aws-iam-managed-policies 0.0.596 → 0.0.598

@@ -767749,8 +767749,8 @@
767749
767749
  },
767750
767750
  "AWSAuditManagerServiceRolePolicy": {
767751
767751
  "arn": "arn:aws:iam::aws:policy/aws-service-role/AWSAuditManagerServiceRolePolicy",
767752
- "latestVersionId": "v10",
767753
- "versionsCount": 10,
767752
+ "latestVersionId": "v11",
767753
+ "versionsCount": 11,
767754
767754
  "versions": {
767755
767755
  "v1": {
767756
767756
  "createdDate": "2020-12-08T15:12:12.000Z",
@@ -770033,10 +770033,304 @@
770033
770033
  }
770034
770034
  ]
770035
770035
  }
770036
+ },
770037
+ "v11": {
770038
+ "createdDate": "2020-12-08T15:12:12.000Z",
770039
+ "document": {
770040
+ "Version": "2012-10-17",
770041
+ "Statement": [
770042
+ {
770043
+ "Effect": "Allow",
770044
+ "Action": [
770045
+ "acm:GetAccountConfiguration",
770046
+ "acm:ListCertificates",
770047
+ "autoscaling:DescribeAutoScalingGroups",
770048
+ "backup:ListBackupPlans",
770049
+ "backup:ListRecoveryPointsByResource",
770050
+ "bedrock:GetCustomModel",
770051
+ "bedrock:GetFoundationModel",
770052
+ "bedrock:GetModelCustomizationJob",
770053
+ "bedrock:GetModelInvocationLoggingConfiguration",
770054
+ "bedrock:ListCustomModels",
770055
+ "bedrock:ListFoundationModels",
770056
+ "bedrock:ListGuardrails",
770057
+ "bedrock:ListModelCustomizationJobs",
770058
+ "cloudfront:GetDistribution",
770059
+ "cloudfront:GetDistributionConfig",
770060
+ "cloudfront:ListDistributions",
770061
+ "cloudtrail:GetTrail",
770062
+ "cloudtrail:ListTrails",
770063
+ "cloudtrail:DescribeTrails",
770064
+ "cloudtrail:LookupEvents",
770065
+ "cloudwatch:DescribeAlarms",
770066
+ "cloudwatch:DescribeAlarmsForMetric",
770067
+ "cloudwatch:GetMetricStatistics",
770068
+ "cloudwatch:ListMetrics",
770069
+ "cognito-idp:DescribeUserPool",
770070
+ "config:DescribeConfigRules",
770071
+ "config:DescribeDeliveryChannels",
770072
+ "config:ListDiscoveredResources",
770073
+ "directconnect:DescribeDirectConnectGateways",
770074
+ "directconnect:DescribeVirtualGateways",
770075
+ "dynamodb:DescribeContinuousBackups",
770076
+ "dynamodb:DescribeBackup",
770077
+ "dynamodb:DescribeTableReplicaAutoScaling",
770078
+ "dynamodb:DescribeTable",
770079
+ "dynamodb:ListBackups",
770080
+ "dynamodb:ListGlobalTables",
770081
+ "dynamodb:ListTables",
770082
+ "ec2:DescribeInstanceCreditSpecifications",
770083
+ "ec2:DescribeInstanceAttribute",
770084
+ "ec2:DescribeSecurityGroupRules",
770085
+ "ec2:DescribeVpcEndpointConnections",
770086
+ "ec2:DescribeVpcEndpointServiceConfigurations",
770087
+ "ec2:GetLaunchTemplateData",
770088
+ "ec2:DescribeAddresses",
770089
+ "ec2:DescribeCustomerGateways",
770090
+ "ec2:DescribeEgressOnlyInternetGateways",
770091
+ "ec2:DescribeFlowLogs",
770092
+ "ec2:DescribeInstances",
770093
+ "ec2:DescribeInternetGateways",
770094
+ "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
770095
+ "ec2:DescribeLocalGateways",
770096
+ "ec2:DescribeLocalGatewayVirtualInterfaces",
770097
+ "ec2:DescribeNatGateways",
770098
+ "ec2:DescribeNetworkAcls",
770099
+ "ec2:DescribeRouteTables",
770100
+ "ec2:DescribeSecurityGroups",
770101
+ "ec2:DescribeSnapshots",
770102
+ "ec2:DescribeTransitGateways",
770103
+ "ec2:DescribeVolumes",
770104
+ "ec2:DescribeVpcEndpoints",
770105
+ "ec2:DescribeVpcPeeringConnections",
770106
+ "ec2:DescribeVpcs",
770107
+ "ec2:DescribeVpnConnections",
770108
+ "ec2:DescribeVpnGateways",
770109
+ "ec2:GetEbsDefaultKmsKeyId",
770110
+ "ec2:GetEbsEncryptionByDefault",
770111
+ "ecs:DescribeClusters",
770112
+ "eks:DescribeAddonVersions",
770113
+ "elasticache:DescribeCacheClusters",
770114
+ "elasticache:DescribeServiceUpdates",
770115
+ "elasticfilesystem:DescribeAccessPoints",
770116
+ "elasticfilesystem:DescribeFileSystems",
770117
+ "elasticloadbalancing:DescribeLoadBalancers",
770118
+ "elasticloadbalancing:DescribeSslPolicies",
770119
+ "elasticloadbalancing:DescribeTargetGroups",
770120
+ "elasticmapreduce:ListClusters",
770121
+ "elasticmapreduce:ListSecurityConfigurations",
770122
+ "events:DescribeRule",
770123
+ "events:ListConnections",
770124
+ "events:ListEventBuses",
770125
+ "events:ListEventSources",
770126
+ "events:ListRules",
770127
+ "firehose:ListDeliveryStreams",
770128
+ "fsx:DescribeFileSystems",
770129
+ "guardduty:ListDetectors",
770130
+ "iam:GenerateCredentialReport",
770131
+ "iam:GetAccountAuthorizationDetails",
770132
+ "iam:GetAccessKeyLastUsed",
770133
+ "iam:GetCredentialReport",
770134
+ "iam:GetGroupPolicy",
770135
+ "iam:GetPolicy",
770136
+ "iam:GetPolicyVersion",
770137
+ "iam:GetRolePolicy",
770138
+ "iam:GetUser",
770139
+ "iam:GetUserPolicy",
770140
+ "iam:GetAccountPasswordPolicy",
770141
+ "iam:GetAccountSummary",
770142
+ "iam:ListAttachedGroupPolicies",
770143
+ "iam:ListAttachedUserPolicies",
770144
+ "iam:ListEntitiesForPolicy",
770145
+ "iam:ListGroupsForUser",
770146
+ "iam:ListGroupPolicies",
770147
+ "iam:ListGroups",
770148
+ "iam:ListOpenIdConnectProviders",
770149
+ "iam:ListPolicies",
770150
+ "iam:ListRolePolicies",
770151
+ "iam:ListRoles",
770152
+ "iam:ListSamlProviders",
770153
+ "iam:ListUserPolicies",
770154
+ "iam:ListUsers",
770155
+ "iam:ListVirtualMFADevices",
770156
+ "iam:ListPolicyVersions",
770157
+ "iam:ListAccessKeys",
770158
+ "iam:ListAttachedRolePolicies",
770159
+ "iam:ListMfaDeviceTags",
770160
+ "iam:ListMfaDevices",
770161
+ "kafka:ListClusters",
770162
+ "kafka:ListKafkaVersions",
770163
+ "kinesis:ListStreams",
770164
+ "kms:DescribeKey",
770165
+ "kms:GetKeyPolicy",
770166
+ "kms:GetKeyRotationStatus",
770167
+ "kms:ListGrants",
770168
+ "kms:ListKeyPolicies",
770169
+ "kms:ListKeys",
770170
+ "lambda:ListFunctions",
770171
+ "license-manager:ListAssociationsForLicenseConfiguration",
770172
+ "license-manager:ListLicenseConfigurations",
770173
+ "license-manager:ListUsageForLicenseConfiguration",
770174
+ "logs:DescribeDestinations",
770175
+ "logs:DescribeExportTasks",
770176
+ "logs:DescribeLogGroups",
770177
+ "logs:DescribeMetricFilters",
770178
+ "logs:DescribeResourcePolicies",
770179
+ "logs:FilterLogEvents",
770180
+ "logs:GetDataProtectionPolicy",
770181
+ "es:DescribeDomains",
770182
+ "es:DescribeDomain",
770183
+ "es:DescribeDomainConfig",
770184
+ "es:ListDomainNames",
770185
+ "organizations:DescribeOrganization",
770186
+ "organizations:DescribePolicy",
770187
+ "organizations:DescribeAccount",
770188
+ "rds:DescribeCertificates",
770189
+ "rds:DescribeDBClusterEndpoints",
770190
+ "rds:DescribeDBClusterParameterGroups",
770191
+ "rds:DescribeDBInstances",
770192
+ "rds:DescribeDBSecurityGroups",
770193
+ "rds:DescribeDBClusters",
770194
+ "rds:DescribeDBInstanceAutomatedBackups",
770195
+ "redshift:DescribeClusters",
770196
+ "redshift:DescribeClusterSnapshots",
770197
+ "redshift:DescribeLoggingStatus",
770198
+ "route53:GetQueryLoggingConfig",
770199
+ "sagemaker:DescribeAlgorithm",
770200
+ "sagemaker:DescribeFlowDefinition",
770201
+ "sagemaker:DescribeHumanTaskUi",
770202
+ "sagemaker:DescribeModelBiasJobDefinition",
770203
+ "sagemaker:DescribeModelCard",
770204
+ "sagemaker:DescribeModelQualityJobDefinition",
770205
+ "sagemaker:DescribeDomain",
770206
+ "sagemaker:DescribeEndpoint",
770207
+ "sagemaker:DescribeEndpointConfig",
770208
+ "sagemaker:DescribeLabelingJob",
770209
+ "sagemaker:DescribeModel",
770210
+ "sagemaker:DescribeTrainingJob",
770211
+ "sagemaker:DescribeUserProfile",
770212
+ "sagemaker:ListAlgorithms",
770213
+ "sagemaker:ListDomains",
770214
+ "sagemaker:ListEndpoints",
770215
+ "sagemaker:ListEndpointConfigs",
770216
+ "sagemaker:ListFlowDefinitions",
770217
+ "sagemaker:ListHumanTaskUis",
770218
+ "sagemaker:ListLabelingJobs",
770219
+ "sagemaker:ListModels",
770220
+ "sagemaker:ListModelBiasJobDefinitions",
770221
+ "sagemaker:ListModelCards",
770222
+ "sagemaker:ListModelQualityJobDefinitions",
770223
+ "sagemaker:ListMonitoringAlerts",
770224
+ "sagemaker:ListMonitoringSchedules",
770225
+ "sagemaker:ListTrainingJobs",
770226
+ "sagemaker:ListUserProfiles",
770227
+ "s3:GetBucketPublicAccessBlock",
770228
+ "s3:GetBucketVersioning",
770229
+ "s3:GetEncryptionConfiguration",
770230
+ "s3:GetLifecycleConfiguration",
770231
+ "s3:ListAllMyBuckets",
770232
+ "secretsmanager:DescribeSecret",
770233
+ "secretsmanager:ListSecrets",
770234
+ "securityhub:DescribeStandards",
770235
+ "sns:ListTagsForResource",
770236
+ "sns:ListTopics",
770237
+ "sqs:ListQueues",
770238
+ "waf-regional:GetRule",
770239
+ "waf-regional:GetWebAcl",
770240
+ "waf:GetRule",
770241
+ "waf:GetRuleGroup",
770242
+ "waf:ListActivatedRulesInRuleGroup",
770243
+ "waf:ListWebAcls",
770244
+ "wafv2:ListWebAcls",
770245
+ "waf-regional:GetLoggingConfiguration",
770246
+ "waf-regional:ListRuleGroups",
770247
+ "waf-regional:ListSubscribedRuleGroups",
770248
+ "waf-regional:ListWebACLs",
770249
+ "waf-regional:ListRules",
770250
+ "waf:ListRuleGroups",
770251
+ "waf:ListRules"
770252
+ ],
770253
+ "Resource": "*",
770254
+ "Sid": "APIsAccess"
770255
+ },
770256
+ {
770257
+ "Sid": "S3Access",
770258
+ "Effect": "Allow",
770259
+ "Action": [
770260
+ "s3:GetBucketAcl",
770261
+ "s3:GetBucketLogging",
770262
+ "s3:GetBucketOwnershipControls",
770263
+ "s3:GetBucketPolicy",
770264
+ "s3:GetBucketTagging"
770265
+ ],
770266
+ "Resource": "*",
770267
+ "Condition": {
770268
+ "StringEquals": {
770269
+ "aws:ResourceAccount": [
770270
+ "${aws:PrincipalAccount}"
770271
+ ]
770272
+ }
770273
+ }
770274
+ },
770275
+ {
770276
+ "Sid": "APIGatewayAccess",
770277
+ "Effect": "Allow",
770278
+ "Action": [
770279
+ "apigateway:GET"
770280
+ ],
770281
+ "Resource": [
770282
+ "arn:aws:apigateway:*::/restapis",
770283
+ "arn:aws:apigateway:*::/restapis/*/stages/*",
770284
+ "arn:aws:apigateway:*::/restapis/*/stages"
770285
+ ],
770286
+ "Condition": {
770287
+ "StringEquals": {
770288
+ "aws:ResourceAccount": [
770289
+ "${aws:PrincipalAccount}"
770290
+ ]
770291
+ }
770292
+ }
770293
+ },
770294
+ {
770295
+ "Sid": "CreateEventsAccess",
770296
+ "Effect": "Allow",
770297
+ "Action": [
770298
+ "events:PutRule"
770299
+ ],
770300
+ "Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver",
770301
+ "Condition": {
770302
+ "ForAllValues:StringEquals": {
770303
+ "events:detail-type": "Security Hub Findings - Imported",
770304
+ "events:source": [
770305
+ "aws.securityhub"
770306
+ ]
770307
+ },
770308
+ "Null": {
770309
+ "events:source": "false",
770310
+ "events:detail-type": "false"
770311
+ }
770312
+ }
770313
+ },
770314
+ {
770315
+ "Sid": "EventsAccess",
770316
+ "Effect": "Allow",
770317
+ "Action": [
770318
+ "events:DeleteRule",
770319
+ "events:DescribeRule",
770320
+ "events:EnableRule",
770321
+ "events:DisableRule",
770322
+ "events:ListTargetsByRule",
770323
+ "events:PutTargets",
770324
+ "events:RemoveTargets"
770325
+ ],
770326
+ "Resource": "arn:aws:events:*:*:rule/AuditManagerSecurityHubFindingsReceiver"
770327
+ }
770328
+ ]
770329
+ }
770036
770330
  }
770037
770331
  },
770038
770332
  "createdDate": "2020-12-08T15:12:12.000Z",
770039
- "lastUpdatedDate": "2024-09-24T23:22:25.000Z"
770333
+ "lastUpdatedDate": "2026-06-02T20:12:13.000Z"
770040
770334
  },
770041
770335
  "AmazonSageMakerEdgeDeviceFleetPolicy": {
770042
770336
  "arn": "arn:aws:iam::aws:policy/service-role/AmazonSageMakerEdgeDeviceFleetPolicy",
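Review bot: The added `v11` entry carries `"createdDate": "2020-12-08T15:12:12.000Z"`, the same value as `v1` and as the policy-level `createdDate`, while `lastUpdatedDate` moves to 2026-06-02, so the per-version field appears to repeat the policy's creation date rather than record when v11 was published. Anyone using this file to date a permission change would read 2020 for a version that, going by `lastUpdatedDate`, arrived in 2026; the field should hold the version's own creation time, e.g. `"createdDate": "<v11 creation timestamp>"`. The `v8` entry added to AmazonEKSLoadBalancingPolicy further down shows the same pattern. Because v10 sits outside this hunk, the actual permission delta is not visible here and needs a document-level comparison of v10 against v11.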
@@ -983770,8 +984064,8 @@
983770
984064
  },
983771
984065
  "AmazonEKSLoadBalancingPolicy": {
983772
984066
  "arn": "arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy",
983773
- "latestVersionId": "v7",
983774
- "versionsCount": 7,
984067
+ "latestVersionId": "v8",
984068
+ "versionsCount": 8,
983775
984069
  "versions": {
983776
984070
  "v1": {
983777
984071
  "createdDate": "2024-10-30T20:18:06.000Z",
@@ -985478,143 +985772,141 @@
985478
985772
  }
985479
985773
  ]
985480
985774
  }
985481
- }
985482
- },
985483
- "createdDate": "2024-10-30T20:18:06.000Z",
985484
- "lastUpdatedDate": "2026-04-27T22:12:10.000Z"
985485
- },
985486
- "AmazonEKSBlockStoragePolicy": {
985487
- "arn": "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy",
985488
- "latestVersionId": "v1",
985489
- "versionsCount": 1,
985490
- "versions": {
985491
- "v1": {
985492
- "createdDate": "2024-10-30T20:18:13.000Z",
985775
+ },
985776
+ "v8": {
985777
+ "createdDate": "2024-10-30T20:18:06.000Z",
985493
985778
  "document": {
985494
985779
  "Version": "2012-10-17",
985495
985780
  "Statement": [
985496
985781
  {
985497
985782
  "Effect": "Allow",
985498
985783
  "Action": [
985499
- "ec2:AttachVolume",
985500
- "ec2:DetachVolume",
985501
- "ec2:ModifyVolume",
985502
- "ec2:EnableFastSnapshotRestores"
985784
+ "elasticloadbalancing:CreateLoadBalancer",
985785
+ "elasticloadbalancing:CreateTargetGroup",
985786
+ "elasticloadbalancing:CreateListener",
985787
+ "elasticloadbalancing:CreateRule",
985788
+ "ec2:CreateSecurityGroup"
985503
985789
  ],
985504
985790
  "Resource": "*",
985505
985791
  "Condition": {
985506
985792
  "StringEquals": {
985507
- "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
985793
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
985794
+ },
985795
+ "ForAllValues:StringEquals": {
985796
+ "aws:TagKeys": [
985797
+ "eks:eks-cluster-name",
985798
+ "ingress.eks.amazonaws.com/stack",
985799
+ "ingress.eks.amazonaws.com/resource",
985800
+ "service.eks.amazonaws.com/stack",
985801
+ "service.eks.amazonaws.com/resource"
985802
+ ]
985508
985803
  }
985509
985804
  }
985510
985805
  },
985511
985806
  {
985512
985807
  "Effect": "Allow",
985513
- "Action": "ec2:CreateTags",
985514
- "Resource": "*",
985515
- "Condition": {
985516
- "StringEquals": {
985517
- "ec2:CreateAction": [
985518
- "CreateVolume",
985519
- "CreateSnapshot"
985520
- ]
985521
- }
985522
- }
985808
+ "Action": [
985809
+ "ec2:CreateSecurityGroup"
985810
+ ],
985811
+ "Resource": "arn:aws:ec2:*:*:vpc/*"
985523
985812
  },
985524
985813
  {
985525
985814
  "Effect": "Allow",
985526
985815
  "Action": [
985527
- "ec2:CreateVolume"
985816
+ "elasticloadbalancing:RegisterTargets"
985528
985817
  ],
985529
- "Resource": "arn:aws:ec2:*:*:volume/*",
985818
+ "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
985819
+ },
985820
+ {
985821
+ "Effect": "Allow",
985822
+ "Action": [
985823
+ "ec2:AuthorizeSecurityGroupIngress"
985824
+ ],
985825
+ "Resource": "arn:aws:ec2:*:*:security-group-rule/*",
985530
985826
  "Condition": {
985531
985827
  "StringEquals": {
985532
985828
  "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
985533
- },
985534
- "ForAllValues:StringLike": {
985535
- "aws:TagKeys": [
985536
- "eks:eks-cluster-name",
985537
- "CSIVolumeName",
985538
- "ebs.csi.eks.amazonaws.com/cluster",
985539
- "kubernetes.io/cluster/*",
985540
- "kubernetes.io/created-for/*",
985541
- "Name",
985542
- "KubernetesCluster"
985543
- ]
985544
985829
  }
985545
985830
  }
985546
985831
  },
985547
985832
  {
985548
985833
  "Effect": "Allow",
985549
985834
  "Action": [
985550
- "ec2:CreateVolume"
985835
+ "ec2:AuthorizeSecurityGroupIngress",
985836
+ "ec2:RevokeSecurityGroupIngress"
985551
985837
  ],
985552
- "Resource": "arn:aws:ec2:*:*:snapshot/*"
985838
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
985839
+ "Condition": {
985840
+ "StringLike": {
985841
+ "aws:ResourceTag/Name": "eks-cluster-sg*"
985842
+ }
985843
+ }
985553
985844
  },
985554
985845
  {
985555
985846
  "Effect": "Allow",
985556
985847
  "Action": [
985557
- "ec2:CreateSnapshot"
985848
+ "ec2:AuthorizeSecurityGroupIngress",
985849
+ "ec2:RevokeSecurityGroupIngress"
985558
985850
  ],
985559
- "Resource": "arn:aws:ec2:*:*:volume/*"
985851
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
985852
+ "Condition": {
985853
+ "StringEquals": {
985854
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
985855
+ }
985856
+ }
985560
985857
  },
985561
985858
  {
985562
985859
  "Effect": "Allow",
985563
985860
  "Action": [
985564
- "ec2:CreateSnapshot"
985861
+ "elasticloadbalancing:AddTags"
985565
985862
  ],
985566
- "Resource": "arn:aws:ec2:*:*:snapshot/*",
985863
+ "Resource": "*",
985567
985864
  "Condition": {
985568
985865
  "StringEquals": {
985569
- "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
985570
- },
985571
- "ForAllValues:StringLike": {
985572
- "aws:TagKeys": [
985573
- "eks:eks-cluster-name",
985574
- "CSIVolumeSnapshotName",
985575
- "ebs.csi.eks.amazonaws.com/cluster",
985576
- "kubernetes.io/cluster/*",
985577
- "Name"
985866
+ "elasticloadbalancing:CreateAction": [
985867
+ "CreateLoadBalancer",
985868
+ "CreateTargetGroup",
985869
+ "CreateListener",
985870
+ "CreateRule"
985578
985871
  ]
985579
985872
  }
985580
985873
  }
985581
- }
985582
- ]
985583
- }
985584
- }
985585
- },
985586
- "createdDate": "2024-10-30T20:18:13.000Z",
985587
- "lastUpdatedDate": "2024-10-30T20:18:13.000Z"
985588
- },
985589
- "AmazonEKSComputePolicy": {
985590
- "arn": "arn:aws:iam::aws:policy/AmazonEKSComputePolicy",
985591
- "latestVersionId": "v7",
985592
- "versionsCount": 7,
985593
- "versions": {
985594
- "v1": {
985595
- "createdDate": "2024-11-01T21:46:52.000Z",
985596
- "document": {
985597
- "Version": "2012-10-17",
985598
- "Statement": [
985874
+ },
985599
985875
  {
985600
985876
  "Effect": "Allow",
985601
985877
  "Action": [
985602
- "ec2:CreateFleet",
985603
- "ec2:RunInstances"
985878
+ "ec2:CreateTags"
985604
985879
  ],
985605
- "Resource": [
985606
- "arn:aws:ec2:*::image/*",
985607
- "arn:aws:ec2:*:*:security-group/*",
985608
- "arn:aws:ec2:*:*:subnet/*"
985609
- ]
985880
+ "Resource": "*",
985881
+ "Condition": {
985882
+ "StringEquals": {
985883
+ "ec2:CreateAction": [
985884
+ "CreateSecurityGroup",
985885
+ "AuthorizeSecurityGroupIngress"
985886
+ ]
985887
+ }
985888
+ }
985610
985889
  },
985611
985890
  {
985612
985891
  "Effect": "Allow",
985613
985892
  "Action": [
985614
- "ec2:CreateFleet",
985615
- "ec2:RunInstances"
985893
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
985894
+ "elasticloadbalancing:SetIpAddressType",
985895
+ "elasticloadbalancing:SetSecurityGroups",
985896
+ "elasticloadbalancing:SetSubnets",
985897
+ "elasticloadbalancing:SetRulePriorities",
985898
+ "elasticloadbalancing:ModifyTargetGroup",
985899
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
985900
+ "elasticloadbalancing:ModifyListener",
985901
+ "elasticloadbalancing:AddListenerCertificates",
985902
+ "elasticloadbalancing:ModifyListenerAttributes",
985903
+ "elasticloadbalancing:RemoveListenerCertificates",
985904
+ "elasticloadbalancing:ModifyRule",
985905
+ "elasticloadbalancing:ModifyIpPools",
985906
+ "elasticloadbalancing:ModifyCapacityReservation",
985907
+ "elasticloadbalancing:DescribeLoadBalancers"
985616
985908
  ],
985617
- "Resource": "arn:aws:ec2:*:*:launch-template/*",
985909
+ "Resource": "*",
985618
985910
  "Condition": {
985619
985911
  "StringEquals": {
985620
985912
  "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
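Review bot: In the added `v8` document, the statement that allows `ec2:AuthorizeSecurityGroupIngress` and `ec2:RevokeSecurityGroupIngress` under `"aws:ResourceTag/Name": "eks-cluster-sg*"` is scoped only by a Name prefix, not by cluster identity. The statement right after it grants the same two actions under `"aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"`, which ties the security group to the calling principal's cluster; the Name-based form puts in scope any matching security group whose Name tag starts with that prefix. Accounts that attach this policy should treat the ability to set `Name` tags on security groups as sensitive and review CloudTrail for ingress changes made through this role on groups that belong to other clusters. Whether this statement is new in v8 cannot be told from the hunk, since v7 appears only as closing braces, and the last statement of the hunk continues past its final line.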
@@ -985624,156 +985916,205 @@
985624
985916
  {
985625
985917
  "Effect": "Allow",
985626
985918
  "Action": [
985627
- "ec2:CreateFleet",
985628
- "ec2:RunInstances",
985629
- "ec2:CreateLaunchTemplate"
985919
+ "wafv2:AssociateWebACL",
985920
+ "wafv2:DisassociateWebACL"
985630
985921
  ],
985631
- "Resource": "*",
985922
+ "Resource": [
985923
+ "arn:aws:wafv2:*:*:*/webacl/*/*",
985924
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
985925
+ ]
985926
+ },
985927
+ {
985928
+ "Effect": "Allow",
985929
+ "Action": [
985930
+ "shield:CreateProtection",
985931
+ "shield:DeleteProtection"
985932
+ ],
985933
+ "Resource": "*"
985934
+ },
985935
+ {
985936
+ "Effect": "Allow",
985937
+ "Action": [
985938
+ "shield:TagResource"
985939
+ ],
985940
+ "Resource": "arn:aws:shield::*:protection/*",
985632
985941
  "Condition": {
985633
985942
  "StringEquals": {
985634
985943
  "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
985635
985944
  },
985636
- "StringLike": {
985637
- "aws:RequestTag/eks:kubernetes-node-class-name": "*",
985638
- "aws:RequestTag/eks:kubernetes-node-pool-name": "*"
985639
- },
985640
- "ForAllValues:StringLike": {
985945
+ "ForAllValues:StringEquals": {
985641
985946
  "aws:TagKeys": [
985642
985947
  "eks:eks-cluster-name",
985643
- "eks:kubernetes-node-class-name",
985644
- "eks:kubernetes-node-pool-name",
985645
- "kubernetes.io/cluster/*"
985948
+ "ingress.eks.amazonaws.com/stack",
985949
+ "ingress.eks.amazonaws.com/resource",
985950
+ "service.eks.amazonaws.com/stack",
985951
+ "service.eks.amazonaws.com/resource"
985646
985952
  ]
985647
985953
  }
985648
985954
  }
985649
985955
  },
985650
985956
  {
985651
985957
  "Effect": "Allow",
985652
- "Action": "ec2:CreateTags",
985653
- "Resource": "*",
985654
- "Condition": {
985655
- "StringEquals": {
985656
- "ec2:CreateAction": [
985657
- "CreateFleet",
985658
- "RunInstances",
985659
- "CreateLaunchTemplate"
985660
- ]
985661
- }
985662
- }
985958
+ "Action": [
985959
+ "cognito-idp:DescribeUserPoolClient",
985960
+ "acm:ListCertificates",
985961
+ "acm:DescribeCertificate",
985962
+ "wafv2:GetWebACL",
985963
+ "wafv2:GetWebACLForResource",
985964
+ "elasticloadbalancing:SetWebAcl",
985965
+ "elasticloadbalancing:DescribeTargetGroups"
985966
+ ],
985967
+ "Resource": "*"
985663
985968
  },
985664
985969
  {
985665
985970
  "Effect": "Allow",
985666
- "Action": "iam:AddRoleToInstanceProfile",
985667
- "Resource": "arn:aws:iam::*:instance-profile/eks-compute-*"
985971
+ "Action": [
985972
+ "ec2:DescribeAccountAttributes",
985973
+ "ec2:DescribeAddresses",
985974
+ "ec2:DescribeInternetGateways",
985975
+ "ec2:DescribeSecurityGroups",
985976
+ "ec2:DescribeSubnets",
985977
+ "ec2:DescribeVpcs",
985978
+ "ec2:DescribeVpcClassicLink",
985979
+ "ec2:DescribeInstances",
985980
+ "ec2:DescribeNetworkInterfaces",
985981
+ "ec2:DescribeClassicLinkInstances",
985982
+ "ec2:DescribeRouteTables",
985983
+ "ec2:DescribeCoipPools",
985984
+ "ec2:GetCoipPoolUsage",
985985
+ "ec2:GetSecurityGroupsForVpc",
985986
+ "ec2:DescribeVpcPeeringConnections"
985987
+ ],
985988
+ "Resource": "*"
985668
985989
  },
985669
985990
  {
985670
985991
  "Effect": "Allow",
985671
- "Action": "iam:PassRole",
985672
- "Resource": "*",
985992
+ "Action": [
985993
+ "iam:CreateServiceLinkedRole"
985994
+ ],
985995
+ "Resource": "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
985673
985996
  "Condition": {
985674
985997
  "StringEquals": {
985675
- "iam:PassedToService": [
985676
- "ec2.amazonaws.com",
985677
- "ec2.amazonaws.com.cn"
985678
- ]
985998
+ "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
985679
985999
  }
985680
986000
  }
985681
986001
  }
985682
986002
  ]
985683
986003
  }
985684
- },
985685
- "v2": {
985686
- "createdDate": "2024-11-01T21:46:52.000Z",
986004
+ }
986005
+ },
986006
+ "createdDate": "2024-10-30T20:18:06.000Z",
986007
+ "lastUpdatedDate": "2026-06-03T22:12:23.000Z"
986008
+ },
986009
+ "AmazonEKSBlockStoragePolicy": {
986010
+ "arn": "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy",
986011
+ "latestVersionId": "v1",
986012
+ "versionsCount": 1,
986013
+ "versions": {
986014
+ "v1": {
986015
+ "createdDate": "2024-10-30T20:18:13.000Z",
985687
986016
  "document": {
985688
986017
  "Version": "2012-10-17",
985689
986018
  "Statement": [
985690
986019
  {
985691
986020
  "Effect": "Allow",
985692
986021
  "Action": [
985693
- "ec2:CreateFleet",
985694
- "ec2:RunInstances"
986022
+ "ec2:AttachVolume",
986023
+ "ec2:DetachVolume",
986024
+ "ec2:ModifyVolume",
986025
+ "ec2:EnableFastSnapshotRestores"
985695
986026
  ],
985696
- "Resource": [
985697
- "arn:aws:ec2:*::image/*",
985698
- "arn:aws:ec2:*:*:security-group/*",
985699
- "arn:aws:ec2:*:*:subnet/*"
985700
- ]
986027
+ "Resource": "*",
986028
+ "Condition": {
986029
+ "StringEquals": {
986030
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
986031
+ }
986032
+ }
985701
986033
  },
985702
986034
  {
985703
986035
  "Effect": "Allow",
985704
- "Action": [
985705
- "ec2:CreateFleet",
985706
- "ec2:RunInstances"
985707
- ],
985708
- "Resource": "arn:aws:ec2:*:*:launch-template/*",
986036
+ "Action": "ec2:CreateTags",
986037
+ "Resource": "*",
985709
986038
  "Condition": {
985710
986039
  "StringEquals": {
985711
- "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
986040
+ "ec2:CreateAction": [
986041
+ "CreateVolume",
986042
+ "CreateSnapshot"
986043
+ ]
985712
986044
  }
985713
986045
  }
985714
986046
  },
985715
986047
  {
985716
986048
  "Effect": "Allow",
985717
986049
  "Action": [
985718
- "ec2:CreateFleet",
985719
- "ec2:RunInstances",
985720
- "ec2:CreateLaunchTemplate"
986050
+ "ec2:CreateVolume"
985721
986051
  ],
985722
- "Resource": "*",
986052
+ "Resource": "arn:aws:ec2:*:*:volume/*",
985723
986053
  "Condition": {
985724
986054
  "StringEquals": {
985725
986055
  "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
985726
986056
  },
985727
- "StringLike": {
985728
- "aws:RequestTag/eks:kubernetes-node-class-name": "*",
985729
- "aws:RequestTag/eks:kubernetes-node-pool-name": "*"
985730
- },
985731
986057
  "ForAllValues:StringLike": {
985732
986058
  "aws:TagKeys": [
985733
986059
  "eks:eks-cluster-name",
985734
- "eks:kubernetes-node-class-name",
985735
- "eks:kubernetes-node-pool-name",
985736
- "kubernetes.io/cluster/*"
986060
+ "CSIVolumeName",
986061
+ "ebs.csi.eks.amazonaws.com/cluster",
986062
+ "kubernetes.io/cluster/*",
986063
+ "kubernetes.io/created-for/*",
986064
+ "Name",
986065
+ "KubernetesCluster"
985737
986066
  ]
985738
986067
  }
985739
986068
  }
985740
986069
  },
985741
986070
  {
985742
986071
  "Effect": "Allow",
985743
- "Action": "ec2:CreateTags",
985744
- "Resource": "*",
985745
- "Condition": {
985746
- "StringEquals": {
985747
- "ec2:CreateAction": [
985748
- "CreateFleet",
985749
- "RunInstances",
985750
- "CreateLaunchTemplate"
985751
- ]
985752
- }
985753
- }
986072
+ "Action": [
986073
+ "ec2:CreateVolume"
986074
+ ],
986075
+ "Resource": "arn:aws:ec2:*:*:snapshot/*"
985754
986076
  },
985755
986077
  {
985756
986078
  "Effect": "Allow",
985757
- "Action": "iam:AddRoleToInstanceProfile",
985758
- "Resource": "arn:aws:iam::*:instance-profile/eks*"
986079
+ "Action": [
986080
+ "ec2:CreateSnapshot"
986081
+ ],
986082
+ "Resource": "arn:aws:ec2:*:*:volume/*"
985759
986083
  },
985760
986084
  {
985761
986085
  "Effect": "Allow",
985762
- "Action": "iam:PassRole",
985763
- "Resource": "*",
986086
+ "Action": [
986087
+ "ec2:CreateSnapshot"
986088
+ ],
986089
+ "Resource": "arn:aws:ec2:*:*:snapshot/*",
985764
986090
  "Condition": {
985765
986091
  "StringEquals": {
985766
- "iam:PassedToService": [
985767
- "ec2.amazonaws.com",
985768
- "ec2.amazonaws.com.cn"
986092
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
986093
+ },
986094
+ "ForAllValues:StringLike": {
986095
+ "aws:TagKeys": [
986096
+ "eks:eks-cluster-name",
986097
+ "CSIVolumeSnapshotName",
986098
+ "ebs.csi.eks.amazonaws.com/cluster",
986099
+ "kubernetes.io/cluster/*",
986100
+ "Name"
985769
986101
  ]
985770
986102
  }
985771
986103
  }
985772
986104
  }
985773
986105
  ]
985774
986106
  }
985775
- },
985776
- "v3": {
986107
+ }
986108
+ },
986109
+ "createdDate": "2024-10-30T20:18:13.000Z",
986110
+ "lastUpdatedDate": "2024-10-30T20:18:13.000Z"
986111
+ },
986112
+ "AmazonEKSComputePolicy": {
986113
+ "arn": "arn:aws:iam::aws:policy/AmazonEKSComputePolicy",
986114
+ "latestVersionId": "v7",
986115
+ "versionsCount": 7,
986116
+ "versions": {
986117
+ "v1": {
985777
986118
  "createdDate": "2024-11-01T21:46:52.000Z",
985778
986119
  "document": {
985779
986120
  "Version": "2012-10-17",
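Review bot: The added statements for `shield:CreateProtection`/`shield:DeleteProtection` (`"Resource": "*"`) and `wafv2:AssociateWebACL`/`wafv2:DisassociateWebACL` carry no `Condition`, unlike `shield:TagResource` just below them, which is bound to the `eks:eks-cluster-name` request tag. As written, a principal holding this policy is not limited by tag to its own cluster's resources when removing a Shield protection or detaching a web ACL from an application load balancer. The document is AWS-managed and cannot be edited here, so the practical control is detection: alert on `DeleteProtection` and `DisassociateWebACL` events issued by roles that carry this policy. The remainder of the hunk, from `"AmazonEKSBlockStoragePolicy": {` onward, looks like existing text shifted by the v8 insertion rather than a policy change.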
@@ -985785,7 +986126,6 @@
985785
986126
  "ec2:RunInstances"
985786
986127
  ],
985787
986128
  "Resource": [
985788
- "arn:aws:ec2:*:*:capacity-reservation/*",
985789
986129
  "arn:aws:ec2:*::image/*",
985790
986130
  "arn:aws:ec2:*:*:security-group/*",
985791
986131
  "arn:aws:ec2:*:*:subnet/*"
@@ -985847,7 +986187,7 @@
985847
986187
  {
985848
986188
  "Effect": "Allow",
985849
986189
  "Action": "iam:AddRoleToInstanceProfile",
985850
- "Resource": "arn:aws:iam::*:instance-profile/eks*"
986190
+ "Resource": "arn:aws:iam::*:instance-profile/eks-compute-*"
985851
986191
  },
985852
986192
  {
985853
986193
  "Effect": "Allow",
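Review bot: The apparent tightening from `instance-profile/eks*` to `instance-profile/eks-compute-*` in this hunk is most likely a diff-alignment artifact, not a change to AmazonEKSComputePolicy. An earlier hunk removes `"v3": {` and adds `"v1": {` over shared context, so the old side here is v3 and the new side is v1, and the old v1 shown earlier already used `eks-compute-*`. The same reading applies to the `capacity-reservation` and `placement-group` removals and to the `v4`→`v3`, `v5`→`v4` relabelling in the neighbouring hunks; `latestVersionId` for this policy stays `v7` on both sides. Confirm against the two package files before treating any of these as a permission change.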
@@ -985861,25 +986201,102 @@
985861
986201
  ]
985862
986202
  }
985863
986203
  }
985864
- },
986204
+ }
986205
+ ]
986206
+ }
986207
+ },
986208
+ "v2": {
986209
+ "createdDate": "2024-11-01T21:46:52.000Z",
986210
+ "document": {
986211
+ "Version": "2012-10-17",
986212
+ "Statement": [
985865
986213
  {
985866
986214
  "Effect": "Allow",
985867
986215
  "Action": [
985868
- "iam:CreateServiceLinkedRole"
986216
+ "ec2:CreateFleet",
986217
+ "ec2:RunInstances"
985869
986218
  ],
985870
986219
  "Resource": [
985871
- "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
986220
+ "arn:aws:ec2:*::image/*",
986221
+ "arn:aws:ec2:*:*:security-group/*",
986222
+ "arn:aws:ec2:*:*:subnet/*"
986223
+ ]
986224
+ },
986225
+ {
986226
+ "Effect": "Allow",
986227
+ "Action": [
986228
+ "ec2:CreateFleet",
986229
+ "ec2:RunInstances"
985872
986230
  ],
986231
+ "Resource": "arn:aws:ec2:*:*:launch-template/*",
985873
986232
  "Condition": {
985874
986233
  "StringEquals": {
985875
- "iam:AWSServiceName": "spot.amazonaws.com"
986234
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
986235
+ }
986236
+ }
986237
+ },
986238
+ {
986239
+ "Effect": "Allow",
986240
+ "Action": [
986241
+ "ec2:CreateFleet",
986242
+ "ec2:RunInstances",
986243
+ "ec2:CreateLaunchTemplate"
986244
+ ],
986245
+ "Resource": "*",
986246
+ "Condition": {
986247
+ "StringEquals": {
986248
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
986249
+ },
986250
+ "StringLike": {
986251
+ "aws:RequestTag/eks:kubernetes-node-class-name": "*",
986252
+ "aws:RequestTag/eks:kubernetes-node-pool-name": "*"
986253
+ },
986254
+ "ForAllValues:StringLike": {
986255
+ "aws:TagKeys": [
986256
+ "eks:eks-cluster-name",
986257
+ "eks:kubernetes-node-class-name",
986258
+ "eks:kubernetes-node-pool-name",
986259
+ "kubernetes.io/cluster/*"
986260
+ ]
986261
+ }
986262
+ }
986263
+ },
986264
+ {
986265
+ "Effect": "Allow",
986266
+ "Action": "ec2:CreateTags",
986267
+ "Resource": "*",
986268
+ "Condition": {
986269
+ "StringEquals": {
986270
+ "ec2:CreateAction": [
986271
+ "CreateFleet",
986272
+ "RunInstances",
986273
+ "CreateLaunchTemplate"
986274
+ ]
986275
+ }
986276
+ }
986277
+ },
986278
+ {
986279
+ "Effect": "Allow",
986280
+ "Action": "iam:AddRoleToInstanceProfile",
986281
+ "Resource": "arn:aws:iam::*:instance-profile/eks*"
986282
+ },
986283
+ {
986284
+ "Effect": "Allow",
986285
+ "Action": "iam:PassRole",
986286
+ "Resource": "*",
986287
+ "Condition": {
986288
+ "StringEquals": {
986289
+ "iam:PassedToService": [
986290
+ "ec2.amazonaws.com",
986291
+ "ec2.amazonaws.com.cn"
986292
+ ]
985876
986293
  }
985877
986294
  }
985878
986295
  }
985879
986296
  ]
985880
986297
  }
985881
986298
  },
985882
- "v4": {
986299
+ "v3": {
985883
986300
  "createdDate": "2024-11-01T21:46:52.000Z",
985884
986301
  "document": {
985885
986302
  "Version": "2012-10-17",
@@ -985985,7 +986402,7 @@
985985
986402
  ]
985986
986403
  }
985987
986404
  },
985988
- "v5": {
986405
+ "v4": {
985989
986406
  "createdDate": "2024-11-01T21:46:52.000Z",
985990
986407
  "document": {
985991
986408
  "Version": "2012-10-17",
@@ -986091,7 +986508,7 @@
986091
986508
  ]
986092
986509
  }
986093
986510
  },
986094
- "v6": {
986511
+ "v5": {
986095
986512
  "createdDate": "2024-11-01T21:46:52.000Z",
986096
986513
  "document": {
986097
986514
  "Version": "2012-10-17",
@@ -986103,7 +986520,6 @@
986103
986520
  "ec2:RunInstances"
986104
986521
  ],
986105
986522
  "Resource": [
986106
- "arn:aws:ec2:*:*:placement-group/*",
986107
986523
  "arn:aws:ec2:*:*:capacity-reservation/*",
986108
986524
  "arn:aws:ec2:*::image/*",
986109
986525
  "arn:aws:ec2:*:*:security-group/*",
@@ -986198,7 +986614,7 @@
986198
986614
  ]
986199
986615
  }
986200
986616
  },
986201
- "v7": {
986617
+ "v6": {
986202
986618
  "createdDate": "2024-11-01T21:46:52.000Z",
986203
986619
  "document": {
986204
986620
  "Version": "2012-10-17",
@@ -986301,174 +986717,281 @@
986301
986717
  "iam:AWSServiceName": "spot.amazonaws.com"
986302
986718
  }
986303
986719
  }
986304
- },
986305
- {
986306
- "Effect": "Allow",
986307
- "Action": "ec2:DescribeCapacityReservations",
986308
- "Resource": "*"
986309
986720
  }
986310
986721
  ]
986311
986722
  }
986312
- }
986313
- },
986314
- "createdDate": "2024-11-01T21:46:52.000Z",
986315
- "lastUpdatedDate": "2026-05-18T21:12:10.000Z"
986316
- },
986317
- "GameLiftContainerFleetPolicy": {
986318
- "arn": "arn:aws:iam::aws:policy/GameLiftContainerFleetPolicy",
986319
- "latestVersionId": "v4",
986320
- "versionsCount": 4,
986321
- "versions": {
986322
- "v1": {
986323
- "createdDate": "2024-11-12T19:28:49.000Z",
986723
+ },
986724
+ "v7": {
986725
+ "createdDate": "2024-11-01T21:46:52.000Z",
986324
986726
  "document": {
986325
986727
  "Version": "2012-10-17",
986326
986728
  "Statement": [
986327
986729
  {
986328
- "Sid": "WriteGameSessionLogsToLogStream",
986329
986730
  "Effect": "Allow",
986330
986731
  "Action": [
986331
- "logs:CreateLogStream",
986332
- "logs:PutLogEvents",
986333
- "logs:PutRetentionPolicy"
986732
+ "ec2:CreateFleet",
986733
+ "ec2:RunInstances"
986334
986734
  ],
986335
- "Resource": "arn:aws:logs:*:*:log-group:gamelift-*:log-stream:*"
986336
- },
986337
- {
986338
- "Sid": "CreateLogGroupToStoreGameSessionLogs",
986339
- "Effect": "Allow",
986340
- "Action": "logs:CreateLogGroup",
986341
- "Resource": "arn:aws:logs:*:*:log-group:gamelift-*"
986735
+ "Resource": [
986736
+ "arn:aws:ec2:*:*:placement-group/*",
986737
+ "arn:aws:ec2:*:*:capacity-reservation/*",
986738
+ "arn:aws:ec2:*::image/*",
986739
+ "arn:aws:ec2:*:*:security-group/*",
986740
+ "arn:aws:ec2:*:*:subnet/*"
986741
+ ]
986342
986742
  },
986343
986743
  {
986344
- "Sid": "WriteGameSessionLogsToS3Bucket",
986345
986744
  "Effect": "Allow",
986346
986745
  "Action": [
986347
- "s3:PutObject"
986348
- ],
986349
- "Resource": [
986350
- "arn:aws:s3:::gamelift-*"
986746
+ "ec2:CreateFleet",
986747
+ "ec2:RunInstances"
986351
986748
  ],
986749
+ "Resource": "arn:aws:ec2:*:*:launch-template/*",
986352
986750
  "Condition": {
986353
986751
  "StringEquals": {
986354
- "s3:ResourceAccount": "${aws:PrincipalAccount}"
986752
+ "aws:ResourceTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
986355
986753
  }
986356
986754
  }
986357
986755
  },
986358
986756
  {
986359
- "Sid": "RetrieveComputeAuthToken",
986360
- "Effect": "Allow",
986361
- "Action": [
986362
- "gamelift:GetComputeAuthToken"
986363
- ],
986364
- "Resource": [
986365
- "arn:aws:gamelift:*:*:containerfleet/*"
986366
- ]
986367
- }
986368
- ]
986369
- }
986370
- },
986371
- "v2": {
986372
- "createdDate": "2024-11-12T19:28:49.000Z",
986373
- "document": {
986374
- "Version": "2012-10-17",
986375
- "Statement": [
986376
- {
986377
- "Sid": "WriteGameSessionLogsToLogStream",
986378
986757
  "Effect": "Allow",
986379
986758
  "Action": [
986380
- "logs:CreateLogStream",
986381
- "logs:PutLogEvents",
986382
- "logs:PutRetentionPolicy"
986759
+ "ec2:CreateFleet",
986760
+ "ec2:RunInstances",
986761
+ "ec2:CreateLaunchTemplate"
986383
986762
  ],
986384
- "Resource": "arn:aws:logs:*:*:log-group:gamelift-*:log-stream:*"
986385
- },
986386
- {
986387
- "Sid": "CreateLogGroupToStoreGameSessionLogs",
986388
- "Effect": "Allow",
986389
- "Action": "logs:CreateLogGroup",
986390
- "Resource": "arn:aws:logs:*:*:log-group:gamelift-*"
986763
+ "Resource": "*",
986764
+ "Condition": {
986765
+ "StringEquals": {
986766
+ "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
986767
+ },
986768
+ "StringLike": {
986769
+ "aws:RequestTag/eks:kubernetes-node-class-name": "*",
986770
+ "aws:RequestTag/eks:kubernetes-node-pool-name": "*"
986771
+ },
986772
+ "ForAllValues:StringLike": {
986773
+ "aws:TagKeys": [
986774
+ "eks:eks-cluster-name",
986775
+ "eks:kubernetes-node-class-name",
986776
+ "eks:kubernetes-node-pool-name",
986777
+ "kubernetes.io/cluster/*"
986778
+ ]
986779
+ }
986780
+ }
986391
986781
  },
986392
986782
  {
986393
- "Sid": "WriteGameSessionLogsToS3Bucket",
986394
986783
  "Effect": "Allow",
986395
- "Action": [
986396
- "s3:PutObject",
986397
- "s3:GetBucketLocation"
986398
- ],
986399
- "Resource": [
986400
- "arn:aws:s3:::gamelift-*"
986401
- ],
986784
+ "Action": "ec2:CreateTags",
986785
+ "Resource": "*",
986402
986786
  "Condition": {
986403
986787
  "StringEquals": {
986404
- "s3:ResourceAccount": "${aws:PrincipalAccount}"
986788
+ "ec2:CreateAction": [
986789
+ "CreateFleet",
986790
+ "RunInstances",
986791
+ "CreateLaunchTemplate"
986792
+ ]
986405
986793
  }
986406
986794
  }
986407
986795
  },
986408
986796
  {
986409
- "Sid": "RetrieveComputeAuthToken",
986410
986797
  "Effect": "Allow",
986411
- "Action": [
986412
- "gamelift:GetComputeAuthToken"
986413
- ],
986414
- "Resource": [
986415
- "arn:aws:gamelift:*:*:containerfleet/*"
986416
- ]
986417
- }
986418
- ]
986419
- }
986420
- },
986421
- "v3": {
986422
- "createdDate": "2024-11-12T19:28:49.000Z",
986423
- "document": {
986424
- "Version": "2012-10-17",
986425
- "Statement": [
986426
- {
986427
- "Sid": "WriteGameSessionLogsToLogStream",
986428
- "Effect": "Allow",
986429
- "Action": [
986430
- "logs:CreateLogStream",
986431
- "logs:PutLogEvents",
986432
- "logs:PutRetentionPolicy"
986433
- ],
986434
- "Resource": "arn:aws:logs:*:*:log-group:gamelift-*:log-stream:*"
986798
+ "Action": "iam:AddRoleToInstanceProfile",
986799
+ "Resource": "arn:aws:iam::*:instance-profile/eks*"
986435
986800
  },
986436
986801
  {
986437
- "Sid": "CreateLogGroupToStoreGameSessionLogs",
986438
986802
  "Effect": "Allow",
986439
- "Action": "logs:CreateLogGroup",
986440
- "Resource": "arn:aws:logs:*:*:log-group:gamelift-*"
986803
+ "Action": "iam:PassRole",
986804
+ "Resource": "*",
986805
+ "Condition": {
986806
+ "StringEquals": {
986807
+ "iam:PassedToService": [
986808
+ "ec2.amazonaws.com",
986809
+ "ec2.amazonaws.com.cn"
986810
+ ]
986811
+ }
986812
+ }
986441
986813
  },
986442
986814
  {
986443
- "Sid": "WriteGameSessionLogsToS3Bucket",
986444
986815
  "Effect": "Allow",
986445
986816
  "Action": [
986446
- "s3:PutObject",
986447
- "s3:GetBucketLocation"
986817
+ "iam:CreateServiceLinkedRole"
986448
986818
  ],
986449
986819
  "Resource": [
986450
- "arn:aws:s3:::gamelift-*"
986820
+ "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
986451
986821
  ],
986452
986822
  "Condition": {
986453
986823
  "StringEquals": {
986454
- "s3:ResourceAccount": "${aws:PrincipalAccount}"
986824
+ "iam:AWSServiceName": "spot.amazonaws.com"
986455
986825
  }
986456
986826
  }
986457
986827
  },
986458
986828
  {
986459
- "Sid": "RetrieveComputeAuthToken",
986460
986829
  "Effect": "Allow",
986461
- "Action": [
986462
- "gamelift:GetComputeAuthToken"
986463
- ],
986464
- "Resource": [
986465
- "arn:aws:gamelift:*:*:containerfleet/*"
986466
- ]
986830
+ "Action": "ec2:DescribeCapacityReservations",
986831
+ "Resource": "*"
986467
986832
  }
986468
986833
  ]
986469
986834
  }
986470
- },
986471
- "v4": {
986835
+ }
986836
+ },
986837
+ "createdDate": "2024-11-01T21:46:52.000Z",
986838
+ "lastUpdatedDate": "2026-05-18T21:12:10.000Z"
986839
+ },
986840
+ "GameLiftContainerFleetPolicy": {
986841
+ "arn": "arn:aws:iam::aws:policy/GameLiftContainerFleetPolicy",
986842
+ "latestVersionId": "v4",
986843
+ "versionsCount": 4,
986844
+ "versions": {
986845
+ "v1": {
986846
+ "createdDate": "2024-11-12T19:28:49.000Z",
986847
+ "document": {
986848
+ "Version": "2012-10-17",
986849
+ "Statement": [
986850
+ {
986851
+ "Sid": "WriteGameSessionLogsToLogStream",
986852
+ "Effect": "Allow",
986853
+ "Action": [
986854
+ "logs:CreateLogStream",
986855
+ "logs:PutLogEvents",
986856
+ "logs:PutRetentionPolicy"
986857
+ ],
986858
+ "Resource": "arn:aws:logs:*:*:log-group:gamelift-*:log-stream:*"
986859
+ },
986860
+ {
986861
+ "Sid": "CreateLogGroupToStoreGameSessionLogs",
986862
+ "Effect": "Allow",
986863
+ "Action": "logs:CreateLogGroup",
986864
+ "Resource": "arn:aws:logs:*:*:log-group:gamelift-*"
986865
+ },
986866
+ {
986867
+ "Sid": "WriteGameSessionLogsToS3Bucket",
986868
+ "Effect": "Allow",
986869
+ "Action": [
986870
+ "s3:PutObject"
986871
+ ],
986872
+ "Resource": [
986873
+ "arn:aws:s3:::gamelift-*"
986874
+ ],
986875
+ "Condition": {
986876
+ "StringEquals": {
986877
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
986878
+ }
986879
+ }
986880
+ },
986881
+ {
986882
+ "Sid": "RetrieveComputeAuthToken",
986883
+ "Effect": "Allow",
986884
+ "Action": [
986885
+ "gamelift:GetComputeAuthToken"
986886
+ ],
986887
+ "Resource": [
986888
+ "arn:aws:gamelift:*:*:containerfleet/*"
986889
+ ]
986890
+ }
986891
+ ]
986892
+ }
986893
+ },
986894
+ "v2": {
986895
+ "createdDate": "2024-11-12T19:28:49.000Z",
986896
+ "document": {
986897
+ "Version": "2012-10-17",
986898
+ "Statement": [
986899
+ {
986900
+ "Sid": "WriteGameSessionLogsToLogStream",
986901
+ "Effect": "Allow",
986902
+ "Action": [
986903
+ "logs:CreateLogStream",
986904
+ "logs:PutLogEvents",
986905
+ "logs:PutRetentionPolicy"
986906
+ ],
986907
+ "Resource": "arn:aws:logs:*:*:log-group:gamelift-*:log-stream:*"
986908
+ },
986909
+ {
986910
+ "Sid": "CreateLogGroupToStoreGameSessionLogs",
986911
+ "Effect": "Allow",
986912
+ "Action": "logs:CreateLogGroup",
986913
+ "Resource": "arn:aws:logs:*:*:log-group:gamelift-*"
986914
+ },
986915
+ {
986916
+ "Sid": "WriteGameSessionLogsToS3Bucket",
986917
+ "Effect": "Allow",
986918
+ "Action": [
986919
+ "s3:PutObject",
986920
+ "s3:GetBucketLocation"
986921
+ ],
986922
+ "Resource": [
986923
+ "arn:aws:s3:::gamelift-*"
986924
+ ],
986925
+ "Condition": {
986926
+ "StringEquals": {
986927
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
986928
+ }
986929
+ }
986930
+ },
986931
+ {
986932
+ "Sid": "RetrieveComputeAuthToken",
986933
+ "Effect": "Allow",
986934
+ "Action": [
986935
+ "gamelift:GetComputeAuthToken"
986936
+ ],
986937
+ "Resource": [
986938
+ "arn:aws:gamelift:*:*:containerfleet/*"
986939
+ ]
986940
+ }
986941
+ ]
986942
+ }
986943
+ },
986944
+ "v3": {
986945
+ "createdDate": "2024-11-12T19:28:49.000Z",
986946
+ "document": {
986947
+ "Version": "2012-10-17",
986948
+ "Statement": [
986949
+ {
986950
+ "Sid": "WriteGameSessionLogsToLogStream",
986951
+ "Effect": "Allow",
986952
+ "Action": [
986953
+ "logs:CreateLogStream",
986954
+ "logs:PutLogEvents",
986955
+ "logs:PutRetentionPolicy"
986956
+ ],
986957
+ "Resource": "arn:aws:logs:*:*:log-group:gamelift-*:log-stream:*"
986958
+ },
986959
+ {
986960
+ "Sid": "CreateLogGroupToStoreGameSessionLogs",
986961
+ "Effect": "Allow",
986962
+ "Action": "logs:CreateLogGroup",
986963
+ "Resource": "arn:aws:logs:*:*:log-group:gamelift-*"
986964
+ },
986965
+ {
986966
+ "Sid": "WriteGameSessionLogsToS3Bucket",
986967
+ "Effect": "Allow",
986968
+ "Action": [
986969
+ "s3:PutObject",
986970
+ "s3:GetBucketLocation"
986971
+ ],
986972
+ "Resource": [
986973
+ "arn:aws:s3:::gamelift-*"
986974
+ ],
986975
+ "Condition": {
986976
+ "StringEquals": {
986977
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
986978
+ }
986979
+ }
986980
+ },
986981
+ {
986982
+ "Sid": "RetrieveComputeAuthToken",
986983
+ "Effect": "Allow",
986984
+ "Action": [
986985
+ "gamelift:GetComputeAuthToken"
986986
+ ],
986987
+ "Resource": [
986988
+ "arn:aws:gamelift:*:*:containerfleet/*"
986989
+ ]
986990
+ }
986991
+ ]
986992
+ }
986993
+ },
986994
+ "v4": {
986472
986995
  "createdDate": "2024-11-12T19:28:49.000Z",
986473
986996
  "document": {
986474
986997
  "Version": "2012-10-17",
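Review bot: The `iam:PassRole` statement in the added `v7` document (new lines 986802–986812) uses `"Resource": "*"` and is constrained only by `iam:PassedToService`, which limits the receiving service to EC2 but not which role may be passed; `iam:AddRoleToInstanceProfile` on `instance-profile/eks*` likewise carries no condition on the role. Accounts that attach this policy should bound the passable roles with a permissions boundary or SCP, for example a customer-managed statement with `"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<NODE_ROLE_NAME>"`, and alert on `RunInstances`, `CreateFleet` and `AddRoleToInstanceProfile` calls by this principal that reference a role outside the expected node roles. The same two statements appear in the version added at the end of the preceding hunk. The policy's name and the start of its `versions` map are outside this hunk, and the `GameLiftContainerFleetPolicy` lines here look like the unchanged block moving down rather than a content change.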
@@ -990070,8 +990593,8 @@
990070
990593
  },
990071
990594
  "AWSQuickSetupManagedInstanceProfileExecutionPolicy": {
990072
990595
  "arn": "arn:aws:iam::aws:policy/AWSQuickSetupManagedInstanceProfileExecutionPolicy",
990073
- "latestVersionId": "v7",
990074
- "versionsCount": 7,
990596
+ "latestVersionId": "v8",
990597
+ "versionsCount": 8,
990075
990598
  "versions": {
990076
990599
  "v1": {
990077
990600
  "createdDate": "2024-11-15T21:51:23.000Z",
@@ -990955,122 +991478,330 @@
990955
991478
  }
990956
991479
  ]
990957
991480
  }
990958
- }
990959
- },
990960
- "createdDate": "2024-11-15T21:51:23.000Z",
990961
- "lastUpdatedDate": "2026-02-12T18:01:22.000Z"
990962
- },
990963
- "AWSQuickSetupSSMLifecycleManagementExecutionPolicy": {
990964
- "arn": "arn:aws:iam::aws:policy/AWSQuickSetupSSMLifecycleManagementExecutionPolicy",
990965
- "latestVersionId": "v4",
990966
- "versionsCount": 4,
990967
- "versions": {
990968
- "v1": {
990969
- "createdDate": "2024-11-15T21:55:57.000Z",
991481
+ },
991482
+ "v8": {
991483
+ "createdDate": "2024-11-15T21:51:23.000Z",
990970
991484
  "document": {
990971
991485
  "Version": "2012-10-17",
990972
991486
  "Statement": [
990973
991487
  {
991488
+ "Sid": "ReadOnlyPermissions",
990974
991489
  "Effect": "Allow",
990975
991490
  "Action": [
990976
- "ssm:GetAutomationExecution"
991491
+ "iam:GetInstanceProfile",
991492
+ "iam:ListInstanceProfilesForRole"
990977
991493
  ],
990978
- "Resource": "*",
991494
+ "Resource": "*"
991495
+ },
991496
+ {
991497
+ "Sid": "DefaultInstanceRoleManagePermissions",
991498
+ "Effect": "Allow",
991499
+ "Action": [
991500
+ "iam:CreateRole",
991501
+ "iam:GetRole"
991502
+ ],
991503
+ "Resource": "arn:aws:iam::*:role/AmazonSSMRoleForInstancesQuickSetup"
991504
+ },
991505
+ {
991506
+ "Sid": "DefaultInstanceProfileCreatePermissions",
991507
+ "Effect": "Allow",
991508
+ "Action": [
991509
+ "iam:CreateInstanceProfile"
991510
+ ],
991511
+ "Resource": [
991512
+ "arn:aws:iam::*:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
991513
+ ]
991514
+ },
991515
+ {
991516
+ "Sid": "DefaultInstanceRoleAddPermissions",
991517
+ "Effect": "Allow",
991518
+ "Action": "iam:AddRoleToInstanceProfile",
991519
+ "Resource": [
991520
+ "arn:aws:iam::*:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
991521
+ ]
991522
+ },
991523
+ {
991524
+ "Sid": "DefaultInstanceProfileAssociationPermissions",
991525
+ "Effect": "Allow",
991526
+ "Action": [
991527
+ "ec2:AssociateIamInstanceProfile"
991528
+ ],
991529
+ "Resource": "arn:aws:ec2:*:*:instance/*",
990979
991530
  "Condition": {
990980
- "StringEquals": {
990981
- "aws:ResourceTag/QuickSetupDocument": "AWSQuickSetupType-SSM"
991531
+ "Null": {
991532
+ "ec2:InstanceProfile": "true"
991533
+ },
991534
+ "ArnLike": {
991535
+ "ec2:NewInstanceProfile": "arn:aws:iam::*:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
990982
991536
  }
990983
991537
  }
990984
991538
  },
990985
991539
  {
991540
+ "Sid": "DefaultInstanceRolePassToEC2AndSSMPermissions",
990986
991541
  "Effect": "Allow",
990987
991542
  "Action": "iam:PassRole",
990988
- "Resource": "arn:aws:iam::*:role/AWS-QuickSetup-SSM-ManageResources*",
991543
+ "Resource": "arn:aws:iam::*:role/AmazonSSMRoleForInstancesQuickSetup",
990989
991544
  "Condition": {
990990
991545
  "StringEquals": {
990991
991546
  "iam:PassedToService": [
991547
+ "ec2.amazonaws.com",
990992
991548
  "ssm.amazonaws.com"
990993
- ],
990994
- "iam:ResourceTag/QuickSetupDocument": [
990995
- "AWSQuickSetupType-SSM"
990996
991549
  ]
990997
991550
  }
990998
991551
  }
990999
991552
  },
991000
991553
  {
991554
+ "Sid": "InstanceManagementPoliciesAttachAmazonSSMManagedInstanceCore",
991555
+ "Effect": "Allow",
991556
+ "Action": "iam:AttachRolePolicy",
991557
+ "Condition": {
991558
+ "ArnEquals": {
991559
+ "iam:PolicyARN": [
991560
+ "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
991561
+ "arn:aws:iam::aws:policy/AmazonSSMPatchAssociation",
991562
+ "arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyBaselineAccess",
991563
+ "arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils",
991564
+ "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
991565
+ ]
991566
+ }
991567
+ },
991568
+ "Resource": "arn:aws:iam::*:role/*"
991569
+ },
991570
+ {
991571
+ "Sid": "InstanceProfileAssociationEc2Permissions",
991572
+ "Effect": "Allow",
991573
+ "Action": [
991574
+ "ec2:DescribeIamInstanceProfileAssociations",
991575
+ "ec2:DescribeInstances"
991576
+ ],
991577
+ "Resource": "*"
991578
+ },
991579
+ {
991580
+ "Sid": "SSMInstanceManagement",
991581
+ "Effect": "Allow",
991582
+ "Action": [
991583
+ "ssm:DescribeInstanceInformation",
991584
+ "ssm:UpdateManagedInstanceRole"
991585
+ ],
991586
+ "Resource": "*"
991587
+ },
991588
+ {
991589
+ "Sid": "TagRoles",
991590
+ "Effect": "Allow",
991591
+ "Action": "iam:TagRole",
991592
+ "Resource": "arn:aws:iam::*:role/*",
991593
+ "Condition": {
991594
+ "ForAllValues:StringLike": {
991595
+ "aws:TagKeys": "QSConfigId-*"
991596
+ }
991597
+ }
991598
+ },
991599
+ {
991600
+ "Sid": "DenyModifyQuickSetupAutomationRoles",
991601
+ "Effect": "Deny",
991602
+ "Action": [
991603
+ "iam:TagRole",
991604
+ "iam:AttachRolePolicy"
991605
+ ],
991606
+ "Resource": "arn:aws:iam::*:role/AWS-QuickSetup-AutomationRole-*"
991607
+ },
991608
+ {
991609
+ "Sid": "AutomationsStartWithTagPermissions",
991001
991610
  "Effect": "Allow",
991002
991611
  "Action": [
991003
991612
  "ssm:StartAutomationExecution",
991004
991613
  "ssm:AddTagsToResource"
991005
991614
  ],
991006
991615
  "Resource": [
991007
- "arn:aws:ssm:*:*:automation-definition/AWSQuickSetupType-SSM-ManageResources*",
991008
- "arn:aws:ssm:*:*:automation-execution/*"
991616
+ "arn:aws:ssm:*:*:automation-execution/*",
991617
+ "arn:aws:ssm:*:*:document/AWS-AttachIAMToInstance*",
991618
+ "arn:aws:ssm:*:*:automation-definition/AWS-AttachIAMToInstance*"
991009
991619
  ],
991010
991620
  "Condition": {
991011
991621
  "StringEquals": {
991012
- "aws:RequestTag/QuickSetupDocument": "AWSQuickSetupType-SSM",
991013
- "aws:ResourceTag/QuickSetupDocument": "AWSQuickSetupType-SSM"
991622
+ "aws:RequestTag/InvokedBy": [
991623
+ "AWSQuickSetupType-ManageInstanceProfile"
991624
+ ],
991625
+ "aws:ResourceTag/InvokedBy": [
991626
+ "AWSQuickSetupType-ManageInstanceProfile"
991627
+ ]
991014
991628
  }
991015
991629
  }
991016
- }
991017
- ]
991018
- }
991019
- },
991020
- "v2": {
991021
- "createdDate": "2024-11-15T21:55:57.000Z",
991022
- "document": {
991023
- "Version": "2012-10-17",
991024
- "Statement": [
991630
+ },
991025
991631
  {
991632
+ "Sid": "AutomationsGetPermissions",
991026
991633
  "Effect": "Allow",
991027
- "Action": [
991028
- "ssm:GetAutomationExecution"
991029
- ],
991634
+ "Action": "ssm:GetAutomationExecution",
991030
991635
  "Resource": "*",
991031
991636
  "Condition": {
991032
991637
  "StringEquals": {
991033
- "aws:ResourceTag/QuickSetupDocument": "AWSQuickSetupType-SSM"
991638
+ "aws:ResourceTag/InvokedBy": [
991639
+ "AWSQuickSetupType-ManageInstanceProfile"
991640
+ ]
991034
991641
  }
991035
991642
  }
991036
991643
  },
991037
991644
  {
991645
+ "Sid": "GetQuickSetupAutomationAssumeRoles",
991038
991646
  "Effect": "Allow",
991039
- "Action": "iam:PassRole",
991040
- "Resource": "arn:aws:iam::*:role/AWS-QuickSetup-SSM-ManageResources*",
991647
+ "Action": "iam:GetRole",
991648
+ "Resource": [
991649
+ "arn:aws:iam::*:role/AWS-QuickSetup-*"
991650
+ ],
991041
991651
  "Condition": {
991042
991652
  "StringEquals": {
991043
- "iam:PassedToService": [
991044
- "ssm.amazonaws.com"
991045
- ],
991046
991653
  "iam:ResourceTag/QuickSetupDocument": [
991047
- "AWSQuickSetupType-SSM"
991654
+ "AWSQuickSetupType-SSM",
991655
+ "AWSQuickSetupType-SSMHostMgmt",
991656
+ "AWSQuickSetupType-PatchPolicy",
991657
+ "AWSQuickSetupType-Distributor",
991658
+ "AWSQuickSetupType-CWASetup"
991048
991659
  ]
991049
991660
  }
991050
991661
  }
991051
991662
  },
991052
991663
  {
991664
+ "Sid": "PassQuickSetupAutomationAssumeRoles",
991053
991665
  "Effect": "Allow",
991054
991666
  "Action": [
991055
- "ssm:StartAutomationExecution",
991056
- "ssm:AddTagsToResource"
991667
+ "iam:PassRole"
991057
991668
  ],
991058
991669
  "Resource": [
991059
- "arn:aws:ssm:*:*:automation-definition/AWSQuickSetupType-SSM-ManageResources*",
991060
- "arn:aws:ssm:*:*:document/AWSQuickSetupType-SSM-ManageResources*",
991061
- "arn:aws:ssm:*:*:automation-execution/*"
991670
+ "arn:aws:iam::*:role/AWS-QuickSetup-*"
991062
991671
  ],
991063
991672
  "Condition": {
991064
991673
  "StringEquals": {
991065
- "aws:RequestTag/QuickSetupDocument": "AWSQuickSetupType-SSM",
991066
- "aws:ResourceTag/QuickSetupDocument": "AWSQuickSetupType-SSM"
991674
+ "iam:PassedToService": [
991675
+ "ssm.amazonaws.com"
991676
+ ],
991677
+ "iam:ResourceTag/QuickSetupDocument": [
991678
+ "AWSQuickSetupType-SSM",
991679
+ "AWSQuickSetupType-SSMHostMgmt",
991680
+ "AWSQuickSetupType-PatchPolicy",
991681
+ "AWSQuickSetupType-Distributor",
991682
+ "AWSQuickSetupType-CWASetup"
991683
+ ]
991067
991684
  }
991068
991685
  }
991069
991686
  }
991070
991687
  ]
991071
991688
  }
991072
- },
991073
- "v3": {
991689
+ }
991690
+ },
991691
+ "createdDate": "2024-11-15T21:51:23.000Z",
991692
+ "lastUpdatedDate": "2026-06-03T14:12:12.000Z"
991693
+ },
991694
+ "AWSQuickSetupSSMLifecycleManagementExecutionPolicy": {
991695
+ "arn": "arn:aws:iam::aws:policy/AWSQuickSetupSSMLifecycleManagementExecutionPolicy",
991696
+ "latestVersionId": "v4",
991697
+ "versionsCount": 4,
991698
+ "versions": {
991699
+ "v1": {
991700
+ "createdDate": "2024-11-15T21:55:57.000Z",
991701
+ "document": {
991702
+ "Version": "2012-10-17",
991703
+ "Statement": [
991704
+ {
991705
+ "Effect": "Allow",
991706
+ "Action": [
991707
+ "ssm:GetAutomationExecution"
991708
+ ],
991709
+ "Resource": "*",
991710
+ "Condition": {
991711
+ "StringEquals": {
991712
+ "aws:ResourceTag/QuickSetupDocument": "AWSQuickSetupType-SSM"
991713
+ }
991714
+ }
991715
+ },
991716
+ {
991717
+ "Effect": "Allow",
991718
+ "Action": "iam:PassRole",
991719
+ "Resource": "arn:aws:iam::*:role/AWS-QuickSetup-SSM-ManageResources*",
991720
+ "Condition": {
991721
+ "StringEquals": {
991722
+ "iam:PassedToService": [
991723
+ "ssm.amazonaws.com"
991724
+ ],
991725
+ "iam:ResourceTag/QuickSetupDocument": [
991726
+ "AWSQuickSetupType-SSM"
991727
+ ]
991728
+ }
991729
+ }
991730
+ },
991731
+ {
991732
+ "Effect": "Allow",
991733
+ "Action": [
991734
+ "ssm:StartAutomationExecution",
991735
+ "ssm:AddTagsToResource"
991736
+ ],
991737
+ "Resource": [
991738
+ "arn:aws:ssm:*:*:automation-definition/AWSQuickSetupType-SSM-ManageResources*",
991739
+ "arn:aws:ssm:*:*:automation-execution/*"
991740
+ ],
991741
+ "Condition": {
991742
+ "StringEquals": {
991743
+ "aws:RequestTag/QuickSetupDocument": "AWSQuickSetupType-SSM",
991744
+ "aws:ResourceTag/QuickSetupDocument": "AWSQuickSetupType-SSM"
991745
+ }
991746
+ }
991747
+ }
991748
+ ]
991749
+ }
991750
+ },
991751
+ "v2": {
991752
+ "createdDate": "2024-11-15T21:55:57.000Z",
991753
+ "document": {
991754
+ "Version": "2012-10-17",
991755
+ "Statement": [
991756
+ {
991757
+ "Effect": "Allow",
991758
+ "Action": [
991759
+ "ssm:GetAutomationExecution"
991760
+ ],
991761
+ "Resource": "*",
991762
+ "Condition": {
991763
+ "StringEquals": {
991764
+ "aws:ResourceTag/QuickSetupDocument": "AWSQuickSetupType-SSM"
991765
+ }
991766
+ }
991767
+ },
991768
+ {
991769
+ "Effect": "Allow",
991770
+ "Action": "iam:PassRole",
991771
+ "Resource": "arn:aws:iam::*:role/AWS-QuickSetup-SSM-ManageResources*",
991772
+ "Condition": {
991773
+ "StringEquals": {
991774
+ "iam:PassedToService": [
991775
+ "ssm.amazonaws.com"
991776
+ ],
991777
+ "iam:ResourceTag/QuickSetupDocument": [
991778
+ "AWSQuickSetupType-SSM"
991779
+ ]
991780
+ }
991781
+ }
991782
+ },
991783
+ {
991784
+ "Effect": "Allow",
991785
+ "Action": [
991786
+ "ssm:StartAutomationExecution",
991787
+ "ssm:AddTagsToResource"
991788
+ ],
991789
+ "Resource": [
991790
+ "arn:aws:ssm:*:*:automation-definition/AWSQuickSetupType-SSM-ManageResources*",
991791
+ "arn:aws:ssm:*:*:document/AWSQuickSetupType-SSM-ManageResources*",
991792
+ "arn:aws:ssm:*:*:automation-execution/*"
991793
+ ],
991794
+ "Condition": {
991795
+ "StringEquals": {
991796
+ "aws:RequestTag/QuickSetupDocument": "AWSQuickSetupType-SSM",
991797
+ "aws:ResourceTag/QuickSetupDocument": "AWSQuickSetupType-SSM"
991798
+ }
991799
+ }
991800
+ }
991801
+ ]
991802
+ }
991803
+ },
991804
+ "v3": {
991074
991805
  "createdDate": "2024-11-15T21:55:57.000Z",
991075
991806
  "document": {
991076
991807
  "Version": "2012-10-17",
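Review bot: In the added `v8` document the statement with Sid `InstanceManagementPoliciesAttachAmazonSSMManagedInstanceCore` allows `iam:AttachRolePolicy` on `arn:aws:iam::*:role/*`; its `iam:PolicyARN` condition limits which five managed policies can be attached but not the target role, and the Sid names only one of the five. The only role carve-out visible is the `DenyModifyQuickSetupAutomationRoles` statement for `AWS-QuickSetup-AutomationRole-*`, so a consumer who needs tighter scope would use a customer-managed copy with something like `"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<INSTANCE_ROLE_PREFIX>*"`. The `-`/`+` pairs in this hunk align `v8` against `v1` of `AWSQuickSetupSSMLifecycleManagementExecutionPolicy`, which appears to shift down unchanged, so they do not show what changed since `v7`; that comparison needs the `v7` document outside this hunk.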
@@ -1292346,8 +1293077,8 @@
1292346
1293077
  },
1292347
1293078
  "AWSSecretsManagerClientReadOnlyAccess": {
1292348
1293079
  "arn": "arn:aws:iam::aws:policy/AWSSecretsManagerClientReadOnlyAccess",
1292349
- "latestVersionId": "v3",
1292350
- "versionsCount": 3,
1293080
+ "latestVersionId": "v4",
1293081
+ "versionsCount": 4,
1292351
1293082
  "versions": {
1292352
1293083
  "v1": {
1292353
1293084
  "createdDate": "2025-11-05T20:04:08.000Z",
@@ -1292441,10 +1293172,50 @@
1292441
1293172
  }
1292442
1293173
  ]
1292443
1293174
  }
1293175
+ },
1293176
+ "v4": {
1293177
+ "createdDate": "2025-11-05T20:04:08.000Z",
1293178
+ "document": {
1293179
+ "Version": "2012-10-17",
1293180
+ "Statement": [
1293181
+ {
1293182
+ "Sid": "SecretsManagerGetAndDescribeSecret",
1293183
+ "Effect": "Allow",
1293184
+ "Action": [
1293185
+ "secretsmanager:GetSecretValue",
1293186
+ "secretsmanager:DescribeSecret"
1293187
+ ],
1293188
+ "Resource": "arn:aws:secretsmanager:*:*:secret:*"
1293189
+ },
1293190
+ {
1293191
+ "Sid": "SecretsManagerBatchGetSecrets",
1293192
+ "Effect": "Allow",
1293193
+ "Action": [
1293194
+ "secretsmanager:BatchGetSecretValue",
1293195
+ "secretsmanager:ListSecrets"
1293196
+ ],
1293197
+ "Resource": "*"
1293198
+ },
1293199
+ {
1293200
+ "Sid": "KMSDecryptKey",
1293201
+ "Effect": "Allow",
1293202
+ "Action": [
1293203
+ "kms:Decrypt"
1293204
+ ],
1293205
+ "Resource": "arn:aws:kms:*:*:key/*",
1293206
+ "Condition": {
1293207
+ "StringLike": {
1293208
+ "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:*:*:secret:*",
1293209
+ "kms:ViaService": "secretsmanager.*.amazonaws.com"
1293210
+ }
1293211
+ }
1293212
+ }
1293213
+ ]
1293214
+ }
1292444
1293215
  }
1292445
1293216
  },
1292446
1293217
  "createdDate": "2025-11-05T20:04:08.000Z",
1292447
- "lastUpdatedDate": "2026-02-12T18:00:42.000Z"
1293218
+ "lastUpdatedDate": "2026-06-02T20:42:11.000Z"
1292448
1293219
  },
1292449
1293220
  "AWSControlTowerCloudTrailRolePolicy": {
1292450
1293221
  "arn": "arn:aws:iam::aws:policy/service-role/AWSControlTowerCloudTrailRolePolicy",
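Review bot: The added `v4` of `AWSSecretsManagerClientReadOnlyAccess` grants `secretsmanager:GetSecretValue` on `arn:aws:secretsmanager:*:*:secret:*` and `kms:Decrypt` on `arn:aws:kms:*:*:key/*` (limited by `kms:ViaService` and the `SecretARN` encryption context), so "read-only" here means reading the value of every secret in the account, and of any cross-account secret whose resource policy permits it. Workloads that need only a few secrets are better served by a customer-managed statement such as `"Resource": "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:<SECRET_PREFIX>*"`. The `createdDate` recorded for `v4` equals the policy-level `createdDate` (`2025-11-05T20:04:08.000Z`) while `lastUpdatedDate` moves to `2026-06-02T20:42:11.000Z`, so the per-version field should not be read as the version's publication time. What changed relative to `v3` is not visible in this hunk.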
@@ -1314977,5 +1315748,552 @@
1314977
1315748
  },
1314978
1315749
  "createdDate": "2026-05-31T13:27:13.000Z",
1314979
1315750
  "lastUpdatedDate": "2026-05-31T13:27:13.000Z"
1315751
+ },
1315752
+ "AmazonSageMakerJobRuntimeAccess": {
1315753
+ "arn": "arn:aws:iam::aws:policy/AmazonSageMakerJobRuntimeAccess",
1315754
+ "latestVersionId": "v1",
1315755
+ "versionsCount": 1,
1315756
+ "versions": {
1315757
+ "v1": {
1315758
+ "createdDate": "2026-06-03T02:42:10.000Z",
1315759
+ "document": {
1315760
+ "Version": "2012-10-17",
1315761
+ "Statement": [
1315762
+ {
1315763
+ "Sid": "SageMakerJobRuntimePermissions",
1315764
+ "Effect": "Allow",
1315765
+ "Action": [
1315766
+ "sagemaker:Sample",
1315767
+ "sagemaker:SampleWithResponseStream",
1315768
+ "sagemaker:CompleteRollout",
1315769
+ "sagemaker:UpdateReward"
1315770
+ ],
1315771
+ "Resource": "arn:aws:sagemaker:*:*:job/*",
1315772
+ "Condition": {
1315773
+ "StringEquals": {
1315774
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315775
+ }
1315776
+ }
1315777
+ },
1315778
+ {
1315779
+ "Sid": "BearerTokenPermissions",
1315780
+ "Effect": "Allow",
1315781
+ "Action": [
1315782
+ "sagemaker:CallWithBearerToken"
1315783
+ ],
1315784
+ "Resource": "*",
1315785
+ "Condition": {
1315786
+ "StringEquals": {
1315787
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315788
+ }
1315789
+ }
1315790
+ }
1315791
+ ]
1315792
+ }
1315793
+ }
1315794
+ },
1315795
+ "createdDate": "2026-06-03T02:42:10.000Z",
1315796
+ "lastUpdatedDate": "2026-06-03T02:42:10.000Z"
1315797
+ },
1315798
+ "AmazonSageMakerJobFullAccess": {
1315799
+ "arn": "arn:aws:iam::aws:policy/AmazonSageMakerJobFullAccess",
1315800
+ "latestVersionId": "v1",
1315801
+ "versionsCount": 1,
1315802
+ "versions": {
1315803
+ "v1": {
1315804
+ "createdDate": "2026-06-03T02:42:30.000Z",
1315805
+ "document": {
1315806
+ "Version": "2012-10-17",
1315807
+ "Statement": [
1315808
+ {
1315809
+ "Sid": "S3Permissions",
1315810
+ "Effect": "Allow",
1315811
+ "Action": [
1315812
+ "s3:GetObject",
1315813
+ "s3:PutObject",
1315814
+ "s3:ListBucket"
1315815
+ ],
1315816
+ "Resource": "*",
1315817
+ "Condition": {
1315818
+ "StringEquals": {
1315819
+ "s3:ResourceAccount": "${aws:PrincipalAccount}"
1315820
+ }
1315821
+ }
1315822
+ },
1315823
+ {
1315824
+ "Sid": "KMSPermissions",
1315825
+ "Effect": "Allow",
1315826
+ "Action": [
1315827
+ "kms:Decrypt",
1315828
+ "kms:GenerateDataKey"
1315829
+ ],
1315830
+ "Resource": "arn:aws:kms:*:*:key/*",
1315831
+ "Condition": {
1315832
+ "StringEquals": {
1315833
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315834
+ },
1315835
+ "StringLike": {
1315836
+ "kms:ViaService": "s3.*.amazonaws.com"
1315837
+ }
1315838
+ }
1315839
+ },
1315840
+ {
1315841
+ "Sid": "KMSDescribeKey",
1315842
+ "Effect": "Allow",
1315843
+ "Action": "kms:DescribeKey",
1315844
+ "Resource": "arn:aws:kms:*:*:key/*",
1315845
+ "Condition": {
1315846
+ "StringEquals": {
1315847
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315848
+ }
1315849
+ }
1315850
+ },
1315851
+ {
1315852
+ "Sid": "SageMakerHubPermissions",
1315853
+ "Effect": "Allow",
1315854
+ "Action": [
1315855
+ "sagemaker:DescribeHubContent"
1315856
+ ],
1315857
+ "Resource": [
1315858
+ "arn:aws:sagemaker:*:*:hub/*",
1315859
+ "arn:aws:sagemaker:*:*:hub-content/*"
1315860
+ ],
1315861
+ "Condition": {
1315862
+ "StringEquals": {
1315863
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315864
+ }
1315865
+ }
1315866
+ },
1315867
+ {
1315868
+ "Sid": "SageMakerModelPackagePermissions",
1315869
+ "Effect": "Allow",
1315870
+ "Action": [
1315871
+ "sagemaker:AccessModelPackage",
1315872
+ "sagemaker:CreateModelPackage",
1315873
+ "sagemaker:DescribeModelPackage",
1315874
+ "sagemaker:DescribeModelPackageGroup"
1315875
+ ],
1315876
+ "Resource": [
1315877
+ "arn:aws:sagemaker:*:*:model-package/*",
1315878
+ "arn:aws:sagemaker:*:*:model-package-group/*"
1315879
+ ],
1315880
+ "Condition": {
1315881
+ "StringEquals": {
1315882
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315883
+ }
1315884
+ }
1315885
+ },
1315886
+ {
1315887
+ "Sid": "MLflowPermissions",
1315888
+ "Effect": "Allow",
1315889
+ "Action": [
1315890
+ "sagemaker:DescribeMlflowApp",
1315891
+ "sagemaker:CallMlflowAppApi",
1315892
+ "sagemaker-mlflow:CreateExperiment",
1315893
+ "sagemaker-mlflow:CreateRun",
1315894
+ "sagemaker-mlflow:UpdateRun",
1315895
+ "sagemaker-mlflow:LogBatch",
1315896
+ "sagemaker-mlflow:GetExperimentByName",
1315897
+ "sagemaker-mlflow:GetMetricHistory",
1315898
+ "sagemaker-mlflow:GetRun",
1315899
+ "sagemaker-mlflow:StartTrace",
1315900
+ "sagemaker-mlflow:EndTrace",
1315901
+ "sagemaker-mlflow:SearchTraces",
1315902
+ "sagemaker-mlflow:ListArtifacts"
1315903
+ ],
1315904
+ "Resource": [
1315905
+ "arn:aws:sagemaker:*:*:mlflow-app/*"
1315906
+ ],
1315907
+ "Condition": {
1315908
+ "StringEquals": {
1315909
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315910
+ }
1315911
+ }
1315912
+ },
1315913
+ {
1315914
+ "Sid": "BedrockAgentCorePermissions",
1315915
+ "Effect": "Allow",
1315916
+ "Action": [
1315917
+ "bedrock-agentcore:InvokeAgentRuntime",
1315918
+ "bedrock-agentcore:StopRuntimeSession",
1315919
+ "bedrock-agentcore:GetAgentRuntime"
1315920
+ ],
1315921
+ "Resource": "arn:aws:bedrock-agentcore:*:*:runtime/*",
1315922
+ "Condition": {
1315923
+ "StringEquals": {
1315924
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315925
+ }
1315926
+ }
1315927
+ },
1315928
+ {
1315929
+ "Sid": "EC2NetworkPermissions",
1315930
+ "Effect": "Allow",
1315931
+ "Action": [
1315932
+ "ec2:CreateNetworkInterface",
1315933
+ "ec2:CreateNetworkInterfacePermission",
1315934
+ "ec2:DescribeNetworkInterfaces",
1315935
+ "ec2:DescribeVpcs",
1315936
+ "ec2:DescribeSubnets",
1315937
+ "ec2:DescribeSecurityGroups",
1315938
+ "ec2:DescribeDhcpOptions"
1315939
+ ],
1315940
+ "Resource": "*",
1315941
+ "Condition": {
1315942
+ "StringEquals": {
1315943
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315944
+ }
1315945
+ }
1315946
+ },
1315947
+ {
1315948
+ "Sid": "EC2NetworkInterfaceTagPermissions",
1315949
+ "Effect": "Allow",
1315950
+ "Action": [
1315951
+ "ec2:CreateTags"
1315952
+ ],
1315953
+ "Resource": "arn:aws:ec2:*:*:network-interface/*",
1315954
+ "Condition": {
1315955
+ "StringEquals": {
1315956
+ "aws:ResourceAccount": "${aws:PrincipalAccount}",
1315957
+ "ec2:CreateAction": "CreateNetworkInterface"
1315958
+ }
1315959
+ }
1315960
+ },
1315961
+ {
1315962
+ "Sid": "EC2NetworkInterfaceDeletePermissions",
1315963
+ "Effect": "Allow",
1315964
+ "Action": [
1315965
+ "ec2:DeleteNetworkInterface",
1315966
+ "ec2:DeleteNetworkInterfacePermission"
1315967
+ ],
1315968
+ "Resource": "*",
1315969
+ "Condition": {
1315970
+ "StringEquals": {
1315971
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315972
+ }
1315973
+ }
1315974
+ },
1315975
+ {
1315976
+ "Sid": "CloudWatchLogsPermissions",
1315977
+ "Effect": "Allow",
1315978
+ "Action": [
1315979
+ "logs:CreateLogGroup",
1315980
+ "logs:CreateLogStream",
1315981
+ "logs:PutLogEvents",
1315982
+ "logs:DescribeLogStreams"
1315983
+ ],
1315984
+ "Resource": "arn:aws:logs:*:*:log-group:/aws/sagemaker/*",
1315985
+ "Condition": {
1315986
+ "StringEquals": {
1315987
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1315988
+ }
1315989
+ }
1315990
+ },
1315991
+ {
1315992
+ "Sid": "LambdaPermissions",
1315993
+ "Effect": "Allow",
1315994
+ "Action": [
1315995
+ "lambda:InvokeFunction"
1315996
+ ],
1315997
+ "Resource": "arn:aws:lambda:*:*:function:*",
1315998
+ "Condition": {
1315999
+ "StringEquals": {
1316000
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1316001
+ }
1316002
+ }
1316003
+ }
1316004
+ ]
1316005
+ }
1316006
+ }
1316007
+ },
1316008
+ "createdDate": "2026-06-03T02:42:30.000Z",
1316009
+ "lastUpdatedDate": "2026-06-03T02:42:30.000Z"
1316010
+ },
1316011
+ "AWSQuickSetupPatchPolicyTagManagementExecutionPolicy": {
1316012
+ "arn": "arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyTagManagementExecutionPolicy",
1316013
+ "latestVersionId": "v1",
1316014
+ "versionsCount": 1,
1316015
+ "versions": {
1316016
+ "v1": {
1316017
+ "createdDate": "2026-06-03T14:12:13.000Z",
1316018
+ "document": {
1316019
+ "Version": "2012-10-17",
1316020
+ "Statement": [
1316021
+ {
1316022
+ "Sid": "GetSSMInventory",
1316023
+ "Effect": "Allow",
1316024
+ "Action": [
1316025
+ "ssm:GetInventory"
1316026
+ ],
1316027
+ "Resource": "*"
1316028
+ },
1316029
+ {
1316030
+ "Sid": "ManageSSMManagedInstanceTags",
1316031
+ "Effect": "Allow",
1316032
+ "Action": [
1316033
+ "ssm:AddTagsToResource",
1316034
+ "ssm:RemoveTagsFromResource"
1316035
+ ],
1316036
+ "Resource": "arn:aws:ssm:*:*:managed-instance/*",
1316037
+ "Condition": {
1316038
+ "ForAllValues:StringLike": {
1316039
+ "aws:TagKeys": "QSConfigName-*"
1316040
+ },
1316041
+ "ForAnyValue:StringLike": {
1316042
+ "aws:TagKeys": "QSConfigName-*"
1316043
+ }
1316044
+ }
1316045
+ },
1316046
+ {
1316047
+ "Sid": "ManageEC2InstanceTags",
1316048
+ "Effect": "Allow",
1316049
+ "Action": [
1316050
+ "ec2:CreateTags",
1316051
+ "ec2:DeleteTags"
1316052
+ ],
1316053
+ "Resource": "arn:aws:ec2:*:*:instance/*",
1316054
+ "Condition": {
1316055
+ "ForAllValues:StringLike": {
1316056
+ "aws:TagKeys": "QSConfigName-*"
1316057
+ },
1316058
+ "ForAnyValue:StringLike": {
1316059
+ "aws:TagKeys": "QSConfigName-*"
1316060
+ }
1316061
+ }
1316062
+ }
1316063
+ ]
1316064
+ }
1316065
+ }
1316066
+ },
1316067
+ "createdDate": "2026-06-03T14:12:13.000Z",
1316068
+ "lastUpdatedDate": "2026-06-03T14:12:13.000Z"
1316069
+ },
1316070
+ "AWSQuickSetupPatchPolicyLambdaExecutionPolicy": {
1316071
+ "arn": "arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyLambdaExecutionPolicy",
1316072
+ "latestVersionId": "v1",
1316073
+ "versionsCount": 1,
1316074
+ "versions": {
1316075
+ "v1": {
1316076
+ "createdDate": "2026-06-03T14:12:26.000Z",
1316077
+ "document": {
1316078
+ "Version": "2012-10-17",
1316079
+ "Statement": [
1316080
+ {
1316081
+ "Sid": "ManageSSMAssociations",
1316082
+ "Effect": "Allow",
1316083
+ "Action": [
1316084
+ "ssm:DescribeAssociationExecutions",
1316085
+ "ssm:UpdateAssociation",
1316086
+ "ssm:DescribeAssociation"
1316087
+ ],
1316088
+ "Resource": [
1316089
+ "arn:aws:ssm:*:*:association/*",
1316090
+ "arn:aws:ssm:*:*:document/AWSQuickSetup-*",
1316091
+ "arn:aws:ssm:*:*:document/AWSQuickSetupType-*"
1316092
+ ]
1316093
+ },
1316094
+ {
1316095
+ "Sid": "PassQuickSetupAutomationRole",
1316096
+ "Effect": "Allow",
1316097
+ "Action": [
1316098
+ "iam:PassRole"
1316099
+ ],
1316100
+ "Resource": "arn:aws:iam::*:role/AWS-QuickSetup-AutomationRole-*",
1316101
+ "Condition": {
1316102
+ "StringEquals": {
1316103
+ "iam:PassedToService": "ssm.amazonaws.com"
1316104
+ }
1316105
+ }
1316106
+ }
1316107
+ ]
1316108
+ }
1316109
+ }
1316110
+ },
1316111
+ "createdDate": "2026-06-03T14:12:26.000Z",
1316112
+ "lastUpdatedDate": "2026-06-03T14:12:26.000Z"
1316113
+ },
1316114
+ "FinOpsAgentOperatorPolicy": {
1316115
+ "arn": "arn:aws:iam::aws:policy/FinOpsAgentOperatorPolicy",
1316116
+ "latestVersionId": "v1",
1316117
+ "versionsCount": 1,
1316118
+ "versions": {
1316119
+ "v1": {
1316120
+ "createdDate": "2026-06-03T19:57:09.000Z",
1316121
+ "document": {
1316122
+ "Version": "2012-10-17",
1316123
+ "Statement": [
1316124
+ {
1316125
+ "Sid": "FinOpsAgentOperatorAccess",
1316126
+ "Effect": "Allow",
1316127
+ "Action": [
1316128
+ "finops-agent:CreateConversation",
1316129
+ "finops-agent:ListConversations",
1316130
+ "finops-agent:CreateTurn",
1316131
+ "finops-agent:GetTurn",
1316132
+ "finops-agent:ListTurns",
1316133
+ "finops-agent:CancelTurn",
1316134
+ "finops-agent:AcceptAgentRequest",
1316135
+ "finops-agent:RejectAgentRequest",
1316136
+ "finops-agent:GetAgentRequest",
1316137
+ "finops-agent:CreateTask",
1316138
+ "finops-agent:GetTask",
1316139
+ "finops-agent:ListTasks",
1316140
+ "finops-agent:CancelTask",
1316141
+ "finops-agent:CreateAutomation",
1316142
+ "finops-agent:GetAutomation",
1316143
+ "finops-agent:ListAutomations",
1316144
+ "finops-agent:UpdateAutomation",
1316145
+ "finops-agent:DeleteAutomation",
1316146
+ "finops-agent:CreateDocument",
1316147
+ "finops-agent:GetDocumentContent",
1316148
+ "finops-agent:GetDocumentMetadata",
1316149
+ "finops-agent:ListDocuments",
1316150
+ "finops-agent:UpdateDocument",
1316151
+ "finops-agent:DeleteDocument",
1316152
+ "finops-agent:RestoreDocument",
1316153
+ "finops-agent:GetArtifactContent",
1316154
+ "finops-agent:GetArtifactMetadata",
1316155
+ "finops-agent:DeleteArtifact",
1316156
+ "finops-agent:ListArtifacts",
1316157
+ "finops-agent:ListRecords",
1316158
+ "finops-agent:SendFeedback"
1316159
+ ],
1316160
+ "Resource": "*"
1316161
+ }
1316162
+ ]
1316163
+ }
1316164
+ }
1316165
+ },
1316166
+ "createdDate": "2026-06-03T19:57:09.000Z",
1316167
+ "lastUpdatedDate": "2026-06-03T19:57:09.000Z"
1316168
+ },
1316169
+ "FinOpsAgentAgentPolicy": {
1316170
+ "arn": "arn:aws:iam::aws:policy/FinOpsAgentAgentPolicy",
1316171
+ "latestVersionId": "v1",
1316172
+ "versionsCount": 1,
1316173
+ "versions": {
1316174
+ "v1": {
1316175
+ "createdDate": "2026-06-03T19:57:12.000Z",
1316176
+ "document": {
1316177
+ "Version": "2012-10-17",
1316178
+ "Statement": [
1316179
+ {
1316180
+ "Sid": "FinOpsAgentDataAccess",
1316181
+ "Effect": "Allow",
1316182
+ "Action": [
1316183
+ "ce:GetCostAndUsage",
1316184
+ "ce:GetCostAndUsageWithResources",
1316185
+ "ce:GetCostForecast",
1316186
+ "ce:GetUsageForecast",
1316187
+ "ce:GetDimensionValues",
1316188
+ "ce:GetTags",
1316189
+ "ce:GetCostCategories",
1316190
+ "ce:GetCostAndUsageComparisons",
1316191
+ "ce:GetCostComparisonDrivers",
1316192
+ "ce:GetSavingsPlansCoverage",
1316193
+ "ce:GetSavingsPlansUtilization",
1316194
+ "ce:GetSavingsPlansUtilizationDetails",
1316195
+ "ce:GetSavingsPlansPurchaseRecommendation",
1316196
+ "ce:GetReservationCoverage",
1316197
+ "ce:GetReservationUtilization",
1316198
+ "ce:GetReservationPurchaseRecommendation",
1316199
+ "ce:GetAnomalies",
1316200
+ "ce:GetAnomalyMonitors",
1316201
+ "ce:ListCostAllocationTags",
1316202
+ "ce:ListCostAllocationTagBackfillHistory",
1316203
+ "ce:DescribeCostCategoryDefinition",
1316204
+ "ce:ListCostCategoryDefinitions",
1316205
+ "budgets:ViewBudget",
1316206
+ "cost-optimization-hub:GetRecommendation",
1316207
+ "cost-optimization-hub:ListRecommendations",
1316208
+ "cost-optimization-hub:ListRecommendationSummaries",
1316209
+ "compute-optimizer:DescribeRecommendationExportJobs",
1316210
+ "compute-optimizer:GetEnrollmentStatus",
1316211
+ "compute-optimizer:GetEnrollmentStatusesForOrganization",
1316212
+ "compute-optimizer:GetRecommendationSummaries",
1316213
+ "compute-optimizer:GetEC2InstanceRecommendations",
1316214
+ "compute-optimizer:GetEC2RecommendationProjectedMetrics",
1316215
+ "compute-optimizer:GetAutoScalingGroupRecommendations",
1316216
+ "compute-optimizer:GetEBSVolumeRecommendations",
1316217
+ "compute-optimizer:GetLambdaFunctionRecommendations",
1316218
+ "compute-optimizer:GetRecommendationPreferences",
1316219
+ "compute-optimizer:GetEffectiveRecommendationPreferences",
1316220
+ "compute-optimizer:GetECSServiceRecommendations",
1316221
+ "compute-optimizer:GetECSServiceRecommendationProjectedMetrics",
1316222
+ "compute-optimizer:GetLicenseRecommendations",
1316223
+ "compute-optimizer:GetRDSDatabaseRecommendations",
1316224
+ "compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics",
1316225
+ "compute-optimizer:GetIdleRecommendations",
1316226
+ "ec2:DescribeInstances",
1316227
+ "ec2:DescribeVolumes",
1316228
+ "ecs:ListServices",
1316229
+ "ecs:ListClusters",
1316230
+ "autoscaling:DescribeAutoScalingGroups",
1316231
+ "autoscaling:DescribeAutoScalingInstances",
1316232
+ "lambda:ListFunctions",
1316233
+ "lambda:ListProvisionedConcurrencyConfigs",
1316234
+ "organizations:ListAccounts",
1316235
+ "organizations:DescribeOrganization",
1316236
+ "organizations:DescribeAccount",
1316237
+ "rds:DescribeDBInstances",
1316238
+ "rds:DescribeDBClusters",
1316239
+ "pricing:DescribeServices",
1316240
+ "pricing:GetAttributeValues",
1316241
+ "pricing:GetProducts",
1316242
+ "freetier:GetFreeTierUsage",
1316243
+ "bcm-pricing-calculator:GetPreferences",
1316244
+ "bcm-pricing-calculator:GetWorkloadEstimate",
1316245
+ "bcm-pricing-calculator:ListWorkloadEstimateUsage",
1316246
+ "bcm-pricing-calculator:ListWorkloadEstimates",
1316247
+ "cloudtrail:LookupEvents",
1316248
+ "cloudtrail:DescribeTrails",
1316249
+ "cloudtrail:GetTrailStatus",
1316250
+ "cloudtrail:GetEventSelectors",
1316251
+ "cloudwatch:GetMetricData",
1316252
+ "cloudwatch:GetMetricStatistics",
1316253
+ "cloudwatch:ListMetrics",
1316254
+ "logs:StartQuery",
1316255
+ "logs:GetQueryResults"
1316256
+ ],
1316257
+ "Resource": "*"
1316258
+ },
1316259
+ {
1316260
+ "Sid": "EventBridgeManagedRuleManagementWritePermissions",
1316261
+ "Effect": "Allow",
1316262
+ "Action": [
1316263
+ "events:PutRule",
1316264
+ "events:PutTargets",
1316265
+ "events:DeleteRule",
1316266
+ "events:RemoveTargets",
1316267
+ "events:EnableRule",
1316268
+ "events:DisableRule"
1316269
+ ],
1316270
+ "Resource": "arn:aws:events:*:*:rule/*",
1316271
+ "Condition": {
1316272
+ "StringEquals": {
1316273
+ "events:ManagedBy": "finops-agent.amazonaws.com",
1316274
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1316275
+ }
1316276
+ }
1316277
+ },
1316278
+ {
1316279
+ "Sid": "EventBridgeManagedRuleManagementReadPermissions",
1316280
+ "Effect": "Allow",
1316281
+ "Action": [
1316282
+ "events:DescribeRule",
1316283
+ "events:ListTargetsByRule"
1316284
+ ],
1316285
+ "Resource": "arn:aws:events:*:*:rule/*",
1316286
+ "Condition": {
1316287
+ "StringEquals": {
1316288
+ "aws:ResourceAccount": "${aws:PrincipalAccount}"
1316289
+ }
1316290
+ }
1316291
+ }
1316292
+ ]
1316293
+ }
1316294
+ }
1316295
+ },
1316296
+ "createdDate": "2026-06-03T19:57:12.000Z",
1316297
+ "lastUpdatedDate": "2026-06-03T19:57:12.000Z"
1314980
1316298
  }
1314981
1316299
  }
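Review bot: In `FinOpsAgentAgentPolicy`, the `FinOpsAgentDataAccess` statement grants `logs:StartQuery`, `logs:GetQueryResults` and `cloudtrail:LookupEvents` under `"Resource": "*"` with no `Condition`, so a role carrying this policy can query log contents well beyond cost data. The two EventBridge statements in the same policy are pinned with `"aws:ResourceAccount": "${aws:PrincipalAccount}"`; this one is not. Because the file mirrors an AWS-managed document, the entry should stay as published, but accounts that attach the policy may want a permissions boundary or SCP that limits `logs:StartQuery` to the log groups the agent needs, for instance `"Resource": "arn:aws:logs:*:*:log-group:<cost-log-group-prefix>*"` (placeholder prefix). An alert on `StartQuery` calls from that role against other groups would cover the rest. `AmazonSageMakerJobFullAccess` in the same hunk is similarly wide within the account (`s3:GetObject`/`s3:PutObject` on `"Resource": "*"`, `lambda:InvokeFunction` on `function:*`) and deserves the same scoping.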