{
 "Resources": {
  "AWSManagedServicesOperationsAllowPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-ops-allow-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "organizations:Describe*",
        "organizations:List*"
       ],
       "Condition": {
        "ArnEquals": {
         "aws:PrincipalArn": {
          "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/ams-access*"
         }
        }
       },
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AllowOrgsRead"
      },
      {
       "Action": [
        "amsssrv:GetDashboardUrl",
        "amsssrv:ListReports"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AllowAmsSsr"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesOperationsAllowPolicy"
   }
  },
  "AWSManagedServicesDenyCloudShellPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-deny-cloudshell-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "cloudshell:*",
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyCloudShell"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesDenyCloudShellPolicy"
   }
  },
  "AWSManagedServicesDenyAssumeRootPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-deny-assume-root-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRoot",
       "Effect": "Deny",
       "Resource": "arn:*:iam::*:root",
       "Sid": "DenyAssumeRoot"
      },
      {
       "Action": "support:RateCaseCommunication",
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyAmsCaseRatings"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesDenyAssumeRootPolicy"
   }
  },
  "AWSManagedServicesOperationsDenyListPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-deny-operations-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRoot",
       "Effect": "Deny",
       "Resource": "arn:*:iam::*:root",
       "Sid": "DenyAssumeRoot"
      },
      {
       "Action": "support:RateCaseCommunication",
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyAmsCaseRatings"
      },
      {
       "Action": "cloudformation:DeleteStack*",
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyCloudFormationDeleteStack"
      },
      {
       "Action": [
        "ec2:TerminateInstances",
        "rds:DeleteDBInstance*",
        "rds:DeleteDBCluster*"
       ],
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyTerminateActions"
      },
      {
       "Action": [
        "devicefarm:PurchaseOffering",
        "dynamodb:PurchaseReservedCapacityOfferings",
        "ec2:AcceptCapacityReservationBillingOwnership",
        "ec2:AcceptReservedInstancesExchangeQuote",
        "ec2:AssociateCapacityReservationBillingOwner",
        "ec2:CancelCapacityReservation",
        "ec2:CancelCapacityReservationFleets",
        "ec2:CancelReservedInstancesListing",
        "ec2:CreateCapacityReservation",
        "ec2:CreateCapacityReservationBySplitting",
        "ec2:CreateCapacityReservationFleet",
        "ec2:CreateReservedInstancesListing",
        "ec2:DeleteQueuedReservedInstances",
        "ec2:DisassociateCapacityReservationBillingOwner",
        "ec2:ModifyCapacityReservation",
        "ec2:ModifyCapacityReservationFleet",
        "ec2:ModifyInstanceCapacityReservationAttributes",
        "ec2:ModifyReservedInstances",
        "ec2:MoveCapacityReservationInstances",
        "ec2:PurchaseCapacityBlock",
        "ec2:PurchaseCapacityBlockExtension",
        "ec2:PurchaseHostReservation",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:PurchaseScheduledInstances",
        "ec2:RejectCapacityReservationBillingOwnership",
        "ec2:RunScheduledInstances",
        "elasticache:PurchaseReservedCacheNodesOffering",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:PurchaseReservedInstanceOffering",
        "memorydb:PurchaseReservedNodesOffering",
        "rds:PurchaseReservedDBInstancesOffering",
        "redshift:AcceptReservedNodeExchange",
        "redshift:PurchaseReservedNodeOffering",
        "savingsplans:CreateSavingsPlan",
        "savingsplans:DeleteQueuedSavingsPlan",
        "savingsplans:ReturnSavingsPlan",
        "savingsplans:TagResource",
        "savingsplans:UntagResource"
       ],
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyPurchaseRIAndSavingsPlansActions"
      },
      {
       "Action": "ssm:StartAutomationExecution",
       "Effect": "Deny",
       "Resource": [
        "arn:*:ssm:*:*:automation-definition/AWS-DeleteCloudFormationStack:*",
        "arn:*:ssm:*:*:automation-definition/AWS-DeleteCloudFormationStackWithApproval:*"
       ],
       "Sid": "DenyAWSSSMDocument"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesOperationsDenyListPolicy"
   }
  },
  "AWSManagedServicesRestrictedActionsPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-restricted-actions-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:PutObject",
        "s3:PutObject*",
        "s3:GetObject",
        "s3:GetObject*",
        "s3:DeleteObject",
        "s3:DeleteObject*"
       ],
       "Effect": "Deny",
       "NotResource": [
        "arn:*:s3:::*/AWSLogs/*/CloudTrail/*",
        "arn:*:s3:::*/AWSLogs/*/vpcflowlogs/*",
        "arn:*:s3:::ams-*/*",
        "arn:*:s3:::AMS-*/*",
        "arn:*:s3:::ams*/*",
        "arn:*:s3:::Ams*/*",
        "arn:*:s3:::AMS*/*",
        "arn:*:s3:::aws-*/*",
        "arn:*:s3:::AWSManagedServices*",
        "arn:*:s3:::cf-templates-*/*",
        "arn:*:s3:::mc*/*",
        "arn:*:s3:::Mc*/*",
        "arn:*:s3:::MC*/*",
        "arn:*:s3:::sc-*/*"
       ]
      },
      {
       "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:DeleteItem",
        "dynamodb:DeleteTable",
        "dynamodb:GetItem",
        "dynamodb:GetRecords",
        "dynamodb:PartiQL*",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:UpdateItem",
        "dynamodb:UpdateTable"
       ],
       "Effect": "Deny",
       "NotResource": [
        "arn:*:dynamodb:*:*:table/ams*",
        "arn:*:dynamodb:*:*:table/AMS*",
        "arn:*:dynamodb:*:*:table/Ams*",
        "arn:*:dynamodb:*:*:table/AWS*",
        "arn:*:dynamodb:*:*:table/aws*",
        "arn:*:dynamodb:*:*:table/Aws*",
        "arn:*:dynamodb:*:*:table/mc*",
        "arn:*:dynamodb:*:*:table/MC*",
        "arn:*:dynamodb:*:*:table/Mc*",
        "arn:*:dynamodb:*:*:table/AWSManagedServices*"
       ]
      },
      {
       "Action": [
        "elasticfilesystem:ClientRootAccess",
        "elasticfilesystem:ClientMount"
       ],
       "Effect": "Deny",
       "Resource": "arn:*:elasticfilesystem:*:*:file-system/*"
      },
      {
       "Action": [
        "elasticache:Connect",
        "elasticache:CreateUser",
        "elasticache:CreateUserGroup",
        "elasticache:DeleteUser",
        "elasticache:DeleteUserGroup",
        "elasticache:ModifyUser",
        "elasticache:ModifyUserGroup",
        "elasticache:StartMigration",
        "elasticache:TestFailover"
       ],
       "Effect": "Deny",
       "Resource": "arn:*:elasticache:*:*:*"
      },
      {
       "Action": [
        "rds:StartExportTask",
        "rds:CreateDBProxy"
       ],
       "Effect": "Deny",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesRestrictedActionsPolicy"
   }
  },
  "AWSManagedServicesRestrictedActionsExtendedPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-restricted-actions-extended-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "rds:ModifyDBProxyEndpoint",
        "rds:ModifyDBProxyTargetGroup",
        "rds:ModifyDBProxy"
       ],
       "Effect": "Deny",
       "Resource": [
        "arn:*:rds:*:*:db-proxy:*",
        "arn:*:rds:*:*:db-proxy-endpoint:*",
        "arn:*:rds:*:*:target-group:*"
       ]
      },
      {
       "Action": [
        "redshift:AuthorizeDataShare",
        "redshift:CreateHsmClientCertificate",
        "redshift:CreateHsmConfiguration",
        "redshift:DeauthorizeDataShare",
        "redshift:DeleteAuthenticationProfile",
        "redshift:GetClusterCredentialsWithIAM"
       ],
       "Effect": "Deny",
       "Resource": "arn:*:redshift:*:*:*:*"
      },
      {
       "Action": [
        "redshift:CancelQuery",
        "redshift:CancelQuery*",
        "redshift:CreateSavedQuery",
        "redshift:CreateScheduledAction",
        "redshift:DeleteSavedQueries",
        "redshift:DeletePartner",
        "redshift:ExecuteQuery",
        "redshift:FetchResults",
        "redshift:GetClusterCredentials",
        "redshift:ViewQueriesFromConsole"
       ],
       "Effect": "Deny",
       "Resource": "*"
      },
      {
       "Action": "redshift-serverless:GetCredentials",
       "Effect": "Deny",
       "Resource": "arn:*:redshift-serverless:*:*:*/*"
      },
      {
       "Action": [
        "fsx:CreateDataRepositoryAssociation",
        "fsx:DeleteDataRepositoryAssociation",
        "fsx:ManageBackupPrincipalAssociations",
        "fsx:UpdateDataRepositoryAssociation",
        "fsx:UpdateFileCache"
       ],
       "Effect": "Deny",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesRestrictedActionsExtendedPolicy"
   }
  },
  "AWSManagedServicesDenyUpdateAccessResourcesPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-deny-update-iam-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "iam:Create*",
        "iam:Update*",
        "iam:Delete*",
        "iam:Attach*",
        "iam:Detach*",
        "iam:Put*"
       ],
       "Effect": "Deny",
       "Resource": [
        {
         "Fn::Sub": "arn:${AWS::Partition}:iam::*:role/ams-access*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:iam::*:policy/ams-access*"
        }
       ]
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesDenyUpdateAccessResourcesPolicy"
   }
  },
  "AWSManagedServicesAdminPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-admin-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "NotAction": "account:CloseAccount",
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesAdminPolicy"
   }
  },
  "AWSManagedServicesAllowPassRole": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-allow-pass-role",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "iam:PassRole",
       "Condition": {
        "StringEquals": {
         "iam:PassedToService": "ec2.amazonaws.com"
        }
       },
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AllowEC2InstancesToBeLaunchedWithAnyRole"
      },
      {
       "Action": "iam:PassRole",
       "Condition": {
        "StringEquals": {
         "iam:PassedToService": "ssm.amazonaws.com"
        }
       },
       "Effect": "Allow",
       "Resource": [
        "arn:*:iam::*:role/ams_ssm_automation_*role",
        "arn:*:iam::*:role/ams_ssm_maintenance_window_role"
       ],
       "Sid": "AllowSSMExecutionWithSSMAutomationRole"
      },
      {
       "Action": "iam:PassRole",
       "Condition": {
        "StringEquals": {
         "iam:PassedToService": "backup.amazonaws.com"
        }
       },
       "Effect": "Allow",
       "Resource": [
        "arn:*:iam::*:role/service-role/AWSBackupDefaultServiceRole",
        "arn:*:iam::*:role/ams-backup-iam-role"
       ],
       "Sid": "AllowBackupPlanModificationsWithAMSRoleBackupSLR"
      },
      {
       "Action": "iam:PassRole",
       "Condition": {
        "StringEquals": {
         "iam:PassedToService": "ssm.amazonaws.com"
        }
       },
       "Effect": "Allow",
       "Resource": "arn:*:iam::*:role/ams_resource_scheduler_ssm_automation_role",
       "Sid": "AllowResourceSchedulerSSMExecutionWithResourceSchedulerRole"
      },
      {
       "Action": "iam:PassRole",
       "Condition": {
        "StringEquals": {
         "iam:PassedToService": [
          "codepipeline.amazonaws.com",
          "events.amazonaws.com"
         ]
        }
       },
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "VPCCreation"
      },
      {
       "Action": "iam:PassRole",
       "Condition": {
        "StringEquals": {
         "iam:PassedToService": "access-analyzer.amazonaws.com"
        }
       },
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AccessAnalyzer"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesAllowPassRole"
   }
  },
  "AWSManagedServicesChangeRecordPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-change-record-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "athena:StartQueryExecution",
        "athena:StopQueryExecution"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Sub": "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/ams-change-record"
       },
       "Sid": "AthenaQueryActions"
      },
      {
       "Action": "s3:PutObject",
       "Effect": "Allow",
       "Resource": {
        "Fn::Sub": "arn:${AWS::Partition}:s3:::ams-a${AWS::AccountId}-athena-results-${AWS::Region}/*"
       },
       "Sid": "AthenaQueryResultBucket"
      },
      {
       "Action": "kms:Decrypt",
       "Condition": {
        "ForAnyValue:StringEquals": {
         "aws:CalledVia": "athena.amazonaws.com"
        }
       },
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AthenaKMSActions"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesChangeRecordPolicy"
   }
  },
  "AWSManagedOperationsAdminPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-admin-operations-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "NotAction": "account:CloseAccount",
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AMSOperationsAdmin"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedOperationsAdminPolicy"
   }
  },
  "AWSManagedServicesSecurityAnalystStreamlinedReadOnlyPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-security-analyst-streamlined-readonly-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "cloudformation:DeleteStack*",
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyCloudFormationDeleteStack"
      },
      {
       "Action": [
        "ec2:TerminateInstances",
        "rds:DeleteDBInstance*",
        "rds:DeleteDBCluster*"
       ],
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyTerminateActions"
      },
      {
       "Action": [
        "iam:Create*",
        "iam:Update*",
        "iam:Delete*",
        "iam:Attach*",
        "iam:Detach*",
        "iam:Put*"
       ],
       "Effect": "Deny",
       "Resource": [
        {
         "Fn::Sub": "arn:${AWS::Partition}:iam::*:role/ams-access*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:iam::*:policy/ams-access*"
        }
       ]
      },
      {
       "Action": [
        "cloudtrail:Describe*",
        "cloudtrail:Get*",
        "cloudtrail:List*",
        "cloudtrail:LookupEvents",
        "cloudtrail:CancelQuery",
        "cloudtrail:StartQuery"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "guardduty:Describe*",
        "guardduty:Get*",
        "guardduty:List*",
        "guardduty:StartMalwareScan"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "athena:CreateNamedQuery",
        "athena:CreatePreparedStatement",
        "athena:Get*",
        "athena:List*",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution",
        "athena:UpdatePreparedStatement",
        "glue:Get*"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "macie2:Get*",
        "macie2:List*"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "Macie2ReadPermissions"
      },
      {
       "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:DescribeJob"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Sub": "arn:${AWS::Partition}:s3:::ams-*/*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:s3:::awsms-*/*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:s3:::mc-*/*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:s3:::cf-templates-*/*"
        }
       ]
      },
      {
       "Action": [
        "cloudshell:CreateEnvironment",
        "cloudshell:CreateSession",
        "cloudshell:DeleteEnvironment",
        "cloudshell:GetEnvironmentStatus",
        "cloudshell:GetFileDownloadUrls",
        "cloudshell:GetFileUploadUrls",
        "cloudshell:PutCredentials",
        "cloudshell:StartEnvironment",
        "cloudshell:StopEnvironment",
        "cloudshell:DescribeEnvironments"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "sso:GetSSOStatus",
        "sso:List*",
        "sso:Describe*",
        "sso:Get*",
        "sso-directory:Describe*",
        "sso-directory:List*",
        "sso-directory:Get*",
        "sso-directory:Search*"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": "secretsmanager:listSecrets",
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AllowSecretsManagerListSecrets"
      },
      {
       "Action": [
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:*:*:secret:ams-ops/dsm_agent_selfprotect_localoverride*"
       },
       "Sid": "AllowCustomerReadOnlyAccessToSharedNameSpaces"
      },
      {
       "Action": [
        "amscm:Get*",
        "amscm:Describe*"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesSecurityAnalystStreamlinedReadOnlyPolicy"
   }
  },
  "AWSManagedServicesSecurityAnalystStreamlinedContainmentPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-access-security-analyst-streamlined-containment-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "cloudformation:DeleteStack*",
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyCloudFormationDeleteStack"
      },
      {
       "Action": [
        "ec2:TerminateInstances",
        "rds:DeleteDBInstance*",
        "rds:DeleteDBCluster*"
       ],
       "Effect": "Deny",
       "Resource": "*",
       "Sid": "DenyTerminateActions"
      },
      {
       "Action": [
        "iam:Create*",
        "iam:Update*",
        "iam:Delete*",
        "iam:Attach*",
        "iam:Detach*",
        "iam:Put*"
       ],
       "Effect": "Deny",
       "Resource": [
        {
         "Fn::Sub": "arn:${AWS::Partition}:iam::*:role/ams-access*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:iam::*:policy/ams-access*"
        }
       ]
      },
      {
       "Action": [
        "iam:*AccessKey",
        "iam:DeleteLoginProfile",
        "iam:ResetServiceSpecificCredential",
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup",
        "iam:Attach*Policy",
        "iam:Detach*Policy"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "cloudtrail:Describe*",
        "cloudtrail:Get*",
        "cloudtrail:List*",
        "cloudtrail:LookupEvents",
        "cloudtrail:CancelQuery",
        "cloudtrail:StartQuery"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:Get*",
        "logs:List*",
        "logs:StartQuery",
        "logs:StopQuery"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "athena:CreateNamedQuery",
        "athena:CreatePreparedStatement",
        "athena:Get*",
        "athena:List*",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution",
        "athena:UpdatePreparedStatement"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "macie2:Get*",
        "macie2:List*",
        "macie2:CreateFindingsFilter",
        "macie2:DeleteFindingsFilter",
        "macie2:UpdateFindingsFilter"
       ],
       "Effect": "Allow",
       "Resource": "*",
        "Sid": "Macie2ReadAndFindingsFilterWritePermissions"
      },
      {
       "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:DescribeJob"
       ],
       "Effect": "Allow",
       "Resource": [
        {
         "Fn::Sub": "arn:${AWS::Partition}:s3:::ams-*/*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:s3:::awsms-*/*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:s3:::mc-*/*"
        },
        {
         "Fn::Sub": "arn:${AWS::Partition}:s3:::cf-templates-*/*"
        }
       ]
      },
      {
       "Action": [
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:PutObjectAcl",
        "s3:PutBucketPublicAccessBlock"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "ec2:AssociateIamInstanceProfile",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:DisassociateIamInstanceProfile",
        "ec2:ModifySecurityGroupRules",
        "ec2:RevokeSecurityGroup*",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:UpdateSecurityGroupRuleDescriptions*",
        "ec2:AuthorizeSecurityGroup*",
        "ec2:CreateVolume",
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateImage",
        "ec2:CreateNetworkAcl*",
        "ec2:CreateSnapshot*",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:DeleteTags",
        "ec2:DeleteNetworkAcl*",
        "ec2:ReplaceNetworkAcl*",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "ssm:SendCommand",
        "ssm:GetDocument",
        "ssm:GetCommandInvocation",
        "ssm:ListCommandInvocations",
        "ssm:CancelCommand",
        "ssm:SendAutomationSignal",
        "ssm:StopAutomationExecution"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": "rds:*SecurityGroup*",
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "autoscaling:AttachInstances",
        "autoscaling:DetachInstances"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "guardduty:CreateFilter",
        "guardduty:CreateIPSet",
        "guardduty:CreateSampleFindings",
        "guardduty:CreateThreatIntelSet",
        "guardduty:DeleteFilter",
        "guardduty:DeleteIPSet",
        "guardduty:DeleteThreatIntelSet",
        "guardduty:Describe*",
        "guardduty:Get*",
        "guardduty:List*",
        "guardduty:ArchiveFindings",
        "guardduty:UnarchiveFindings",
        "guardduty:UpdateFilter",
        "guardduty:UpdateIPSet",
        "guardduty:UpdateThreatIntelSet",
        "guardduty:*MalwareProtection*",
        "guardduty:StartMalwareScan"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Sub": "arn:${AWS::Partition}:iam::*:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty"
       }
      },
      {
       "Action": [
        "wafv2:Get*",
        "wafv2:List*"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "wafv2:Create*",
        "wafv2:Update*"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "config:BatchGetAggregateResourceConfig",
        "config:BatchGetResourceConfig",
        "config:StartConfigRulesEvaluation",
        "config:StartRemediationExecution",
        "config:StartResourceEvaluation"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "cloudshell:CreateEnvironment",
        "cloudshell:CreateSession",
        "cloudshell:DeleteEnvironment",
        "cloudshell:GetEnvironmentStatus",
        "cloudshell:GetFileDownloadUrls",
        "cloudshell:GetFileUploadUrls",
        "cloudshell:PutCredentials",
        "cloudshell:StartEnvironment",
        "cloudshell:StopEnvironment",
        "cloudshell:DescribeEnvironments"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": [
        "sso:List*",
        "sso:Describe*",
        "sso:Get*",
        "sso-directory:Describe*",
        "sso-directory:List*",
        "sso-directory:Get*",
        "sso-directory:Search*"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": "secretsmanager:listSecrets",
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AllowSecretsManagerListSecrets"
      },
      {
       "Action": [
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:*:*:secret:ams-ops/dsm_agent_selfprotect_localoverride*"
       },
       "Sid": "AllowCustomerReadOnlyAccessToSharedNameSpaces"
      },
      {
       "Action": [
        "route53resolver:CreateFirewallDomainList",
        "route53resolver:DeleteFirewallDomainList",
        "route53resolver:UpdateFirewallDomains",
        "route53resolver:ImportFirewallDomains",
        "route53resolver:CreateFirewallRule",
        "route53resolver:DeleteFirewallRule",
        "route53resolver:UpdateFirewallRule",
        "route53resolver:CreateFirewallRuleGroup",
        "route53resolver:DeleteFirewallRuleGroup",
        "route53resolver:AssociateFirewallRuleGroup",
        "route53resolver:DisassociateFirewallRuleGroup",
        "route53resolver:UpdateFirewallConfig",
        "route53resolver:UpdateFirewallRuleGroupAssociation"
       ],
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AllowRoute53DNSFirewall"
      },
      {
       "Action": [
        "amscm:Get*",
        "amscm:Describe*"
       ],
       "Effect": "Allow",
       "Resource": "*"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesSecurityAnalystStreamlinedContainmentPolicy"
   }
  },
  "AWSManagedServicesControlTowerOperationsExtendedPolicy": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "ams-control-tower-operations-extended-policy",
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "organizations:CreateOrganizationalUnit",
        "organizations:DeleteOrganizationalUnit",
        "organizations:AttachPolicy",
        "organizations:CreatePolicy",
        "organizations:DeletePolicy",
        "organizations:DetachPolicy",
        "organizations:UpdatePolicy"
       ],
       "Condition": {
        "ArnEquals": {
         "aws:PrincipalArn": [
          {
           "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/ams-access-admin"
          },
          {
           "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/ams-access-management"
          }
         ]
        }
       },
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "OUCreateDeleteAccess"
      },
      {
       "Action": "account:ListRegions",
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "AccountManagementReadOnly"
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesControlTowerOperationsExtendedPolicy"
   }
  },
  "AWSManagedServicesReadOnlyAccessRole": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Condition": {
        "StringEquals": {
         "sts:ExternalId": {
          "Ref": "AWS::AccountId"
         }
        }
       },
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      },
      {
       "Action": "sts:TagSession",
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Description": "Required by AMS - Do Not Delete",
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/ReadOnlyAccess"
       ]
      ]
     },
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/AWSCloudShellFullAccess"
       ]
      ]
     },
     {
      "Ref": "AWSManagedServicesOperationsAllowPolicy"
     },
     {
      "Ref": "AWSManagedServicesChangeRecordPolicy"
     },
     {
      "Ref": "AWSManagedServicesRestrictedActionsPolicy"
     },
     {
      "Ref": "AWSManagedServicesRestrictedActionsExtendedPolicy"
     }
    ],
    "RoleName": "ams-access-read-only",
    "Tags": [
     {
      "Key": "ams:resourceOwner",
      "Value": "AMS"
     },
     {
      "Key": "ams:resourceOwnerService",
      "Value": "Access"
     },
     {
      "Key": "ams:stackRegion",
      "Value": {
       "Ref": "AWS::Region"
      }
     }
    ]
   },
   "DependsOn": [
    "AWSManagedServicesChangeRecordPolicy",
    "AWSManagedServicesOperationsAllowPolicy",
    "AWSManagedServicesRestrictedActionsExtendedPolicy",
    "AWSManagedServicesRestrictedActionsPolicy"
   ],
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesReadOnlyAccessRole/Resource"
   }
  },
  "AWSManagedServicesOperationsAccessRole": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Condition": {
        "StringEquals": {
         "sts:ExternalId": {
          "Ref": "AWS::AccountId"
         }
        }
       },
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      },
      {
       "Action": "sts:TagSession",
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Description": "Required by AMS - Do Not Delete",
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/PowerUserAccess"
       ]
      ]
     },
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/IAMReadOnlyAccess"
       ]
      ]
     },
     {
      "Ref": "AWSManagedServicesDenyCloudShellPolicy"
     },
     {
      "Ref": "AWSManagedServicesAllowPassRole"
     },
     {
      "Ref": "AWSManagedServicesOperationsDenyListPolicy"
     },
     {
      "Ref": "AWSManagedServicesOperationsAllowPolicy"
     },
     {
      "Ref": "AWSManagedServicesRestrictedActionsPolicy"
     },
     {
      "Ref": "AWSManagedServicesRestrictedActionsExtendedPolicy"
     },
     {
      "Ref": "AWSManagedServicesControlTowerOperationsExtendedPolicy"
     }
    ],
    "RoleName": "ams-access-operations",
    "Tags": [
     {
      "Key": "ams:resourceOwner",
      "Value": "AMS"
     },
     {
      "Key": "ams:resourceOwnerService",
      "Value": "Access"
     },
     {
      "Key": "ams:stackRegion",
      "Value": {
       "Ref": "AWS::Region"
      }
     }
    ]
   },
   "DependsOn": [
    "AWSManagedServicesAllowPassRole",
    "AWSManagedServicesControlTowerOperationsExtendedPolicy",
    "AWSManagedServicesDenyCloudShellPolicy",
    "AWSManagedServicesOperationsAllowPolicy",
    "AWSManagedServicesOperationsDenyListPolicy",
    "AWSManagedServicesRestrictedActionsExtendedPolicy",
    "AWSManagedServicesRestrictedActionsPolicy"
   ],
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesOperationsAccessRole/Resource"
   }
  },
  "AWSManagedServicesAdminAccessRole": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Condition": {
        "StringEquals": {
         "sts:ExternalId": {
          "Ref": "AWS::AccountId"
         }
        }
       },
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      },
      {
       "Action": "sts:TagSession",
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Description": "Required by AMS - Do Not Delete",
    "ManagedPolicyArns": [
     {
      "Ref": "AWSManagedServicesAdminPolicy"
     },
     {
      "Ref": "AWSManagedServicesDenyUpdateAccessResourcesPolicy"
     },
     {
      "Ref": "AWSManagedServicesDenyCloudShellPolicy"
     }
    ],
    "RoleName": "ams-access-admin",
    "Tags": [
     {
      "Key": "ams:resourceOwner",
      "Value": "AMS"
     },
     {
      "Key": "ams:resourceOwnerService",
      "Value": "Access"
     },
     {
      "Key": "ams:stackRegion",
      "Value": {
       "Ref": "AWS::Region"
      }
     }
    ]
   },
   "DependsOn": [
    "AWSManagedServicesAdminPolicy",
    "AWSManagedServicesDenyCloudShellPolicy",
    "AWSManagedServicesDenyUpdateAccessResourcesPolicy"
   ],
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesAdminAccessRole/Resource"
   }
  },
  "AWSManagedServicesAdminAccessOperationsRole": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Condition": {
        "StringEquals": {
         "sts:ExternalId": {
          "Ref": "AWS::AccountId"
         }
        }
       },
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      },
      {
       "Action": "sts:TagSession",
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Description": "Required by AMS - Do Not Delete",
    "ManagedPolicyArns": [
     {
      "Ref": "AWSManagedOperationsAdminPolicy"
     },
     {
      "Ref": "AWSManagedServicesDenyUpdateAccessResourcesPolicy"
     },
     {
      "Ref": "AWSManagedServicesDenyCloudShellPolicy"
     },
     {
      "Ref": "AWSManagedServicesRestrictedActionsPolicy"
     },
     {
      "Ref": "AWSManagedServicesRestrictedActionsExtendedPolicy"
     },
     {
      "Ref": "AWSManagedServicesDenyAssumeRootPolicy"
     }
    ],
    "RoleName": "ams-access-admin-operations",
    "Tags": [
     {
      "Key": "ams:resourceOwner",
      "Value": "AMS"
     },
     {
      "Key": "ams:resourceOwnerService",
      "Value": "Access"
     },
     {
      "Key": "ams:stackRegion",
      "Value": {
       "Ref": "AWS::Region"
      }
     }
    ]
   },
   "DependsOn": [
    "AWSManagedOperationsAdminPolicy",
    "AWSManagedServicesDenyAssumeRootPolicy",
    "AWSManagedServicesDenyCloudShellPolicy",
    "AWSManagedServicesDenyUpdateAccessResourcesPolicy",
    "AWSManagedServicesRestrictedActionsExtendedPolicy",
    "AWSManagedServicesRestrictedActionsPolicy"
   ],
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesAdminAccessOperationsRole/Resource"
   }
  },
  "AWSManagedServicesSecurityAnalystRole": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Condition": {
        "StringEquals": {
         "sts:ExternalId": {
          "Ref": "AWS::AccountId"
         }
        }
       },
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      },
      {
       "Action": "sts:TagSession",
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Description": "Required by AMS Security Team - Do Not Delete",
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/SecurityAudit"
       ]
      ]
     },
     {
      "Ref": "AWSManagedServicesSecurityAnalystStreamlinedContainmentPolicy"
     }
    ],
    "RoleName": "ams-access-security-analyst",
    "Tags": [
     {
      "Key": "ams:resourceOwner",
      "Value": "AMS"
     },
     {
      "Key": "ams:resourceOwnerService",
      "Value": "Access"
     },
     {
      "Key": "ams:stackRegion",
      "Value": {
       "Ref": "AWS::Region"
      }
     }
    ]
   },
   "DependsOn": [
    "AWSManagedServicesSecurityAnalystStreamlinedContainmentPolicy"
   ],
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesSecurityAnalystRole/Resource"
   }
  },
  "AWSManagedServicesSecurityAnalystReadOnlyRole": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Condition": {
        "StringEquals": {
         "sts:ExternalId": {
          "Ref": "AWS::AccountId"
         }
        }
       },
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      },
      {
       "Action": "sts:TagSession",
       "Effect": "Allow",
       "Principal": {
        "Service": "access.managedservices.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "Description": "Required by AMS Security Team - Do Not Delete",
    "ManagedPolicyArns": [
     {
      "Fn::Join": [
       "",
       [
        "arn:",
        {
         "Ref": "AWS::Partition"
        },
        ":iam::aws:policy/SecurityAudit"
       ]
      ]
     },
     {
      "Ref": "AWSManagedServicesSecurityAnalystStreamlinedReadOnlyPolicy"
     }
    ],
    "RoleName": "ams-access-security-analyst-read-only",
    "Tags": [
     {
      "Key": "ams:resourceOwner",
      "Value": "AMS"
     },
     {
      "Key": "ams:resourceOwnerService",
      "Value": "Access"
     },
     {
      "Key": "ams:stackRegion",
      "Value": {
       "Ref": "AWS::Region"
      }
     }
    ]
   },
   "DependsOn": [
    "AWSManagedServicesSecurityAnalystStreamlinedReadOnlyPolicy"
   ],
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "ams-access-roles/AWSManagedServicesSecurityAnalystReadOnlyRole/Resource"
   }
  }
 }
}