{ "Version": "0.0.1", "Templates": { "SQSPollerPolicy": { "Description": "Gives permissions to poll an SQS Queue", "Parameters": { "QueueName": { "Description": "Name of the SQS Queue" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes", "sqs:ReceiveMessage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ] } }, "LambdaInvokePolicy": { "Description": "Gives permission to invoke a Lambda Function, Alias or Version", "Parameters": { "FunctionName": { "Description": "Name of the Lambda Function" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": { "Ref": "FunctionName" } } ] } } ] } }, "CloudWatchPutMetricPolicy": { "Description": "Gives permissions to put metrics to CloudWatch", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*" } ] } }, "EC2DescribePolicy": { "Description": "Gives permission to describe EC2 instances", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeInstances" ], "Resource": "*" } ] } }, "DynamoDBCrudPolicy": { "Description": "Gives CRUD access to a DynamoDB Table", "Parameters": { "TableName": { "Description": "Name of the DynamoDB Table" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ] } }, "DynamoDBReadPolicy": { "Description": "Gives read only access to a DynamoDB Table", "Parameters": { "TableName": { "Description": "Name of the DynamoDB Table" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem", "dynamodb:DescribeTable" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ] } }, "DynamoDBReconfigurePolicy": { "Description": "Gives access reconfigure to a DynamoDB Table", "Parameters": { "TableName": { "Description": "Name of the DynamoDB Table" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:UpdateTable" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ] } }, "SESSendBouncePolicy": { "Description": "Gives SendBounce permission to a SES identity", "Parameters": { "IdentityName": { "Description": "Identity to give permissions to" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "ses:SendBounce" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ] } }, "ElasticsearchHttpPostPolicy": { "Description": "Gives POST permissions to Elasticsearch", "Parameters": { "DomainName": { "Description": "Name of Domain" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpPost" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}", { "domainName": { "Ref": "DomainName" } } ] } } ] } }, "S3ReadPolicy": { "Description": "Gives read permissions to objects in the S3 Bucket", "Parameters": { "BucketName": { "Description": "Name of the Bucket" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ] } }, "S3CrudPolicy": { "Description": "Gives CRUD permissions to objects in the S3 Bucket", "Parameters": { "BucketName": { "Description": "Name of the Bucket" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:PutObject", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ] } }, "AMIDescribePolicy": { "Description": "Gives permissions to describe AMIs", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeImages" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*" } } ] } }, "CloudFormationDescribeStacksPolicy": { "Description": "Gives permission to describe CloudFormation stacks", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" } } ] } }, "RekognitionDetectOnlyPolicy": { "Description": "Gives permission to detect faces, labels and text", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels", "rekognition:DetectText" ], "Resource": "*" } ] } }, "RekognitionNoDataAccessPolicy": { "Description": "Gives permission to compare and detect faces and labels", "Parameters": { "CollectionId": { "Description": "ID of the collection" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ] } }, "RekognitionReadPolicy": { "Description": "Gives permission to list and search faces", "Parameters": { "CollectionId": { "Description": "ID of the collection" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "rekognition:ListCollections", "rekognition:ListFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ] } }, "RekognitionWriteOnlyAccessPolicy": { "Description": "Gives permission to create collection and index faces", "Parameters": { "CollectionId": { "Description": "ID of the collection" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CreateCollection", "rekognition:IndexFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ] } }, "SQSSendMessagePolicy": { "Description": "Gives permission to send message to SQS Queue", "Parameters": { "QueueName": { "Description": "Name of the SQS Queue" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage*" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ] } }, "SNSPublishMessagePolicy": { "Description": "Gives permission to publish message to SNS Topic", "Parameters": { "TopicName": { "Description": "Name of the SNS Topic" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": { "Ref": "TopicName" } } ] } } ] } }, "VPCAccessPolicy": { "Description": "Gives access to create, delete, describe and detach ENIs", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*" } ] } }, "DynamoDBStreamReadPolicy": { "Description": "Gives permission to describe and read a DynamoDB Stream and Records", "Parameters": { "TableName": { "Description": "Name of DynamoDB Table" }, "StreamName": { "Description": "Name of DynamoDB Stream" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:ListStreams" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/${streamName}", { "tableName": { "Ref": "TableName" }, "streamName": { "Ref": "StreamName" } } ] } } ] } }, "KinesisStreamReadPolicy": { "Description": "Gives permission to list and read a Kinesis stream", "Parameters": { "StreamName": { "Description": "Name of Kinesis Stream" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "kinesis:ListStreams", "kinesis:DescribeLimits" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" } }, { "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:GetRecords", "kinesis:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ] } }, "SESCrudPolicy": { "Description": "Gives permission to send email and verify identity", "Parameters": { "IdentityName": { "Description": "Identity to give permissions to" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ] } }, "SNSCrudPolicy": { "Description": "Gives permissions to create, publish and subscribe to SNS topics", "Parameters": { "TopicName": { "Description": "Name of the SNS topic" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "sns:ListSubscriptionsByTopic", "sns:CreateTopic", "sns:SetTopicAttributes", "sns:Subscribe", "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": { "Ref": "TopicName" } } ] } } ] } }, "KinesisCrudPolicy": { "Description": "Gives permission to create, publish and delete Kinesis Stream", "Parameters": { "StreamName": { "Description": "Name of Kinesis Stream" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "kinesis:AddTagsToStream", "kinesis:CreateStream", "kinesis:DecreaseStreamRetentionPeriod", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:GetShardIterator", "kinesis:IncreaseStreamRetentionPeriod", "kinesis:ListTagsForStream", "kinesis:MergeShards", "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ] } }, "KMSDecryptPolicy": { "Description": "Gives permission to decrypt with KMS Key", "Parameters": { "KeyId": { "Description": "ID of the KMS Key" } }, "Definition": { "Statement": [ { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ] } }, "PollyFullAccessPolicy": { "Description": "Gives full access permissions to Polly lexicon resources", "Parameters": { "LexiconName": { "Description": "Name of the Lexicon" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "polly:GetLexicon", "polly:DeleteLexicon" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": { "Ref": "LexiconName" } } ] } ] }, { "Effect": "Allow", "Action": [ "polly:DescribeVoices", "polly:ListLexicons", "polly:PutLexicon", "polly:SynthesizeSpeech" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } ] } ] } }, "S3FullAccessPolicy": { "Description": "Gives full access permissions to objects in the S3 Bucket", "Parameters": { "BucketName": { "Description": "Name of the Bucket" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] } ] } ] } }, "CodePipelineLambdaExecutionPolicy": { "Description": "Gives permission for a Lambda function invoked by AWS CodePipeline to report back status of the job", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" ], "Resource": "*" } ] } }, "ServerlessRepoReadWriteAccessPolicy": { "Description": "Gives access permissions to create and list applications in the AWS Serverless Application Repository service", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "serverlessrepo:CreateApplication", "serverlessrepo:CreateApplicationVersion", "serverlessrepo:GetApplication", "serverlessrepo:ListApplications", "serverlessrepo:ListApplicationVersions" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } ] } ] } }, "EC2CopyImagePolicy": { "Description": "Gives permission top copy EC2 Images", "Parameters": { "ImageId": { "Description": "The id of the image" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CopyImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": { "Ref": "ImageId" } } ] } } ] } }, "CodePipelineReadOnlyPolicy": { "Description": "Gives read permissions to get details about a CodePipeline pipeline", "Parameters": { "PipelineName": { "Description": "Name of the CodePipeline pipeline" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:ListPipelineExecutions" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": { "Ref": "PipelineName" } } ] } } ] } }, "CloudWatchDashboardPolicy": { "Description": "Gives permissions to put metrics to operate on CloudWatch Dashboards", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:GetDashboard", "cloudwatch:ListDashboards", "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" ], "Resource": "*" } ] } }, "RekognitionFacesManagementPolicy": { "Description": "Gives permission to add, delete and search faces in a collection", "Parameters": { "CollectionId": { "Description": "ID of the collection" } }, "Definition": { "Statement": [{ "Effect": "Allow", "Action": [ "rekognition:IndexFaces", "rekognition:DeleteFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage", "rekognition:ListFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } }] } }, "RekognitionFacesPolicy": { "Description": "Gives permission to compare and detect faces and labels", "Parameters": { "CollectionId": { "Description": "ID of the collection" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ] } }, "RekognitionLabelsPolicy": { "Description": "Gives permission to detect object and moderation labels", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": "*" } ] } }, "DynamoDBBackupFullAccessPolicy": { "Description": "Gives read/write permissions to DynamoDB on-demand backups for a table", "Parameters": { "TableName": { "Description": "Name of DynamoDB Table" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteBackup", "dynamodb:DescribeBackup", "dynamodb:ListBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } } ] } }, "DynamoDBRestoreFromBackupPolicy": { "Description": "Gives permissions to restore a table from backup", "Parameters": { "TableName": { "Description": "Name of DynamoDB Table" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:RestoreTableFromBackup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ] } }, "ComprehendBasicAccessPolicy": { "Description": "Gives access to Amazon Comprehend APIs for detecting entities, key phrases, languages and sentiments", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "comprehend:BatchDetectKeyPhrases", "comprehend:DetectDominantLanguage", "comprehend:DetectEntities", "comprehend:BatchDetectEntities", "comprehend:DetectKeyPhrases", "comprehend:DetectSentiment", "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" ], "Resource": "*" } ] } }, "AWSSecretsManagerRotationPolicy": { "Description": "Grants permissions to APIs required to rotate a secret in AWS Secrets Manager", "Parameters": { "FunctionName": { "Description": "Name of the Lambda Function" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" }, "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": { "Ref": "FunctionName" } } ] } } } }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" } ] } }, "AWSSecretsManagerGetSecretValuePolicy": { "Description": "Grants permissions to GetSecretValue for the specified AWS Secrets Manager secret", "Parameters": { "SecretArn": { "Description": "The ARN of the secret to grant access to" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": { "Fn::Sub": [ "${secretArn}", { "secretArn": { "Ref": "SecretArn" } } ] } } ] } }, "MobileAnalyticsWriteOnlyAccessPolicy": { "Description": "Gives write only permissions to put event data for all application resources", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents" ], "Resource": "*" } ] } }, "PinpointEndpointAccessPolicy": { "Description": "Gives permissions to get and update endpoints for a Pinpoint application", "Parameters": { "PinpointApplicationId": { "Description": "The id of your Pinpoint application" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "mobiletargeting:GetEndpoint", "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } } ] } } ] } }, "FirehoseWritePolicy": { "Description": "Gives permission to write to a Kinesis Firehose Delivery Stream", "Parameters": { "DeliveryStreamName": { "Description": "Name of Kinesis Firehose Delivery Stream" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ] } }, "FirehoseCrudPolicy": { "Description": "Gives permission to create, write to, update, and delete a Kinesis Firehose Delivery Stream", "Parameters": { "DeliveryStreamName": { "Description": "Name of Kinesis Firehose Delivery Stream" } }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch", "firehose:UpdateDestination" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ] } }, "EKSDescribePolicy": { "Description": "Gives permission to describe or list Amazon EKS clusters", "Parameters": { }, "Definition": { "Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ] } }, "CostExplorerReadOnlyPolicy": { "Description": "Gives access to the readonly Cost Explorer APIs for billing history", "Parameters": {}, "Definition": { "Statement": [{ "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation", "ce:GetReservationUtilization", "ce:GetTags" ], "Resource": "*" }] } }, "OrganizationsListAccountsPolicy": { "Description": "Gives readonly permission to list child account names and ids", "Parameters": {}, "Definition": { "Statement": [{ "Effect": "Allow", "Action": [ "organizations:ListAccounts" ], "Resource": "*" }] } } } }