:DeleteResourcePolicy",
703097
+ "secretsmanager:TagResource"
703098
+ ],
703099
+ "Resource": "arn:aws:secretsmanager:*:*:secret:amazon-bedrock-ide/*",
703100
+ "Condition": {
703101
+ "StringEquals": {
703102
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703103
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703104
+ },
703105
+ "Null": {
703106
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703107
+ }
703108
+ }
703109
+ },
703110
+ {
703111
+ "Sid": "ManagedRedshiftAdminSecretPermissions",
703112
+ "Effect": "Allow",
703113
+ "Action": [
703114
+ "secretsmanager:CreateSecret",
703115
+ "secretsmanager:RotateSecret",
703116
+ "secretsmanager:DescribeSecret",
703117
+ "secretsmanager:UpdateSecret",
703118
+ "secretsmanager:DeleteSecret"
703119
+ ],
703120
+ "Resource": "arn:aws:secretsmanager:*:*:secret:redshift!*",
703121
+ "Condition": {
703122
+ "StringEquals": {
703123
+ "aws:CalledViaFirst": [
703124
+ "cloudformation.amazonaws.com"
703125
+ ],
703126
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703127
+ }
703128
+ }
703129
+ },
703130
+ {
703131
+ "Sid": "ManagedRedshiftAdminSecretTaggingPermissions",
703132
+ "Effect": "Allow",
703133
+ "Action": [
703134
+ "secretsmanager:TagResource"
703135
+ ],
703136
+ "Resource": "arn:aws:secretsmanager:*:*:secret:redshift!*",
703137
+ "Condition": {
703138
+ "Null": {
703139
+ "aws:TagKeys": "false"
703140
+ },
703141
+ "ForAllValues:StringLike": {
703142
+ "aws:TagKeys": [
703143
+ "Redshift",
703144
+ "aws:secretsmanager:*",
703145
+ "aws:redshift-serverless:*",
703146
+ "AmazonDataZone*",
703147
+ "datazone.rs.workgroup"
703148
+ ]
703149
+ },
703150
+ "StringEquals": {
703151
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703152
+ }
703153
+ }
703154
+ },
703155
+ {
703156
+ "Sid": "SageMakerDomainCreationAndTagging",
703157
+ "Effect": "Allow",
703158
+ "Action": [
703159
+ "sagemaker:CreateDomain",
703160
+ "sagemaker:AddTags"
703161
+ ],
703162
+ "Resource": "arn:aws:sagemaker:*:*:domain/*",
703163
+ "Condition": {
703164
+ "StringEquals": {
703165
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703166
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703167
+ },
703168
+ "Null": {
703169
+ "aws:RequestTag/AmazonDataZoneProject": "false"
703170
+ }
703171
+ }
703172
+ },
703173
+ {
703174
+ "Sid": "SageMakerDomainDeletion",
703175
+ "Effect": "Allow",
703176
+ "Action": "sagemaker:DeleteDomain",
703177
+ "Resource": "arn:aws:sagemaker:*:*:domain/*",
703178
+ "Condition": {
703179
+ "StringEquals": {
703180
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703181
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703182
+ },
703183
+ "Null": {
703184
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703185
+ }
703186
+ }
703187
+ },
703188
+ {
703189
+ "Sid": "SageMakerDomainManagement",
703190
+ "Effect": "Allow",
703191
+ "Action": [
703192
+ "sagemaker:ListDomains",
703193
+ "sagemaker:DescribeDomain"
703194
+ ],
703195
+ "Resource": "*",
703196
+ "Condition": {
703197
+ "StringEquals": {
703198
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
703199
+ }
703200
+ }
703201
+ },
703202
+ {
703203
+ "Sid": "SageMakerAppDeletion",
703204
+ "Effect": "Allow",
703205
+ "Action": "sagemaker:DeleteApp",
703206
+ "Resource": [
703207
+ "arn:aws:sagemaker:*:*:app/*/*/jupyterlab/*",
703208
+ "arn:aws:sagemaker:*:*:app/*/*/JupyterLab/*"
703209
+ ],
703210
+ "Condition": {
703211
+ "StringEquals": {
703212
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703213
+ },
703214
+ "Null": {
703215
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703216
+ }
703217
+ }
703218
+ },
703219
+ {
703220
+ "Sid": "SageMakerSpaceDeletion",
703221
+ "Effect": "Allow",
703222
+ "Action": "sagemaker:DeleteSpace",
703223
+ "Resource": "arn:aws:sagemaker:*:*:space/*",
703224
+ "Condition": {
703225
+ "StringEquals": {
703226
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703227
+ },
703228
+ "Null": {
703229
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703230
+ }
703231
+ }
703232
+ },
703233
+ {
703234
+ "Sid": "SageMakerUserProfileDeletion",
703235
+ "Effect": "Allow",
703236
+ "Action": "sagemaker:DeleteUserProfile",
703237
+ "Resource": "arn:aws:sagemaker:*:*:user-profile/*",
703238
+ "Condition": {
703239
+ "StringEquals": {
703240
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703241
+ },
703242
+ "Null": {
703243
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703244
+ }
703245
+ }
703246
+ },
703247
+ {
703248
+ "Sid": "EMRServerlessApplicationCreationAndTagging",
703249
+ "Effect": "Allow",
703250
+ "Action": [
703251
+ "emr-serverless:CreateApplication",
703252
+ "emr-serverless:TagResource"
703253
+ ],
703254
+ "Resource": [
703255
+ "arn:aws:emr-serverless:*:*:*"
703256
+ ],
703257
+ "Condition": {
703258
+ "StringEquals": {
703259
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703260
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703261
+ },
703262
+ "Null": {
703263
+ "aws:ResourceTag/AmazonDataZoneProject": "false",
703264
+ "aws:TagKeys": "false"
703265
+ },
703266
+ "ForAllValues:StringLike": {
703267
+ "aws:TagKeys": [
703268
+ "AmazonDataZone*"
703269
+ ]
703270
+ }
703271
+ }
703272
+ },
703273
+ {
703274
+ "Sid": "EMRServerlessApplicationManagement",
703275
+ "Effect": "Allow",
703276
+ "Action": [
703277
+ "emr-serverless:GetApplication",
703278
+ "emr-serverless:DeleteApplication"
703279
+ ],
703280
+ "Resource": [
703281
+ "arn:aws:emr-serverless:*:*:/applications/*"
703282
+ ],
703283
+ "Condition": {
703284
+ "StringEquals": {
703285
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703286
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703287
+ },
703288
+ "Null": {
703289
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703290
+ }
703291
+ }
703292
+ },
703293
+ {
703294
+ "Sid": "CreateNetworkInterfaceForEMRServerless",
703295
+ "Effect": "Allow",
703296
+ "Action": "ec2:CreateNetworkInterface",
703297
+ "Resource": [
703298
+ "arn:aws:ec2:*:*:network-interface/*",
703299
+ "arn:aws:ec2:*:*:subnet/*",
703300
+ "arn:aws:ec2:*:*:security-group/*"
703301
+ ],
703302
+ "Condition": {
703303
+ "StringEquals": {
703304
+ "aws:CalledViaLast": "ops.emr-serverless.amazonaws.com",
703305
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703306
+ }
703307
+ }
703308
+ },
703309
+ {
703310
+ "Sid": "SageMakerMlflowTrackingServerCreation",
703311
+ "Effect": "Allow",
703312
+ "Action": [
703313
+ "sagemaker:CreateMlflowTrackingServer",
703314
+ "sagemaker:AddTags"
703315
+ ],
703316
+ "Resource": "arn:aws:sagemaker:*:*:mlflow-tracking-server/*",
703317
+ "Condition": {
703318
+ "StringEquals": {
703319
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703320
+ },
703321
+ "Null": {
703322
+ "aws:RequestTag/AmazonDataZoneProject": "false"
703323
+ }
703324
+ }
703325
+ },
703326
+ {
703327
+ "Sid": "SageMakerMlflowTrackingServerDescribe",
703328
+ "Effect": "Allow",
703329
+ "Action": "sagemaker:DescribeMlflowTrackingServer",
703330
+ "Resource": "arn:aws:sagemaker:*:*:mlflow-tracking-server/*"
703331
+ },
703332
+ {
703333
+ "Sid": "SageMakerMlflowTrackingServerDeletion",
703334
+ "Effect": "Allow",
703335
+ "Action": [
703336
+ "sagemaker:DeleteMlflowTrackingServer"
703337
+ ],
703338
+ "Resource": "arn:aws:sagemaker:*:*:mlflow-tracking-server/*",
703339
+ "Condition": {
703340
+ "StringEquals": {
703341
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703342
+ },
703343
+ "Null": {
703344
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703345
+ }
703346
+ }
703347
+ },
703348
+ {
703349
+ "Sid": "ManageAossAccessPoliciesForBedrock",
703350
+ "Effect": "Allow",
703351
+ "Action": [
703352
+ "aoss:GetAccessPolicy",
703353
+ "aoss:CreateAccessPolicy",
703354
+ "aoss:DeleteAccessPolicy",
703355
+ "aoss:UpdateAccessPolicy"
703356
+ ],
703357
+ "Resource": "*",
703358
+ "Condition": {
703359
+ "StringEquals": {
703360
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
703361
+ },
703362
+ "StringLikeIfExists": {
703363
+ "aoss:collection": "bedrock-ide-*",
703364
+ "aoss:index": "bedrock-ide-*"
703365
+ }
703366
+ }
703367
+ },
703368
+ {
703369
+ "Sid": "ManageAossSecurityPoliciesForBedrock",
703370
+ "Effect": "Allow",
703371
+ "Action": [
703372
+ "aoss:GetSecurityPolicy",
703373
+ "aoss:CreateSecurityPolicy",
703374
+ "aoss:DeleteSecurityPolicy",
703375
+ "aoss:UpdateSecurityPolicy"
703376
+ ],
703377
+ "Resource": "*",
703378
+ "Condition": {
703379
+ "StringEquals": {
703380
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
703381
+ },
703382
+ "StringLikeIfExists": {
703383
+ "aoss:collection": "bedrock-ide-*"
703384
+ }
703385
+ }
703386
+ },
703387
+ {
703388
+ "Sid": "GetAossCollectionsForBedrock",
703389
+ "Effect": "Allow",
703390
+ "Action": "aoss:BatchGetCollection",
703391
+ "Resource": "*",
703392
+ "Condition": {
703393
+ "StringEquals": {
703394
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703395
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703396
+ }
703397
+ }
703398
+ },
703399
+ {
703400
+ "Sid": "ManageAossCollectionsForBedrock",
703401
+ "Effect": "Allow",
703402
+ "Action": [
703403
+ "aoss:CreateCollection",
703404
+ "aoss:UpdateCollection",
703405
+ "aoss:DeleteCollection",
703406
+ "aoss:TagResource"
703407
+ ],
703408
+ "Resource": "*",
703409
+ "Condition": {
703410
+ "StringEquals": {
703411
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703412
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703413
+ },
703414
+ "Null": {
703415
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703416
+ }
703417
+ }
703418
+ },
703419
+ {
703420
+ "Sid": "GetBedrockCfnResourceDefinitionS3Permissions",
703421
+ "Effect": "Allow",
703422
+ "Action": [
703423
+ "s3:GetObject",
703424
+ "s3:GetObjectVersion"
703425
+ ],
703426
+ "Resource": "arn:aws:s3:::*/dzd_*/*/genAI/*",
703427
+ "Condition": {
703428
+ "StringEquals": {
703429
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703430
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703431
+ }
703432
+ }
703433
+ },
703434
+ {
703435
+ "Sid": "GetBedrockResources",
703436
+ "Effect": "Allow",
703437
+ "Action": [
703438
+ "bedrock:GetAgent",
703439
+ "bedrock:GetKnowledgeBase",
703440
+ "bedrock:GetGuardrail",
703441
+ "bedrock:GetPrompt",
703442
+ "bedrock:GetFlow",
703443
+ "bedrock:GetFlowAlias",
703444
+ "bedrock:ListTagsForResource"
703445
+ ],
703446
+ "Resource": "*",
703447
+ "Condition": {
703448
+ "StringEquals": {
703449
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703450
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703451
+ }
703452
+ }
703453
+ },
703454
+ {
703455
+ "Sid": "ManageBedrockResources",
703456
+ "Effect": "Allow",
703457
+ "Action": [
703458
+ "bedrock:CreateAgent",
703459
+ "bedrock:UpdateAgent",
703460
+ "bedrock:PrepareAgent",
703461
+ "bedrock:DeleteAgent",
703462
+ "bedrock:ListAgentAliases",
703463
+ "bedrock:GetAgentAlias",
703464
+ "bedrock:CreateAgentAlias",
703465
+ "bedrock:UpdateAgentAlias",
703466
+ "bedrock:DeleteAgentAlias",
703467
+ "bedrock:ListAgentActionGroups",
703468
+ "bedrock:GetAgentActionGroup",
703469
+ "bedrock:CreateAgentActionGroup",
703470
+ "bedrock:UpdateAgentActionGroup",
703471
+ "bedrock:DeleteAgentActionGroup",
703472
+ "bedrock:ListAgentKnowledgeBases",
703473
+ "bedrock:GetAgentKnowledgeBase",
703474
+ "bedrock:AssociateAgentKnowledgeBase",
703475
+ "bedrock:DisassociateAgentKnowledgeBase",
703476
+ "bedrock:UpdateAgentKnowledgeBase",
703477
+ "bedrock:CreateKnowledgeBase",
703478
+ "bedrock:UpdateKnowledgeBase",
703479
+ "bedrock:DeleteKnowledgeBase",
703480
+ "bedrock:ListDataSources",
703481
+ "bedrock:GetDataSource",
703482
+ "bedrock:CreateDataSource",
703483
+ "bedrock:UpdateDataSource",
703484
+ "bedrock:DeleteDataSource",
703485
+ "bedrock:CreateGuardrail",
703486
+ "bedrock:UpdateGuardrail",
703487
+ "bedrock:DeleteGuardrail",
703488
+ "bedrock:CreateGuardrailVersion",
703489
+ "bedrock:CreatePrompt",
703490
+ "bedrock:UpdatePrompt",
703491
+ "bedrock:DeletePrompt",
703492
+ "bedrock:CreatePromptVersion",
703493
+ "bedrock:CreateFlow",
703494
+ "bedrock:UpdateFlow",
703495
+ "bedrock:PrepareFlow",
703496
+ "bedrock:DeleteFlow",
703497
+ "bedrock:ListFlowAliases",
703498
+ "bedrock:GetFlowAlias",
703499
+ "bedrock:CreateFlowAlias",
703500
+ "bedrock:UpdateFlowAlias",
703501
+ "bedrock:DeleteFlowAlias",
703502
+ "bedrock:ListFlowVersions",
703503
+ "bedrock:GetFlowVersion",
703504
+ "bedrock:CreateFlowVersion",
703505
+ "bedrock:DeleteFlowVersion",
703506
+ "bedrock:TagResource"
703507
+ ],
703508
+ "Resource": "*",
703509
+ "Condition": {
703510
+ "StringEquals": {
703511
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703512
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703513
+ },
703514
+ "Null": {
703515
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703516
+ }
703517
+ }
703518
+ },
703519
+ {
703520
+ "Sid": "TagBedrockTestAliases",
703521
+ "Effect": "Allow",
703522
+ "Action": "bedrock:TagResource",
703523
+ "Resource": [
703524
+ "arn:aws:bedrock:*:*:agent-alias/*/TSTALIASID",
703525
+ "arn:aws:bedrock:*:*:flow/*/alias/TSTALIASID"
703526
+ ],
703527
+ "Condition": {
703528
+ "StringEquals": {
703529
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703530
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703531
+ },
703532
+ "Null": {
703533
+ "aws:RequestTag/AmazonDataZoneProject": "false"
703534
+ }
703535
+ }
703536
+ },
703537
+ {
703538
+ "Sid": "ListBedrockEvaluationJobsFromServicePermissions",
703539
+ "Effect": "Allow",
703540
+ "Action": "bedrock:ListEvaluationJobs",
703541
+ "Resource": "*"
703542
+ },
703543
+ {
703544
+ "Sid": "ManageBedrockEvaluationJobsFromServicePermissions",
703545
+ "Effect": "Allow",
703546
+ "Action": "bedrock:BatchDeleteEvaluationJob",
703547
+ "Resource": "*",
703548
+ "Condition": {
703549
+ "StringEquals": {
703550
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703551
+ },
703552
+ "Null": {
703553
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703554
+ }
703555
+ }
703556
+ },
703557
+ {
703558
+ "Sid": "CreateFunctionPermissionsForBedrockApp",
703559
+ "Effect": "Allow",
703560
+ "Action": [
703561
+ "lambda:CreateFunction",
703562
+ "lambda:InvokeFunction",
703563
+ "lambda:DeleteFunction",
703564
+ "lambda:UpdateFunctionCode",
703565
+ "lambda:GetFunctionConfiguration",
703566
+ "lambda:UpdateFunctionConfiguration",
703567
+ "lambda:ListVersionsByFunction",
703568
+ "lambda:PublishVersion",
703569
+ "lambda:GetPolicy",
703570
+ "lambda:AddPermission",
703571
+ "lambda:TagResource"
703572
+ ],
703573
+ "Resource": "arn:aws:lambda:*:*:function:amazon-bedrock-ide-*",
703574
+ "Condition": {
703575
+ "StringEquals": {
703576
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703577
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703578
+ },
703579
+ "Null": {
703580
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703581
+ }
703582
+ }
703583
+ },
703584
+ {
703585
+ "Sid": "ManageFunctionPermissionsForBedrockApp",
703586
+ "Effect": "Allow",
703587
+ "Action": [
703588
+ "lambda:GetFunction",
703589
+ "lambda:ListTags",
703590
+ "lambda:RemovePermission"
703591
+ ],
703592
+ "Resource": "arn:aws:lambda:*:*:function:amazon-bedrock-ide-*",
703593
+ "Condition": {
703594
+ "StringEquals": {
703595
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com",
703596
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703597
+ }
703598
+ }
703599
+ },
703600
+ {
703601
+ "Sid": "EMRSecurityConfigurationManagement",
703602
+ "Effect": "Allow",
703603
+ "Action": [
703604
+ "elasticmapreduce:CreateSecurityConfiguration",
703605
+ "elasticmapreduce:DeleteSecurityConfiguration"
703606
+ ],
703607
+ "Resource": "*",
703608
+ "Condition": {
703609
+ "StringEquals": {
703610
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
703611
+ }
703612
+ }
703613
+ },
703614
+ {
703615
+ "Sid": "EMRClusterManagement",
703616
+ "Effect": "Allow",
703617
+ "Action": [
703618
+ "elasticmapreduce:AddJobFlowSteps",
703619
+ "elasticmapreduce:AddTags",
703620
+ "elasticmapreduce:DescribeJobFlows",
703621
+ "elasticmapreduce:ListInstanceFleets",
703622
+ "elasticmapreduce:RunJobFlow",
703623
+ "elasticmapreduce:SetTerminationProtection",
703624
+ "elasticmapreduce:TerminateJobFlows",
703625
+ "elasticmapreduce:DescribeCluster"
703626
+ ],
703627
+ "Resource": "arn:aws:elasticmapreduce:*:*:cluster/*",
703628
+ "Condition": {
703629
+ "StringEquals": {
703630
+ "aws:CalledViaFirst": "cloudformation.amazonaws.com"
703631
+ },
703632
+ "Null": {
703633
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703634
+ }
703635
+ }
703636
+ },
703637
+ {
703638
+ "Sid": "AirflowEnvironmentActions",
703639
+ "Effect": "Allow",
703640
+ "Action": [
703641
+ "airflow:CreateEnvironment",
703642
+ "airflow:DeleteEnvironment",
703643
+ "airflow:TagResource"
703644
+ ],
703645
+ "Resource": "*",
703646
+ "Condition": {
703647
+ "Null": {
703648
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
703649
+ }
703650
+ }
703651
+ },
703652
+ {
703653
+ "Sid": "AirflowEnvironmentActionsWithoutRestrictions",
703654
+ "Effect": "Allow",
703655
+ "Action": [
703656
+ "airflow:GetEnvironment"
703657
+ ],
703658
+ "Resource": "*"
703659
+ },
703660
+ {
703661
+ "Sid": "AirflowS3BucketActions",
703662
+ "Effect": "Allow",
703663
+ "Action": [
703664
+ "s3:GetEncryptionConfiguration"
703665
+ ],
703666
+ "Resource": [
703667
+ "arn:aws:s3:::*"
703668
+ ],
703669
+ "Condition": {
703670
+ "StringEquals": {
703671
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703672
+ }
703673
+ }
703674
+ },
703675
+ {
703676
+ "Sid": "AirflowVpcEndpointActions",
703677
+ "Effect": "Allow",
703678
+ "Action": [
703679
+ "ec2:CreateVpcEndpoint"
703680
+ ],
703681
+ "Resource": [
703682
+ "arn:aws:ec2:*:*:vpc-endpoint/*",
703683
+ "arn:aws:ec2:*:*:vpc/*",
703684
+ "arn:aws:ec2:*:*:subnet/*",
703685
+ "arn:aws:ec2:*:*:security-group/*"
703686
+ ]
703687
+ },
703688
+ {
703689
+ "Sid": "AirflowNetworkInterfaceActions",
703690
+ "Effect": "Allow",
703691
+ "Action": [
703692
+ "ec2:CreateNetworkInterface"
703693
+ ],
703694
+ "Resource": [
703695
+ "arn:aws:ec2:*:*:subnet/*",
703696
+ "arn:aws:ec2:*:*:network-interface/*"
703697
+ ]
703698
+ },
703699
+ {
703700
+ "Sid": "AirflowKmsCreateGrant",
703701
+ "Effect": "Allow",
703702
+ "Action": [
703703
+ "kms:CreateGrant"
703704
+ ],
703705
+ "Resource": "*",
703706
+ "Condition": {
703707
+ "StringLike": {
703708
+ "kms:ViaService": [
703709
+ "airflow.*.amazonaws.com"
703710
+ ]
703711
+ },
703712
+ "StringEquals": {
703713
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703714
+ },
703715
+ "Null": {
703716
+ "kms:EncryptionContextKeys": "false"
703717
+ }
703718
+ }
703719
+ },
703720
+ {
703721
+ "Sid": "KmsDescribeKey",
703722
+ "Effect": "Allow",
703723
+ "Action": [
703724
+ "kms:DescribeKey"
703725
+ ],
703726
+ "Resource": "*",
703727
+ "Condition": {
703728
+ "StringEquals": {
703729
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703730
+ }
703731
+ }
703732
+ },
703733
+ {
703734
+ "Sid": "IamRolePermissionsForSageMakerStudioQueryExecutionRoleWithBoundary",
700977
703735
  "Effect": "Allow",
700978
703736
  "Action": [
700979
703737
  "iam:GetRole",
@@ -700990,6 +703748,38 @@
700990
703748
  }
700991
703749
  }
700992
703750
  },
703751
+ {
703752
+ "Sid": "IamRolePermissionsForCreatingSageMakerStudioQueryExecutionRole",
703753
+ "Effect": "Allow",
703754
+ "Action": [
703755
+ "iam:CreateRole"
703756
+ ],
703757
+ "Resource": "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole",
703758
+ "Condition": {
703759
+ "StringEquals": {
703760
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703761
+ }
703762
+ }
703763
+ },
703764
+ {
703765
+ "Sid": "IamRolePermissionsForSageMakerStudioQueryExecutionRole",
703766
+ "Effect": "Allow",
703767
+ "Action": [
703768
+ "iam:DetachRolePolicy",
703769
+ "iam:AttachRolePolicy"
703770
+ ],
703771
+ "Resource": "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole",
703772
+ "Condition": {
703773
+ "StringEquals": {
703774
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703775
+ },
703776
+ "ArnEquals": {
703777
+ "iam:PolicyARN": [
703778
+ "arn:aws:iam::aws:policy/service-role/SageMakerStudioQueryExecutionRolePolicy"
703779
+ ]
703780
+ }
703781
+ }
703782
+ },
700993
703783
  {
700994
703784
  "Sid": "IamTagRolePermissionsForSageMakerStudioQueryExecutionRole",
700995
703785
  "Effect": "Allow",
@@ -701006,13 +703796,26 @@
701006
703796
  ]
701007
703797
  }
701008
703798
  }
703799
+ },
703800
+ {
703801
+ "Sid": "IamListAttachedPoliciesForSageMakerStudioQueryExecutionRole",
703802
+ "Effect": "Allow",
703803
+ "Action": [
703804
+ "iam:ListAttachedRolePolicies"
703805
+ ],
703806
+ "Resource": "arn:aws:iam::*:role/SageMakerStudioQueryExecutionRole",
703807
+ "Condition": {
703808
+ "StringEquals": {
703809
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
703810
+ }
703811
+ }
701009
703812
  }
701010
703813
  ]
701011
703814
  }
701012
703815
  }
701013
703816
  },
701014
703817
  "createdDate": "2024-11-20T21:58:39.000Z",
701015
- "lastUpdatedDate": "2025-01-03T00:52:07.000Z"
703818
+ "lastUpdatedDate": "2025-01-31T19:52:06.000Z"
701016
703819
  },
701017
703820
  "SageMakerStudioProjectUserRolePolicy": {
701018
703821
  "arn": "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePolicy",
@@ -717119,5 +719922,195 @@
717119
719922
  },
717120
719923
  "createdDate": "2025-01-17T18:37:06.000Z",
717121
719924
  "lastUpdatedDate": "2025-01-17T18:37:06.000Z"
719925
+ },
719926
+ "SageMakerStudioQueryExecutionRolePolicy": {
719927
+ "arn": "arn:aws:iam::aws:policy/service-role/SageMakerStudioQueryExecutionRolePolicy",
719928
+ "latestVersionId": "v1",
719929
+ "versionsCount": 1,
719930
+ "versions": {
719931
+ "v1": {
719932
+ "createdDate": "2025-01-31T19:52:07.000Z",
719933
+ "document": {
719934
+ "Version": "2012-10-17",
719935
+ "Statement": [
719936
+ {
719937
+ "Sid": "GlueGetConnectionOnCatalog",
719938
+ "Effect": "Allow",
719939
+ "Action": [
719940
+ "glue:GetConnection"
719941
+ ],
719942
+ "Resource": [
719943
+ "arn:aws:glue:*:*:catalog"
719944
+ ]
719945
+ },
719946
+ {
719947
+ "Sid": "GlueGetConnectionsForProject",
719948
+ "Effect": "Allow",
719949
+ "Action": [
719950
+ "glue:GetConnection",
719951
+ "glue:GetConnections",
719952
+ "glue:GetTags"
719953
+ ],
719954
+ "Resource": "arn:aws:glue:*:*:connection/*",
719955
+ "Condition": {
719956
+ "Null": {
719957
+ "aws:ResourceTag/AmazonDataZoneProject": "false"
719958
+ }
719959
+ }
719960
+ },
719961
+ {
719962
+ "Sid": "S3GetObjectForAthenaSpillBucket",
719963
+ "Effect": "Allow",
719964
+ "Action": [
719965
+ "s3:GetObject"
719966
+ ],
719967
+ "Resource": [
719968
+ "arn:aws:s3:::*/dzd_*/*/dev/sys/athena/*"
719969
+ ],
719970
+ "Condition": {
719971
+ "StringEquals": {
719972
+ "aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true"
719973
+ }
719974
+ }
719975
+ },
719976
+ {
719977
+ "Sid": "S3ListBucketOwnershipCheckForAthenaSpillBucket",
719978
+ "Effect": "Allow",
719979
+ "Action": [
719980
+ "s3:ListBucket"
719981
+ ],
719982
+ "Resource": [
719983
+ "arn:aws:s3:::amazon-sagemaker-*"
719984
+ ],
719985
+ "Condition": {
719986
+ "StringEquals": {
719987
+ "aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true"
719988
+ }
719989
+ }
719990
+ },
719991
+ {
719992
+ "Sid": "InvokeFunctionPermissionsForAthenaCatalogLambda",
719993
+ "Effect": "Allow",
719994
+ "Action": "lambda:InvokeFunction",
719995
+ "Resource": "arn:aws:lambda:*:*:function:*",
719996
+ "Condition": {
719997
+ "StringEquals": {
719998
+ "aws:PrincipalTag/SageMakerStudioQueryExecutionRole": "true",
719999
+ "aws:ResourceTag/federated_athena_datacatalog": "true"
720000
+ }
720001
+ }
720002
+ }
720003
+ ]
720004
+ }
720005
+ }
720006
+ },
720007
+ "createdDate": "2025-01-31T19:52:07.000Z",
720008
+ "lastUpdatedDate": "2025-01-31T19:52:07.000Z"
720009
+ },
720010
+ "SageMakerStudioEMRServiceRolePolicy": {
720011
+ "arn": "arn:aws:iam::aws:policy/service-role/SageMakerStudioEMRServiceRolePolicy",
720012
+ "latestVersionId": "v1",
720013
+ "versionsCount": 1,
720014
+ "versions": {
720015
+ "v1": {
720016
+ "createdDate": "2025-01-31T19:52:07.000Z",
720017
+ "document": {
720018
+ "Version": "2012-10-17",
720019
+ "Statement": [
720020
+ {
720021
+ "Sid": "PassRoleToEMREC2InstanceRole",
720022
+ "Effect": "Allow",
720023
+ "Action": "iam:PassRole",
720024
+ "Resource": "arn:aws:iam::*:role/datazone_emr_ec2_instance_role_${aws:PrincipalTag/AmazonDataZoneProject}_${aws:PrincipalTag/AmazonDataZoneEnvironment}",
720025
+ "Condition": {
720026
+ "StringLike": {
720027
+ "iam:PassedToService": "ec2.amazonaws.com"
720028
+ },
720029
+ "StringNotEquals": {
720030
+ "aws:PrincipalTag/AmazonDataZoneProject": "",
720031
+ "aws:PrincipalTag/AmazonDataZoneEnvironment": ""
720032
+ },
720033
+ "Null": {
720034
+ "aws:PrincipalTag/AmazonDataZoneProject": "false"
720035
+ },
720036
+ "StringEquals": {
720037
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
720038
+ }
720039
+ }
720040
+ },
720041
+ {
720042
+ "Sid": "EMRKMSPermissions",
720043
+ "Effect": "Allow",
720044
+ "Action": [
720045
+ "kms:CreateGrant",
720046
+ "kms:ReEncryptFrom",
720047
+ "kms:ReEncryptTo",
720048
+ "kms:Decrypt",
720049
+ "kms:Encrypt",
720050
+ "kms:GenerateDataKeyWithoutPlaintext"
720051
+ ],
720052
+ "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
720053
+ "Condition": {
720054
+ "StringLike": {
720055
+ "kms:ViaService": [
720056
+ "ec2.*.amazonaws.com"
720057
+ ]
720058
+ },
720059
+ "StringEquals": {
720060
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
720061
+ },
720062
+ "Null": {
720063
+ "kms:EncryptionContextKeys": "false"
720064
+ }
720065
+ }
720066
+ },
720067
+ {
720068
+ "Sid": "AllowGenerateDataKeyForEbsEncryption",
720069
+ "Effect": "Allow",
720070
+ "Action": "kms:GenerateDataKey",
720071
+ "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
720072
+ "Condition": {
720073
+ "StringEquals": {
720074
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
720075
+ }
720076
+ }
720077
+ },
720078
+ {
720079
+ "Sid": "AllowEMRForKMSManagement",
720080
+ "Effect": "Allow",
720081
+ "Action": [
720082
+ "kms:ListGrants",
720083
+ "kms:RevokeGrant",
720084
+ "kms:DescribeKey"
720085
+ ],
720086
+ "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
720087
+ "Condition": {
720088
+ "StringLike": {
720089
+ "kms:ViaService": [
720090
+ "ec2.*.amazonaws.com"
720091
+ ]
720092
+ },
720093
+ "StringEquals": {
720094
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
720095
+ }
720096
+ }
720097
+ },
720098
+ {
720099
+ "Sid": "AllowEMRToListKmsAliases",
720100
+ "Effect": "Allow",
720101
+ "Action": "kms:ListAliases",
720102
+ "Resource": "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
720103
+ "Condition": {
720104
+ "StringEquals": {
720105
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
720106
+ }
720107
+ }
720108
+ }
720109
+ ]
720110
+ }
720111
+ }
720112
+ },
720113
+ "createdDate": "2025-01-31T19:52:07.000Z",
720114
+ "lastUpdatedDate": "2025-01-31T19:52:07.000Z"
717122
720115
  }
717123
720116
  }
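Review bot: The `InvokeFunctionPermissionsForAthenaCatalogLambda` statement in the new `SageMakerStudioQueryExecutionRolePolicy` grants `lambda:InvokeFunction` on `arn:aws:lambda:*:*:function:*` gated only by the principal tag and the resource tag `federated_athena_datacatalog`, without the `"aws:ResourceAccount": "${aws:PrincipalAccount}"` condition that every statement of the sibling `SageMakerStudioEMRServiceRolePolicy` in this same hunk carries. Since this file mirrors AWS-published policies the package cannot alter the statement, but consumers reading this snapshot should treat `federated_athena_datacatalog` as a privilege-granting tag: any function in the account that acquires that tag becomes invokable by the query-execution role, so `lambda:TagResource` rights deserve the same scrutiny as the invoke right itself. Cross-account invocation would still require the target function's resource policy to allow it, so the practical effect is presumably confined to the account, but the inconsistency with the account-pinned statements is worth noting in the package's release notes.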