Updates AWS managed policies

udondan · Sep 20, 2024 · f7daa52 · f7daa52
1 parent 0d3fd8f
commit f7daa52
Show file tree

Hide file tree

Showing 46 changed files with 1,034 additions and 72 deletions.
diff --git a/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json b/docs/source/_static/managed-policies/AWSCompromisedKeyQuarantineV3.json
@@ -0,0 +1,73 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Deny",
+      "Action": [
+        "cloudtrail:LookupEvents",
+        "ec2:RequestSpotInstances",
+        "ec2:RunInstances",
+        "ec2:StartInstances",
+        "iam:AddUserToGroup",
+        "iam:AttachGroupPolicy",
+        "iam:AttachRolePolicy",
+        "iam:AttachUserPolicy",
+        "iam:ChangePassword",
+        "iam:CreateAccessKey",
+        "iam:CreateInstanceProfile",
+        "iam:CreateLoginProfile",
+        "iam:CreatePolicyVersion",
+        "iam:CreateRole",
+        "iam:CreateUser",
+        "iam:DetachUserPolicy",
+        "iam:PassRole",
+        "iam:PutGroupPolicy",
+        "iam:PutRolePolicy",
+        "iam:PutUserPermissionsBoundary",
+        "iam:PutUserPolicy",
+        "iam:SetDefaultPolicyVersion",
+        "iam:UpdateAccessKey",
+        "iam:UpdateAccountPasswordPolicy",
+        "iam:UpdateAssumeRolePolicy",
+        "iam:UpdateLoginProfile",
+        "iam:UpdateUser",
+        "lambda:AddLayerVersionPermission",
+        "lambda:AddPermission",
+        "lambda:CreateFunction",
+        "lambda:GetPolicy",
+        "lambda:ListTags",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:UpdateFunctionCode",
+        "lightsail:Create*",
+        "lightsail:Delete*",
+        "lightsail:DownloadDefaultKeyPair",
+        "lightsail:GetInstanceAccessDetails",
+        "lightsail:Start*",
+        "lightsail:Update*",
+        "organizations:CreateAccount",
+        "organizations:CreateOrganization",
+        "organizations:InviteAccountToOrganization",
+        "s3:DeleteBucket",
+        "s3:DeleteObject",
+        "s3:DeleteObjectVersion",
+        "s3:PutLifecycleConfiguration",
+        "s3:PutBucketAcl",
+        "s3:PutBucketOwnershipControls",
+        "s3:DeleteBucketPolicy",
+        "s3:ObjectOwnerOverrideToBucketOwner",
+        "s3:PutAccountPublicAccessBlock",
+        "s3:PutBucketPolicy",
+        "s3:ListAllMyBuckets",
+        "ec2:PurchaseReservedInstancesOffering",
+        "ec2:AcceptReservedInstancesExchangeQuote",
+        "ec2:CreateReservedInstancesListing",
+        "savingsplans:CreateSavingsPlan"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
diff --git a/docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSConfigServiceRolePolicy.json
@@ -29,6 +29,18 @@
         "amplifyuibuilder:ExportThemes",
         "amplifyuibuilder:GetTheme",
         "amplifyuibuilder:ListThemes",
+        "aoss:BatchGetCollection",
+        "aoss:BatchGetLifecyclePolicy",
+        "aoss:BatchGetVpcEndpoint",
+        "aoss:GetAccessPolicy",
+        "aoss:GetSecurityConfig",
+        "aoss:GetSecurityPolicy",
+        "aoss:ListAccessPolicies",
+        "aoss:ListCollections",
+        "aoss:ListLifecyclePolicies",
+        "aoss:ListSecurityConfigs",
+        "aoss:ListSecurityPolicies",
+        "aoss:ListVpcEndpoints",
         "app-integrations:GetEventIntegration",
         "app-integrations:ListEventIntegrationAssociations",
         "app-integrations:ListEventIntegrations",
@@ -73,6 +85,7 @@
         "apprunner:ListServices",
         "apprunner:ListTagsForResource",
         "apprunner:ListVpcConnectors",
+        "appstream:DescribeAppBlockBuilders",
         "appstream:DescribeApplications",
         "appstream:DescribeDirectoryConfigs",
         "appstream:DescribeFleets",
@@ -119,12 +132,16 @@
         "backup:GetBackupSelection",
         "backup:GetBackupVaultAccessPolicy",
         "backup:GetBackupVaultNotifications",
+        "backup:GetRestoreTestingPlan",
+        "backup:GetRestoreTestingSelection",
         "backup:ListBackupPlans",
         "backup:ListBackupSelections",
         "backup:ListBackupVaults",
         "backup:ListFrameworks",
         "backup:ListRecoveryPointsByBackupVault",
         "backup:ListReportPlans",
+        "backup:ListRestoreTestingPlans",
+        "backup:ListRestoreTestingSelections",
         "backup:ListTags",
         "batch:DescribeComputeEnvironments",
         "batch:DescribeJobQueues",
@@ -164,9 +181,11 @@
         "cloudfront:ListResponseHeadersPolicies",
         "cloudfront:ListTagsForResource",
         "cloudtrail:DescribeTrails",
+        "cloudTrail:GetChannel",
         "cloudtrail:GetEventDataStore",
         "cloudtrail:GetEventSelectors",
         "cloudtrail:GetTrailStatus",
+        "cloudTrail:ListChannels",
         "cloudtrail:ListEventDataStores",
         "cloudtrail:ListTags",
         "cloudtrail:ListTrails",
@@ -544,11 +563,13 @@
         "glue:GetSecurityConfigurations",
         "glue:GetTable",
         "glue:GetTags",
+        "glue:GetTrigger",
         "glue:GetWorkflow",
         "glue:ListCrawlers",
         "glue:ListDevEndpoints",
         "glue:ListJobs",
         "glue:ListMLTransforms",
+        "glue:ListTriggers",
         "glue:ListWorkflows",
         "grafana:DescribeWorkspace",
         "grafana:DescribeWorkspaceAuthentication",
@@ -633,6 +654,7 @@
         "imagebuilder:GetImagePipeline",
         "imagebuilder:GetImageRecipe",
         "imagebuilder:GetInfrastructureConfiguration",
+        "imagebuilder:GetLifecyclePolicy",
         "imagebuilder:ListComponentBuildVersions",
         "imagebuilder:ListComponents",
         "imagebuilder:ListContainerRecipes",
@@ -642,12 +664,14 @@
         "imagebuilder:ListImageRecipes",
         "imagebuilder:ListImages",
         "imagebuilder:ListInfrastructureConfigurations",
+        "imagebuilder:ListLifecyclePolicies",
         "inspector2:BatchGetAccountStatus",
         "inspector2:GetDelegatedAdminAccount",
         "inspector2:ListFilters",
         "inspector2:ListMembers",
         "iot:DescribeAccountAuditConfiguration",
         "iot:DescribeAuthorizer",
+        "iot:DescribeBillingGroup",
         "iot:DescribeCACertificate",
         "iot:DescribeCertificate",
         "iot:DescribeCustomMetric",
@@ -664,6 +688,7 @@
         "iot:GetTopicRule",
         "iot:GetTopicRuleDestination",
         "iot:ListAuthorizers",
+        "iot:ListBillingGroups",
         "iot:ListCACertificates",
         "iot:ListCertificates",
         "iot:ListCustomMetrics",
@@ -739,12 +764,20 @@
         "iotwireless:ListWirelessDevices",
         "iotwireless:ListWirelessGatewayTaskDefinitions",
         "ivs:GetChannel",
+        "ivs:GetEncoderConfiguration",
         "ivs:GetPlaybackKeyPair",
+        "ivs:GetPlaybackRestrictionPolicy",
         "ivs:GetRecordingConfiguration",
+        "ivs:GetStage",
+        "ivs:GetStorageConfiguration",
         "ivs:GetStreamKey",
         "ivs:ListChannels",
+        "ivs:ListEncoderConfigurations",
         "ivs:ListPlaybackKeyPairs",
+        "ivs:ListPlaybackRestrictionPolicies",
         "ivs:ListRecordingConfigurations",
+        "ivs:ListStages",
+        "ivs:ListStorageConfigurations",
         "ivs:ListStreamKeys",
         "ivs:ListTagsForResource",
         "kafka:DescribeCluster",
@@ -867,16 +900,28 @@
         "managedblockchain:ListInvitations",
         "managedblockchain:ListMembers",
         "managedblockchain:ListNodes",
+        "mediaconnect:DescribeBridge",
         "mediaconnect:DescribeFlow",
+        "mediaconnect:DescribeGateway",
+        "mediaconnect:ListBridges",
         "mediaconnect:ListFlows",
+        "mediaconnect:ListGateways",
         "mediaconnect:ListTagsForResource",
         "mediapackage-vod:DescribePackagingConfiguration",
         "mediapackage-vod:DescribePackagingGroup",
         "mediapackage-vod:ListPackagingConfigurations",
         "mediapackage-vod:ListPackagingGroups",
         "mediapackage-vod:ListTagsForResource",
+        "mediatailor:DescribeChannel",
+        "mediatailor:DescribeLiveSource",
+        "mediatailor:DescribeSourceLocation",
+        "mediatailor:DescribeVodSource",
         "mediatailor:GetPlaybackConfiguration",
+        "mediatailor:ListChannels",
+        "mediatailor:ListLiveSources",
         "mediatailor:ListPlaybackConfigurations",
+        "mediatailor:ListSourceLocations",
+        "mediatailor:ListVodSources",
         "memorydb:DescribeAcls",
         "memorydb:DescribeClusters",
         "memorydb:DescribeParameterGroups",
@@ -920,6 +965,8 @@
         "nimble:ListStreamingImages",
         "nimble:ListStudioComponents",
         "nimble:ListStudios",
+        "omics:GetWorkflow",
+        "omics:ListWorkflows",
         "opsworks:DescribeInstances",
         "opsworks:DescribeLayers",
         "opsworks:DescribeTimeBasedAutoScaling",
@@ -1204,6 +1251,8 @@
         "sagemaker:ListProjects",
         "sagemaker:ListTags",
         "sagemaker:ListWorkteams",
+        "scheduler:GetSchedule",
+        "scheduler:ListSchedules",
         "schemas:DescribeDiscoverer",
         "schemas:DescribeRegistry",
         "schemas:DescribeSchema",
@@ -1254,6 +1303,7 @@
         "sqs:GetQueueAttributes",
         "sqs:ListQueues",
         "sqs:ListQueueTags",
+        "ssm-sap:ListTagsForResource",
         "ssm:DescribeAutomationExecutions",
         "ssm:DescribeDocument",
         "ssm:DescribeDocumentPermission",
@@ -1262,7 +1312,6 @@
         "ssm:GetDocument",
         "ssm:ListDocuments",
         "ssm:ListTagsForResource",
-        "ssm-sap:ListTagsForResource",
         "sso:DescribeInstanceAccessControlAttributeConfiguration",
         "sso:DescribePermissionSet",
         "sso:GetInlinePolicyForPermissionSet",

diff --git a/docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json b/docs/source/_static/managed-policies/AWSDataExchangeProviderFullAccess.json
@@ -2,6 +2,7 @@
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "DataExchangeActions",
       "Effect": "Allow",
       "Action": [
         "dataexchange:CreateDataSet",
@@ -16,12 +17,14 @@
         "dataexchange:PublishDataSet",
         "dataexchange:SendApiAsset",
         "dataexchange:RevokeRevision",
+        "dataexchange:SendDataSetNotification",
         "tag:GetTagKeys",
         "tag:GetTagValues"
       ],
       "Resource": "*"
     },
     {
+      "Sid": "DataExchangeJobsActions",
       "Effect": "Allow",
       "Action": [
         "dataexchange:CreateJob",
@@ -43,6 +46,7 @@
       }
     },
     {
+      "Sid": "S3GetActionConditionalResourceAndADX",
       "Effect": "Allow",
       "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::*aws-data-exchange*",
@@ -55,6 +59,7 @@
       }
     },
     {
+      "Sid": "S3GetActionConditionalTagAndADX",
       "Effect": "Allow",
       "Action": "s3:GetObject",
       "Resource": "*",
@@ -70,6 +75,7 @@
       }
     },
     {
+      "Sid": "S3WriteActions",
       "Effect": "Allow",
       "Action": [
         "s3:PutObject",
@@ -85,6 +91,7 @@
       }
     },
     {
+      "Sid": "S3ReadActions",
       "Effect": "Allow",
       "Action": [
         "s3:GetBucketLocation",
@@ -94,6 +101,7 @@
       "Resource": "*"
     },
     {
+      "Sid": "AWSMarketplaceActions",
       "Effect": "Allow",
       "Action": [
         "aws-marketplace:DescribeEntity",
@@ -113,6 +121,7 @@
       "Resource": "*"
     },
     {
+      "Sid": "KMSActions",
       "Effect": "Allow",
       "Action": [
         "kms:DescribeKey",
@@ -122,6 +131,7 @@
       "Resource": "*"
     },
     {
+      "Sid": "RedshiftConditionalActions",
       "Effect": "Allow",
       "Action": [
         "redshift:AuthorizeDataShare"
@@ -134,6 +144,7 @@
       }
     },
     {
+      "Sid": "RedshiftActions",
       "Effect": "Allow",
       "Action": [
         "redshift:DescribeDataSharesForProducer",
@@ -142,6 +153,7 @@
       "Resource": "*"
     },
     {
+      "Sid": "APIGatewayActions",
       "Effect": "Allow",
       "Action": [
         "apigateway:GET"

diff --git a/docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json b/docs/source/_static/managed-policies/AWSDirectoryServiceDataFullAccess.json
@@ -0,0 +1,32 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "DSDataFullAccess",
+      "Effect": "Allow",
+      "Action": [
+        "ds:AccessDSData",
+        "ds-data:AddGroupMember",
+        "ds-data:CreateGroup",
+        "ds-data:CreateUser",
+        "ds-data:DeleteGroup",
+        "ds-data:DeleteUser",
+        "ds-data:DescribeGroup",
+        "ds-data:DescribeUser",
+        "ds-data:DisableUser",
+        "ds-data:ListGroupMembers",
+        "ds-data:ListGroups",
+        "ds-data:ListGroupsForMember",
+        "ds-data:ListUsers",
+        "ds-data:RemoveGroupMember",
+        "ds-data:SearchGroups",
+        "ds-data:SearchUsers",
+        "ds-data:UpdateGroup",
+        "ds-data:UpdateUser"
+      ],
+      "Resource": [
+        "arn:aws:ds:*:*:directory/*"
+      ]
+    }
+  ]
+}