aws-iam-managed-policies 0.0.492 → 0.0.493

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -137073,8 +137073,8 @@
137073
137073
  },
137074
137074
  "CloudWatchReadOnlyAccess": {
137075
137075
  "arn": "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
137076
- "latestVersionId": "v13",
137077
- "versionsCount": 13,
137076
+ "latestVersionId": "v14",
137077
+ "versionsCount": 14,
137078
137078
  "versions": {
137079
137079
  "v1": {
137080
137080
  "createdDate": "2015-02-06T18:40:01.000Z",
@@ -137743,15 +137743,134 @@
137743
137743
  }
137744
137744
  ]
137745
137745
  }
137746
+ },
137747
+ "v14": {
137748
+ "createdDate": "2015-02-06T18:40:01.000Z",
137749
+ "document": {
137750
+ "Version": "2012-10-17",
137751
+ "Statement": [
137752
+ {
137753
+ "Sid": "CloudWatchReadOnlyAccessPermissions",
137754
+ "Effect": "Allow",
137755
+ "Action": [
137756
+ "application-autoscaling:DescribeScalingPolicies",
137757
+ "application-signals:BatchGet*",
137758
+ "application-signals:Get*",
137759
+ "application-signals:List*",
137760
+ "autoscaling:Describe*",
137761
+ "cloudtrail:ListChannels",
137762
+ "cloudwatch:BatchGet*",
137763
+ "cloudwatch:Describe*",
137764
+ "cloudwatch:GenerateQuery",
137765
+ "cloudwatch:Get*",
137766
+ "cloudwatch:List*",
137767
+ "logs:Get*",
137768
+ "logs:List*",
137769
+ "logs:StartQuery",
137770
+ "logs:StopQuery",
137771
+ "logs:Describe*",
137772
+ "logs:TestMetricFilter",
137773
+ "logs:FilterLogEvents",
137774
+ "logs:StartLiveTail",
137775
+ "logs:StopLiveTail",
137776
+ "oam:ListSinks",
137777
+ "observabilityadmin:GetCentralizationRuleForOrganization",
137778
+ "observabilityadmin:ListCentralizationRulesForOrganization",
137779
+ "observabilityadmin:GetTelemetryEvaluationStatus",
137780
+ "observabilityadmin:GetTelemetryEvaluationStatusForOrganization",
137781
+ "observabilityadmin:GetTelemetryRule",
137782
+ "observabilityadmin:GetTelemetryRuleForOrganization",
137783
+ "observabilityadmin:ListResourceTelemetry",
137784
+ "observabilityadmin:ListResourceTelemetryForOrganization",
137785
+ "observabilityadmin:ListTelemetryRules",
137786
+ "observabilityadmin:ListTelemetryRulesForOrganization",
137787
+ "observabilityadmin:GetTelemetryEnrichmentStatus",
137788
+ "observabilityadmin:ListTagsForResource",
137789
+ "observabilityadmin:GetTelemetryPipeline",
137790
+ "observabilityadmin:ListTelemetryPipelines",
137791
+ "observabilityadmin:TestTelemetryPipeline",
137792
+ "observabilityadmin:ValidateTelemetryPipelineConfiguration",
137793
+ "observabilityadmin:GetS3TableIntegration",
137794
+ "observabilityadmin:ListS3TableIntegrations",
137795
+ "sns:Get*",
137796
+ "sns:List*",
137797
+ "rum:BatchGet*",
137798
+ "rum:Get*",
137799
+ "rum:List*",
137800
+ "synthetics:Describe*",
137801
+ "synthetics:Get*",
137802
+ "synthetics:List*",
137803
+ "xray:BatchGet*",
137804
+ "xray:Get*",
137805
+ "xray:List*",
137806
+ "xray:StartTraceRetrieval",
137807
+ "xray:CancelTraceRetrieval"
137808
+ ],
137809
+ "Resource": "*"
137810
+ },
137811
+ {
137812
+ "Sid": "OAMReadPermissions",
137813
+ "Effect": "Allow",
137814
+ "Action": [
137815
+ "oam:ListAttachedLinks"
137816
+ ],
137817
+ "Resource": "arn:aws:oam:*:*:sink/*"
137818
+ },
137819
+ {
137820
+ "Sid": "CloudWatchReadOnlyGetRolePermissions",
137821
+ "Effect": "Allow",
137822
+ "Action": "iam:GetRole",
137823
+ "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals"
137824
+ },
137825
+ {
137826
+ "Sid": "CloudWatchCloudTrailPermissions",
137827
+ "Effect": "Allow",
137828
+ "Action": [
137829
+ "cloudtrail:GetChannel"
137830
+ ],
137831
+ "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/application-signals/*"
137832
+ },
137833
+ {
137834
+ "Sid": "CloudWatchServiceQuotaPermissions",
137835
+ "Effect": "Allow",
137836
+ "Action": [
137837
+ "servicequotas:GetServiceQuota"
137838
+ ],
137839
+ "Resource": [
137840
+ "arn:aws:servicequotas:*:*:s3/*",
137841
+ "arn:aws:servicequotas:*:*:dynamodb/*",
137842
+ "arn:aws:servicequotas:*:*:kinesis/*",
137843
+ "arn:aws:servicequotas:*:*:sns/*",
137844
+ "arn:aws:servicequotas:*:*:bedrock/*",
137845
+ "arn:aws:servicequotas:*:*:lambda/*",
137846
+ "arn:aws:servicequotas:*:*:fargate/*",
137847
+ "arn:aws:servicequotas:*:*:elasticloadbalancing/*",
137848
+ "arn:aws:servicequotas:*:*:ec2/*"
137849
+ ]
137850
+ },
137851
+ {
137852
+ "Sid": "CloudWatchResourceExplorerPermissions",
137853
+ "Effect": "Allow",
137854
+ "Action": [
137855
+ "resource-explorer-2:ListIndexes",
137856
+ "resource-explorer-2:Search"
137857
+ ],
137858
+ "Resource": [
137859
+ "arn:aws:resource-explorer-2:*::view/AWSServiceViewForApplicationSignals/service-view",
137860
+ "arn:aws:resource-explorer-2:*::view/AWSServiceViewForApplicationSignalsOrgScopeProd/service-view"
137861
+ ]
137862
+ }
137863
+ ]
137864
+ }
137746
137865
  }
137747
137866
  },
137748
137867
  "createdDate": "2015-02-06T18:40:01.000Z",
137749
- "lastUpdatedDate": "2025-11-20T19:34:11.000Z"
137868
+ "lastUpdatedDate": "2025-12-02T16:49:09.000Z"
137750
137869
  },
137751
137870
  "CloudWatchLogsFullAccess": {
137752
137871
  "arn": "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
137753
- "latestVersionId": "v3",
137754
- "versionsCount": 3,
137872
+ "latestVersionId": "v4",
137873
+ "versionsCount": 4,
137755
137874
  "versions": {
137756
137875
  "v1": {
137757
137876
  "createdDate": "2015-02-06T18:40:02.000Z",
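Review bot: The new `v14` entry's `"createdDate": "2015-02-06T18:40:01.000Z"` is identical to the `v1` entry's and to the policy-level `createdDate`, while the policy-level `lastUpdatedDate` moves to `2025-12-02T16:49:09.000Z`; the per-version `createdDate` therefore appears to repeat the policy's creation date rather than record when the version was created, which is worth stating in the package's schema documentation so consumers do not use it to date a version. Also worth calling out for consumers who classify by name: the `v14` action list of CloudWatchReadOnlyAccess adds `observabilityadmin:TestTelemetryPipeline` and `observabilityadmin:ValidateTelemetryPipelineConfiguration`, whose side-effect profile is not visible from this file, so tooling that treats `*ReadOnlyAccess` policies as non-mutating should verify those actions rather than assume. This file mirrors the upstream policy, so the point is for the package's documentation and downstream review, not for editing the JSON.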
@@ -137802,15 +137921,36 @@
137802
137921
  }
137803
137922
  ]
137804
137923
  }
137924
+ },
137925
+ "v4": {
137926
+ "createdDate": "2015-02-06T18:40:02.000Z",
137927
+ "document": {
137928
+ "Version": "2012-10-17",
137929
+ "Statement": [
137930
+ {
137931
+ "Sid": "CloudWatchLogsFullAccess",
137932
+ "Effect": "Allow",
137933
+ "Action": [
137934
+ "logs:*",
137935
+ "cloudwatch:GenerateQuery",
137936
+ "cloudwatch:GenerateQueryResultsSummary",
137937
+ "observabilityadmin:GetS3TableIntegration",
137938
+ "observabilityadmin:ListS3TableIntegrations",
137939
+ "observabilityadmin:ListTelemetryPipelines"
137940
+ ],
137941
+ "Resource": "*"
137942
+ }
137943
+ ]
137944
+ }
137805
137945
  }
137806
137946
  },
137807
137947
  "createdDate": "2015-02-06T18:40:02.000Z",
137808
- "lastUpdatedDate": "2025-05-20T17:07:06.000Z"
137948
+ "lastUpdatedDate": "2025-12-02T16:34:08.000Z"
137809
137949
  },
137810
137950
  "CloudWatchLogsReadOnlyAccess": {
137811
137951
  "arn": "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess",
137812
- "latestVersionId": "v7",
137813
- "versionsCount": 7,
137952
+ "latestVersionId": "v8",
137953
+ "versionsCount": 8,
137814
137954
  "versions": {
137815
137955
  "v1": {
137816
137956
  "createdDate": "2015-02-06T18:40:03.000Z",
@@ -137960,10 +138100,39 @@
137960
138100
  }
137961
138101
  ]
137962
138102
  }
138103
+ },
138104
+ "v8": {
138105
+ "createdDate": "2015-02-06T18:40:03.000Z",
138106
+ "document": {
138107
+ "Version": "2012-10-17",
138108
+ "Statement": [
138109
+ {
138110
+ "Sid": "CloudWatchLogsReadOnlyAccess",
138111
+ "Effect": "Allow",
138112
+ "Action": [
138113
+ "logs:Describe*",
138114
+ "logs:Get*",
138115
+ "logs:List*",
138116
+ "logs:StartQuery",
138117
+ "logs:StopQuery",
138118
+ "logs:TestMetricFilter",
138119
+ "logs:FilterLogEvents",
138120
+ "logs:StartLiveTail",
138121
+ "logs:StopLiveTail",
138122
+ "cloudwatch:GenerateQuery",
138123
+ "cloudwatch:GenerateQueryResultsSummary",
138124
+ "observabilityadmin:ListS3TableIntegrations",
138125
+ "observabilityadmin:GetS3TableIntegration",
138126
+ "observabilityadmin:ListTelemetryPipelines"
138127
+ ],
138128
+ "Resource": "*"
138129
+ }
138130
+ ]
138131
+ }
137963
138132
  }
137964
138133
  },
137965
138134
  "createdDate": "2015-02-06T18:40:03.000Z",
137966
- "lastUpdatedDate": "2025-05-20T16:52:06.000Z"
138135
+ "lastUpdatedDate": "2025-12-02T16:34:10.000Z"
137967
138136
  },
137968
138137
  "AWSDirectConnectFullAccess": {
137969
138138
  "arn": "arn:aws:iam::aws:policy/AWSDirectConnectFullAccess",
@@ -743575,8 +743744,8 @@
743575
743744
  },
743576
743745
  "CloudWatchFullAccessV2": {
743577
743746
  "arn": "arn:aws:iam::aws:policy/CloudWatchFullAccessV2",
743578
- "latestVersionId": "v6",
743579
- "versionsCount": 6,
743747
+ "latestVersionId": "v7",
743748
+ "versionsCount": 7,
743580
743749
  "versions": {
743581
743750
  "v1": {
743582
743751
  "createdDate": "2023-08-01T11:32:57.000Z",
@@ -744137,10 +744306,232 @@
744137
744306
  }
744138
744307
  ]
744139
744308
  }
744309
+ },
744310
+ "v7": {
744311
+ "createdDate": "2023-08-01T11:32:57.000Z",
744312
+ "document": {
744313
+ "Version": "2012-10-17",
744314
+ "Statement": [
744315
+ {
744316
+ "Sid": "CloudWatchFullAccessPermissions",
744317
+ "Effect": "Allow",
744318
+ "Action": [
744319
+ "application-autoscaling:DescribeScalingPolicies",
744320
+ "application-signals:*",
744321
+ "autoscaling:DescribeAutoScalingGroups",
744322
+ "autoscaling:DescribePolicies",
744323
+ "cloudwatch:*",
744324
+ "logs:*",
744325
+ "sns:CreateTopic",
744326
+ "sns:ListSubscriptions",
744327
+ "sns:ListSubscriptionsByTopic",
744328
+ "sns:ListTopics",
744329
+ "sns:Subscribe",
744330
+ "iam:GetPolicy",
744331
+ "iam:GetPolicyVersion",
744332
+ "iam:GetRole",
744333
+ "oam:ListSinks",
744334
+ "observabilityadmin:GetCentralizationRuleForOrganization",
744335
+ "observabilityadmin:ListCentralizationRulesForOrganization",
744336
+ "observabilityadmin:CreateCentralizationRuleForOrganization",
744337
+ "observabilityadmin:UpdateCentralizationRuleForOrganization",
744338
+ "observabilityadmin:DeleteCentralizationRuleForOrganization",
744339
+ "observabilityadmin:StartTelemetryEvaluation",
744340
+ "observabilityadmin:GetTelemetryEvaluationStatus",
744341
+ "observabilityadmin:ListResourceTelemetry",
744342
+ "observabilityadmin:StopTelemetryEvaluation",
744343
+ "observabilityadmin:StartTelemetryEvaluationForOrganization",
744344
+ "observabilityadmin:GetTelemetryEvaluationStatusForOrganization",
744345
+ "observabilityadmin:ListResourceTelemetryForOrganization",
744346
+ "observabilityadmin:StopTelemetryEvaluationForOrganization",
744347
+ "observabilityadmin:CreateTelemetryRule",
744348
+ "observabilityadmin:GetTelemetryRule",
744349
+ "observabilityadmin:ListTelemetryRules",
744350
+ "observabilityadmin:UpdateTelemetryRule",
744351
+ "observabilityadmin:DeleteTelemetryRule",
744352
+ "observabilityadmin:CreateTelemetryRuleForOrganization",
744353
+ "observabilityadmin:GetTelemetryRuleForOrganization",
744354
+ "observabilityadmin:ListTelemetryRulesForOrganization",
744355
+ "observabilityadmin:UpdateTelemetryRuleForOrganization",
744356
+ "observabilityadmin:DeleteTelemetryRuleForOrganization",
744357
+ "observabilityadmin:GetTelemetryEnrichmentStatus",
744358
+ "observabilityadmin:StartTelemetryEnrichment",
744359
+ "observabilityadmin:StopTelemetryEnrichment",
744360
+ "observabilityadmin:TagResource",
744361
+ "observabilityadmin:UntagResource",
744362
+ "observabilityadmin:ListTagsForResource",
744363
+ "observabilityadmin:CreateTelemetryPipeline",
744364
+ "observabilityadmin:GetTelemetryPipeline",
744365
+ "observabilityadmin:UpdateTelemetryPipeline",
744366
+ "observabilityadmin:DeleteTelemetryPipeline",
744367
+ "observabilityadmin:ListTelemetryPipelines",
744368
+ "observabilityadmin:TestTelemetryPipeline",
744369
+ "observabilityadmin:ValidateTelemetryPipelineConfiguration",
744370
+ "observabilityadmin:CreateS3TableIntegration",
744371
+ "observabilityadmin:GetS3TableIntegration",
744372
+ "observabilityadmin:ListS3TableIntegrations",
744373
+ "observabilityadmin:DeleteS3TableIntegration",
744374
+ "rum:*",
744375
+ "synthetics:*",
744376
+ "xray:*"
744377
+ ],
744378
+ "Resource": "*"
744379
+ },
744380
+ {
744381
+ "Sid": "CloudWatchApplicationSignalsServiceLinkedRolePermissions",
744382
+ "Effect": "Allow",
744383
+ "Action": "iam:CreateServiceLinkedRole",
744384
+ "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals",
744385
+ "Condition": {
744386
+ "StringLike": {
744387
+ "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com"
744388
+ }
744389
+ }
744390
+ },
744391
+ {
744392
+ "Sid": "EventsServicePermissions",
744393
+ "Effect": "Allow",
744394
+ "Action": "iam:CreateServiceLinkedRole",
744395
+ "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
744396
+ "Condition": {
744397
+ "StringLike": {
744398
+ "iam:AWSServiceName": "events.amazonaws.com"
744399
+ }
744400
+ }
744401
+ },
744402
+ {
744403
+ "Sid": "OAMReadPermissions",
744404
+ "Effect": "Allow",
744405
+ "Action": [
744406
+ "oam:ListAttachedLinks"
744407
+ ],
744408
+ "Resource": "arn:aws:oam:*:*:sink/*"
744409
+ },
744410
+ {
744411
+ "Sid": "CloudWatchCloudTrailPermissions",
744412
+ "Effect": "Allow",
744413
+ "Action": [
744414
+ "cloudtrail:CreateServiceLinkedChannel",
744415
+ "cloudtrail:GetChannel"
744416
+ ],
744417
+ "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/application-signals/*"
744418
+ },
744419
+ {
744420
+ "Sid": "CloudWatchApplicationSignalsCloudTrailListPermissions",
744421
+ "Effect": "Allow",
744422
+ "Action": [
744423
+ "cloudtrail:ListChannels"
744424
+ ],
744425
+ "Resource": "*"
744426
+ },
744427
+ {
744428
+ "Sid": "CloudWatchServiceQuotaPermissions",
744429
+ "Effect": "Allow",
744430
+ "Action": [
744431
+ "servicequotas:GetServiceQuota"
744432
+ ],
744433
+ "Resource": [
744434
+ "arn:aws:servicequotas:*:*:s3/*",
744435
+ "arn:aws:servicequotas:*:*:dynamodb/*",
744436
+ "arn:aws:servicequotas:*:*:kinesis/*",
744437
+ "arn:aws:servicequotas:*:*:sns/*",
744438
+ "arn:aws:servicequotas:*:*:bedrock/*",
744439
+ "arn:aws:servicequotas:*:*:lambda/*",
744440
+ "arn:aws:servicequotas:*:*:fargate/*",
744441
+ "arn:aws:servicequotas:*:*:elasticloadbalancing/*",
744442
+ "arn:aws:servicequotas:*:*:ec2/*"
744443
+ ]
744444
+ },
744445
+ {
744446
+ "Sid": "CloudWatchResourceExplorerPermissions",
744447
+ "Effect": "Allow",
744448
+ "Action": [
744449
+ "resource-explorer-2:ListIndexes",
744450
+ "resource-explorer-2:Search"
744451
+ ],
744452
+ "Resource": [
744453
+ "arn:aws:resource-explorer-2:*::view/AWSServiceViewForApplicationSignals/service-view",
744454
+ "arn:aws:resource-explorer-2:*::view/AWSServiceViewForApplicationSignalsOrgScopeProd/service-view"
744455
+ ]
744456
+ },
744457
+ {
744458
+ "Sid": "CloudWatchResourceExplorerSLRPermissions",
744459
+ "Effect": "Allow",
744460
+ "Action": [
744461
+ "iam:CreateServiceLinkedRole"
744462
+ ],
744463
+ "Resource": "arn:aws:iam::*:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer",
744464
+ "Condition": {
744465
+ "StringEquals": {
744466
+ "iam:AWSServiceName": [
744467
+ "resource-explorer-2.amazonaws.com"
744468
+ ]
744469
+ }
744470
+ }
744471
+ },
744472
+ {
744473
+ "Sid": "CloudWatchResourceExplorerCreateIndexPermissions",
744474
+ "Effect": "Allow",
744475
+ "Action": [
744476
+ "resource-explorer-2:CreateIndex"
744477
+ ],
744478
+ "Resource": "arn:aws:resource-explorer-2:*:*:index/*"
744479
+ },
744480
+ {
744481
+ "Effect": "Allow",
744482
+ "Action": "iam:PassRole",
744483
+ "Resource": "*",
744484
+ "Condition": {
744485
+ "StringEquals": {
744486
+ "iam:PassedToService": "logs.amazonaws.com"
744487
+ },
744488
+ "ArnLike": {
744489
+ "iam:AssociatedResourceArn": "arn:aws:observabilityadmin:*:*:s3tableintegration/*"
744490
+ }
744491
+ }
744492
+ },
744493
+ {
744494
+ "Effect": "Allow",
744495
+ "Action": "iam:PassRole",
744496
+ "Resource": "*",
744497
+ "Condition": {
744498
+ "StringEquals": {
744499
+ "iam:PassedToService": [
744500
+ "logs.amazonaws.com",
744501
+ "telemetry-pipelines.observabilityadmin.amazonaws.com"
744502
+ ]
744503
+ },
744504
+ "ArnLike": {
744505
+ "iam:AssociatedResourceArn": "arn:aws:observabilityadmin:*:*:telemetry-pipeline/*"
744506
+ }
744507
+ }
744508
+ },
744509
+ {
744510
+ "Effect": "Allow",
744511
+ "Action": [
744512
+ "s3tables:CreateTableBucket",
744513
+ "s3tables:PutTableBucketEncryption"
744514
+ ],
744515
+ "Resource": "arn:aws:s3tables:*:*:bucket/aws-cloudwatch",
744516
+ "Condition": {
744517
+ "ForAnyValue:StringEquals": {
744518
+ "aws:CalledVia": "observabilityadmin.amazonaws.com"
744519
+ }
744520
+ }
744521
+ },
744522
+ {
744523
+ "Effect": "Allow",
744524
+ "Action": [
744525
+ "s3tables:PutTableBucketPolicy"
744526
+ ],
744527
+ "Resource": "arn:aws:s3tables:*:*:bucket/aws-cloudwatch"
744528
+ }
744529
+ ]
744530
+ }
744140
744531
  }
744141
744532
  },
744142
744533
  "createdDate": "2023-08-01T11:32:57.000Z",
744143
- "lastUpdatedDate": "2025-11-20T19:34:08.000Z"
744534
+ "lastUpdatedDate": "2025-12-02T16:49:09.000Z"
744144
744535
  },
744145
744536
  "AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy": {
744146
744537
  "arn": "arn:aws:iam::aws:policy/service-role/AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy",
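Review bot: The last three statements of the new `v7` document of CloudWatchFullAccessV2 (the two `iam:PassRole` grants and the `s3tables:PutTableBucketPolicy` grant) carry no `Sid`, while every other statement in this document and in the neighbouring policies is named; unnamed statements are harder to track across versions in a dataset that downstream tooling diffs and alerts on, so this deserves a line in the package changelog even though the JSON itself mirrors upstream and cannot be edited here. From a risk standpoint, both `iam:PassRole` statements use `"Resource": "*"` bounded only by `iam:PassedToService` and an `ArnLike` condition on `iam:AssociatedResourceArn`, and the `s3tables:PutTableBucketPolicy` statement on `arn:aws:s3tables:*:*:bucket/aws-cloudwatch` lacks the `aws:CalledVia` condition that its sibling `s3tables:CreateTableBucket` statement has. Teams that attach this managed policy should re-evaluate it against their PassRole and bucket-policy controls with this version, and detection rules keyed on the previous statement set should be refreshed.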
@@ -958751,8 +959142,8 @@
958751
959142
  },
958752
959143
  "BedrockAgentCoreFullAccess": {
958753
959144
  "arn": "arn:aws:iam::aws:policy/BedrockAgentCoreFullAccess",
958754
- "latestVersionId": "v4",
958755
- "versionsCount": 4,
959145
+ "latestVersionId": "v5",
959146
+ "versionsCount": 5,
958756
959147
  "versions": {
958757
959148
  "v1": {
958758
959149
  "createdDate": "2025-07-16T13:37:07.000Z",
@@ -959215,260 +959606,605 @@
959215
959606
  "iam:AWSServiceName": "network.bedrock-agentcore.amazonaws.com"
959216
959607
  }
959217
959608
  }
959218
- }
959219
- ]
959220
- }
959221
- },
959222
- "v3": {
959223
- "createdDate": "2025-07-16T13:37:07.000Z",
959224
- "document": {
959225
- "Version": "2012-10-17",
959226
- "Statement": [
959227
- {
959228
- "Sid": "BedrockAgentCoreFullAccess",
959229
- "Effect": "Allow",
959230
- "Action": [
959231
- "bedrock-agentcore:*"
959232
- ],
959233
- "Resource": "arn:aws:bedrock-agentcore:*:*:*"
959234
- },
959235
- {
959236
- "Sid": "IAMListAccess",
959237
- "Effect": "Allow",
959238
- "Action": [
959239
- "iam:GetRole",
959240
- "iam:GetRolePolicy",
959241
- "iam:ListAttachedRolePolicies",
959242
- "iam:ListRolePolicies",
959243
- "iam:ListRoles"
959244
- ],
959245
- "Resource": "arn:aws:iam::*:role/*"
959609
+ }
959610
+ ]
959611
+ }
959612
+ },
959613
+ "v3": {
959614
+ "createdDate": "2025-07-16T13:37:07.000Z",
959615
+ "document": {
959616
+ "Version": "2012-10-17",
959617
+ "Statement": [
959618
+ {
959619
+ "Sid": "BedrockAgentCoreFullAccess",
959620
+ "Effect": "Allow",
959621
+ "Action": [
959622
+ "bedrock-agentcore:*"
959623
+ ],
959624
+ "Resource": "arn:aws:bedrock-agentcore:*:*:*"
959625
+ },
959626
+ {
959627
+ "Sid": "IAMListAccess",
959628
+ "Effect": "Allow",
959629
+ "Action": [
959630
+ "iam:GetRole",
959631
+ "iam:GetRolePolicy",
959632
+ "iam:ListAttachedRolePolicies",
959633
+ "iam:ListRolePolicies",
959634
+ "iam:ListRoles"
959635
+ ],
959636
+ "Resource": "arn:aws:iam::*:role/*"
959637
+ },
959638
+ {
959639
+ "Sid": "BedrockAgentCorePassRoleAccess",
959640
+ "Effect": "Allow",
959641
+ "Action": "iam:PassRole",
959642
+ "Resource": "arn:aws:iam::*:role/*BedrockAgentCore*",
959643
+ "Condition": {
959644
+ "StringEquals": {
959645
+ "iam:PassedToService": "bedrock-agentcore.amazonaws.com"
959646
+ }
959647
+ }
959648
+ },
959649
+ {
959650
+ "Sid": "SecretsManagerAccess",
959651
+ "Effect": "Allow",
959652
+ "Action": [
959653
+ "secretsmanager:CreateSecret",
959654
+ "secretsmanager:PutSecretValue",
959655
+ "secretsmanager:GetSecretValue",
959656
+ "secretsmanager:DeleteSecret"
959657
+ ],
959658
+ "Resource": "arn:aws:secretsmanager:*:*:secret:bedrock-agentcore*"
959659
+ },
959660
+ {
959661
+ "Sid": "BedrockAgentCoreKMSReadAccess",
959662
+ "Effect": "Allow",
959663
+ "Action": [
959664
+ "kms:ListKeys",
959665
+ "kms:DescribeKey"
959666
+ ],
959667
+ "Resource": [
959668
+ "arn:aws:kms:*:*:key/*"
959669
+ ],
959670
+ "Condition": {
959671
+ "StringEquals": {
959672
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
959673
+ }
959674
+ }
959675
+ },
959676
+ {
959677
+ "Sid": "BedrockAgentCoreKMSAccess",
959678
+ "Effect": "Allow",
959679
+ "Action": [
959680
+ "kms:Decrypt",
959681
+ "kms:GenerateDataKey"
959682
+ ],
959683
+ "Resource": [
959684
+ "arn:aws:kms:*:*:key/*"
959685
+ ],
959686
+ "Condition": {
959687
+ "StringEquals": {
959688
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
959689
+ },
959690
+ "ForAnyValue:StringEquals": {
959691
+ "aws:CalledVia": [
959692
+ "bedrock-agentcore.amazonaws.com"
959693
+ ]
959694
+ }
959695
+ }
959696
+ },
959697
+ {
959698
+ "Sid": "BedrockAgentCoreS3Access",
959699
+ "Effect": "Allow",
959700
+ "Action": [
959701
+ "s3:GetObject"
959702
+ ],
959703
+ "Resource": [
959704
+ "arn:aws:s3:::bedrock-agentcore-gateway-*"
959705
+ ],
959706
+ "Condition": {
959707
+ "StringEquals": {
959708
+ "aws:CalledViaLast": "bedrock-agentcore.amazonaws.com",
959709
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
959710
+ }
959711
+ }
959712
+ },
959713
+ {
959714
+ "Sid": "BedrockAgentCoreGatewayLambdaAccess",
959715
+ "Effect": "Allow",
959716
+ "Action": [
959717
+ "lambda:ListFunctions"
959718
+ ],
959719
+ "Resource": [
959720
+ "arn:aws:lambda:*:*:*"
959721
+ ]
959722
+ },
959723
+ {
959724
+ "Sid": "LoggingAccess",
959725
+ "Effect": "Allow",
959726
+ "Action": [
959727
+ "logs:Get*",
959728
+ "logs:List*",
959729
+ "logs:StartQuery",
959730
+ "logs:StopQuery",
959731
+ "logs:Describe*",
959732
+ "logs:TestMetricFilter",
959733
+ "logs:FilterLogEvents"
959734
+ ],
959735
+ "Resource": [
959736
+ "arn:aws:logs:*:*:log-group:/aws/bedrock-agentcore/*",
959737
+ "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
959738
+ "arn:aws:logs:*:*:log-group:aws/spans:*"
959739
+ ]
959740
+ },
959741
+ {
959742
+ "Sid": "ObservabilityReadOnlyPermissions",
959743
+ "Effect": "Allow",
959744
+ "Action": [
959745
+ "application-autoscaling:DescribeScalingPolicies",
959746
+ "application-signals:BatchGet*",
959747
+ "application-signals:Get*",
959748
+ "application-signals:List*",
959749
+ "autoscaling:Describe*",
959750
+ "cloudwatch:BatchGet*",
959751
+ "cloudwatch:Describe*",
959752
+ "cloudwatch:GenerateQuery",
959753
+ "cloudwatch:Get*",
959754
+ "cloudwatch:List*",
959755
+ "oam:ListSinks",
959756
+ "rum:BatchGet*",
959757
+ "rum:Get*",
959758
+ "rum:List*",
959759
+ "synthetics:Describe*",
959760
+ "synthetics:Get*",
959761
+ "synthetics:List*",
959762
+ "xray:BatchGet*",
959763
+ "xray:Get*",
959764
+ "xray:List*",
959765
+ "xray:StartTraceRetrieval",
959766
+ "xray:CancelTraceRetrieval",
959767
+ "logs:DescribeLogGroups",
959768
+ "logs:StartLiveTail",
959769
+ "logs:StopLiveTail"
959770
+ ],
959771
+ "Resource": "*"
959772
+ },
959773
+ {
959774
+ "Sid": "TransactionSearchXRayPermissions",
959775
+ "Effect": "Allow",
959776
+ "Action": [
959777
+ "xray:GetTraceSegmentDestination",
959778
+ "xray:UpdateTraceSegmentDestination",
959779
+ "xray:GetIndexingRules",
959780
+ "xray:UpdateIndexingRule"
959781
+ ],
959782
+ "Resource": "*"
959783
+ },
959784
+ {
959785
+ "Sid": "TransactionSearchLogGroupPermissions",
959786
+ "Effect": "Allow",
959787
+ "Action": [
959788
+ "logs:CreateLogGroup",
959789
+ "logs:CreateLogStream",
959790
+ "logs:PutRetentionPolicy"
959791
+ ],
959792
+ "Resource": [
959793
+ "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
959794
+ "arn:aws:logs:*:*:log-group:aws/spans:*"
959795
+ ]
959796
+ },
959797
+ {
959798
+ "Sid": "TransactionSearchLogsPermissions",
959799
+ "Effect": "Allow",
959800
+ "Action": [
959801
+ "logs:DescribeResourcePolicies"
959802
+ ],
959803
+ "Resource": [
959804
+ "*"
959805
+ ],
959806
+ "Condition": {
959807
+ "StringEquals": {
959808
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
959809
+ }
959810
+ }
959811
+ },
959812
+ {
959813
+ "Sid": "TransactionSearchApplicationSignalsPermissions",
959814
+ "Effect": "Allow",
959815
+ "Action": [
959816
+ "application-signals:StartDiscovery"
959817
+ ],
959818
+ "Resource": "*"
959819
+ },
959820
+ {
959821
+ "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions",
959822
+ "Effect": "Allow",
959823
+ "Action": "iam:CreateServiceLinkedRole",
959824
+ "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals",
959825
+ "Condition": {
959826
+ "StringLike": {
959827
+ "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com"
959828
+ }
959829
+ }
959830
+ },
959831
+ {
959832
+ "Sid": "CloudWatchApplicationSignalsGetRolePermissions",
959833
+ "Effect": "Allow",
959834
+ "Action": "iam:GetRole",
959835
+ "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals"
959836
+ },
959837
+ {
959838
+ "Sid": "CreateBedrockAgentCoreNetworkServiceLinkedRolePermissions",
959839
+ "Effect": "Allow",
959840
+ "Action": "iam:CreateServiceLinkedRole",
959841
+ "Resource": "arn:aws:iam::*:role/aws-service-role/network.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreNetwork",
959842
+ "Condition": {
959843
+ "StringEquals": {
959844
+ "iam:AWSServiceName": "network.bedrock-agentcore.amazonaws.com"
959845
+ }
959846
+ }
959847
+ },
959848
+ {
959849
+ "Sid": "CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRolePermissions",
959850
+ "Effect": "Allow",
959851
+ "Action": "iam:CreateServiceLinkedRole",
959852
+ "Resource": "arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity",
959853
+ "Condition": {
959854
+ "StringEquals": {
959855
+ "iam:AWSServiceName": "runtime-identity.bedrock-agentcore.amazonaws.com"
959856
+ }
959857
+ }
959858
+ }
959859
+ ]
959860
+ }
959861
+ },
959862
+ "v4": {
959863
+ "createdDate": "2025-07-16T13:37:07.000Z",
959864
+ "document": {
959865
+ "Version": "2012-10-17",
959866
+ "Statement": [
959867
+ {
959868
+ "Sid": "BedrockAgentCoreFullAccess",
959869
+ "Effect": "Allow",
959870
+ "Action": [
959871
+ "bedrock-agentcore:*"
959872
+ ],
959873
+ "Resource": "arn:aws:bedrock-agentcore:*:*:*"
959874
+ },
959875
+ {
959876
+ "Sid": "IAMListAccess",
959877
+ "Effect": "Allow",
959878
+ "Action": [
959879
+ "iam:GetRole",
959880
+ "iam:GetRolePolicy",
959881
+ "iam:ListAttachedRolePolicies",
959882
+ "iam:ListRolePolicies",
959883
+ "iam:ListRoles"
959884
+ ],
959885
+ "Resource": "arn:aws:iam::*:role/*"
959886
+ },
959887
+ {
959888
+ "Sid": "BedrockAgentCorePassRoleAccess",
959889
+ "Effect": "Allow",
959890
+ "Action": "iam:PassRole",
959891
+ "Resource": "arn:aws:iam::*:role/*BedrockAgentCore*",
959892
+ "Condition": {
959893
+ "StringEquals": {
959894
+ "iam:PassedToService": "bedrock-agentcore.amazonaws.com"
959895
+ }
959896
+ }
959897
+ },
959898
+ {
959899
+ "Sid": "SecretsManagerAccess",
959900
+ "Effect": "Allow",
959901
+ "Action": [
959902
+ "secretsmanager:CreateSecret",
959903
+ "secretsmanager:PutSecretValue",
959904
+ "secretsmanager:GetSecretValue",
959905
+ "secretsmanager:DeleteSecret"
959906
+ ],
959907
+ "Resource": "arn:aws:secretsmanager:*:*:secret:bedrock-agentcore*"
959908
+ },
959909
+ {
959910
+ "Sid": "BedrockAgentCoreKMSReadAccess",
959911
+ "Effect": "Allow",
959912
+ "Action": [
959913
+ "kms:ListKeys",
959914
+ "kms:DescribeKey"
959915
+ ],
959916
+ "Resource": [
959917
+ "arn:aws:kms:*:*:key/*"
959918
+ ],
959919
+ "Condition": {
959920
+ "StringEquals": {
959921
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
959922
+ }
959923
+ }
959924
+ },
959925
+ {
959926
+ "Sid": "BedrockAgentCoreKMSAccess",
959927
+ "Effect": "Allow",
959928
+ "Action": [
959929
+ "kms:Decrypt",
959930
+ "kms:GenerateDataKey",
959931
+ "kms:ListGrants"
959932
+ ],
959933
+ "Resource": [
959934
+ "arn:aws:kms:*:*:key/*"
959935
+ ],
959936
+ "Condition": {
959937
+ "StringEquals": {
959938
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
959939
+ },
959940
+ "ForAnyValue:StringEquals": {
959941
+ "aws:CalledVia": [
959942
+ "bedrock-agentcore.amazonaws.com"
959943
+ ]
959944
+ }
959945
+ }
959946
+ },
959947
+ {
959948
+ "Sid": "BedrockAgentCoreKMSGrantsAccess",
959949
+ "Effect": "Allow",
959950
+ "Action": [
959951
+ "kms:CreateGrant"
959952
+ ],
959953
+ "Resource": [
959954
+ "arn:aws:kms:*:*:key/*"
959955
+ ],
959956
+ "Condition": {
959957
+ "StringEquals": {
959958
+ "kms:GrantConstraintType": "EncryptionContextSubset"
959959
+ },
959960
+ "StringLike": {
959961
+ "kms:ViaService": [
959962
+ "bedrock-agentcore.*.amazonaws.com"
959963
+ ],
959964
+ "kms:EncryptionContext:aws:bedrock-agentcore-gateway:arn": "arn:aws:bedrock-agentcore:*:*:gateway/*"
959965
+ },
959966
+ "ForAllValues:StringEquals": {
959967
+ "kms:GrantOperations": [
959968
+ "Decrypt",
959969
+ "GenerateDataKey"
959970
+ ]
959971
+ }
959972
+ }
959973
+ },
959974
+ {
959975
+ "Sid": "BedrockAgentCoreS3Access",
959976
+ "Effect": "Allow",
959977
+ "Action": [
959978
+ "s3:GetObject"
959979
+ ],
959980
+ "Resource": [
959981
+ "arn:aws:s3:::bedrock-agentcore-gateway-*"
959982
+ ],
959983
+ "Condition": {
959984
+ "StringEquals": {
959985
+ "aws:CalledViaLast": "bedrock-agentcore.amazonaws.com",
959986
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
959987
+ }
959988
+ }
959989
+ },
959990
+ {
959991
+ "Sid": "BedrockAgentCoreGatewayLambdaAccess",
959992
+ "Effect": "Allow",
959993
+ "Action": [
959994
+ "lambda:ListFunctions"
959995
+ ],
959996
+ "Resource": [
959997
+ "arn:aws:lambda:*:*:*"
959998
+ ]
959999
+ },
960000
+ {
960001
+ "Sid": "LoggingAccess",
960002
+ "Effect": "Allow",
960003
+ "Action": [
960004
+ "logs:Get*",
960005
+ "logs:List*",
960006
+ "logs:StartQuery",
960007
+ "logs:StopQuery",
960008
+ "logs:Describe*",
960009
+ "logs:TestMetricFilter",
960010
+ "logs:FilterLogEvents"
960011
+ ],
960012
+ "Resource": [
960013
+ "arn:aws:logs:*:*:log-group:/aws/bedrock-agentcore/*",
960014
+ "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
960015
+ "arn:aws:logs:*:*:log-group:aws/spans:*"
960016
+ ]
960017
+ },
960018
+ {
960019
+ "Sid": "ObservabilityReadOnlyPermissions",
960020
+ "Effect": "Allow",
960021
+ "Action": [
960022
+ "application-autoscaling:DescribeScalingPolicies",
960023
+ "application-signals:BatchGet*",
960024
+ "application-signals:Get*",
960025
+ "application-signals:List*",
960026
+ "autoscaling:Describe*",
960027
+ "cloudwatch:BatchGet*",
960028
+ "cloudwatch:Describe*",
960029
+ "cloudwatch:GenerateQuery",
960030
+ "cloudwatch:Get*",
960031
+ "cloudwatch:List*",
960032
+ "oam:ListSinks",
960033
+ "rum:BatchGet*",
960034
+ "rum:Get*",
960035
+ "rum:List*",
960036
+ "synthetics:Describe*",
960037
+ "synthetics:Get*",
960038
+ "synthetics:List*",
960039
+ "xray:BatchGet*",
960040
+ "xray:Get*",
960041
+ "xray:List*",
960042
+ "xray:StartTraceRetrieval",
960043
+ "xray:CancelTraceRetrieval",
960044
+ "logs:DescribeLogGroups",
960045
+ "logs:StartLiveTail",
960046
+ "logs:StopLiveTail"
960047
+ ],
960048
+ "Resource": "*"
960049
+ },
960050
+ {
960051
+ "Sid": "TransactionSearchXRayPermissions",
960052
+ "Effect": "Allow",
960053
+ "Action": [
960054
+ "xray:GetTraceSegmentDestination",
960055
+ "xray:UpdateTraceSegmentDestination",
960056
+ "xray:GetIndexingRules",
960057
+ "xray:UpdateIndexingRule"
960058
+ ],
960059
+ "Resource": "*"
960060
+ },
960061
+ {
960062
+ "Sid": "TransactionSearchLogGroupPermissions",
960063
+ "Effect": "Allow",
960064
+ "Action": [
960065
+ "logs:CreateLogGroup",
960066
+ "logs:CreateLogStream",
960067
+ "logs:PutRetentionPolicy"
960068
+ ],
960069
+ "Resource": [
960070
+ "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
960071
+ "arn:aws:logs:*:*:log-group:aws/spans:*"
960072
+ ]
960073
+ },
960074
+ {
960075
+ "Sid": "TransactionSearchLogsPermissions",
960076
+ "Effect": "Allow",
960077
+ "Action": [
960078
+ "logs:DescribeResourcePolicies",
960079
+ "logs:PutResourcePolicy"
960080
+ ],
960081
+ "Resource": [
960082
+ "*"
960083
+ ],
960084
+ "Condition": {
960085
+ "StringEquals": {
960086
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
960087
+ }
960088
+ }
960089
+ },
960090
+ {
960091
+ "Sid": "TransactionSearchApplicationSignalsPermissions",
960092
+ "Effect": "Allow",
960093
+ "Action": [
960094
+ "application-signals:StartDiscovery"
960095
+ ],
960096
+ "Resource": "*"
960097
+ },
960098
+ {
960099
+ "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions",
960100
+ "Effect": "Allow",
960101
+ "Action": "iam:CreateServiceLinkedRole",
960102
+ "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals",
960103
+ "Condition": {
960104
+ "StringLike": {
960105
+ "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com"
960106
+ }
960107
+ }
960108
+ },
960109
+ {
960110
+ "Sid": "CloudWatchApplicationSignalsGetRolePermissions",
960111
+ "Effect": "Allow",
960112
+ "Action": "iam:GetRole",
960113
+ "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals"
960114
+ },
960115
+ {
960116
+ "Sid": "CreateBedrockAgentCoreNetworkServiceLinkedRolePermissions",
960117
+ "Effect": "Allow",
960118
+ "Action": "iam:CreateServiceLinkedRole",
960119
+ "Resource": "arn:aws:iam::*:role/aws-service-role/network.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreNetwork",
960120
+ "Condition": {
960121
+ "StringEquals": {
960122
+ "iam:AWSServiceName": "network.bedrock-agentcore.amazonaws.com"
960123
+ }
960124
+ }
959246
960125
  },
959247
960126
  {
959248
- "Sid": "BedrockAgentCorePassRoleAccess",
960127
+ "Sid": "CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRolePermissions",
959249
960128
  "Effect": "Allow",
959250
- "Action": "iam:PassRole",
959251
- "Resource": "arn:aws:iam::*:role/*BedrockAgentCore*",
960129
+ "Action": "iam:CreateServiceLinkedRole",
960130
+ "Resource": "arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity",
959252
960131
  "Condition": {
959253
960132
  "StringEquals": {
959254
- "iam:PassedToService": "bedrock-agentcore.amazonaws.com"
960133
+ "iam:AWSServiceName": "runtime-identity.bedrock-agentcore.amazonaws.com"
959255
960134
  }
959256
960135
  }
959257
960136
  },
959258
960137
  {
959259
- "Sid": "SecretsManagerAccess",
960138
+ "Sid": "CloudWatchApplicationSignalsCloudTrailPermissions",
959260
960139
  "Effect": "Allow",
959261
960140
  "Action": [
959262
- "secretsmanager:CreateSecret",
959263
- "secretsmanager:PutSecretValue",
959264
- "secretsmanager:GetSecretValue",
959265
- "secretsmanager:DeleteSecret"
960141
+ "cloudtrail:CreateServiceLinkedChannel"
959266
960142
  ],
959267
- "Resource": "arn:aws:secretsmanager:*:*:secret:bedrock-agentcore*"
960143
+ "Resource": "arn:aws:cloudtrail:*:*:channel/aws-service-channel/application-signals/*"
959268
960144
  },
959269
960145
  {
959270
- "Sid": "BedrockAgentCoreKMSReadAccess",
960146
+ "Sid": "BedrockAgentCoreRuntimeS3WriteAccess",
959271
960147
  "Effect": "Allow",
959272
960148
  "Action": [
959273
- "kms:ListKeys",
959274
- "kms:DescribeKey"
960149
+ "s3:CreateBucket",
960150
+ "s3:PutBucketPolicy",
960151
+ "s3:PutBucketVersioning",
960152
+ "s3:PutObject"
959275
960153
  ],
959276
960154
  "Resource": [
959277
- "arn:aws:kms:*:*:key/*"
960155
+ "arn:aws:s3:::bedrock-agentcore-runtime-*"
959278
960156
  ],
959279
960157
  "Condition": {
959280
960158
  "StringEquals": {
959281
- "aws:ResourceAccount": "${aws:PrincipalAccount}"
960159
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
959282
960160
  }
959283
960161
  }
959284
960162
  },
959285
960163
  {
959286
- "Sid": "BedrockAgentCoreKMSAccess",
960164
+ "Sid": "BedrockAgentCoreRuntimeS3ReadAccess",
959287
960165
  "Effect": "Allow",
959288
960166
  "Action": [
959289
- "kms:Decrypt",
959290
- "kms:GenerateDataKey"
959291
- ],
959292
- "Resource": [
959293
- "arn:aws:kms:*:*:key/*"
960167
+ "s3:GetObject",
960168
+ "s3:GetObjectVersion",
960169
+ "s3:ListBucket",
960170
+ "s3:ListBucketVersions"
959294
960171
  ],
960172
+ "Resource": "arn:aws:s3:::*",
959295
960173
  "Condition": {
959296
960174
  "StringEquals": {
959297
- "aws:ResourceAccount": "${aws:PrincipalAccount}"
959298
- },
959299
- "ForAnyValue:StringEquals": {
959300
- "aws:CalledVia": [
959301
- "bedrock-agentcore.amazonaws.com"
959302
- ]
960175
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
959303
960176
  }
959304
960177
  }
959305
960178
  },
959306
960179
  {
959307
- "Sid": "BedrockAgentCoreS3Access",
960180
+ "Sid": "BedrockAgentCoreRuntimeS3ListAccess",
959308
960181
  "Effect": "Allow",
959309
960182
  "Action": [
959310
- "s3:GetObject"
959311
- ],
959312
- "Resource": [
959313
- "arn:aws:s3:::bedrock-agentcore-gateway-*"
960183
+ "s3:ListAllMyBuckets"
959314
960184
  ],
960185
+ "Resource": "*",
959315
960186
  "Condition": {
959316
960187
  "StringEquals": {
959317
- "aws:CalledViaLast": "bedrock-agentcore.amazonaws.com",
959318
960188
  "s3:ResourceAccount": "${aws:PrincipalAccount}"
959319
960189
  }
959320
960190
  }
959321
960191
  },
959322
960192
  {
959323
- "Sid": "BedrockAgentCoreGatewayLambdaAccess",
959324
- "Effect": "Allow",
959325
- "Action": [
959326
- "lambda:ListFunctions"
959327
- ],
959328
- "Resource": [
959329
- "arn:aws:lambda:*:*:*"
959330
- ]
959331
- },
959332
- {
959333
- "Sid": "LoggingAccess",
959334
- "Effect": "Allow",
959335
- "Action": [
959336
- "logs:Get*",
959337
- "logs:List*",
959338
- "logs:StartQuery",
959339
- "logs:StopQuery",
959340
- "logs:Describe*",
959341
- "logs:TestMetricFilter",
959342
- "logs:FilterLogEvents"
959343
- ],
959344
- "Resource": [
959345
- "arn:aws:logs:*:*:log-group:/aws/bedrock-agentcore/*",
959346
- "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
959347
- "arn:aws:logs:*:*:log-group:aws/spans:*"
959348
- ]
959349
- },
959350
- {
959351
- "Sid": "ObservabilityReadOnlyPermissions",
959352
- "Effect": "Allow",
959353
- "Action": [
959354
- "application-autoscaling:DescribeScalingPolicies",
959355
- "application-signals:BatchGet*",
959356
- "application-signals:Get*",
959357
- "application-signals:List*",
959358
- "autoscaling:Describe*",
959359
- "cloudwatch:BatchGet*",
959360
- "cloudwatch:Describe*",
959361
- "cloudwatch:GenerateQuery",
959362
- "cloudwatch:Get*",
959363
- "cloudwatch:List*",
959364
- "oam:ListSinks",
959365
- "rum:BatchGet*",
959366
- "rum:Get*",
959367
- "rum:List*",
959368
- "synthetics:Describe*",
959369
- "synthetics:Get*",
959370
- "synthetics:List*",
959371
- "xray:BatchGet*",
959372
- "xray:Get*",
959373
- "xray:List*",
959374
- "xray:StartTraceRetrieval",
959375
- "xray:CancelTraceRetrieval",
959376
- "logs:DescribeLogGroups",
959377
- "logs:StartLiveTail",
959378
- "logs:StopLiveTail"
959379
- ],
959380
- "Resource": "*"
959381
- },
959382
- {
959383
- "Sid": "TransactionSearchXRayPermissions",
959384
- "Effect": "Allow",
959385
- "Action": [
959386
- "xray:GetTraceSegmentDestination",
959387
- "xray:UpdateTraceSegmentDestination",
959388
- "xray:GetIndexingRules",
959389
- "xray:UpdateIndexingRule"
959390
- ],
959391
- "Resource": "*"
959392
- },
959393
- {
959394
- "Sid": "TransactionSearchLogGroupPermissions",
960193
+ "Sid": "BedrockAgentCoreRuntimeECRAccess",
959395
960194
  "Effect": "Allow",
959396
960195
  "Action": [
959397
- "logs:CreateLogGroup",
959398
- "logs:CreateLogStream",
959399
- "logs:PutRetentionPolicy"
960196
+ "ecr:DescribeRepositories",
960197
+ "ecr:DescribeImages",
960198
+ "ecr:ListImages"
959400
960199
  ],
959401
960200
  "Resource": [
959402
- "arn:aws:logs:*:*:log-group:/aws/application-signals/data:*",
959403
- "arn:aws:logs:*:*:log-group:aws/spans:*"
960201
+ "arn:aws:ecr:*:*:repository/*"
959404
960202
  ]
959405
- },
959406
- {
959407
- "Sid": "TransactionSearchLogsPermissions",
959408
- "Effect": "Allow",
959409
- "Action": [
959410
- "logs:DescribeResourcePolicies"
959411
- ],
959412
- "Resource": [
959413
- "*"
959414
- ],
959415
- "Condition": {
959416
- "StringEquals": {
959417
- "aws:ResourceAccount": "${aws:PrincipalAccount}"
959418
- }
959419
- }
959420
- },
959421
- {
959422
- "Sid": "TransactionSearchApplicationSignalsPermissions",
959423
- "Effect": "Allow",
959424
- "Action": [
959425
- "application-signals:StartDiscovery"
959426
- ],
959427
- "Resource": "*"
959428
- },
959429
- {
959430
- "Sid": "CloudWatchApplicationSignalsCreateServiceLinkedRolePermissions",
959431
- "Effect": "Allow",
959432
- "Action": "iam:CreateServiceLinkedRole",
959433
- "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals",
959434
- "Condition": {
959435
- "StringLike": {
959436
- "iam:AWSServiceName": "application-signals.cloudwatch.amazonaws.com"
959437
- }
959438
- }
959439
- },
959440
- {
959441
- "Sid": "CloudWatchApplicationSignalsGetRolePermissions",
959442
- "Effect": "Allow",
959443
- "Action": "iam:GetRole",
959444
- "Resource": "arn:aws:iam::*:role/aws-service-role/application-signals.cloudwatch.amazonaws.com/AWSServiceRoleForCloudWatchApplicationSignals"
959445
- },
959446
- {
959447
- "Sid": "CreateBedrockAgentCoreNetworkServiceLinkedRolePermissions",
959448
- "Effect": "Allow",
959449
- "Action": "iam:CreateServiceLinkedRole",
959450
- "Resource": "arn:aws:iam::*:role/aws-service-role/network.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreNetwork",
959451
- "Condition": {
959452
- "StringEquals": {
959453
- "iam:AWSServiceName": "network.bedrock-agentcore.amazonaws.com"
959454
- }
959455
- }
959456
- },
959457
- {
959458
- "Sid": "CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRolePermissions",
959459
- "Effect": "Allow",
959460
- "Action": "iam:CreateServiceLinkedRole",
959461
- "Resource": "arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity",
959462
- "Condition": {
959463
- "StringEquals": {
959464
- "iam:AWSServiceName": "runtime-identity.bedrock-agentcore.amazonaws.com"
959465
- }
959466
- }
959467
960203
  }
959468
960204
  ]
959469
960205
  }
959470
960206
  },
959471
- "v4": {
960207
+ "v5": {
959472
960208
  "createdDate": "2025-07-16T13:37:07.000Z",
959473
960209
  "document": {
959474
960210
  "Version": "2012-10-17",
@@ -959606,6 +960342,16 @@
959606
960342
  "arn:aws:lambda:*:*:*"
959607
960343
  ]
959608
960344
  },
960345
+ {
960346
+ "Sid": "BedrockAgentCoreGatewayApiGateway",
960347
+ "Effect": "Allow",
960348
+ "Action": [
960349
+ "apigateway:GET"
960350
+ ],
960351
+ "Resource": [
960352
+ "arn:aws:apigateway:*::/restapis/*/stages/*/exports/*"
960353
+ ]
960354
+ },
959609
960355
  {
959610
960356
  "Sid": "LoggingAccess",
959611
960357
  "Effect": "Allow",
@@ -959809,13 +960555,47 @@
959809
960555
  "Resource": [
959810
960556
  "arn:aws:ecr:*:*:repository/*"
959811
960557
  ]
960558
+ },
960559
+ {
960560
+ "Sid": "AgentCoreEvaluationCloudWatchLogCreate",
960561
+ "Effect": "Allow",
960562
+ "Action": [
960563
+ "logs:CreateLogGroup"
960564
+ ],
960565
+ "Resource": [
960566
+ "arn:aws:logs:*:*:log-group:/aws/bedrock-agentcore/evaluations/*"
960567
+ ]
960568
+ },
960569
+ {
960570
+ "Sid": "AgentCoreEvaluationCloudWatchLogIndexAccess",
960571
+ "Effect": "Allow",
960572
+ "Action": [
960573
+ "logs:PutIndexPolicy",
960574
+ "logs:DescribeIndexPolicies"
960575
+ ],
960576
+ "Resource": [
960577
+ "arn:aws:logs:*:*:log-group:aws/spans",
960578
+ "arn:aws:logs:*:*:log-group:aws/spans:*"
960579
+ ]
960580
+ },
960581
+ {
960582
+ "Sid": "AgentCoreEvaluationBedrockInvokeAccess",
960583
+ "Effect": "Allow",
960584
+ "Action": [
960585
+ "bedrock:InvokeModel",
960586
+ "bedrock:InvokeModelWithResponseStream"
960587
+ ],
960588
+ "Resource": [
960589
+ "arn:aws:bedrock:*::foundation-model/*",
960590
+ "arn:aws:bedrock:*:*:inference-profile/*"
960591
+ ]
959812
960592
  }
959813
960593
  ]
959814
960594
  }
959815
960595
  }
959816
960596
  },
959817
960597
  "createdDate": "2025-07-16T13:37:07.000Z",
959818
- "lastUpdatedDate": "2025-11-03T21:04:07.000Z"
960598
+ "lastUpdatedDate": "2025-12-02T13:34:12.000Z"
959819
960599
  },
959820
960600
  "AWSRolesAnywhereFullAccess": {
959821
960601
  "arn": "arn:aws:iam::aws:policy/AWSRolesAnywhereFullAccess",
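Review bot: The new `AgentCoreEvaluationBedrockInvokeAccess` statement grants `bedrock:InvokeModel` and `bedrock:InvokeModelWithResponseStream` on `arn:aws:bedrock:*:*:inference-profile/*` with a wildcard account and no `Condition`, whereas the S3 statements in this same policy version pin `s3:ResourceAccount` to `${aws:PrincipalAccount}`. The `foundation-model/*` ARN legitimately has no account field, but for inference profiles the policy text itself does not confine invocations to profiles in the role's own account; whether cross-account profiles are intended for evaluations is not evident from the hunk. This file mirrors a published AWS managed policy, so the record cannot be changed here; the actionable point for consumers is that a role carrying this policy should be paired with an account-scoped boundary if same-account profiles are all that evaluations require. The enclosing `Statement` array and version document begin before this hunk.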
@@ -979770,5 +980550,106 @@
979770
980550
  },
979771
980551
  "createdDate": "2025-12-01T00:34:10.000Z",
979772
980552
  "lastUpdatedDate": "2025-12-01T00:34:10.000Z"
980553
+ },
980554
+ "SecurityAgentWebAppAPIPolicy": {
980555
+ "arn": "arn:aws:iam::aws:policy/service-role/SecurityAgentWebAppAPIPolicy",
980556
+ "latestVersionId": "v1",
980557
+ "versionsCount": 1,
980558
+ "versions": {
980559
+ "v1": {
980560
+ "createdDate": "2025-12-02T15:04:06.000Z",
980561
+ "document": {
980562
+ "Version": "2012-10-17",
980563
+ "Statement": [
980564
+ {
980565
+ "Sid": "ApplicationAccess",
980566
+ "Effect": "Allow",
980567
+ "Action": [
980568
+ "securityagent:ListAgentInstances",
980569
+ "securityagent:ListControls"
980570
+ ],
980571
+ "Resource": "*",
980572
+ "Condition": {
980573
+ "StringEquals": {
980574
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
980575
+ }
980576
+ }
980577
+ },
980578
+ {
980579
+ "Sid": "AgentInstanceAccess",
980580
+ "Effect": "Allow",
980581
+ "Action": [
980582
+ "securityagent:AddArtifact",
980583
+ "securityagent:BatchDeletePentests",
980584
+ "securityagent:BatchGetAgentInstances",
980585
+ "securityagent:BatchGetArtifactMetadata",
980586
+ "securityagent:BatchGetFindings",
980587
+ "securityagent:BatchGetPentestJobs",
980588
+ "securityagent:BatchGetPentests",
980589
+ "securityagent:BatchGetTasks",
980590
+ "securityagent:CreateDocumentReview",
980591
+ "securityagent:CreatePentest",
980592
+ "securityagent:DeleteArtifact",
980593
+ "securityagent:GetArtifact",
980594
+ "securityagent:GetCodeReviewTask",
980595
+ "securityagent:GetDocReviewTask",
980596
+ "securityagent:GetDocumentReview",
980597
+ "securityagent:GetDocumentReviewArtifact",
980598
+ "securityagent:ListArtifacts",
980599
+ "securityagent:ListControls",
980600
+ "securityagent:ListDiscoveredEndpoints",
980601
+ "securityagent:ListDocumentReviewComments",
980602
+ "securityagent:ListDocumentReviews",
980603
+ "securityagent:ListFindings",
980604
+ "securityagent:ListIntegratedResources",
980605
+ "securityagent:ListPentestJobsForPentest",
980606
+ "securityagent:ListPentests",
980607
+ "securityagent:ListTasks",
980608
+ "securityagent:StartPentestExecution",
980609
+ "securityagent:StopPentestExecution",
980610
+ "securityagent:UpdateFinding",
980611
+ "securityagent:UpdatePentest"
980612
+ ],
980613
+ "Resource": "arn:aws:securityagent:*:*:agent-instance*",
980614
+ "Condition": {
980615
+ "StringEquals": {
980616
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
980617
+ }
980618
+ }
980619
+ }
980620
+ ]
980621
+ }
980622
+ }
980623
+ },
980624
+ "createdDate": "2025-12-02T15:04:06.000Z",
980625
+ "lastUpdatedDate": "2025-12-02T15:04:06.000Z"
980626
+ },
980627
+ "AWSLambdaBasicDurableExecutionRolePolicy": {
980628
+ "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy",
980629
+ "latestVersionId": "v1",
980630
+ "versionsCount": 1,
980631
+ "versions": {
980632
+ "v1": {
980633
+ "createdDate": "2025-12-02T15:04:12.000Z",
980634
+ "document": {
980635
+ "Version": "2012-10-17",
980636
+ "Statement": [
980637
+ {
980638
+ "Effect": "Allow",
980639
+ "Action": [
980640
+ "logs:CreateLogGroup",
980641
+ "logs:CreateLogStream",
980642
+ "logs:PutLogEvents",
980643
+ "lambda:CheckpointDurableExecution",
980644
+ "lambda:GetDurableExecutionState"
980645
+ ],
980646
+ "Resource": "*"
980647
+ }
980648
+ ]
980649
+ }
980650
+ }
980651
+ },
980652
+ "createdDate": "2025-12-02T15:04:12.000Z",
980653
+ "lastUpdatedDate": "2025-12-02T15:04:12.000Z"
979773
980654
  }
979774
980655
  }
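Review bot: In the new `SecurityAgentWebAppAPIPolicy`, `securityagent:ListControls` appears in both the `ApplicationAccess` statement (on `"Resource": "*"`) and the `AgentInstanceAccess` statement, so the second grant is fully subsumed by the first and the line `"securityagent:ListControls",` in the `AgentInstanceAccess` action list is redundant. The `AgentInstanceAccess` resource `arn:aws:securityagent:*:*:agent-instance*` uses a glob with no `/` separator, so it matches any resource type whose name merely starts with `agent-instance`, not only `agent-instance/<id>`; whether other such resource types exist is not shown here. By contrast, the new `AWSLambdaBasicDurableExecutionRolePolicy` grants `logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`, `lambda:CheckpointDurableExecution` and `lambda:GetDurableExecutionState` on `"Resource": "*"` with no `Sid` and no `aws:ResourceAccount` condition, unlike every statement in the sibling policy added in this hunk. Since these entries mirror published AWS managed policies, the dataset cannot be edited here; consumers attaching the Lambda policy should be aware that the checkpoint/state actions are unscoped at the policy level.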