Updates AWS managed policies

udondan · Aug 15, 2024 · 1f93f67 · 1f93f67
1 parent 6d0d582
commit 1f93f67
Show file tree

Hide file tree

Showing 19 changed files with 285 additions and 26 deletions.
diff --git a/docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json b/docs/source/_static/managed-policies/AWSSSMForSAPServiceLinkedRolePolicy.json
@@ -117,7 +117,7 @@
       "Sid": "CreateServiceLinkedRole",
       "Effect": "Allow",
       "Action": "iam:CreateServiceLinkedRole",
-      "Resource": "arn:*:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry",
+      "Resource": "arn:aws:iam::*:role/aws-service-role/servicecatalog-appregistry.amazonaws.com/AWSServiceRoleForAWSServiceCatalogAppRegistry",
       "Condition": {
         "StringEquals": {
           "iam:AWSServiceName": "servicecatalog-appregistry.amazonaws.com"
@@ -271,6 +271,64 @@
           "ec2:resourceTag/SSMForSAPManaged": "True"
         }
       }
+    },
+    {
+      "Sid": "SsmSapResourceGroup",
+      "Effect": "Allow",
+      "Action": [
+        "resource-groups:Tag",
+        "resource-groups:CreateGroup"
+      ],
+      "Resource": "arn:aws:resource-groups:*:*:group/SystemsManagerForSAP-*",
+      "Condition": {
+        "StringEquals": {
+          "aws:RequestTag/SSMForSAPCreated": "True"
+        },
+        "ArnLike": {
+          "aws:RequestTag/awsApplication": "arn:aws:resource-groups:*:*:group/*/*"
+        },
+        "ForAllValues:StringEquals": {
+          "aws:TagKeys": [
+            "SSMForSAPCreated",
+            "awsApplication"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "ManageSsmSapTagsOnEc2Instances",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags",
+        "ec2:DeleteTags"
+      ],
+      "Resource": "arn:aws:ec2:*:*:instance/*",
+      "Condition": {
+        "StringEquals": {
+          "aws:ResourceTag/SSMForSAPManaged": "True"
+        },
+        "ForAllValues:StringLike": {
+          "aws:TagKeys": [
+            "SystemsManagerForSAP-*"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "ManageSsmSapTagsOnEbsVolumes",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags",
+        "ec2:DeleteTags"
+      ],
+      "Resource": "arn:aws:ec2:*:*:volume/*",
+      "Condition": {
+        "ForAllValues:StringLike": {
+          "aws:TagKeys": [
+            "SystemsManagerForSAP-*"
+          ]
+        }
+      }
     }
   ]
 }
diff --git a/docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json b/docs/source/_static/managed-policies/AWSSupportServiceRolePolicy.json
@@ -84,6 +84,8 @@
         "access-analyzer:listArchiveRules",
         "access-analyzer:listFindings",
         "access-analyzer:listPolicyGenerations",
+        "account:getRegionOptStatus",
+        "account:listRegions",
         "acm-pca:describeCertificateAuthority",
         "acm-pca:describeCertificateAuthorityAuditReport",
         "acm-pca:getCertificate",
@@ -259,6 +261,7 @@
         "autoscaling:describeScalingActivities",
         "autoscaling:describeScalingProcessTypes",
         "autoscaling:describeScheduledActions",
+        "autoscaling:describeTrafficSources",
         "autoscaling:describeTags",
         "autoscaling:describeTerminationPolicyTypes",
         "autoscaling:describeWarmPool",
@@ -318,6 +321,28 @@
         "batch:describeJobQueues",
         "batch:describeJobs",
         "batch:listJobs",
+        "bedrock:getAgent",
+        "bedrock:getAgentActionGroup",
+        "bedrock:getAgentAlias",
+        "bedrock:getAgentKnowledgeBase",
+        "bedrock:getAgentVersion",
+        "bedrock:getCustomModel",
+        "bedrock:getDataSource",
+        "bedrock:getIngestionJob",
+        "bedrock:getKnowledgeBase",
+        "bedrock:getModelCustomizationJob",
+        "bedrock:getModelInvocationLoggingConfiguration",
+        "bedrock:listAgentActionGroups",
+        "bedrock:listAgentAliases",
+        "bedrock:listAgentKnowledgeBases",
+        "bedrock:listAgents",
+        "bedrock:listAgentVersions",
+        "bedrock:listCustomModels",
+        "bedrock:listDataSources",
+        "bedrock:listIngestionJobs",
+        "bedrock:listKnowledgeBases",
+        "bedrock:listModelCustomizationJobs",
+        "bedrock:listProvisionedModelThroughputs",
         "braket:getDevice",
         "braket:getQuantumTask",
         "braket:searchDevices",
@@ -519,6 +544,18 @@
         "codecommit:getRepositoryTriggers",
         "codecommit:listBranches",
         "codecommit:listRepositories",
+        "codeconnections:getConnection",
+        "codeconnections:getHost",
+        "codeconnections:getRepositoryLink",
+        "codeconnections:getRepositorySyncStatus",
+        "codeconnections:getResourceSyncStatus",
+        "codeconnections:getSyncBlockerSummary",
+        "codeconnections:getSyncConfiguration",
+        "codeconnections:listConnections",
+        "codeconnections:listHosts",
+        "codeconnections:listRepositoryLinks",
+        "codeconnections:listRepositorySyncDefinitions",
+        "codeconnections:listSyncConfigurations",
         "codedeploy:batchGetApplicationRevisions",
         "codedeploy:batchGetApplications",
         "codedeploy:batchGetDeploymentGroups",
@@ -746,6 +783,23 @@
         "dax:describeParameterGroups",
         "dax:describeParameters",
         "dax:describeSubnetGroups",
+        "deadline:listAvailableMeteredProducts",
+        "deadline:listBudgets",
+        "deadline:listFarmMembers",
+        "deadline:listFarms",
+        "deadline:listFleetMembers",
+        "deadline:listFleets",
+        "deadline:listJobMembers",
+        "deadline:listJobs",
+        "deadline:listLicenseEndpoints",
+        "deadline:listMeteredProducts",
+        "deadline:listMonitors",
+        "deadline:listQueueEnvironments",
+        "deadline:listQueueFleetAssociations",
+        "deadline:listQueueMembers",
+        "deadline:listQueues",
+        "deadline:listStorageProfiles",
+        "deadline:listWorkers",
         "detective:getMembers",
         "detective:listGraphs",
         "detective:listInvitations",
@@ -961,6 +1015,7 @@
         "ec2:describeSecurityGroups",
         "ec2:describeSnapshotAttribute",
         "ec2:describeSnapshots",
+        "ec2:describeSnapshotTierStatus",
         "ec2:describeSpotDatafeedSubscription",
         "ec2:describeSpotFleetInstances",
         "ec2:describeSpotFleetRequestHistory",
@@ -1006,6 +1061,7 @@
         "ec2:describeVpnGateways",
         "ec2:getAssociatedIpv6PoolCidrs",
         "ec2:getCapacityReservationUsage",
+        "ec2:getSubnetCidrReservations",
         "ec2:getCoipPoolUsage",
         "ec2:getConsoleOutput",
         "ec2:getConsoleScreenshot",
@@ -1084,6 +1140,8 @@
         "eks:describeFargateProfile",
         "eks:describeIdentityProviderConfig",
         "eks:describeNodegroup",
+        "eks:describePodIdentityAssociation",
+        "eks:listPodIdentityAssociations",
         "eks:describeUpdate",
         "eks:listAccessEntries",
         "eks:listAccessPolicies",
@@ -1149,6 +1207,9 @@
         "elasticloadbalancing:describeLoadBalancerPolicies",
         "elasticloadbalancing:describeLoadBalancerPolicyTypes",
         "elasticloadbalancing:describeLoadBalancers",
+        "elasticloadbalancing:describeTrustStores",
+        "elasticloadbalancing:describeTrustStoreAssociations",
+        "elasticloadbalancing:describeTrustStoreRevocations",
         "elasticloadbalancing:describeRules",
         "elasticloadbalancing:describeSSLPolicies",
         "elasticloadbalancing:describeTags",
@@ -1279,6 +1340,7 @@
         "forecast:listForecastExportJobs",
         "forecast:listForecasts",
         "forecast:listPredictors",
+        "freetier:getFreeTierUsage",
         "fsx:describeBackups",
         "fsx:describeDataRepositoryAssociations",
         "fsx:describeDataRepositoryTasks",
@@ -1572,6 +1634,8 @@
         "inspector2:batchGetAccountStatus",
         "inspector2:batchGetFreeTrialInfo",
         "inspector2:describeOrganizationConfiguration",
+        "inspector2:getConfiguration",
+        "inspector2:getEc2DeepInspectionConfiguration",
         "inspector2:getDelegatedAdminAccount",
         "inspector2:getMember",
         "inspector2:getSbomExport",
@@ -2228,6 +2292,12 @@
         "opsworks:getHostnameSuggestion",
         "organizations:listAccounts",
         "organizations:listTagsForResource",
+        "osis:getPipeline",
+        "osis:getPipelineBlueprint",
+        "osis:getPipelineChangeProgress",
+        "osis:listPipelineBlueprints",
+        "osis:listPipelines",
+        "osis:validatePipeline",
         "outposts:getCatalogItem",
         "outposts:getConnection",
         "outposts:getOrder",
@@ -3282,6 +3352,8 @@
         "workspaces-web:listUserSettings",
         "workspaces:describeAccount",
         "workspaces:describeAccountModifications",
+        "workspaces:describeApplicationAssociations",
+        "workspaces:describeWorkspaceAssociations",
         "workspaces:describeIpGroups",
         "workspaces:describeTags",
         "workspaces:describeWorkspaceBundles",
@@ -3293,7 +3365,13 @@
         "xray:getGroup",
         "xray:getGroups",
         "xray:getSamplingRules",
-        "xray:listResourcePolicies"
+        "xray:listResourcePolicies",
+        "xray:getInsightImpactGraph",
+        "xray:getSamplingStatisticSummaries",
+        "xray:getSamplingTargets",
+        "xray:getServiceGraph",
+        "xray:getTimeSeriesServiceStatistics",
+        "xray:getTraceGraph"
       ],
       "Effect": "Allow",
       "Resource": [

diff --git a/docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json b/docs/source/_static/managed-policies/AmazonCognitoUnAuthedIdentitiesSessionPolicy.json
@@ -2,6 +2,7 @@
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "CognitoUnAuthedIdentitiesSessionPolicy",
       "Effect": "Allow",
       "Action": [
         "rum:PutRumEvents",
@@ -13,7 +14,14 @@
         "rekognition:*",
         "mobiletargeting:*",
         "firehose:*",
-        "personalize:*"
+        "personalize:*",
+        "geo:GetMap*",
+        "geo:SearchPlaceIndex*",
+        "geo:GetPlace",
+        "geo:CalculateRoute*",
+        "geo:*Geofence",
+        "geo:*Geofences",
+        "geo:*DevicePosition*"
       ],
       "Resource": "*"
     }

diff --git a/docs/source/_static/managed-policies/AmazonECS_FullAccess.json b/docs/source/_static/managed-policies/AmazonECS_FullAccess.json
@@ -2,6 +2,7 @@
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "ECSIntegrationsManagementPolicy",
       "Effect": "Allow",
       "Action": [
         "application-autoscaling:DeleteScalingPolicy",
@@ -124,6 +125,7 @@
       ]
     },
     {
+      "Sid": "SSMPolicy",
       "Effect": "Allow",
       "Action": [
         "ssm:GetParameter",
@@ -133,6 +135,7 @@
       "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs*"
     },
     {
+      "Sid": "ManagedCloudformationResourcesCleanupPolicy",
       "Effect": "Allow",
       "Action": [
         "ec2:DeleteInternetGateway",
@@ -150,6 +153,7 @@
       }
     },
     {
+      "Sid": "TasksPassRolePolicy",
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": [
@@ -162,6 +166,20 @@
       }
     },
     {
+      "Sid": "InfrastructurePassRolePolicy",
+      "Action": "iam:PassRole",
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:iam::*:role/ecsInfrastructureRole"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "iam:PassedToService": "ecs.amazonaws.com"
+        }
+      }
+    },
+    {
+      "Sid": "InstancePassRolePolicy",
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": [
@@ -177,6 +195,7 @@
       }
     },
     {
+      "Sid": "AutoScalingPassRolePolicy",
       "Action": "iam:PassRole",
       "Effect": "Allow",
       "Resource": [
@@ -192,14 +211,15 @@
       }
     },
     {
+      "Sid": "ServiceLinkedRoleCreationPolicy",
       "Effect": "Allow",
       "Action": "iam:CreateServiceLinkedRole",
       "Resource": "*",
       "Condition": {
         "StringLike": {
           "iam:AWSServiceName": [
-            "autoscaling.amazonaws.com",
             "ecs.amazonaws.com",
+            "autoscaling.amazonaws.com",
             "ecs.application-autoscaling.amazonaws.com",
             "spot.amazonaws.com",
             "spotfleet.amazonaws.com"
@@ -208,6 +228,7 @@
       }
     },
     {
+      "Sid": "ELBTaggingPolicy",
       "Effect": "Allow",
       "Action": [
         "elasticloadbalancing:AddTags"

diff --git a/docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json b/docs/source/_static/managed-policies/AmazonElasticFileSystemReadOnlyAccess.json
@@ -2,6 +2,7 @@
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "ElasticFileSystemReadOnlyAccess",
       "Effect": "Allow",
       "Action": [
         "cloudwatch:DescribeAlarmsForMetric",

diff --git a/docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonGuardDutyServiceRolePolicy.json
@@ -27,6 +27,7 @@
         "eks:ListClusters",
         "eks:DescribeCluster",
         "ec2:DescribeVpcEndpointServices",
+        "ec2:DescribeVpcs",
         "ec2:DescribeSecurityGroups",
         "ecs:ListClusters",
         "ecs:DescribeClusters"

diff --git a/docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json b/docs/source/_static/managed-policies/AmazonInspector2ServiceRolePolicy.json
@@ -93,6 +93,7 @@
         "lambda:ListFunctions",
         "lambda:GetFunction",
         "lambda:GetLayerVersion",
+        "lambda:ListTags",
         "cloudwatch:GetMetricData"
       ],
       "Resource": "*"