Skip to content

Instantly share code, notes, and snippets.

@nitrocode

nitrocode/README.md

Last active December 30, 2022 23:43
Show Gist options
  • Save nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf to your computer and use it in GitHub Desktop.
Save nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf to your computer and use it in GitHub Desktop.
Download ZIP
Cloud custodian iam policy and role generated from code and outputted to terraform
Raw
README.md

CloudCustodian IAM Policy

Extracts perms from cloud-custodian repo, sanitizes extracted data, and transforms into terraform.

How it works

The code will

  1. search for permissions = (get this data) over multiline
  2. print only the captured group
  3. remove the file names from rg output
  4. make all quotes single quotes
  5. insert a new line in between single quoted strings
  6. make all quotes double quotes
  7. remove leading whitespace and empty lines
  8. remove any lines that don't begin with a quote
  9. remove all quotes
  10. remove all commas
  11. sort output
  12. only return unique values
  13. run python script against that to create the iam policy
  14. profit

Regenerate

  1. Install ripgrep and git

    brew install rg git

  2. Clone

    git clone [email protected]:cloud-custodian/cloud-custodian.git
cd cloud-custodian

  3. Download extract-perms.sh and convert-extracted-cloud-custodian-perms-to-terraform.py

    wget https://gist.github.com/nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf/raw/extract-perms.sh
wget https://gist.github.com/nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf/raw/convert-extracted-cloud-custodian-perms-to-terraform.py

  4. Run extract-perms.sh

    bash extract-perms.sh

    The output terraform will be saved in cloud-custodian-iam-policy.tf and the list of perms will be saved in perms.txt.

Reuse

If regenerating the policy is not wanted then feel free to download the following terraform files, init, and apply.

Note: That this code does fall out of date with the source code so it's usually best to regenerate.

wget https://gist.github.com/nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf/raw/cloud_custodain_iam_role.tf
wget https://gist.github.com/nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf/raw/cloud_custodian_iam_policy.tf

Add a backend and simply run the following to create the role.

terraform init
terraform apply
Raw
cloud_custodain_iam_role.tf
# Source: https://gist.github.com/nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf
locals {
name = "custodian"
tags = {
application = local.name
env = "production"
}
}
data "aws_iam_policy_document" "assume_role_policy" {
statement {
sid = ""
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["lambda.amazonaws.com", "ec2.amazonaws.com"]
}
# Fill this in to assume the role locally
# principals {
# type = "AWS"
# identifiers = [
# data.aws_iam_role.engineer.arn
# ]
# }
}
}
# This policy is retrieved from the data source in cloud_custodian_iam_policy.tf
resource "aws_iam_role_policy" "custodian" {
name = local.name
role = local.name
policy = data.aws_iam_policy_document.custodian.json
}
resource "aws_iam_role" "default" {
name = local.name
description = "Cloud custodian blanket role for all c7n policies"
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
tags = local.tags
}
Raw
cloud_custodian_iam_policy.tf
# Source: https://gist.github.com/nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf
# Last generated from 0.9.17.0
# From commit https://github.com/cloud-custodian/cloud-custodian/tree/0fb47173aad2f8f3a69c88c967f63eb7d351de80
# This may be out of date. See manually updated and corrected `iam.tf` below.
data "aws_iam_policy_document" "custodian" {
statement {
sid = "S3"
effect = "Allow"
resources = ["*"]
actions = [
"S3:PutObject",
]
}
statement {
sid = "access-analyzer"
effect = "Allow"
resources = ["*"]
actions = [
"access-analyzer:ListAnalyzers",
"access-analyzer:ListFindings",
]
}
statement {
sid = "acm"
effect = "Allow"
resources = ["*"]
actions = [
"acm:DeleteCertificate",
]
}
statement {
sid = "airflow"
effect = "Allow"
resources = ["*"]
actions = [
"airflow:GetEnvironment",
"airflow:ListEnvironments",
"airflow:TagResource",
"airflow:UntagResource",
]
}
statement {
sid = "apigateway"
effect = "Allow"
resources = ["*"]
actions = [
"apigateway:DELETE",
"apigateway:GET",
"apigateway:PATCH",
]
}
statement {
sid = "appflow"
effect = "Allow"
resources = ["*"]
actions = [
"appflow:DeleteFlow",
"appflow:TagResource",
"appflow:UntagResource",
]
}
statement {
sid = "application-autoscaling"
effect = "Allow"
resources = ["*"]
actions = [
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:RegisterScalableTarget",
]
}
statement {
sid = "autoscaling"
effect = "Allow"
resources = ["*"]
actions = [
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:DeleteTags",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribePolicies",
"autoscaling:ResumeProcesses",
"autoscaling:SuspendProcesses",
"autoscaling:UpdateAutoScalingGroup",
]
}
statement {
sid = "batch"
effect = "Allow"
resources = ["*"]
actions = [
"batch:DeleteComputeEnvironment",
"batch:DeregisterJobDefinition",
"batch:UpdateComputeEnvironment",
]
}
statement {
sid = "cloudWatch"
effect = "Allow"
resources = ["*"]
actions = [
"cloudWatch:PutMetricData",
]
}
statement {
sid = "cloudformation"
effect = "Allow"
resources = ["*"]
actions = [
"cloudformation:DeleteStack",
"cloudformation:UpdateStack",
]
}
statement {
sid = "cloudfront"
effect = "Allow"
resources = ["*"]
actions = [
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",
"cloudfront:UpdateDistribution",
"cloudfront:UpdateStreamingDistribution",
]
}
statement {
sid = "cloudhsm"
effect = "Allow"
resources = ["*"]
actions = [
"cloudhsm:DeleteCluster",
]
}
statement {
sid = "cloudsearch"
effect = "Allow"
resources = ["*"]
actions = [
"cloudsearch:DeleteDomain",
"cloudsearch:DescribeDomainEndpointOptions",
"cloudsearch:UpdateDomainEndpointOptions",
]
}
statement {
sid = "cloudtrail"
effect = "Allow"
resources = ["*"]
actions = [
"cloudtrail:CreateTrail",
"cloudtrail:DeleteTrail",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudtrail:StartLogging",
"cloudtrail:UpdateTrail",
]
}
statement {
sid = "cloudwatch"
effect = "Allow"
resources = ["*"]
actions = [
"cloudwatch:DeleteAlarms",
"cloudwatch:DeleteInsightRules",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:DisableInsightRules",
"cloudwatch:GetMetricStatistics",
"cloudwatch:PutMetricAlarm",
]
}
statement {
sid = "codeartifact"
effect = "Allow"
resources = ["*"]
actions = [
"codeartifact:DeleteDomain",
"codeartifact:DeleteRepository",
"codeartifact:GetDomainPermissionsPolicy",
"codeartifact:GetRepositoryPermissionsPolicy",
"codeartifact:ListRepositoriesInDomain",
]
}
statement {
sid = "codebuild"
effect = "Allow"
resources = ["*"]
actions = [
"codebuild:DeleteProject",
]
}
statement {
sid = "codecommit"
effect = "Allow"
resources = ["*"]
actions = [
"codecommit:DeleteRepository",
]
}
statement {
sid = "codedeploy"
effect = "Allow"
resources = ["*"]
actions = [
"codedeploy:DeleteApplication",
"codedeploy:DeleteDeploymentGroup",
]
}
statement {
sid = "codepipeline"
effect = "Allow"
resources = ["*"]
actions = [
"codepipeline:DeletePipeline",
]
}
statement {
sid = "cognito-identity"
effect = "Allow"
resources = ["*"]
actions = [
"cognito-identity:DeleteIdentityPool",
]
}
statement {
sid = "cognito-idp"
effect = "Allow"
resources = ["*"]
actions = [
"cognito-idp:DeleteUserPool",
]
}
statement {
sid = "config"
effect = "Allow"
resources = ["*"]
actions = [
"config:DeleteConfigRule",
"config:DescribeAggregationAuthorizations",
"config:DescribeComplianceByConfigRule",
"config:DescribeConfigRuleEvaluationStatus",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigurationRecorders",
"config:DescribeDeliveryChannels",
"config:GetResourceConfigHistory",
]
}
statement {
sid = "datapipeline"
effect = "Allow"
resources = ["*"]
actions = [
"datapipeline:AddTags",
"datapipeline:DeletePipeline",
"datapipeline:RemoveTags",
]
}
statement {
sid = "dax"
effect = "Allow"
resources = ["*"]
actions = [
"dax:DeleteCluster",
"dax:ListTags",
"dax:TagResource",
"dax:UntagResource",
"dax:UpdateCluster",
]
}
statement {
sid = "dms"
effect = "Allow"
resources = ["*"]
actions = [
"dms:AddTagsToResource",
"dms:DeleteEndpoint",
"dms:DeleteReplicationInstance",
"dms:ModifyEndpoint",
"dms:ModifyReplicationInstance",
"dms:RemoveTagsFromResource",
]
}
statement {
sid = "ds"
effect = "Allow"
resources = ["*"]
actions = [
"ds:AddTagsToResource",
"ds:RemoveTagsFromResource",
]
}
statement {
sid = "dynamodb"
effect = "Allow"
resources = ["*"]
actions = [
"dynamodb:CreateBackup",
"dynamodb:DeleteBackup",
"dynamodb:DeleteTable",
"dynamodb:DescribeContinuousBackups",
"dynamodb:UpdateContinuousBackups",
"dynamodb:UpdateTable",
]
}
statement {
sid = "ec2"
effect = "Allow"
resources = ["*"]
actions = [
"ec2:AssociateIamInstanceProfile",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CopyImage",
"ec2:CopySnapshot",
"ec2:CreateFlowLogs",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteTrafficMirrorSession",
"ec2:DeleteVolume",
"ec2:DeregisterImage",
"ec2:DescribeDhcpOptions",
"ec2:DescribeFlowLogs",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribePrefixLists",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeStaleSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:DisableEbsEncryptionByDefault",
"ec2:DisassociateAddress",
"ec2:DisassociateIamInstanceProfile",
"ec2:EnableEbsEncryptionByDefault",
"ec2:GetEbsEncryptionByDefault",
"ec2:GetManagedPrefixListEntries",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyInstanceMetadataOptions",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySnapshotAttribute",
"ec2:ModifySpotFleetRequest",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVolumeAttribute",
"ec2:MonitorInstances",
"ec2:RebootInstances",
"ec2:ReleaseAddress",
"ec2:ResetImageAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:UnmonitorInstances",
]
}
statement {
sid = "ecr"
effect = "Allow"
resources = ["*"]
actions = [
"ecr:DeleteLifecyclePolicy",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy",
"ecr:PutImageScanningConfiguration",
"ecr:PutImageTagMutability",
"ecr:PutLifecyclePolicy",
"ecr:SetRepositoryPolicy",
"ecr:TagResource",
"ecr:UntagResource",
]
}
statement {
sid = "ecs"
effect = "Allow"
resources = ["*"]
actions = [
"ecs:DeleteService",
"ecs:DeregisterTaskDefinition",
"ecs:DescribeTaskDefinition",
"ecs:ListTaskDefinitions",
"ecs:StopTask",
"ecs:TagResource",
"ecs:UntagResource",
"ecs:UpdateContainerAgent",
"ecs:UpdateContainerInstancesState",
"ecs:UpdateService",
]
}
statement {
sid = "eks"
effect = "Allow"
resources = ["*"]
actions = [
"eks:DeleteCluster",
"eks:DeleteNodegroup",
"eks:TagResource",
"eks:UntagResource",
"eks:UpdateClusterConfig",
]
}
statement {
sid = "elasticache"
effect = "Allow"
resources = ["*"]
actions = [
"elasticache:CreateSnapshot",
"elasticache:DeleteCacheCluster",
"elasticache:DeleteReplicationGroup",
"elasticache:DeleteSnapshot",
"elasticache:DescribeReplicationGroups",
"elasticache:ListTagsForResource",
"elasticache:ModifyReplicationGroup",
]
}
statement {
sid = "elasticbeanstalk"
effect = "Allow"
resources = ["*"]
actions = [
"elasticbeanstalk:AddTags",
"elasticbeanstalk:ListTagsForResource",
"elasticbeanstalk:RemoveTags",
"elasticbeanstalk:TerminateEnvironment",
]
}
statement {
sid = "elasticfilesystem"
effect = "Allow"
resources = ["*"]
actions = [
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteMountTarget",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:PutLifecycleConfiguration",
]
}
statement {
sid = "elasticloadbalancing"
effect = "Allow"
resources = ["*"]
actions = [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetSecurityGroups",
]
}
statement {
sid = "elasticmapreduce"
effect = "Allow"
resources = ["*"]
actions = [
"elasticmapreduce:AddTags",
"elasticmapreduce:DeleteSecurityConfiguration",
"elasticmapreduce:DescribeSecurityConfiguration",
"elasticmapreduce:GetBlockPublicAccessConfiguration",
"elasticmapreduce:ListSecurityConfigurations",
"elasticmapreduce:PutBlockPublicAccessConfiguration",
"elasticmapreduce:RemoveTags",
"elasticmapreduce:TerminateJobFlows",
]
}
statement {
sid = "es"
effect = "Allow"
resources = ["*"]
actions = [
"es:AddTags",
"es:DeleteElasticsearchDomain",
"es:DescribeElasticsearchDomainConfig",
"es:ESCrossClusterGet",
"es:RemoveTags",
"es:UpdateElasticsearchDomainConfig",
]
}
statement {
sid = "events"
effect = "Allow"
resources = ["*"]
actions = [
"events:DeleteRule",
"events:ListEventBuses",
"events:ListTargetsByRule",
"events:RemoveTargets",
]
}
statement {
sid = "firehose"
effect = "Allow"
resources = ["*"]
actions = [
"firehose:DeleteDeliveryStream",
"firehose:UpdateDestination",
]
}
statement {
sid = "fis"
effect = "Allow"
resources = ["*"]
actions = [
"fis:DeleteExperimentTemplate",
"fis:TagResource",
"fis:UntagResource",
]
}
statement {
sid = "fsx"
effect = "Allow"
resources = ["*"]
actions = [
"fsx:CreateBackup",
"fsx:DeleteBackup",
"fsx:DeleteFileSystem",
"fsx:TagResource",
"fsx:UntagResource",
"fsx:UpdateFileSystem",
]
}
statement {
sid = "glacier"
effect = "Allow"
resources = ["*"]
actions = [
"glacier:DeleteVault",
"glacier:GetVaultAccessPolicy",
"glacier:ListTagsForVault",
"glacier:SetVaultAccessPolicy",
]
}
statement {
sid = "glue"
effect = "Allow"
resources = ["*"]
actions = [
"glue:DeleteClassifier",
"glue:DeleteConnection",
"glue:DeleteCrawler",
"glue:DeleteDatabase",
"glue:DeleteDevEndpoint",
"glue:DeleteJob",
"glue:DeleteMLTransform",
"glue:DeleteSecurityConfiguration",
"glue:DeleteTable",
"glue:DeleteTrigger",
"glue:DeleteWorkflow",
"glue:GetDataCatalogEncryptionSettings",
"glue:GetJobs",
"glue:GetResourcePolicy",
"glue:PutDataCatalogEncryptionSettings",
"glue:PutResourcePolicy",
"glue:UpdateJob",
]
}
statement {
sid = "guardduty"
effect = "Allow"
resources = ["*"]
actions = [
"guardduty:GetDetector",
"guardduty:GetMasterAccount",
"guardduty:ListDetectors",
]
}
statement {
sid = "health"
effect = "Allow"
resources = ["*"]
actions = [
"health:DescribeAffectedEntities",
"health:DescribeEventDetails",
"health:DescribeEvents",
]
}
statement {
sid = "iam"
effect = "Allow"
resources = ["*"]
actions = [
"iam:AddUserToGroup",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:DeactivateMFADevice",
"iam:DeleteAccessKey",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteInstanceProfile",
"iam:DeleteLoginProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteSSHPublicKey",
"iam:DeleteServerCertificate",
"iam:DeleteSigningCertificate",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetServiceLastAccessedDetails",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListGroupPolicies",
"iam:ListGroupsForUser",
"iam:ListMFADevices",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListSSHPublicKeys",
"iam:ListServiceSpecificCredentials",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:ListVirtualMFADevices",
"iam:PassRole",
"iam:RemoveUserFromGroup",
"iam:TagRole",
"iam:TagUser",
"iam:UntagRole",
"iam:UntagUser",
"iam:UpdateAccessKey",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateSSHPublicKey",
]
}
statement {
sid = "kafka"
effect = "Allow"
resources = ["*"]
actions = [
"kafka:DeleteCluster",
"kafka:UpdateClusterConfiguration",
]
}
statement {
sid = "kinesis"
effect = "Allow"
resources = ["*"]
actions = [
"kinesis:DeleteStream",
"kinesis:UpdateShardCount",
]
}
statement {
sid = "kinesisanalytics"
effect = "Allow"
resources = ["*"]
actions = [
"kinesisanalytics:DeleteApplication",
"kinesisanalytics:DescribeApplication",
]
}
statement {
sid = "kinesisvideo"
effect = "Allow"
resources = ["*"]
actions = [
"kinesisvideo:DeleteStream",
]
}
statement {
sid = "kms"
effect = "Allow"
resources = ["*"]
actions = [
"kms:DescribeKey",
"kms:EnableKeyRotation",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListGrants",
"kms:PutKeyPolicy",
]
}
statement {
sid = "lambda"
effect = "Allow"
resources = ["*"]
actions = [
"lambda:*",
"lambda:DeleteFunction",
"lambda:DeleteFunctionConcurrency",
"lambda:DeleteLayerVersion",
"lambda:GetFunction",
"lambda:GetLayerVersionPolicy",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:ListAliases",
"lambda:ListVersionsByFunction",
"lambda:PutFunctionConcurrency",
"lambda:RemoveLayerVersionPermission",
"lambda:RemovePermission",
"lambda:UpdateFunctionConfiguration",
]
}
statement {
sid = "logs"
effect = "Allow"
resources = ["*"]
actions = [
"logs:AssociateKmsKey",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:DescribeSubscriptionFilters",
"logs:DisassociateKmsKey",
"logs:GetResourcePolicy",
"logs:PutResourcePolicy",
"logs:PutRetentionPolicy",
]
}
statement {
sid = "machinelearning"
effect = "Allow"
resources = ["*"]
actions = [
"machinelearning:DeleteMLModel",
]
}
statement {
sid = "macie2"
effect = "Allow"
resources = ["*"]
actions = [
"macie2:GetMacieSession",
"macie2:GetMasterAccount",
]
}
statement {
sid = "mq"
effect = "Allow"
resources = ["*"]
actions = [
"mq:CreateTags",
"mq:DeleteBroker",
"mq:DeleteTags",
"mq:ListBrokers",
"mq:ListTags",
]
}
statement {
sid = "opsworks-cm"
effect = "Allow"
resources = ["*"]
actions = [
"opsworks-cm:DeleteServer",
]
}
statement {
sid = "opsworks"
effect = "Allow"
resources = ["*"]
actions = [
"opsworks:DeleteApp",
"opsworks:DeleteInstance",
"opsworks:DeleteLayer",
"opsworks:DeleteStack",
"opsworks:DescribeApps",
"opsworks:DescribeInstances",
"opsworks:DescribeLayers",
"opsworks:StopStack",
]
}
statement {
sid = "qldb"
effect = "Allow"
resources = ["*"]
actions = [
"qldb:DeleteLedger",
"qldb:UpdateLedger",
]
}
statement {
sid = "rds"
effect = "Allow"
resources = ["*"]
actions = [
"rds:AddTagsToResource",
"rds:CopyDBClusterParameterGroup",
"rds:CopyDBParameterGroup",
"rds:CopyDBSnapshot",
"rds:CreateDBClusterSnapshot",
"rds:CreateDBSnapshot",
"rds:DeleteDBCluster",
"rds:DeleteDBClusterParameterGroup",
"rds:DeleteDBClusterSnapshot",
"rds:DeleteDBInstance",
"rds:DeleteDBParameterGroup",
"rds:DeleteDBSnapshot",
"rds:DeleteDBSubnetGroup",
"rds:DeleteEventSubscription",
"rds:DescribeDBClusterParameters",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBInstances",
"rds:DescribeDBParameters",
"rds:DescribeDBSnapshotAttributes",
"rds:DescribeDBSnapshots",
"rds:ModifyDBCluster",
"rds:ModifyDBClusterParameterGroup",
"rds:ModifyDBClusterSnapshotAttribute",
"rds:ModifyDBInstance",
"rds:ModifyDBParameterGroup",
"rds:ModifyDBSnapshotAttribute",
"rds:ModifyOptionGroup",
"rds:RebootDBInstance",
"rds:RemoveTagsFromResource",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:StartDBCluster",
"rds:StartDBInstance",
"rds:StopDBCluster",
"rds:StopDBInstance",
]
}
statement {
sid = "redshift"
effect = "Allow"
resources = ["*"]
actions = [
"redshift:CreateClusterSnapshot",
"redshift:CreateTags",
"redshift:DeleteCluster",
"redshift:DeleteClusterSnapshot",
"redshift:DeleteTags",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusterSnapshots",
"redshift:DescribeLoggingStatus",
"redshift:ModifyCluster",
"redshift:PauseCluster",
"redshift:ResumeCluster",
"redshift:RevokeSnapshotAccess",
]
}
statement {
sid = "route53"
effect = "Allow"
resources = ["*"]
actions = [
"route53:CreateQueryLoggingConfig",
"route53:DeleteHostedZone",
"route53:DeleteQueryLoggingConfig",
"route53:GetHostedZone",
"route53:GetQueryLoggingConfig",
"route53:ListTagsForResources",
]
}
statement {
sid = "route53domains"
effect = "Allow"
resources = ["*"]
actions = [
"route53domains:DeleteTagsForDomain",
"route53domains:ListTagsForDomain",
"route53domains:UpdateTagsForDomain",
]
}
statement {
sid = "s3"
effect = "Allow"
resources = ["*"]
actions = [
"s3:*",
"s3:CreateBucket",
"s3:DeleteAccessPoint",
"s3:DeleteBucketPolicy",
"s3:DeleteBucketWebsite",
"s3:DeleteObjectVersion",
"s3:GetAccessPointPolicy",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetEncryptionConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutAccountPublicAccessBlock",
"s3:PutBucketAcl",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutBucketVersioning",
"s3:PutEncryptionConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutObject",
"s3:PutReplicationConfiguration",
"s3:RestoreObject",
]
}
statement {
sid = "sagemaker"
effect = "Allow"
resources = ["*"]
actions = [
"sagemaker:AddTags",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteEndpointConfig",
"sagemaker:DeleteModel",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeleteTags",
"sagemaker:ListTags",
"sagemaker:StartNotebookInstance",
"sagemaker:StopNotebookInstance",
"sagemaker:StopTrainingJob",
"sagemaker:StopTransformJob",
]
}
statement {
sid = "sdb"
effect = "Allow"
resources = ["*"]
actions = [
"sdb:DeleteDomain",
"sdb:DomainMetadata",
]
}
statement {
sid = "secretsmanager"
effect = "Allow"
resources = ["*"]
actions = [
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:TagResource",
"secretsmanager:UntagResource",
]
}
statement {
sid = "securityhub"
effect = "Allow"
resources = ["*"]
actions = [
"securityhub:BatchImportFindings",
"securityhub:DescribeHub",
"securityhub:GetFindings",
]
}
statement {
sid = "serverlessrepo"
effect = "Allow"
resources = ["*"]
actions = [
"serverlessrepo:DeleteApplication",
"serverlessrepo:GetApplicationPolicy",
]
}
statement {
sid = "servicecatalog"
effect = "Allow"
resources = ["*"]
actions = [
"servicecatalog:DeletePortfolio",
"servicecatalog:DeletePortfolioShare",
"servicecatalog:ListPortfolioAccess",
]
}
statement {
sid = "servicequotas"
effect = "Allow"
resources = ["*"]
actions = [
"servicequotas:ListRequestedServiceQuotaChangeHistory",
"servicequotas:RequestServiceQuotaIncrease",
]
}
statement {
sid = "shield"
effect = "Allow"
resources = ["*"]
actions = [
"shield:CreateProtection",
"shield:CreateSubscription",
"shield:DeleteSubscription",
"shield:DescribeSubscription",
"shield:ListProtections",
]
}
statement {
sid = "sns"
effect = "Allow"
resources = ["*"]
actions = [
"sns:DeleteTopic",
"sns:GetTopicAttributes",
"sns:ListTagsForResource",
"sns:SetTopicAttributes",
"sns:TagResource",
"sns:Unsubscribe",
"sns:UntagResource",
]
}
statement {
sid = "sqs"
effect = "Allow"
resources = ["*"]
actions = [
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:RemovePermission",
"sqs:SetQueueAttributes",
]
}
statement {
sid = "ssm"
effect = "Allow"
resources = ["*"]
actions = [
"ssm:CreateOpsItem",
"ssm:DeleteActivation",
"ssm:DeleteDocument",
"ssm:DeleteParameter",
"ssm:DeleteResourceDataSync",
"ssm:DescribeActivations",
"ssm:DescribeDocumentPermission",
"ssm:DescribeInstanceInformation",
"ssm:DescribeOpsItems",
"ssm:DescribeParameters",
"ssm:GetParameters",
"ssm:ListDocuments",
"ssm:ListResourceComplianceSummaries",
"ssm:ListResourceDataSync",
"ssm:ModifyDocumentPermission",
"ssm:SendCommand",
"ssm:UpdateOpsItem",
]
}
statement {
sid = "states"
effect = "Allow"
resources = ["*"]
actions = [
"states:StartExecution",
"states:TagResource",
"states:UntagResource",
]
}
statement {
sid = "support"
effect = "Allow"
resources = ["*"]
actions = [
"support:CreateCase",
"support:DescribeTrustedAdvisorCheckRefreshStatuses",
"support:DescribeTrustedAdvisorCheckResult",
"support:DescribeTrustedAdvisorChecks",
"support:RefreshTrustedAdvisorCheck",
]
}
statement {
sid = "tag"
effect = "Allow"
resources = ["*"]
actions = [
"tag:TagResources",
"tag:UntagResources",
]
}
statement {
sid = "waf-regional"
effect = "Allow"
resources = ["*"]
actions = [
"waf-regional:AssociateWebACL",
"waf-regional:ListResourcesForWebACL",
"waf-regional:ListWebACLs",
]
}
statement {
sid = "waf"
effect = "Allow"
resources = ["*"]
actions = [
"waf:ListWebACLs",
]
}
statement {
sid = "wafv2"
effect = "Allow"
resources = ["*"]
actions = [
"wafv2:AssociateWebACL",
"wafv2:ListResourcesForWebACL",
"wafv2:ListWebACLs",
]
}
statement {
sid = "workspaces"
effect = "Allow"
resources = ["*"]
actions = [
"workspaces:DeleteWorkspaceImage",
"workspaces:DeregisterWorkspaceDirectory",
"workspaces:DescribeClientProperties",
"workspaces:DescribeWorkspaceImagePermissions",
"workspaces:DescribeWorkspacesConnectionStatus",
"workspaces:ModifyClientProperties",
"workspaces:TerminateWorkspaces",
]
}
statement {
sid = "xray"
effect = "Allow"
resources = ["*"]
actions = [
"xray:GetEncryptionConfig",
"xray:PutEncryptionConfig",
]
}
}
Raw
convert-extracted-cloud-custodian-perms-to-terraform.py
#!/usr/bin/env python
# Source: https://gist.github.com/nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf
import sys
def statement(sid, actions):
print('')
print(' statement {')
print(' sid = "{0}"'.format(sid))
print(' effect = "Allow"')
print(' resources = ["*"]')
print('')
print(' actions = [')
for action in actions:
print(' "{0}",'.format(action))
print(' ]')
print(' }')
print('data "aws_iam_policy_document" "custodian" {')
actions = []
last_sline = None
for stdline in sys.stdin:
line = stdline
sline = line.split(':')
if last_sline and sline[0] != last_sline[0]:
statement(last_sline[0], actions)
actions = [line.rstrip('\n')]
else:
actions.append(line.rstrip('\n'))
last_sline = sline
statement(last_sline[0], actions)
print('}')
Raw
extract-perms.sh
#!/usr/bin/env bash
# Source: https://gist.github.com/nitrocode/0cd3db8e0a7c994fbca2a6f252ca40cf
# extract and transform
# purposely did not lowercase everything `tr '[:upper:]' '[:lower:]'` because we want to keep the casing
rg 'permissions[\s]?=[\s]?\((.*?)\)[\s]?' \
--multiline-dotall \
--multiline \
--only-matching \
--replace '$1' \
--no-filename \
--glob '!tools/*' |
tr '"' "'" |
sed $'s/\', \'/\', \\\n\'/g' |
tr "'" '"' |
awk '{$1=$1};1' |
sed '/^[[:space:]]*$/d' |
grep -e '^"' |
tr -d '"' |
tr -d ',' |
sort |
uniq > perms.txt
# run python script to convert to terraform
python convert-extracted-cloud-custodian-perms-to-terraform.py < perms.txt > cloud-custodian-iam-policy.tf
echo "Generated data.aws_iam_policy_document.custodian.json policy in cloud-custodian-iam-policy.tf"
Raw
perms.txt
S3:PutObject
access-analyzer:ListAnalyzers
access-analyzer:ListFindings
acm:DeleteCertificate
airflow:GetEnvironment
airflow:ListEnvironments
airflow:TagResource
airflow:UntagResource
apigateway:DELETE
apigateway:GET
apigateway:PATCH
appflow:DeleteFlow
appflow:TagResource
appflow:UntagResource
application-autoscaling:DescribeScalableTargets
application-autoscaling:RegisterScalableTarget
autoscaling:CreateOrUpdateTags
autoscaling:DeleteAutoScalingGroup
autoscaling:DeleteLaunchConfiguration
autoscaling:DeleteTags
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribePolicies
autoscaling:ResumeProcesses
autoscaling:SuspendProcesses
autoscaling:UpdateAutoScalingGroup
batch:DeleteComputeEnvironment
batch:DeregisterJobDefinition
batch:UpdateComputeEnvironment
cloudWatch:PutMetricData
cloudformation:DeleteStack
cloudformation:UpdateStack
cloudfront:GetDistributionConfig
cloudfront:GetStreamingDistributionConfig
cloudfront:UpdateDistribution
cloudfront:UpdateStreamingDistribution
cloudhsm:DeleteCluster
cloudsearch:DeleteDomain
cloudsearch:DescribeDomainEndpointOptions
cloudsearch:UpdateDomainEndpointOptions
cloudtrail:CreateTrail
cloudtrail:DeleteTrail
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
cloudtrail:GetTrailStatus
cloudtrail:StartLogging
cloudtrail:UpdateTrail
cloudwatch:DeleteAlarms
cloudwatch:DeleteInsightRules
cloudwatch:DescribeAlarmsForMetric
cloudwatch:DisableInsightRules
cloudwatch:GetMetricStatistics
cloudwatch:PutMetricAlarm
codeartifact:DeleteDomain
codeartifact:DeleteRepository
codeartifact:GetDomainPermissionsPolicy
codeartifact:GetRepositoryPermissionsPolicy
codeartifact:ListRepositoriesInDomain
codebuild:DeleteProject
codecommit:DeleteRepository
codedeploy:DeleteApplication
codedeploy:DeleteDeploymentGroup
codepipeline:DeletePipeline
cognito-identity:DeleteIdentityPool
cognito-idp:DeleteUserPool
config:DeleteConfigRule
config:DescribeAggregationAuthorizations
config:DescribeComplianceByConfigRule
config:DescribeConfigRuleEvaluationStatus
config:DescribeConfigurationRecorderStatus
config:DescribeConfigurationRecorders
config:DescribeDeliveryChannels
config:GetResourceConfigHistory
datapipeline:AddTags
datapipeline:DeletePipeline
datapipeline:RemoveTags
dax:DeleteCluster
dax:ListTags
dax:TagResource
dax:UntagResource
dax:UpdateCluster
dms:AddTagsToResource
dms:DeleteEndpoint
dms:DeleteReplicationInstance
dms:ModifyEndpoint
dms:ModifyReplicationInstance
dms:RemoveTagsFromResource
ds:AddTagsToResource
ds:RemoveTagsFromResource
dynamodb:CreateBackup
dynamodb:DeleteBackup
dynamodb:DeleteTable
dynamodb:DescribeContinuousBackups
dynamodb:UpdateContinuousBackups
dynamodb:UpdateTable
ec2:AssociateIamInstanceProfile
ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
ec2:CopyImage
ec2:CopySnapshot
ec2:CreateFlowLogs
ec2:CreateSnapshot
ec2:CreateTags
ec2:CreateVolume
ec2:DeleteInternetGateway
ec2:DeleteKeyPair
ec2:DeleteNatGateway
ec2:DeleteNetworkInterface
ec2:DeleteSecurityGroup
ec2:DeleteSnapshot
ec2:DeleteTags
ec2:DeleteTrafficMirrorSession
ec2:DeleteVolume
ec2:DeregisterImage
ec2:DescribeDhcpOptions
ec2:DescribeFlowLogs
ec2:DescribeImageAttribute
ec2:DescribeImages
ec2:DescribeInstanceAttribute
ec2:DescribeInstances
ec2:DescribeKeyPairs
ec2:DescribeLaunchTemplateVersions
ec2:DescribePrefixLists
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSnapshotAttribute
ec2:DescribeSnapshots
ec2:DescribeSpotInstanceRequests
ec2:DescribeStaleSecurityGroups
ec2:DescribeSubnets
ec2:DescribeTags
ec2:DescribeVolumes
ec2:DescribeVpcAttribute
ec2:DescribeVpcEndpoints
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DetachVolume
ec2:DisableEbsEncryptionByDefault
ec2:DisassociateAddress
ec2:DisassociateIamInstanceProfile
ec2:EnableEbsEncryptionByDefault
ec2:GetEbsEncryptionByDefault
ec2:GetManagedPrefixListEntries
ec2:ModifyImageAttribute
ec2:ModifyInstanceAttribute
ec2:ModifyInstanceMetadataOptions
ec2:ModifyNetworkInterfaceAttribute
ec2:ModifySnapshotAttribute
ec2:ModifySpotFleetRequest
ec2:ModifySubnetAttribute
ec2:ModifyVolumeAttribute
ec2:MonitorInstances
ec2:RebootInstances
ec2:ReleaseAddress
ec2:ResetImageAttribute
ec2:RevokeSecurityGroupEgress
ec2:RevokeSecurityGroupIngress
ec2:StartInstances
ec2:StopInstances
ec2:TerminateInstances
ec2:UnmonitorInstances
ecr:DeleteLifecyclePolicy
ecr:GetLifecyclePolicy
ecr:GetRepositoryPolicy
ecr:PutImageScanningConfiguration
ecr:PutImageTagMutability
ecr:PutLifecyclePolicy
ecr:SetRepositoryPolicy
ecr:TagResource
ecr:UntagResource
ecs:DeleteService
ecs:DeregisterTaskDefinition
ecs:DescribeTaskDefinition
ecs:ListTaskDefinitions
ecs:StopTask
ecs:TagResource
ecs:UntagResource
ecs:UpdateContainerAgent
ecs:UpdateContainerInstancesState
ecs:UpdateService
eks:DeleteCluster
eks:DeleteNodegroup
eks:TagResource
eks:UntagResource
eks:UpdateClusterConfig
elasticache:CreateSnapshot
elasticache:DeleteCacheCluster
elasticache:DeleteReplicationGroup
elasticache:DeleteSnapshot
elasticache:DescribeReplicationGroups
elasticache:ListTagsForResource
elasticache:ModifyReplicationGroup
elasticbeanstalk:AddTags
elasticbeanstalk:ListTagsForResource
elasticbeanstalk:RemoveTags
elasticbeanstalk:TerminateEnvironment
elasticfilesystem:DeleteFileSystem
elasticfilesystem:DeleteMountTarget
elasticfilesystem:DescribeFileSystemPolicy
elasticfilesystem:DescribeLifecycleConfiguration
elasticfilesystem:DescribeMountTargets
elasticfilesystem:PutLifecycleConfiguration
elasticloadbalancing:AddTags
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
elasticloadbalancing:CreateLoadBalancerPolicy
elasticloadbalancing:DeleteLoadBalancer
elasticloadbalancing:DeleteTargetGroup
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:RemoveTags
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:SetSecurityGroups
elasticmapreduce:AddTags
elasticmapreduce:DeleteSecurityConfiguration
elasticmapreduce:DescribeSecurityConfiguration
elasticmapreduce:GetBlockPublicAccessConfiguration
elasticmapreduce:ListSecurityConfigurations
elasticmapreduce:PutBlockPublicAccessConfiguration
elasticmapreduce:RemoveTags
elasticmapreduce:TerminateJobFlows
es:AddTags
es:DeleteElasticsearchDomain
es:DescribeElasticsearchDomainConfig
es:ESCrossClusterGet
es:RemoveTags
es:UpdateElasticsearchDomainConfig
events:DeleteRule
events:ListEventBuses
events:ListTargetsByRule
events:RemoveTargets
firehose:DeleteDeliveryStream
firehose:UpdateDestination
fis:DeleteExperimentTemplate
fis:TagResource
fis:UntagResource
fsx:CreateBackup
fsx:DeleteBackup
fsx:DeleteFileSystem
fsx:TagResource
fsx:UntagResource
fsx:UpdateFileSystem
glacier:DeleteVault
glacier:GetVaultAccessPolicy
glacier:ListTagsForVault
glacier:SetVaultAccessPolicy
glue:DeleteClassifier
glue:DeleteConnection
glue:DeleteCrawler
glue:DeleteDatabase
glue:DeleteDevEndpoint
glue:DeleteJob
glue:DeleteMLTransform
glue:DeleteSecurityConfiguration
glue:DeleteTable
glue:DeleteTrigger
glue:DeleteWorkflow
glue:GetDataCatalogEncryptionSettings
glue:GetJobs
glue:GetResourcePolicy
glue:PutDataCatalogEncryptionSettings
glue:PutResourcePolicy
glue:UpdateJob
guardduty:GetDetector
guardduty:GetMasterAccount
guardduty:ListDetectors
health:DescribeAffectedEntities
health:DescribeEventDetails
health:DescribeEvents
iam:AddUserToGroup
iam:AttachGroupPolicy
iam:AttachRolePolicy
iam:DeactivateMFADevice
iam:DeleteAccessKey
iam:DeleteGroup
iam:DeleteGroupPolicy
iam:DeleteInstanceProfile
iam:DeleteLoginProfile
iam:DeletePolicy
iam:DeleteRole
iam:DeleteSSHPublicKey
iam:DeleteServerCertificate
iam:DeleteSigningCertificate
iam:DeleteUser
iam:DeleteUserPolicy
iam:DetachGroupPolicy
iam:DetachRolePolicy
iam:DetachUserPolicy
iam:GenerateCredentialReport
iam:GenerateServiceLastAccessedDetails
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetGroup
iam:GetServiceLastAccessedDetails
iam:ListAccessKeys
iam:ListAccountAliases
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroupPolicies
iam:ListGroupsForUser
iam:ListMFADevices
iam:ListPolicies
iam:ListPolicyVersions
iam:ListRolePolicies
iam:ListRoles
iam:ListSSHPublicKeys
iam:ListServiceSpecificCredentials
iam:ListSigningCertificates
iam:ListUserPolicies
iam:ListVirtualMFADevices
iam:PassRole
iam:RemoveUserFromGroup
iam:TagRole
iam:TagUser
iam:UntagRole
iam:UntagUser
iam:UpdateAccessKey
iam:UpdateAccountPasswordPolicy
iam:UpdateSSHPublicKey
kafka:DeleteCluster
kafka:UpdateClusterConfiguration
kinesis:DeleteStream
kinesis:UpdateShardCount
kinesisanalytics:DeleteApplication
kinesisanalytics:DescribeApplication
kinesisvideo:DeleteStream
kms:DescribeKey
kms:EnableKeyRotation
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:ListAliases
kms:ListGrants
kms:PutKeyPolicy
lambda:*
lambda:DeleteFunction
lambda:DeleteFunctionConcurrency
lambda:DeleteLayerVersion
lambda:GetFunction
lambda:GetLayerVersionPolicy
lambda:GetPolicy
lambda:InvokeFunction
lambda:ListAliases
lambda:ListVersionsByFunction
lambda:PutFunctionConcurrency
lambda:RemoveLayerVersionPermission
lambda:RemovePermission
lambda:UpdateFunctionConfiguration
logs:AssociateKmsKey
logs:CreateLogGroup
logs:DeleteLogGroup
logs:DescribeLogGroups
logs:DescribeLogStreams
logs:DescribeSubscriptionFilters
logs:DisassociateKmsKey
logs:GetResourcePolicy
logs:PutResourcePolicy
logs:PutRetentionPolicy
machinelearning:DeleteMLModel
macie2:GetMacieSession
macie2:GetMasterAccount
mq:CreateTags
mq:DeleteBroker
mq:DeleteTags
mq:ListBrokers
mq:ListTags
opsworks-cm:DeleteServer
opsworks:DeleteApp
opsworks:DeleteInstance
opsworks:DeleteLayer
opsworks:DeleteStack
opsworks:DescribeApps
opsworks:DescribeInstances
opsworks:DescribeLayers
opsworks:StopStack
qldb:DeleteLedger
qldb:UpdateLedger
rds:AddTagsToResource
rds:CopyDBClusterParameterGroup
rds:CopyDBParameterGroup
rds:CopyDBSnapshot
rds:CreateDBClusterSnapshot
rds:CreateDBSnapshot
rds:DeleteDBCluster
rds:DeleteDBClusterParameterGroup
rds:DeleteDBClusterSnapshot
rds:DeleteDBInstance
rds:DeleteDBParameterGroup
rds:DeleteDBSnapshot
rds:DeleteDBSubnetGroup
rds:DeleteEventSubscription
rds:DescribeDBClusterParameters
rds:DescribeDBClusterSnapshotAttributes
rds:DescribeDBClusterSnapshots
rds:DescribeDBClusters
rds:DescribeDBEngineVersions
rds:DescribeDBInstances
rds:DescribeDBParameters
rds:DescribeDBSnapshotAttributes
rds:DescribeDBSnapshots
rds:ModifyDBCluster
rds:ModifyDBClusterParameterGroup
rds:ModifyDBClusterSnapshotAttribute
rds:ModifyDBInstance
rds:ModifyDBParameterGroup
rds:ModifyDBSnapshotAttribute
rds:ModifyOptionGroup
rds:RebootDBInstance
rds:RemoveTagsFromResource
rds:RestoreDBInstanceFromDBSnapshot
rds:StartDBCluster
rds:StartDBInstance
rds:StopDBCluster
rds:StopDBInstance
redshift:CreateClusterSnapshot
redshift:CreateTags
redshift:DeleteCluster
redshift:DeleteClusterSnapshot
redshift:DeleteTags
redshift:DescribeClusterParameters
redshift:DescribeClusterSnapshots
redshift:DescribeLoggingStatus
redshift:ModifyCluster
redshift:PauseCluster
redshift:ResumeCluster
redshift:RevokeSnapshotAccess
route53:CreateQueryLoggingConfig
route53:DeleteHostedZone
route53:DeleteQueryLoggingConfig
route53:GetHostedZone
route53:GetQueryLoggingConfig
route53:ListTagsForResources
route53domains:DeleteTagsForDomain
route53domains:ListTagsForDomain
route53domains:UpdateTagsForDomain
s3:*
s3:CreateBucket
s3:DeleteAccessPoint
s3:DeleteBucketPolicy
s3:DeleteBucketWebsite
s3:DeleteObjectVersion
s3:GetAccessPointPolicy
s3:GetAccountPublicAccessBlock
s3:GetBucketLogging
s3:GetBucketNotification
s3:GetBucketOwnershipControls
s3:GetBucketPolicy
s3:GetBucketPublicAccessBlock
s3:GetEncryptionConfiguration
s3:GetInventoryConfiguration
s3:GetLifecycleConfiguration
s3:GetObject
s3:GetReplicationConfiguration
s3:ListAllMyBuckets
s3:ListBucket
s3:PutAccountPublicAccessBlock
s3:PutBucketAcl
s3:PutBucketLogging
s3:PutBucketNotification
s3:PutBucketPolicy
s3:PutBucketPublicAccessBlock
s3:PutBucketVersioning
s3:PutEncryptionConfiguration
s3:PutInventoryConfiguration
s3:PutLifecycleConfiguration
s3:PutObject
s3:PutReplicationConfiguration
s3:RestoreObject
sagemaker:AddTags
sagemaker:DeleteEndpoint
sagemaker:DeleteEndpointConfig
sagemaker:DeleteModel
sagemaker:DeleteNotebookInstance
sagemaker:DeleteTags
sagemaker:ListTags
sagemaker:StartNotebookInstance
sagemaker:StopNotebookInstance
sagemaker:StopTrainingJob
sagemaker:StopTransformJob
sdb:DeleteDomain
sdb:DomainMetadata
secretsmanager:GetResourcePolicy
secretsmanager:ListSecretVersionIds
secretsmanager:TagResource
secretsmanager:UntagResource
securityhub:BatchImportFindings
securityhub:DescribeHub
securityhub:GetFindings
serverlessrepo:DeleteApplication
serverlessrepo:GetApplicationPolicy
servicecatalog:DeletePortfolio
servicecatalog:DeletePortfolioShare
servicecatalog:ListPortfolioAccess
servicequotas:ListRequestedServiceQuotaChangeHistory
servicequotas:RequestServiceQuotaIncrease
shield:CreateProtection
shield:CreateSubscription
shield:DeleteSubscription
shield:DescribeSubscription
shield:ListProtections
sns:DeleteTopic
sns:GetTopicAttributes
sns:ListTagsForResource
sns:SetTopicAttributes
sns:TagResource
sns:Unsubscribe
sns:UntagResource
sqs:DeleteQueue
sqs:GetQueueAttributes
sqs:RemovePermission
sqs:SetQueueAttributes
ssm:CreateOpsItem
ssm:DeleteActivation
ssm:DeleteDocument
ssm:DeleteParameter
ssm:DeleteResourceDataSync
ssm:DescribeActivations
ssm:DescribeDocumentPermission
ssm:DescribeInstanceInformation
ssm:DescribeOpsItems
ssm:DescribeParameters
ssm:GetParameters
ssm:ListDocuments
ssm:ListResourceComplianceSummaries
ssm:ListResourceDataSync
ssm:ModifyDocumentPermission
ssm:SendCommand
ssm:UpdateOpsItem
states:StartExecution
states:TagResource
states:UntagResource
support:CreateCase
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:DescribeTrustedAdvisorCheckResult
support:DescribeTrustedAdvisorChecks
support:RefreshTrustedAdvisorCheck
tag:TagResources
tag:UntagResources
waf-regional:AssociateWebACL
waf-regional:ListResourcesForWebACL
waf-regional:ListWebACLs
waf:ListWebACLs
wafv2:AssociateWebACL
wafv2:ListResourcesForWebACL
wafv2:ListWebACLs
workspaces:DeleteWorkspaceImage
workspaces:DeregisterWorkspaceDirectory
workspaces:DescribeClientProperties
workspaces:DescribeWorkspaceImagePermissions
workspaces:DescribeWorkspacesConnectionStatus
workspaces:ModifyClientProperties
workspaces:TerminateWorkspaces
xray:GetEncryptionConfig
xray:PutEncryptionConfig
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment