From 12f08e83b473c524094a110c5e984bb18cd878e2 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 1 Feb 2024 17:32:39 -0100 Subject: [PATCH] chore: update IAM Managed Policies (#7291) --- moto/iam/aws_managed_policies.py | 1641 +++++++++++++++--------------- 1 file changed, 837 insertions(+), 804 deletions(-) diff --git a/moto/iam/aws_managed_policies.py b/moto/iam/aws_managed_policies.py index da45be2498d1..9a330e8f8351 100644 --- a/moto/iam/aws_managed_policies.py +++ b/moto/iam/aws_managed_policies.py @@ -19124,7 +19124,7 @@ }, "AWSFaultInjectionSimulatorECSAccess":{ "CreateDate":"2022-10-26T20:37:56+00:00", - "DefaultVersionId":"v2", + "DefaultVersionId":"v3", "Document":{ "Statement":[ { @@ -19135,7 +19135,8 @@ "Effect":"Allow", "Resource":[ "arn:aws:ecs:*:*:cluster/*" - ] + ], + "Sid":"Clusters" }, { "Action":[ @@ -19145,17 +19146,26 @@ "Effect":"Allow", "Resource":[ "arn:aws:ecs:*:*:task/*/*" - ] + ], + "Sid":"Tasks" }, { "Action":[ - "ecs:ListTasks", "ecs:UpdateContainerInstancesState" ], "Effect":"Allow", "Resource":[ "arn:aws:ecs:*:*:container-instance/*/*" - ] + ], + "Sid":"ContainerInstances" + }, + { + "Action":[ + "ecs:ListTasks" + ], + "Effect":"Allow", + "Resource":"*", + "Sid":"ListTasks" }, { "Action":"ssm:SendCommand", @@ -19163,7 +19173,8 @@ "Resource":[ "arn:aws:ssm:*:*:managed-instance/*", "arn:aws:ssm:*:*:document/*" - ] + ], + "Sid":"SSMSend" }, { "Action":[ @@ -19171,14 +19182,23 @@ "ssm:CancelCommand" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"SSMList" + }, + { + "Action":[ + "tag:GetResources" + ], + "Effect":"Allow", + "Resource":"*", + "Sid":"TargetResolutionByTags" } ], "Version":"2012-10-17" }, "Path":"/service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-06-01T10:48:27+00:00" + "UpdateDate":"2024-01-25T16:16:02+00:00" }, "AWSFaultInjectionSimulatorEKSAccess":{ "CreateDate":"2022-10-26T20:34:43+00:00", @@ -19232,7 +19252,7 @@ }, "AWSFaultInjectionSimulatorNetworkAccess":{ "CreateDate":"2022-10-26T20:32:50+00:00", - "DefaultVersionId":"v1", + "DefaultVersionId":"v2", "Document":{ "Statement":[ { @@ -19244,7 +19264,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:network-acl/*" + "Resource":"arn:aws:ec2:*:*:network-acl/*", + "Sid":"CreateTagsOnNetworkAcl" }, { "Action":"ec2:CreateNetworkAcl", @@ -19254,7 +19275,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:network-acl/*" + "Resource":"arn:aws:ec2:*:*:network-acl/*", + "Sid":"CreateNetworkAcl" }, { "Action":[ @@ -19270,22 +19292,32 @@ "Resource":[ "arn:aws:ec2:*:*:network-acl/*", "arn:aws:ec2:*:*:vpc/*" - ] + ], + "Sid":"DeleteNetworkAcl" }, { "Action":"ec2:CreateNetworkAcl", "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:vpc/*" + "Resource":"arn:aws:ec2:*:*:vpc/*", + "Sid":"CreateNetworkAclOnVpc" }, { "Action":[ "ec2:DescribeVpcs", "ec2:DescribeManagedPrefixLists", "ec2:DescribeSubnets", - "ec2:DescribeNetworkAcls" + "ec2:DescribeNetworkAcls", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeRouteTables", + "ec2:DescribeTransitGatewayPeeringAttachments", + "ec2:DescribeTransitGatewayAttachments", + "ec2:DescribeTransitGateways" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"VpcActions" }, { "Action":"ec2:ReplaceNetworkAclAssociation", @@ -19293,19 +19325,235 @@ "Resource":[ "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-acl/*" - ] + ], + "Sid":"ReplaceNetworkAclAssociation" }, { "Action":"ec2:GetManagedPrefixListEntries", "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:prefix-list/*" + "Resource":"arn:aws:ec2:*:*:prefix-list/*", + "Sid":"GetManagedPrefixListEntries" + }, + { + "Action":"ec2:CreateRouteTable", + "Condition":{ + "StringEquals":{ + "aws:RequestTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:route-table/*", + "Sid":"CreateRouteTable" + }, + { + "Action":"ec2:CreateRouteTable", + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:vpc/*", + "Sid":"CreateRouteTableOnVpc" + }, + { + "Action":"ec2:CreateTags", + "Condition":{ + "StringEquals":{ + "aws:RequestTag/managedByFIS":"true", + "ec2:CreateAction":"CreateRouteTable" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:route-table/*", + "Sid":"CreateTagsOnRouteTable" + }, + { + "Action":"ec2:CreateTags", + "Condition":{ + "StringEquals":{ + "aws:RequestTag/managedByFIS":"true", + "ec2:CreateAction":"CreateNetworkInterface" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:network-interface/*", + "Sid":"CreateTagsOnNetworkInterface" + }, + { + "Action":"ec2:CreateTags", + "Condition":{ + "StringEquals":{ + "aws:RequestTag/managedByFIS":"true", + "ec2:CreateAction":"CreateManagedPrefixList" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:prefix-list/*", + "Sid":"CreateTagsOnPrefixList" + }, + { + "Action":"ec2:DeleteRouteTable", + "Condition":{ + "StringEquals":{ + "ec2:ResourceTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:route-table/*", + "arn:aws:ec2:*:*:vpc/*" + ], + "Sid":"DeleteRouteTable" + }, + { + "Action":"ec2:CreateRoute", + "Condition":{ + "StringEquals":{ + "ec2:ResourceTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:route-table/*", + "Sid":"CreateRoute" + }, + { + "Action":"ec2:CreateNetworkInterface", + "Condition":{ + "StringEquals":{ + "aws:RequestTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:network-interface/*", + "Sid":"CreateNetworkInterface" + }, + { + "Action":"ec2:CreateNetworkInterface", + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:subnet/*", + "arn:aws:ec2:*:*:security-group/*" + ], + "Sid":"CreateNetworkInterfaceOnSubnet" + }, + { + "Action":"ec2:DeleteNetworkInterface", + "Condition":{ + "StringEquals":{ + "ec2:ResourceTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:network-interface/*", + "Sid":"DeleteNetworkInterface" + }, + { + "Action":"ec2:CreateManagedPrefixList", + "Condition":{ + "StringEquals":{ + "aws:RequestTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:prefix-list/*", + "Sid":"CreateManagedPrefixList" + }, + { + "Action":"ec2:DeleteManagedPrefixList", + "Condition":{ + "StringEquals":{ + "ec2:ResourceTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:prefix-list/*", + "Sid":"DeleteManagedPrefixList" + }, + { + "Action":"ec2:ModifyManagedPrefixList", + "Condition":{ + "StringEquals":{ + "ec2:ResourceTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:prefix-list/*", + "Sid":"ModifyManagedPrefixList" + }, + { + "Action":"ec2:ReplaceRouteTableAssociation", + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:subnet/*", + "arn:aws:ec2:*:*:route-table/*" + ], + "Sid":"ReplaceRouteTableAssociation" + }, + { + "Action":"ec2:AssociateRouteTable", + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:subnet/*", + "arn:aws:ec2:*:*:route-table/*" + ], + "Sid":"AssociateRouteTable" + }, + { + "Action":"ec2:DisassociateRouteTable", + "Condition":{ + "StringEquals":{ + "ec2:ResourceTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:route-table/*" + ], + "Sid":"DisassociateRouteTable" + }, + { + "Action":"ec2:DisassociateRouteTable", + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:subnet/*" + ], + "Sid":"DisassociateRouteTableOnSubnet" + }, + { + "Action":"ec2:ModifyVpcEndpoint", + "Condition":{ + "StringEquals":{ + "ec2:ResourceTag/managedByFIS":"true" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:route-table/*" + ], + "Sid":"ModifyVpcEndpointOnRouteTable" + }, + { + "Action":"ec2:ModifyVpcEndpoint", + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:vpc-endpoint/*" + ], + "Sid":"ModifyVpcEndpoint" + }, + { + "Action":[ + "ec2:DisassociateTransitGatewayRouteTable", + "ec2:AssociateTransitGatewayRouteTable" + ], + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:transit-gateway-route-table/*", + "arn:aws:ec2:*:*:transit-gateway-attachment/*" + ], + "Sid":"TransitGatewayRouteTableAssociation" } ], "Version":"2012-10-17" }, "Path":"/service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2022-10-26T20:32:50+00:00" + "UpdateDate":"2024-01-25T16:07:44+00:00" }, "AWSFaultInjectionSimulatorRDSAccess":{ "CreateDate":"2022-10-26T20:30:57+00:00", @@ -40102,7 +40350,7 @@ }, "AWSTrustedAdvisorServiceRolePolicy":{ "CreateDate":"2018-02-22T21:24:25+00:00", - "DefaultVersionId":"v11", + "DefaultVersionId":"v12", "Document":{ "Statement":[ { @@ -40118,6 +40366,9 @@ "cloudfront:ListDistributions", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", + "cloudtrail:GetTrail", + "cloudtrail:ListTrails", + "cloudtrail:GetEventSelectors", "cloudwatch:GetMetricStatistics", "dynamodb:DescribeLimits", "dynamodb:DescribeTable", @@ -40155,6 +40406,9 @@ "kinesis:DescribeLimits", "kafka:ListClustersV2", "kafka:ListNodes", + "outposts:ListAssets", + "outposts:GetOutpost", + "outposts:ListOutposts", "rds:DescribeAccountAttributes", "rds:DescribeDBClusters", "rds:DescribeDBEngineVersions", @@ -40207,7 +40461,7 @@ }, "Path":"/aws-service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-11-10T00:18:42+00:00" + "UpdateDate":"2024-01-18T16:25:15+00:00" }, "AWSUserNotificationsServiceLinkedRolePolicy":{ "CreateDate":"2023-04-19T13:28:34+00:00", @@ -42474,20 +42728,21 @@ }, "AccessAnalyzerServiceRolePolicy":{ "CreateDate":"2019-12-02T17:13:10+00:00", - "DefaultVersionId":"v11", + "DefaultVersionId":"v12", "Document":{ "Statement":[ { "Action":[ "dynamodb:GetResourcePolicy", - "dynamodb:ListTables", "dynamodb:ListStreams", + "dynamodb:ListTables", "ec2:DescribeAddresses", "ec2:DescribeByoipCidrs", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", + "ec2:GetSnapshotBlockPublicAccessState", "ecr:DescribeRepositories", "ecr:GetRepositoryPolicy", "elasticfilesystem:DescribeFileSystemPolicy", @@ -42566,7 +42821,7 @@ }, "Path":"/aws-service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2024-01-11T20:13:34+00:00" + "UpdateDate":"2024-01-22T22:34:53+00:00" }, "AdministratorAccess":{ "CreateDate":"2015-02-06T18:39:46+00:00", @@ -50972,6 +51227,103 @@ "PermissionsBoundaryUsageCount":0, "UpdateDate":"2020-04-23T19:30:49+00:00" }, + "AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity":{ + "CreateDate":"2024-01-19T20:08:36+00:00", + "DefaultVersionId":"v1", + "Document":{ + "Statement":[ + { + "Action":"secretsmanager:CreateSecret", + "Condition":{ + "ArnLike":{ + "aws:RequestTag/AmazonECSCreated":[ + "arn:aws:ecs:*:*:service/*/*", + "arn:aws:ecs:*:*:task-set/*/*" + ] + }, + "StringEquals":{ + "aws:RequestTag/AmazonECSManaged":"true", + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:secretsmanager:*:*:secret:ecs-sc!*", + "Sid":"CreateSecret" + }, + { + "Action":"secretsmanager:TagResource", + "Condition":{ + "ArnLike":{ + "aws:RequestTag/AmazonECSCreated":[ + "arn:aws:ecs:*:*:service/*/*", + "arn:aws:ecs:*:*:task-set/*/*" + ] + }, + "StringEquals":{ + "aws:RequestTag/AmazonECSManaged":"true", + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:secretsmanager:*:*:secret:ecs-sc!*", + "Sid":"TagOnCreateSecret" + }, + { + "Action":[ + "secretsmanager:DescribeSecret", + "secretsmanager:UpdateSecret", + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue", + "secretsmanager:DeleteSecret", + "secretsmanager:RotateSecret", + "secretsmanager:UpdateSecretVersionStage" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceAccount":"${aws:PrincipalAccount}", + "secretsmanager:ResourceTag/aws:secretsmanager:owningService":"ecs-sc" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:secretsmanager:*:*:secret:ecs-sc!*", + "Sid":"RotateTLSCertificateSecret" + }, + { + "Action":[ + "acm-pca:GetCertificate", + "acm-pca:GetCertificateAuthorityCertificate", + "acm-pca:DescribeCertificateAuthority" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceTag/AmazonECSManaged":"true" + } + }, + "Effect":"Allow", + "Resource":"*", + "Sid":"ManagePrivateCertificateAuthority" + }, + { + "Action":[ + "acm-pca:IssueCertificate" + ], + "Condition":{ + "StringEquals":{ + "acm-pca:TemplateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1", + "aws:ResourceTag/AmazonECSManaged":"true" + } + }, + "Effect":"Allow", + "Resource":"*", + "Sid":"ManagePrivateCertificateAuthorityForIssuingEndEntityCertificate" + } + ], + "Version":"2012-10-17" + }, + "Path":"/service-role/", + "PermissionsBoundaryUsageCount":0, + "UpdateDate":"2024-01-19T20:08:36+00:00" + }, "AmazonECSInfrastructureRolePolicyForVolumes":{ "CreateDate":"2024-01-10T22:56:41+00:00", "DefaultVersionId":"v1", @@ -52704,7 +53056,7 @@ }, "AmazonEMRServerlessServiceRolePolicy":{ "CreateDate":"2022-05-20T23:15:42+00:00", - "DefaultVersionId":"v2", + "DefaultVersionId":"v3", "Document":{ "Statement":[ { @@ -52719,7 +53071,8 @@ "ec2:DescribeRouteTables" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"EC2PolicyStatement" }, { "Action":[ @@ -52736,14 +53089,15 @@ "Effect":"Allow", "Resource":[ "*" - ] + ], + "Sid":"CloudWatchPolicyStatement" } ], "Version":"2012-10-17" }, "Path":"/aws-service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-04-20T15:47:33+00:00" + "UpdateDate":"2024-01-25T18:21:43+00:00" }, "AmazonEMRServicePolicy_v2":{ "CreateDate":"2021-03-12T01:11:08+00:00", @@ -55847,7 +56201,7 @@ }, "AmazonGuardDutyMalwareProtectionServiceRolePolicy":{ "CreateDate":"2022-07-19T19:06:53+00:00", - "DefaultVersionId":"v1", + "DefaultVersionId":"v2", "Document":{ "Statement":[ { @@ -55862,7 +56216,8 @@ "eks:DescribeCluster" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"DescribeAndListPermissions" }, { "Action":"ec2:CreateSnapshot", @@ -55872,7 +56227,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:volume/*" + "Resource":"arn:aws:ec2:*:*:volume/*", + "Sid":"CreateSnapshotVolumeConditionalStatement" }, { "Action":"ec2:CreateSnapshot", @@ -55882,7 +56238,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:snapshot/*" + "Resource":"arn:aws:ec2:*:*:snapshot/*", + "Sid":"CreateSnapshotConditionalStatement" }, { "Action":"ec2:CreateTags", @@ -55892,7 +56249,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:*/*" + "Resource":"arn:aws:ec2:*:*:*/*", + "Sid":"CreateTagsPermission" }, { "Action":"ec2:CreateTags", @@ -55908,7 +56266,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:snapshot/*" + "Resource":"arn:aws:ec2:*:*:snapshot/*", + "Sid":"AddTagsToSnapshotPermission" }, { "Action":[ @@ -55924,7 +56283,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:snapshot/*" + "Resource":"arn:aws:ec2:*:*:snapshot/*", + "Sid":"DeleteAndShareSnapshotPermission" }, { "Action":[ @@ -55936,7 +56296,8 @@ } }, "Effect":"Deny", - "Resource":"arn:aws:ec2:*:*:snapshot/*" + "Resource":"arn:aws:ec2:*:*:snapshot/*", + "Sid":"PreventPublicAccessToSnapshotPermission" }, { "Action":"kms:CreateGrant", @@ -55963,7 +56324,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:kms:*:*:key/*" + "Resource":"arn:aws:kms:*:*:key/*", + "Sid":"CreateGrantPermission" }, { "Action":[ @@ -55979,12 +56341,14 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:kms:*:*:key/*" + "Resource":"arn:aws:kms:*:*:key/*", + "Sid":"ShareSnapshotKMSPermission" }, { "Action":"kms:DescribeKey", "Effect":"Allow", - "Resource":"arn:aws:kms:*:*:key/*" + "Resource":"arn:aws:kms:*:*:key/*", + "Sid":"DescribeKeyPermission" }, { "Action":[ @@ -55993,7 +56357,8 @@ "logs:PutRetentionPolicy" ], "Effect":"Allow", - "Resource":"arn:aws:logs:*:*:log-group:/aws/guardduty/*" + "Resource":"arn:aws:logs:*:*:log-group:/aws/guardduty/*", + "Sid":"GuardDutyLogGroupPermission" }, { "Action":[ @@ -56002,14 +56367,32 @@ "logs:DescribeLogStreams" ], "Effect":"Allow", - "Resource":"arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*" + "Resource":"arn:aws:logs:*:*:log-group:/aws/guardduty/*:log-stream:*", + "Sid":"GuardDutyLogStreamPermission" + }, + { + "Action":[ + "ebs:GetSnapshotBlock", + "ebs:ListSnapshotBlocks" + ], + "Condition":{ + "Null":{ + "aws:ResourceTag/GuardDutyExcluded":"true" + }, + "StringLike":{ + "aws:ResourceTag/GuardDutyScanId":"*" + } + }, + "Effect":"Allow", + "Resource":"arn:aws:ec2:*:*:snapshot/*", + "Sid":"EBSDirectAPIPermissions" } ], "Version":"2012-10-17" }, "Path":"/aws-service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2022-07-19T19:06:53+00:00" + "UpdateDate":"2024-01-25T22:24:00+00:00" }, "AmazonGuardDutyReadOnlyAccess":{ "CreateDate":"2017-11-28T22:29:40+00:00", @@ -56669,6 +57052,29 @@ "PermissionsBoundaryUsageCount":0, "UpdateDate":"2023-08-03T19:28:59+00:00" }, + "AmazonInspector2ManagedCisPolicy":{ + "CreateDate":"2024-01-24T16:31:43+00:00", + "DefaultVersionId":"v1", + "Document":{ + "Statement":[ + { + "Action":[ + "inspector2:StartCisSession", + "inspector2:StopCisSession", + "inspector2:SendCisSessionTelemetry", + "inspector2:SendCisSessionHealth" + ], + "Effect":"Allow", + "Resource":"*", + "Sid":"PermissionsForCISScans" + } + ], + "Version":"2012-10-17" + }, + "Path":"/", + "PermissionsBoundaryUsageCount":0, + "UpdateDate":"2024-01-24T16:31:43+00:00" + }, "AmazonInspector2ReadOnlyAccess":{ "CreateDate":"2022-01-21T14:45:14+00:00", "DefaultVersionId":"v5", @@ -56701,7 +57107,7 @@ }, "AmazonInspector2ServiceRolePolicy":{ "CreateDate":"2021-11-16T20:27:48+00:00", - "DefaultVersionId":"v11", + "DefaultVersionId":"v12", "Document":{ "Statement":[ { @@ -56809,11 +57215,11 @@ ], "Effect":"Allow", "Resource":[ - "arn:*:ec2:*:*:instance/*", - "arn:*:ssm:*:*:document/AmazonInspector2-*", - "arn:*:ssm:*:*:document/AWS-GatherSoftwareInventory", - "arn:*:ssm:*:*:managed-instance/*", - "arn:*:ssm:*:*:association/*" + "arn:aws:ec2:*:*:instance/*", + "arn:aws:ssm:*:*:document/AmazonInspector2-*", + "arn:aws:ssm:*:*:document/AWS-GatherSoftwareInventory", + "arn:aws:ssm:*:*:managed-instance/*", + "arn:aws:ssm:*:*:association/*" ], "Sid":"GatherInventory" }, @@ -56824,7 +57230,7 @@ ], "Effect":"Allow", "Resource":[ - "arn:*:ssm:*:*:resource-data-sync/InspectorResourceDataSync-do-not-delete" + "arn:aws:ssm:*:*:resource-data-sync/InspectorResourceDataSync-do-not-delete" ], "Sid":"DataSyncCleanup" }, @@ -56839,7 +57245,7 @@ ], "Effect":"Allow", "Resource":[ - "arn:*:events:*:*:rule/DO-NOT-DELETE-AmazonInspector*ManagedRule" + "arn:aws:events:*:*:rule/DO-NOT-DELETE-AmazonInspector*ManagedRule" ], "Sid":"ManagedRules" }, @@ -56897,7 +57303,7 @@ }, "Effect":"Allow", "Resource":[ - "arn:*:ssm:*:*:parameter/inspector-aws/service/inspector-linux-application-paths" + "arn:aws:ssm:*:*:parameter/inspector-aws/service/inspector-linux-application-paths" ], "Sid":"Ec2DeepInspection" }, @@ -56913,7 +57319,7 @@ }, "Effect":"Allow", "Resource":[ - "arn:*:cloudtrail:*:*:channel/aws-service-channel/inspector2/*" + "arn:aws:cloudtrail:*:*:channel/aws-service-channel/inspector2/*" ], "Sid":"AllowManagementOfServiceLinkedChannel" }, @@ -56931,13 +57337,54 @@ "*" ], "Sid":"AllowListServiceLinkedChannels" + }, + { + "Action":[ + "ssm:SendCommand", + "ssm:GetCommandInvocation" + ], + "Effect":"Allow", + "Resource":[ + "arn:aws:ssm:*:*:document/AmazonInspector2-InvokeInspectorSsmPluginCIS" + ], + "Sid":"AllowToRunInvokeCisSpecificDocuments" + }, + { + "Action":[ + "ssm:SendCommand" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:ec2:*:*:instance/*" + ], + "Sid":"AllowToRunCisCommandsToSpecificResources" + }, + { + "Action":[ + "cloudwatch:PutMetricData" + ], + "Condition":{ + "StringEquals":{ + "cloudwatch:namespace":"AWS/Inspector2" + } + }, + "Effect":"Allow", + "Resource":[ + "*" + ], + "Sid":"AllowToPutCloudwatchMetricData" } ], "Version":"2012-10-17" }, "Path":"/aws-service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-09-07T13:20:55+00:00" + "UpdateDate":"2024-01-22T14:06:01+00:00" }, "AmazonInspectorFullAccess":{ "CreateDate":"2015-10-07T17:08:04+00:00", @@ -58152,716 +58599,8 @@ "Resource":[ "arn:aws:servicecatalog:*:*:*/*", "arn:aws:catalog:*:*:*/*" - ], - "Sid":"ServiceCatalogActions0" - }, - { - "Action":[ - "ssm:CreateAssociation", - "ssm:DeleteAssociation" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":"launchwizard.amazonaws.com" - } - }, - "Effect":"Allow", - "Resource":[ - "arn:aws:ssm:*:*:document/AWS-ConfigureAWSPackage", - "arn:aws:ssm:*:*:association/*" - ], - "Sid":"SsmActions7" - }, - { - "Action":[ - "elasticfilesystem:UntagResource", - "elasticfilesystem:TagResource" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":"launchwizard.amazonaws.com" - } - }, - "Effect":"Allow", - "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*", - "Sid":"EfsActions1" - }, - { - "Action":[ - "logs:CreateLogStream", - "logs:DeleteLogGroup", - "logs:DescribeLogStreams", - "logs:UntagResource", - "logs:TagResource", - "logs:CreateLogGroup", - "logs:DeleteLogStream", - "logs:PutLogEvents", - "logs:GetLogEvents", - "logs:GetLogDelivery", - "logs:GetLogGroupFields", - "logs:GetLogRecord", - "logs:ListLogDeliveries" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":"launchwizard.amazonaws.com" - } - }, - "Effect":"Allow", - "Resource":[ - "arn:aws:logs:*:*:log-group:LaunchWizard*", - "arn:aws:logs:*:*:log-group:LaunchWizard*:log-stream:*" - ], - "Sid":"LogsActions0" - }, - { - "Action":"logs:DescribeLogGroups", - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":"launchwizard.amazonaws.com" - } - }, - "Effect":"Allow", - "Resource":"*", - "Sid":"LogsActions1" - }, - { - "Action":[ - "fsx:CreateStorageVirtualMachine", - "fsx:CreateVolume" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":[ - "launchwizard.amazonaws.com" - ] - }, - "StringLike":{ - "aws:ResourceTag/aws:cloudformation:stack-id":"arn:aws:cloudformation:*:*:stack/LaunchWizard-*/*" - } - }, - "Effect":"Allow", - "Resource":"*", - "Sid":"FsxActions3" - }, - { - "Action":[ - "fsx:DescribeStorageVirtualMachines", - "fsx:DescribeVolumes" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":[ - "launchwizard.amazonaws.com" - ] - } - }, - "Effect":"Allow", - "Resource":"*", - "Sid":"FsxActions4" - }, - { - "Action":[ - "fsx:DeleteStorageVirtualMachine", - "fsx:DeleteVolume" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":[ - "launchwizard.amazonaws.com" - ] - }, - "StringLike":{ - "aws:ResourceTag/aws:cloudformation:stack-id":"arn:aws:cloudformation:*:*:stack/LaunchWizard-*/*" - } - }, - "Effect":"Allow", - "Resource":[ - "arn:aws:fsx:*:*:storage-virtual-machine/*/*", - "arn:aws:fsx:*:*:backup/*", - "arn:aws:fsx:*:*:volume/*/*" - ], - "Sid":"FsxActions5" - } - ], - "Version":"2012-10-17" - }, - "Path":"/", - "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-09-01T17:14:56+00:00" - }, - "AmazonLaunchWizard_Fullaccess":{ - "CreateDate":"2020-08-06T17:47:30+00:00", - "DefaultVersionId":"v15", - "Document":{ - "Statement":[ - { - "Action":"applicationinsights:*", - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":"resource-groups:List*", - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "route53:ChangeResourceRecordSets", - "route53:GetChange", - "route53:ListResourceRecordSets", - "route53:ListHostedZones", - "route53:ListHostedZonesByName" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "s3:ListAllMyBuckets", - "s3:ListBucket", - "s3:GetBucketLocation" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "kms:ListKeys", - "kms:ListAliases" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "cloudwatch:List*", - "cloudwatch:Get*", - "cloudwatch:Describe*" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateVpc", - "ec2:CreateKeyPair", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSubnet" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "ec2:AllocateAddress", - "ec2:AllocateHosts", - "ec2:AssignPrivateIpAddresses", - "ec2:AssociateAddress", - "ec2:CreateDhcpOptions", - "ec2:CreateEgressOnlyInternetGateway", - "ec2:CreateNetworkInterface", - "ec2:CreateVolume", - "ec2:CreateVpcEndpoint", - "ec2:CreateTags", - "ec2:DeleteTags", - "ec2:RunInstances", - "ec2:StartInstances", - "ec2:ModifyInstanceAttribute", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVolumeAttribute", - "ec2:ModifyVpcAttribute", - "ec2:AssociateDhcpOptions", - "ec2:AssociateSubnetCidrBlock", - "ec2:AttachInternetGateway", - "ec2:AttachNetworkInterface", - "ec2:AttachVolume", - "ec2:DeleteDhcpOptions", - "ec2:DeleteInternetGateway", - "ec2:DeleteKeyPair", - "ec2:DeleteNatGateway", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DeleteVpc", - "ec2:DetachInternetGateway", - "ec2:DetachVolume", - "ec2:DeleteSnapshot", - "ec2:AssociateRouteTable", - "ec2:AssociateVpcCidrBlock", - "ec2:DeleteNetworkAcl", - "ec2:DeleteNetworkInterface", - "ec2:DeleteNetworkInterfacePermission", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSubnet", - "ec2:DetachNetworkInterface", - "ec2:DisassociateAddress", - "ec2:DisassociateVpcCidrBlock", - "ec2:GetLaunchTemplateData", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:ModifyVolume", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:GetConsoleOutput", - "ec2:GetPasswordData", - "ec2:ReleaseAddress", - "ec2:ReplaceRoute", - "ec2:ReplaceRouteTableAssociation", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DisassociateIamInstanceProfile", - "ec2:DisassociateRouteTable", - "ec2:DisassociateSubnetCidrBlock", - "ec2:ModifyInstancePlacement", - "ec2:DeletePlacementGroup", - "ec2:CreatePlacementGroup", - "elasticfilesystem:DeleteFileSystem", - "elasticfilesystem:DeleteMountTarget", - "ds:AddIpRoutes", - "ds:CreateComputer", - "ds:CreateMicrosoftAD", - "ds:DeleteDirectory", - "servicecatalog:AssociateProductWithPortfolio", - "cloudformation:GetTemplateSummary", - "sts:GetCallerIdentity" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":"launchwizard.amazonaws.com" - } - }, - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "cloudformation:DescribeStack*", - "cloudformation:Get*", - "cloudformation:ListStacks", - "cloudformation:SignalResource", - "cloudformation:DeleteStack" - ], - "Effect":"Allow", - "Resource":[ - "arn:aws:cloudformation:*:*:stack/LaunchWizard*/*", - "arn:aws:cloudformation:*:*:stack/ApplicationInsights*/*" - ] - }, - { - "Action":[ - "ec2:StopInstances", - "ec2:TerminateInstances" - ], - "Condition":{ - "StringLike":{ - "ec2:ResourceTag/aws:cloudformation:stack-id":"arn:aws:cloudformation:*:*:stack/LaunchWizard-*/*" - } - }, - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "iam:CreateInstanceProfile", - "iam:DeleteInstanceProfile", - "iam:RemoveRoleFromInstanceProfile", - "iam:AddRoleToInstanceProfile" - ], - "Effect":"Allow", - "Resource":[ - "arn:aws:iam::*:role/service-role/AmazonEC2RoleForLaunchWizard*", - "arn:aws:iam::*:instance-profile/LaunchWizard*" - ] - }, - { - "Action":[ - "iam:PassRole" - ], - "Condition":{ - "StringEqualsIfExists":{ - "iam:PassedToService":[ - "lambda.amazonaws.com", - "ec2.amazonaws.com", - "ec2.amazonaws.com.cn" - ] - } - }, - "Effect":"Allow", - "Resource":[ - "arn:aws:iam::*:role/service-role/AmazonEC2RoleForLaunchWizard*", - "arn:aws:iam::*:role/service-role/AmazonLambdaRoleForLaunchWizard*", - "arn:aws:iam::*:instance-profile/LaunchWizard*" - ] - }, - { - "Action":[ - "autoscaling:AttachInstances", - "autoscaling:CreateAutoScalingGroup", - "autoscaling:CreateLaunchConfiguration", - "autoscaling:DeleteAutoScalingGroup", - "autoscaling:DeleteLaunchConfiguration", - "autoscaling:UpdateAutoScalingGroup", - "autoscaling:CreateOrUpdateTags", - "logs:CreateLogStream", - "logs:DeleteLogGroup", - "logs:DeleteLogStream", - "logs:DescribeLog*", - "logs:PutLogEvents", - "resource-groups:CreateGroup", - "resource-groups:DeleteGroup", - "sns:ListSubscriptionsByTopic", - "sns:Publish", - "ssm:DeleteDocument", - "ssm:DeleteParameter*", - "ssm:DescribeDocument*", - "ssm:GetDocument", - "ssm:PutParameter" - ], - "Effect":"Allow", - "Resource":[ - "arn:aws:resource-groups:*:*:group/LaunchWizard*", - "arn:aws:sns:*:*:*", - "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/LaunchWizard*", - "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/LaunchWizard*", - "arn:aws:ssm:*:*:parameter/LaunchWizard*", - "arn:aws:ssm:*:*:document/LaunchWizard*", - "arn:aws:logs:*:*:log-group:*:*:*", - "arn:aws:logs:*:*:log-group:LaunchWizard*" - ] - }, - { - "Action":[ - "ssm:GetDocument", - "ssm:SendCommand" - ], - "Effect":"Allow", - "Resource":[ - "arn:aws:ssm:*::document/AWS-RunShellScript" - ] - }, - { - "Action":[ - "ssm:SendCommand" - ], - "Condition":{ - "StringLike":{ - "aws:ResourceTag/aws:cloudformation:stack-id":"arn:aws:cloudformation:*:*:stack/LaunchWizard-*/*" - } - }, - "Effect":"Allow", - "Resource":[ - "arn:aws:ec2:*:*:instance/*" - ] - }, - { - "Action":[ - "logs:DeleteLogStream", - "logs:GetLogEvents", - "logs:PutLogEvents", - "ssm:AddTagsToResource", - "ssm:DescribeDocument", - "ssm:GetDocument", - "ssm:ListTagsForResource", - "ssm:RemoveTagsFromResource" - ], - "Effect":"Allow", - "Resource":[ - "arn:aws:logs:*:*:log-group:*:*:*", - "arn:aws:logs:*:*:log-group:LaunchWizard*", - "arn:aws:ssm:*:*:parameter/LaunchWizard*", - "arn:aws:ssm:*:*:document/LaunchWizard*" - ] - }, - { - "Action":[ - "autoscaling:Describe*", - "cloudformation:DescribeAccountLimits", - "cloudformation:DescribeStackDriftDetectionStatus", - "cloudformation:List*", - "cloudformation:ValidateTemplate", - "ds:Describe*", - "ds:ListAuthorizedApplications", - "ec2:Describe*", - "ec2:Get*", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:GetUser", - "iam:GetPolicyVersion", - "iam:GetPolicy", - "iam:List*", - "logs:CreateLogGroup", - "logs:GetLogDelivery", - "logs:GetLogRecord", - "logs:ListLogDeliveries", - "resource-groups:Get*", - "resource-groups:List*", - "servicequotas:GetServiceQuota", - "servicequotas:ListServiceQuotas", - "sns:ListSubscriptions", - "sns:ListTopics", - "ssm:CreateDocument", - "ssm:DescribeAutomation*", - "ssm:DescribeInstanceInformation", - "ssm:DescribeParameters", - "ssm:GetAutomationExecution", - "ssm:GetCommandInvocation", - "ssm:GetParameter*", - "ssm:GetConnectionStatus", - "ssm:ListCommand*", - "ssm:ListDocument*", - "ssm:ListInstanceAssociations", - "ssm:SendAutomationSignal", - "tag:Get*" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "ssm:StartAutomationExecution", - "ssm:StopAutomationExecution" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":"launchwizard.amazonaws.com" - } - }, - "Effect":"Allow", - "Resource":"arn:aws:ssm:*:*:automation-definition/LaunchWizard-*:*" - }, - { - "Action":"logs:GetLog*", - "Effect":"Allow", - "Resource":[ - "arn:aws:logs:*:*:log-group:*:*:*", - "arn:aws:logs:*:*:log-group:LaunchWizard*" - ] - }, - { - "Action":[ - "cloudformation:List*", - "cloudformation:Describe*" - ], - "Effect":"Allow", - "Resource":"arn:aws:cloudformation:*:*:stack/LaunchWizard*/" - }, - { - "Action":[ - "iam:CreateServiceLinkedRole" - ], - "Condition":{ - "StringEquals":{ - "iam:AWSServiceName":[ - "autoscaling.amazonaws.com", - "application-insights.amazonaws.com", - "events.amazonaws.com", - "autoscaling.amazonaws.com.cn", - "events.amazonaws.com.cn" - ] - } - }, - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":"launchwizard:*", - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "sqs:TagQueue", - "sqs:GetQueueUrl", - "sqs:AddPermission", - "sqs:ListQueues", - "sqs:DeleteQueue", - "sqs:GetQueueAttributes", - "sqs:ListQueueTags", - "sqs:CreateQueue", - "sqs:SetQueueAttributes" - ], - "Effect":"Allow", - "Resource":"arn:aws:sqs:*:*:LaunchWizard*" - }, - { - "Action":[ - "cloudwatch:PutMetricAlarm", - "iam:GetInstanceProfile", - "cloudwatch:DeleteAlarms", - "cloudwatch:DescribeAlarms" - ], - "Effect":"Allow", - "Resource":[ - "arn:aws:cloudwatch:*:*:alarm:LaunchWizard*", - "arn:aws:iam::*:instance-profile/LaunchWizard*" - ] - }, - { - "Action":[ - "cloudformation:CreateStack", - "route53:ListHostedZones", - "ec2:CreateSecurityGroup", - "ec2:AuthorizeSecurityGroupIngress", - "elasticfilesystem:DescribeFileSystems", - "elasticfilesystem:CreateFileSystem", - "elasticfilesystem:CreateMountTarget", - "elasticfilesystem:DescribeMountTargets", - "elasticfilesystem:DescribeMountTargetSecurityGroups" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "s3:GetObject", - "s3:PutObject" - ], - "Effect":"Allow", - "Resource":[ - "arn:aws:s3:::launchwizard*", - "arn:aws:s3:::launchwizard*/*", - "arn:aws:s3:::aws-sap-data-provider/config.properties" - ] - }, - { - "Action":"cloudformation:TagResource", - "Condition":{ - "ForAllValues:StringLike":{ - "aws:TagKeys":"LaunchWizard*" - } - }, - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "s3:CreateBucket", - "s3:PutBucketVersioning", - "s3:DeleteBucket", - "lambda:CreateFunction", - "lambda:DeleteFunction", - "lambda:GetFunction", - "lambda:GetFunctionConfiguration", - "lambda:InvokeFunction" - ], - "Effect":"Allow", - "Resource":[ - "arn:aws:lambda:*:*:function:LaunchWizard*", - "arn:aws:s3:::launchwizard*" - ] - }, - { - "Action":[ - "dynamodb:CreateTable", - "dynamodb:DescribeTable", - "dynamodb:DeleteTable" - ], - "Effect":"Allow", - "Resource":"arn:aws:dynamodb:*:*:table/LaunchWizard*" - }, - { - "Action":[ - "secretsmanager:CreateSecret", - "secretsmanager:DeleteSecret", - "secretsmanager:TagResource", - "secretsmanager:UntagResource", - "secretsmanager:PutResourcePolicy", - "secretsmanager:DeleteResourcePolicy", - "secretsmanager:ListSecretVersionIds", - "secretsmanager:GetSecretValue" - ], - "Effect":"Allow", - "Resource":"arn:aws:secretsmanager:*:*:secret:LaunchWizard*" - }, - { - "Action":[ - "secretsmanager:GetRandomPassword", - "secretsmanager:ListSecrets" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "ssm:CreateOpsMetadata" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":"ssm:DeleteOpsMetadata", - "Effect":"Allow", - "Resource":"arn:aws:ssm:*:*:opsmetadata/aws/ssm/LaunchWizard*" - }, - { - "Action":[ - "sns:CreateTopic", - "sns:DeleteTopic", - "sns:Subscribe", - "sns:Unsubscribe" - ], - "Effect":"Allow", - "Resource":"arn:aws:sns:*:*:LaunchWizard*" - }, - { - "Action":[ - "fsx:UntagResource", - "fsx:TagResource", - "fsx:DeleteFileSystem", - "fsx:ListTagsForResource" - ], - "Condition":{ - "StringLike":{ - "aws:ResourceTag/Name":"LaunchWizard*" - } - }, - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "fsx:CreateFileSystem" - ], - "Condition":{ - "StringLike":{ - "aws:RequestTag/Name":[ - "LaunchWizard*" - ] - } - }, - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "fsx:DescribeFileSystems" - ], - "Effect":"Allow", - "Resource":"*" - }, - { - "Action":[ - "servicecatalog:CreatePortfolio", - "servicecatalog:DescribePortfolio", - "servicecatalog:CreateConstraint", - "servicecatalog:CreateProduct", - "servicecatalog:AssociatePrincipalWithPortfolio", - "servicecatalog:CreateProvisioningArtifact", - "servicecatalog:TagResource", - "servicecatalog:UntagResource" - ], - "Condition":{ - "ForAnyValue:StringEquals":{ - "aws:CalledVia":"launchwizard.amazonaws.com" - } - }, - "Effect":"Allow", - "Resource":[ - "arn:aws:servicecatalog:*:*:*/*", - "arn:aws:catalog:*:*:*/*" - ] + ], + "Sid":"ServiceCatalogActions0" }, { "Action":[ @@ -58874,8 +58613,11 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:ssm:*:*:document/AWS-ConfigureAWSPackage", - "Sid":"VisualEditor0" + "Resource":[ + "arn:aws:ssm:*:*:document/AWS-ConfigureAWSPackage", + "arn:aws:ssm:*:*:association/*" + ], + "Sid":"SsmActions7" }, { "Action":[ @@ -58888,12 +58630,24 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*" + "Resource":"arn:aws:elasticfilesystem:*:*:file-system/*", + "Sid":"EfsActions1" }, { "Action":[ + "logs:CreateLogStream", + "logs:DeleteLogGroup", + "logs:DescribeLogStreams", + "logs:UntagResource", "logs:TagResource", - "logs:UntagResource" + "logs:CreateLogGroup", + "logs:DeleteLogStream", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogDelivery", + "logs:GetLogGroupFields", + "logs:GetLogRecord", + "logs:ListLogDeliveries" ], "Condition":{ "ForAnyValue:StringEquals":{ @@ -58901,14 +58655,87 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:logs:*:*:log-group:LaunchWizard*" + "Resource":[ + "arn:aws:logs:*:*:log-group:LaunchWizard*", + "arn:aws:logs:*:*:log-group:LaunchWizard*:log-stream:*" + ], + "Sid":"LogsActions0" + }, + { + "Action":"logs:DescribeLogGroups", + "Condition":{ + "ForAnyValue:StringEquals":{ + "aws:CalledVia":"launchwizard.amazonaws.com" + } + }, + "Effect":"Allow", + "Resource":"*", + "Sid":"LogsActions1" + }, + { + "Action":[ + "fsx:CreateStorageVirtualMachine", + "fsx:CreateVolume" + ], + "Condition":{ + "ForAnyValue:StringEquals":{ + "aws:CalledVia":[ + "launchwizard.amazonaws.com" + ] + }, + "StringLike":{ + "aws:ResourceTag/aws:cloudformation:stack-id":"arn:aws:cloudformation:*:*:stack/LaunchWizard-*/*" + } + }, + "Effect":"Allow", + "Resource":"*", + "Sid":"FsxActions3" + }, + { + "Action":[ + "fsx:DescribeStorageVirtualMachines", + "fsx:DescribeVolumes" + ], + "Condition":{ + "ForAnyValue:StringEquals":{ + "aws:CalledVia":[ + "launchwizard.amazonaws.com" + ] + } + }, + "Effect":"Allow", + "Resource":"*", + "Sid":"FsxActions4" + }, + { + "Action":[ + "fsx:DeleteStorageVirtualMachine", + "fsx:DeleteVolume" + ], + "Condition":{ + "ForAnyValue:StringEquals":{ + "aws:CalledVia":[ + "launchwizard.amazonaws.com" + ] + }, + "StringLike":{ + "aws:ResourceTag/aws:cloudformation:stack-id":"arn:aws:cloudformation:*:*:stack/LaunchWizard-*/*" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:fsx:*:*:storage-virtual-machine/*/*", + "arn:aws:fsx:*:*:backup/*", + "arn:aws:fsx:*:*:volume/*/*" + ], + "Sid":"FsxActions5" } ], "Version":"2012-10-17" }, "Path":"/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-02-22T17:25:14+00:00" + "UpdateDate":"2023-09-01T17:14:56+00:00" }, "AmazonLexChannelsAccess":{ "CreateDate":"2021-01-13T20:12:46+00:00", @@ -59170,6 +58997,102 @@ "PermissionsBoundaryUsageCount":0, "UpdateDate":"2023-01-31T19:31:41+00:00" }, + "AmazonLexReplicationPolicy":{ + "CreateDate":"2024-01-31T23:29:42+00:00", + "DefaultVersionId":"v1", + "Document":{ + "Statement":[ + { + "Action":[ + "lex:BuildBotLocale", + "lex:ListBotLocales", + "lex:CreateBotAlias", + "lex:UpdateBotAlias", + "lex:DeleteBotAlias", + "lex:DescribeBotAlias", + "lex:CreateBotVersion", + "lex:DeleteBotVersion", + "lex:DescribeBotVersion", + "lex:CreateExport", + "lex:DescribeBot", + "lex:UpdateExport", + "lex:DescribeExport", + "lex:DescribeBotLocale", + "lex:DescribeIntent", + "lex:ListIntents", + "lex:DescribeSlotType", + "lex:ListSlotTypes", + "lex:DescribeSlot", + "lex:ListSlots", + "lex:DescribeCustomVocabulary", + "lex:StartImport", + "lex:DescribeImport", + "lex:CreateBot", + "lex:UpdateBot", + "lex:DeleteBot", + "lex:CreateBotLocale", + "lex:UpdateBotLocale", + "lex:DeleteBotLocale", + "lex:CreateIntent", + "lex:UpdateIntent", + "lex:DeleteIntent", + "lex:CreateSlotType", + "lex:UpdateSlotType", + "lex:DeleteSlotType", + "lex:CreateSlot", + "lex:UpdateSlot", + "lex:DeleteSlot", + "lex:CreateCustomVocabulary", + "lex:UpdateCustomVocabulary", + "lex:DeleteCustomVocabulary", + "lex:DeleteBotChannel" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:lex:*:*:bot/*", + "arn:aws:lex:*:*:bot-alias/*" + ], + "Sid":"ReplicationServicePolicyStatement1" + }, + { + "Action":[ + "lex:CreateUploadUrl", + "lex:ListBots" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":"*", + "Sid":"ReplicationServicePolicyStatement2" + }, + { + "Action":[ + "iam:PassRole" + ], + "Condition":{ + "StringEquals":{ + "iam:PassedToService":"lexv2.amazonaws.com" + } + }, + "Effect":"Allow", + "Resource":"*", + "Sid":"ReplicationServicePolicyStatement3" + } + ], + "Version":"2012-10-17" + }, + "Path":"/aws-service-role/", + "PermissionsBoundaryUsageCount":0, + "UpdateDate":"2024-01-31T23:29:42+00:00" + }, "AmazonLexRunBotsOnly":{ "CreateDate":"2017-04-11T23:06:24+00:00", "DefaultVersionId":"v3", @@ -64258,7 +64181,7 @@ }, "AmazonRDSServiceRolePolicy":{ "CreateDate":"2018-01-08T18:17:46+00:00", - "DefaultVersionId":"v12", + "DefaultVersionId":"v13", "Document":{ "Statement":[ { @@ -64266,7 +64189,8 @@ "rds:CrossRegionCommunication" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"CrossRegionCommunication" }, { "Action":[ @@ -64305,14 +64229,16 @@ "ec2:UnassignPrivateIpAddresses" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"Ec2" }, { "Action":[ "sns:Publish" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"Sns" }, { "Action":[ @@ -64323,7 +64249,8 @@ "arn:aws:logs:*:*:log-group:/aws/rds/*", "arn:aws:logs:*:*:log-group:/aws/docdb/*", "arn:aws:logs:*:*:log-group:/aws/neptune/*" - ] + ], + "Sid":"CloudWatchLogs" }, { "Action":[ @@ -64336,7 +64263,8 @@ "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*", "arn:aws:logs:*:*:log-group:/aws/docdb/*:log-stream:*", "arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*" - ] + ], + "Sid":"CloudWatchStreams" }, { "Action":[ @@ -64352,7 +64280,8 @@ "Effect":"Allow", "Resource":[ "arn:aws:kinesis:*:*:stream/aws-rds-das-*" - ] + ], + "Sid":"Kinesis" }, { "Action":[ @@ -64369,14 +64298,16 @@ } }, "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"CloudWatch" }, { "Action":[ "secretsmanager:GetRandomPassword" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"SecretsManagerPassword" }, { "Action":[ @@ -64396,7 +64327,8 @@ "Effect":"Allow", "Resource":[ "arn:aws:secretsmanager:*:*:secret:rds!*" - ] + ], + "Sid":"SecretsManagerSecret" }, { "Action":"secretsmanager:TagResource", @@ -64412,14 +64344,15 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:secretsmanager:*:*:secret:rds!*" + "Resource":"arn:aws:secretsmanager:*:*:secret:rds!*", + "Sid":"SecretsManagerTags" } ], "Version":"2012-10-17" }, "Path":"/aws-service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2022-12-13T16:24:27+00:00" + "UpdateDate":"2024-01-19T15:10:09+00:00" }, "AmazonRedshiftAllCommandsFullAccess":{ "CreateDate":"2021-11-04T00:48:08+00:00", @@ -68222,7 +68155,7 @@ }, "AmazonSageMakerCanvasFullAccess":{ "CreateDate":"2022-09-09T00:44:25+00:00", - "DefaultVersionId":"v8", + "DefaultVersionId":"v9", "Document":{ "Statement":[ { @@ -68231,7 +68164,8 @@ "sagemaker:DescribeUserProfile", "sagemaker:ListTags", "sagemaker:ListModelPackages", - "sagemaker:ListModelPackageGroups" + "sagemaker:ListModelPackageGroups", + "sagemaker:ListEndpoints" ], "Effect":"Allow", "Resource":"*", @@ -68564,7 +68498,7 @@ }, "Path":"/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-12-09T00:58:33+00:00" + "UpdateDate":"2024-01-24T22:01:20+00:00" }, "AmazonSageMakerClusterInstanceRolePolicy":{ "CreateDate":"2023-11-29T15:11:26+00:00", @@ -72230,6 +72164,90 @@ "PermissionsBoundaryUsageCount":0, "UpdateDate":"2023-05-30T22:04:10+00:00" }, + "AmazonSecurityLakeMetastoreManager":{ + "CreateDate":"2024-01-23T15:26:57+00:00", + "DefaultVersionId":"v1", + "Document":{ + "Statement":[ + { + "Action":[ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:CreateLogGroup" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:logs:*:*:log-group:/aws/lambda/AmazonSecurityLake*", + "arn:aws:logs:*:*:/aws/lambda/AmazonSecurityLake*" + ], + "Sid":"AllowWriteLambdaLogs" + }, + { + "Action":[ + "glue:CreatePartition", + "glue:BatchCreatePartition", + "glue:GetTable", + "glue:UpdateTable" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:glue:*:*:table/amazon_security_lake_glue_db*/*", + "arn:aws:glue:*:*:database/amazon_security_lake_glue_db*", + "arn:aws:glue:*:*:catalog" + ], + "Sid":"AllowGlueManage" + }, + { + "Action":[ + "sqs:ReceiveMessage", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:sqs:*:*:AmazonSecurityLake*" + ], + "Sid":"AllowToReadFromSqs" + }, + { + "Action":[ + "s3:ListBucket", + "s3:PutObject", + "s3:GetObject" + ], + "Condition":{ + "StringEquals":{ + "aws:ResourceAccount":"${aws:PrincipalAccount}" + } + }, + "Effect":"Allow", + "Resource":[ + "arn:aws:s3:::aws-security-data-lake*" + ], + "Sid":"AllowMetaDataReadWrite" + } + ], + "Version":"2012-10-17" + }, + "Path":"/service-role/", + "PermissionsBoundaryUsageCount":0, + "UpdateDate":"2024-01-23T15:26:57+00:00" + }, "AmazonSecurityLakePermissionsBoundary":{ "CreateDate":"2022-11-29T14:11:12+00:00", "DefaultVersionId":"v1", @@ -81432,7 +81450,7 @@ }, "NeptuneFullAccess":{ "CreateDate":"2018-05-30T19:17:31+00:00", - "DefaultVersionId":"v6", + "DefaultVersionId":"v7", "Document":{ "Statement":[ { @@ -81451,7 +81469,8 @@ "Effect":"Allow", "Resource":[ "arn:aws:rds:*:*:*" - ] + ], + "Sid":"AllowNeptuneCreate" }, { "Action":[ @@ -81532,7 +81551,8 @@ "Effect":"Allow", "Resource":[ "*" - ] + ], + "Sid":"AllowManagementPermissionsForRDS" }, { "Action":[ @@ -81557,7 +81577,8 @@ "Effect":"Allow", "Resource":[ "*" - ] + ], + "Sid":"AllowOtherDepedentPermissions" }, { "Action":"iam:PassRole", @@ -81567,7 +81588,8 @@ } }, "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"AllowPassRoleForNeptune" }, { "Action":"iam:CreateServiceLinkedRole", @@ -81577,7 +81599,8 @@ } }, "Effect":"Allow", - "Resource":"arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS" + "Resource":"arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", + "Sid":"AllowCreateSLRForNeptune" }, { "Action":[ @@ -81586,14 +81609,15 @@ "Effect":"Allow", "Resource":[ "*" - ] + ], + "Sid":"AllowDataAccessForNeptune" } ], "Version":"2012-10-17" }, "Path":"/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2022-07-28T19:58:27+00:00" + "UpdateDate":"2024-01-22T16:32:31+00:00" }, "NeptuneGraphReadOnlyAccess":{ "CreateDate":"2023-11-30T07:32:17+00:00", @@ -81662,7 +81686,7 @@ }, "NeptuneReadOnlyAccess":{ "CreateDate":"2018-05-30T19:16:37+00:00", - "DefaultVersionId":"v2", + "DefaultVersionId":"v3", "Document":{ "Statement":[ { @@ -81690,7 +81714,8 @@ "rds:ListTagsForResource" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"AllowReadOnlyPermissionsForRDS" }, { "Action":[ @@ -81698,7 +81723,8 @@ "cloudwatch:ListMetrics" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"AllowReadOnlyPermissionsForCloudwatch" }, { "Action":[ @@ -81711,7 +81737,8 @@ "ec2:DescribeVpcs" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"AllowReadOnlyPermissionsForEC2" }, { "Action":[ @@ -81721,7 +81748,8 @@ "kms:ListKeyPolicies" ], "Effect":"Allow", - "Resource":"*" + "Resource":"*", + "Sid":"AllowReadOnlyPermissionsForKMS" }, { "Action":[ @@ -81732,7 +81760,8 @@ "Resource":[ "arn:aws:logs:*:*:log-group:/aws/rds/*:log-stream:*", "arn:aws:logs:*:*:log-group:/aws/neptune/*:log-stream:*" - ] + ], + "Sid":"AllowReadOnlyPermissionsForLogs" }, { "Action":[ @@ -81743,14 +81772,15 @@ "Effect":"Allow", "Resource":[ "*" - ] + ], + "Sid":"AllowReadOnlyPermissionsForNeptuneDB" } ], "Version":"2012-10-17" }, "Path":"/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2022-08-03T18:53:32+00:00" + "UpdateDate":"2024-01-22T16:33:46+00:00" }, "NetworkAdministrator":{ "CreateDate":"2016-11-10T17:31:35+00:00", @@ -82664,7 +82694,7 @@ }, "ROSAInstallerPolicy":{ "CreateDate":"2023-06-06T21:00:31+00:00", - "DefaultVersionId":"v1", + "DefaultVersionId":"v2", "Document":{ "Statement":[ { @@ -82684,8 +82714,11 @@ "ec2:DescribeInstanceTypeOfferings", "elasticloadbalancing:DescribeAccountLimits", "elasticloadbalancing:DescribeLoadBalancers", + "iam:GetOpenIDConnectProvider", "iam:GetRole", + "route53:GetHostedZone", "route53:ListHostedZones", + "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", "route53:GetAccountLimit", "servicequotas:GetServiceQuota" @@ -82973,7 +83006,7 @@ }, "Path":"/service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-06-06T21:00:31+00:00" + "UpdateDate":"2024-01-26T21:04:47+00:00" }, "ROSAKMSProviderPolicy":{ "CreateDate":"2023-04-27T20:10:20+00:00", @@ -83479,7 +83512,7 @@ }, "ROSASRESupportPolicy":{ "CreateDate":"2023-06-01T14:36:06+00:00", - "DefaultVersionId":"v1", + "DefaultVersionId":"v2", "Document":{ "Statement":[ { @@ -83621,7 +83654,7 @@ "ec2:DescribeStaleSecurityGroups" ], "Effect":"Allow", - "Resource":"arn:aws:ec2:*:*:security-group*/*", + "Resource":"*", "Sid":"DescribeSecurityGroups" }, { @@ -83686,7 +83719,7 @@ }, "Path":"/service-role/", "PermissionsBoundaryUsageCount":0, - "UpdateDate":"2023-06-01T14:36:06+00:00" + "UpdateDate":"2024-01-22T22:46:40+00:00" }, "ROSAWorkerInstancePolicy":{ "CreateDate":"2023-04-20T22:35:32+00:00",