AWS managed policies for AWS Config

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ViewOnlyAccess AWS managed policy provides read-only access to many AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: AWSConfigServiceRolePolicy

AWS Config uses the service-linked role (SLR) named AWSServiceRoleForConfig to call other AWS services on your behalf. When you use the AWS Management Console to set up AWS Config, AWS Config creates this SLR automatically if you select the option to use the AWS Config SLR instead of your own AWS Identity and Access Management (IAM) service role.

The AWSServiceRoleForConfig SLR contains the managed policy AWSConfigServiceRolePolicy. This managed policy contains read-only and write-only permissions for AWS Config resources and read-only permissions for resources in other services that AWS Config supports. For more information, see Supported Resource Types and Using Service-Linked Roles for AWS Config.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "access-analyzer:GetAnalyzer", "access-analyzer:GetArchiveRule", "access-analyzer:ListAnalyzers", "access-analyzer:ListArchiveRules", "access-analyzer:ListTagsForResource", "account:GetAlternateContact", "acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:ListCertificateAuthorities", "acm-pca:ListTags", "acm:DescribeCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate", "airflow:GetEnvironment", "airflow:ListEnvironments", "airflow:ListTagsForResource", "amplifyuibuilder:ExportThemes", "amplifyuibuilder:GetTheme", "amplifyuibuilder:ListThemes", "apigateway:GET", "appconfig:GetApplication", "appconfig:GetConfigurationProfile", "appconfig:GetDeployment", "appconfig:GetDeploymentStrategy", "appconfig:GetEnvironment", "appconfig:GetHostedConfigurationVersion", "appconfig:ListApplications", "appconfig:ListConfigurationProfiles", "appconfig:ListDeployments", "appconfig:ListDeploymentStrategies", "appconfig:ListEnvironments", "appconfig:ListHostedConfigurationVersions", "appconfig:ListTagsForResource", "appflow:DescribeConnectorProfiles", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies", "appstream:DescribeDirectoryConfigs", "appstream:ListTagsForResource", "appsync:GetApiCache", "appsync:GetGraphqlApi", "appsync:ListGraphqlApis", "APS:DescribeRuleGroupsNamespace", "APS:DescribeWorkspace", "APS:ListWorkspaces", "athena:GetDataCatalog", "athena:GetWorkGroup", "athena:ListDataCatalogs", "athena:ListTagsForResource", "athena:ListWorkGroups", "auditmanager:GetAssessment", "auditmanager:ListAssessments", "autoscaling-plans:DescribeScalingPlanResources", "autoscaling-plans:DescribeScalingPlans", "autoscaling-plans:GetScalingPlanResourceForecastData", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLifecycleHooks", "autoscaling:DescribePolicies", 
"autoscaling:DescribeScheduledActions", "autoscaling:DescribeTags", "autoscaling:DescribeWarmPool", "backup-gateway:ListTagsForResource", "backup-gateway:ListVirtualMachines", "backup:DescribeBackupVault", "backup:DescribeFramework", "backup:DescribeRecoveryPoint", "backup:DescribeReportPlan", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:GetBackupVaultAccessPolicy", "backup:GetBackupVaultNotifications", "backup:ListBackupPlans", "backup:ListBackupSelections", "backup:ListBackupVaults", "backup:ListFrameworks", "backup:ListRecoveryPointsByBackupVault", "backup:ListReportPlans", "backup:ListTags", "batch:DescribeComputeEnvironments", "batch:DescribeJobQueues", "batch:ListTagsForResource", "billingconductor:ListAccountAssociations", "billingconductor:ListBillingGroups", "billingconductor:ListCustomLineItems", "billingconductor:ListPricingPlans", "billingconductor:ListPricingRules", "billingconductor:ListPricingRulesAssociatedToPricingPlan", "billingconductor:ListTagsForResource", "budgets:DescribeBudgetAction", "budgets:DescribeBudgetActionsForAccount", "budgets:DescribeBudgetActionsForBudget", "budgets:ViewBudget", "cassandra:Select", "ce:GetAnomalyMonitors", "ce:GetAnomalySubscriptions", "cloud9:DescribeEnvironmentMemberships", "cloud9:DescribeEnvironments", "cloud9:ListEnvironments", "cloud9:ListTagsForResource", "cloudformation:DescribeType", "cloudformation:GetResource", "cloudformation:ListResources", "cloudformation:ListStackResources", "cloudformation:ListStacks", "cloudformation:ListTypes", "cloudfront:ListDistributions", "cloudfront:ListTagsForResource", "cloudtrail:DescribeTrails", "cloudtrail:GetEventDataStore", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudtrail:ListEventDataStores", "cloudtrail:ListTags", "cloudwatch:DescribeAlarms", "cloudwatch:DescribeAnomalyDetectors", "cloudwatch:GetDashboard", "cloudwatch:GetMetricStream", "cloudwatch:ListDashboards", "cloudwatch:ListMetricStreams", 
"codedeploy:GetDeploymentConfig", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codepipeline:GetPipeline", "codepipeline:GetPipelineState", "codepipeline:ListPipelines", "config:BatchGet*", "config:Describe*", "config:Get*", "config:List*", "config:Put*", "config:Select*", "connect:DescribePhoneNumber", "connect:ListPhoneNumbers", "connect:ListPhoneNumbersV2", "connect:SearchAvailablePhoneNumbers", "databrew:DescribeDataset", "databrew:DescribeJob", "databrew:DescribeProject", "databrew:DescribeRecipe", "databrew:DescribeRuleset", "databrew:DescribeSchedule", "databrew:ListDatasets", "databrew:ListJobs", "databrew:ListProjects", "databrew:ListRecipes", "databrew:ListRecipeVersions", "databrew:ListRulesets", "databrew:ListSchedules", "datasync:DescribeAgent", "datasync:DescribeLocationEfs", "datasync:DescribeLocationFsxLustre", "datasync:DescribeLocationFsxWindows", "datasync:DescribeLocationHdfs", "datasync:DescribeLocationNfs", "datasync:DescribeLocationObjectStorage", "datasync:DescribeLocationS3", "datasync:DescribeLocationSmb", "datasync:DescribeTask", "datasync:ListAgents", "datasync:ListLocations", "datasync:ListTagsForResource", "datasync:ListTasks", "dax:DescribeClusters", "dax:DescribeParameterGroups", "dax:DescribeParameters", "dax:DescribeSubnetGroups", "dax:ListTags", "detective:ListGraphs", "detective:ListTagsForResource", "devicefarm:GetNetworkProfile", "devicefarm:GetProject", "devicefarm:GetTestGridProject", "devicefarm:ListNetworkProfiles", "devicefarm:ListTagsForResource", "devicefarm:ListTestGridProjects", "devops-guru:GetResourceCollection", "dms:DescribeCertificates", "dms:DescribeEndpoints", "dms:DescribeEventSubscriptions", "dms:DescribeReplicationInstances", "dms:DescribeReplicationSubnetGroups", "dms:DescribeReplicationTasks", "dms:ListTagsForResource", "ds:DescribeDirectories", "ds:ListTagsForResource", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeGlobalTable", 
"dynamodb:DescribeGlobalTableSettings", "dynamodb:DescribeLimits", "dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "ec2:Describe*", "ec2:DescribeClientVpnAuthorizationRules", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeDhcpOptions", "ec2:DescribeFleets", "ec2:DescribeNetworkAcls", "ec2:DescribePlacementGroups", "ec2:DescribeRouteTables", "ec2:DescribeSpotFleetRequests", "ec2:DescribeTrafficMirrorFilters", "ec2:DescribeTags", "ec2:DescribeTrafficMirrorSessions", "ec2:DescribeTrafficMirrorTargets", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:GetEbsEncryptionByDefault", "ec2:GetIpamPoolAllocations", "ec2:GetIpamPoolCidrs", "ec2:GetNetworkInsightsAccessScopeAnalysisFindings", "ec2:GetNetworkInsightsAccessScopeContent", "ecr-public:DescribeRepositories", "ecr-public:GetRepositoryCatalogData", "ecr-public:GetRepositoryPolicy", "ecr-public:ListTagsForResource", "ecr:BatchGetRepositoryScanningConfiguration", "ecr:DescribePullThroughCacheRules", "ecr:DescribeRegistry", "ecr:DescribeRepositories", "ecr:GetLifecyclePolicy", "ecr:GetRegistryPolicy", "ecr:GetRepositoryPolicy", "ecr:ListTagsForResource", "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTaskSets", "ecs:ListClusters", "ecs:ListServices", "ecs:ListTagsForResource", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "eks:DescribeAddon", "eks:DescribeCluster", "eks:DescribeFargateProfile", "eks:DescribeIdentityProviderConfig", "eks:DescribeNodegroup", "eks:ListAddons", "eks:ListClusters", "eks:ListFargateProfiles", "eks:ListIdentityProviderConfigs", "eks:ListNodegroups", "eks:ListTagsForResource", "elasticache:DescribeCacheClusters", "elasticache:DescribeCacheParameterGroups", "elasticache:DescribeCacheParameters", "elasticache:DescribeCacheSubnetGroups", "elasticache:DescribeReplicationGroups", "elasticache:DescribeSnapshots", "elasticache:ListTagsForResource", "elasticbeanstalk:DescribeConfigurationSettings", 
"elasticbeanstalk:DescribeEnvironments", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeBackupPolicy", "elasticfilesystem:DescribeFileSystemPolicy", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeLifecycleConfiguration", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticmapreduce:DescribeCluster", "elasticmapreduce:DescribeSecurityConfiguration", "elasticmapreduce:DescribeStep", "elasticmapreduce:DescribeStudio", "elasticmapreduce:GetBlockPublicAccessConfiguration", "elasticmapreduce:GetManagedScalingPolicy", "elasticmapreduce:GetStudioSessionMapping", "elasticmapreduce:ListClusters", "elasticmapreduce:ListInstanceFleets", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListInstances", "elasticmapreduce:ListSecurityConfigurations", "elasticmapreduce:ListSteps", "elasticmapreduce:ListStudios", "elasticmapreduce:ListStudioSessionMappings", "es:DescribeDomain", "es:DescribeDomains", "es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomains", "es:GetCompatibleElasticsearchVersions", "es:GetCompatibleVersions", "es:ListDomainNames", "es:ListTags", "events:DescribeApiDestination", "events:DescribeArchive", "events:DescribeConnection", "events:DescribeEndpoint", "events:DescribeEventBus", "events:DescribeRule", "events:ListApiDestinations", "events:ListArchives", "events:ListConnections", "events:ListEndpoints", "events:ListEventBuses", "events:ListRules", "events:ListTagsForResource", 
"events:ListTargetsByRule", "finspace:GetEnvironment", "finspace:ListEnvironments", "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams", "firehose:ListTagsForDeliveryStream", "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fms:GetNotificationChannel", "fms:GetPolicy", "fms:ListPolicies", "fms:ListTagsForResource", "frauddetector:GetDetectors", "frauddetector:GetDetectorVersion", "frauddetector:GetEntityTypes", "frauddetector:GetEventTypes", "frauddetector:GetExternalModels", "frauddetector:GetLabels", "frauddetector:GetModels", "frauddetector:GetOutcomes", "frauddetector:GetRules", "frauddetector:GetVariables", "frauddetector:ListTagsForResource", "fsx:DescribeBackups", "fsx:DescribeFileSystems", "fsx:DescribeSnapshots", "fsx:DescribeStorageVirtualMachines", "fsx:DescribeVolumes", "fsx:ListTagsForResource", "gamelift:DescribeAlias", "gamelift:DescribeBuild", "gamelift:DescribeFleetAttributes", "gamelift:DescribeFleetCapacity", "gamelift:DescribeFleetLocationAttributes", "gamelift:DescribeFleetLocationCapacity", "gamelift:DescribeFleetPortSettings", "gamelift:DescribeGameServerGroup", "gamelift:DescribeGameSessionQueues", "gamelift:DescribeMatchmakingConfigurations", "gamelift:DescribeMatchmakingRuleSets", "gamelift:DescribeRuntimeConfiguration", "gamelift:DescribeScript", "gamelift:DescribeVpcPeeringAuthorizations", "gamelift:DescribeVpcPeeringConnections", "gamelift:ListAliases", "gamelift:ListBuilds", "gamelift:ListFleets", "gamelift:ListGameServerGroups", "gamelift:ListScripts", "gamelift:ListTagsForResource", "geo:DescribeGeofenceCollection", "geo:DescribeMap", "geo:DescribePlaceIndex", "geo:DescribeRouteCalculator", "geo:DescribeTracker", "geo:ListGeofenceCollections", "geo:ListMaps", "geo:ListPlaceIndexes", "geo:ListRouteCalculators", "geo:ListTrackerConsumers", "geo:ListTrackers", "globalaccelerator:DescribeAccelerator", "globalaccelerator:DescribeEndpointGroup", "globalaccelerator:DescribeListener", 
"globalaccelerator:ListAccelerators", "globalaccelerator:ListEndpointGroups", "globalaccelerator:ListListeners", "globalaccelerator:ListTagsForResource", "glue:BatchGetDevEndpoints", "glue:BatchGetJobs", "glue:BatchGetWorkflows", "glue:GetClassifier", "glue:GetClassifiers", "glue:GetCrawler", "glue:GetCrawlers", "glue:GetDevEndpoint", "glue:GetDevEndpoints", "glue:GetJob", "glue:GetJobs", "glue:GetMLTransform", "glue:GetMLTransforms", "glue:GetSecurityConfiguration", "glue:GetSecurityConfigurations", "glue:GetTable", "glue:GetTags", "glue:GetWorkflow", "glue:ListCrawlers", "glue:ListDevEndpoints", "glue:ListJobs", "glue:ListMLTransforms", "glue:ListWorkflows", "guardduty:DescribePublishingDestination", "guardduty:GetDetector", "guardduty:GetFilter", "guardduty:GetFindings", "guardduty:GetIPSet", "guardduty:GetMasterAccount", "guardduty:GetMembers", "guardduty:GetThreatIntelSet", "guardduty:ListDetectors", "guardduty:ListFilters", "guardduty:ListFindings", "guardduty:ListIPSets", "guardduty:ListMembers", "guardduty:ListOrganizationAdminAccounts", "guardduty:ListPublishingDestinations", "guardduty:ListTagsForResource", "guardduty:ListThreatIntelSets", "healthlake:DescribeFHIRDatastore", "healthlake:ListFHIRDatastores", "healthlake:ListTagsForResource", "iam:GenerateCredentialReport", "iam:GetAccountAuthorizationDetails", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroupsForUser", "iam:ListInstanceProfilesForRole", "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListServerCertificates", "iam:ListUserPolicies", "iam:ListVirtualMFADevices", "imagebuilder:GetComponent", "imagebuilder:GetContainerRecipe", 
"imagebuilder:GetDistributionConfiguration", "imagebuilder:GetImage", "imagebuilder:GetImagePipeline", "imagebuilder:GetImageRecipe", "imagebuilder:GetInfrastructureConfiguration", "imagebuilder:ListComponentBuildVersions", "imagebuilder:ListComponents", "imagebuilder:ListContainerRecipes", "imagebuilder:ListDistributionConfigurations", "imagebuilder:ListImageBuildVersions", "imagebuilder:ListImagePipelines", "imagebuilder:ListImageRecipes", "imagebuilder:ListImages", "imagebuilder:ListInfrastructureConfigurations", "iot:DescribeAccountAuditConfiguration", "iot:DescribeAuthorizer", "iot:DescribeCertificate", "iot:DescribeCustomMetric", "iot:DescribeDimension", "iot:DescribeDomainConfiguration", "iot:DescribeMitigationAction", "iot:DescribeRoleAlias", "iot:DescribeScheduledAudit", "iot:DescribeSecurityProfile", "iot:GetPolicy", "iot:GetTopicRule", "iot:GetTopicRuleDestination", "iot:ListAuthorizers", "iot:ListCertificates", "iot:ListCustomMetrics", "iot:ListDimensions", "iot:ListDomainConfigurations", "iot:ListMitigationActions", "iot:ListPolicies", "iot:ListRoleAliases", "iot:ListScheduledAudits", "iot:ListSecurityProfiles", "iot:ListSecurityProfilesForTarget", "iot:ListTagsForResource", "iot:ListTargetsForSecurityProfile", "iot:ListTopicRuleDestinations", "iot:ListTopicRules", "iot:ListV2LoggingLevels", "iot:ValidateSecurityProfileBehaviors", "iotanalytics:DescribeChannel", "iotanalytics:DescribeDataset", "iotanalytics:DescribeDatastore", "iotanalytics:DescribePipeline", "iotanalytics:ListChannels", "iotanalytics:ListDatasets", "iotanalytics:ListDatastores", "iotanalytics:ListPipelines", "iotanalytics:ListTagsForResource", "iotevents:DescribeAlarmModel", "iotevents:DescribeDetectorModel", "iotevents:DescribeInput", "iotevents:ListAlarmModels", "iotevents:ListDetectorModels", "iotevents:ListInputs", "iotevents:ListTagsForResource", "iotsitewise:DescribeAccessPolicy", "iotsitewise:DescribeAsset", "iotsitewise:DescribeAssetModel", "iotsitewise:DescribeDashboard", 
"iotsitewise:DescribeGateway", "iotsitewise:DescribePortal", "iotsitewise:DescribeProject", "iotsitewise:ListAccessPolicies", "iotsitewise:ListAssetModels", "iotsitewise:ListAssets", "iotsitewise:ListDashboards", "iotsitewise:ListGateways", "iotsitewise:ListPortals", "iotsitewise:ListProjectAssets", "iotsitewise:ListProjects", "iotsitewise:ListTagsForResource", "iottwinmaker:GetEntity", "iottwinmaker:GetScene", "iottwinmaker:GetWorkspace", "iottwinmaker:ListEntities", "iottwinmaker:ListScenes", "iottwinmaker:ListTagsForResource", "iottwinmaker:ListWorkspaces", "iotwireless:GetServiceProfile", "iotwireless:GetWirelessDevice", "iotwireless:GetWirelessGatewayTaskDefinition", "iotwireless:ListServiceProfiles", "iotwireless:ListTagsForResource", "iotwireless:ListWirelessDevices", "iotwireless:ListWirelessGatewayTaskDefinitions", "ivs:GetChannel", "ivs:GetPlaybackKeyPair", "ivs:GetRecordingConfiguration", "ivs:GetStreamKey", "ivs:ListChannels", "ivs:ListPlaybackKeyPairs", "ivs:ListRecordingConfigurations", "ivs:ListStreamKeys", "ivs:ListTagsForResource", "kafka:DescribeCluster", "kafka:DescribeClusterV2", "kafka:ListClusters", "kafka:ListClustersV2", "kinesis:DescribeStreamConsumer", "kinesis:DescribeStreamSummary", "kinesis:ListStreamConsumers", "kinesis:ListStreams", "kinesis:ListTagsForStream", "kinesisanalytics:DescribeApplication", "kinesisanalytics:ListApplications", "kinesisanalytics:ListTagsForResource", "kinesisvideo:DescribeSignalingChannel", "kinesisvideo:DescribeStream", "kinesisvideo:ListSignalingChannels", "kinesisvideo:ListStreams", "kinesisvideo:ListTagsForResource", "kinesisvideo:ListTagsForStream", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ListKeys", "kms:ListResourceTags", "lakeformation:DescribeResource", "lakeformation:GetDataLakeSettings", "lakeformation:ListPermissions", "lakeformation:ListResources", "lambda:GetAlias", "lambda:GetFunction", "lambda:GetFunctionCodeSigningConfig", "lambda:GetPolicy", 
"lambda:ListAliases", "lambda:ListFunctions", "lambda:ListVersionsByFunction", "lex:DescribeBot", "lex:DescribeBotAlias", "lex:DescribeBotVersion", "lex:DescribeResourcePolicy", "lex:ListBotAliases", "lex:ListBotLocales", "lex:ListBots", "lex:ListBotVersions", "lex:ListTagsForResource", "license-manager:GetGrant", "license-manager:GetLicense", "license-manager:ListDistributedGrants", "license-manager:ListLicenses", "license-manager:ListReceivedGrants", "lightsail:GetAlarms", "lightsail:GetBuckets", "lightsail:GetCertificates", "lightsail:GetContainerServices", "lightsail:GetDisk", "lightsail:GetDisks", "lightsail:GetDistributions", "lightsail:GetInstance", "lightsail:GetInstances", "lightsail:GetKeyPair", "lightsail:GetLoadBalancer", "lightsail:GetLoadBalancers", "lightsail:GetLoadBalancerTlsCertificates", "lightsail:GetRelationalDatabase", "lightsail:GetRelationalDatabases", "lightsail:GetRelationalDatabaseParameters", "lightsail:GetStaticIp", "lightsail:GetStaticIps", "logs:DescribeLogGroups", "logs:GetLogDelivery", "logs:ListTagsLogGroup", "logs:ListLogDeliveries", "lookoutequipment:DescribeInferenceScheduler", "lookoutequipment:ListTagsForResource", "lookoutmetrics:DescribeAlert", "lookoutmetrics:DescribeAnomalyDetector", "lookoutmetrics:ListAlerts", "lookoutmetrics:ListAnomalyDetectors", "lookoutmetrics:ListMetricSets", "lookoutmetrics:ListTagsForResource", "lookoutvision:DescribeProject", "lookoutvision:ListProjects", "macie2:GetMacieSession", "managedblockchain:GetMember", "managedblockchain:GetNetwork", "managedblockchain:GetNode", "managedblockchain:ListInvitations", "managedblockchain:ListMembers", "managedblockchain:ListNodes", "mediapackage-vod:DescribePackagingConfiguration", "mediapackage-vod:DescribePackagingGroup", "mediapackage-vod:ListPackagingConfigurations", "mediapackage-vod:ListPackagingGroups", "mediapackage-vod:ListTagsForResource", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetApps", "mobiletargeting:GetCampaign", 
"mobiletargeting:GetInAppTemplate", "mobiletargeting:GetSegment", "mobiletargeting:GetSegments", "mobiletargeting:ListTemplates", "mobiletargeting:ListTagsForResource", "mq:DescribeBroker", "mq:ListBrokers", "network-firewall:DescribeLoggingConfiguration", "network-firewall:ListFirewalls", "networkmanager:DescribeGlobalNetworks", "networkmanager:GetTransitGatewayRegistrations", "networkmanager:ListTagsForResource", "nimble:GetLaunchProfile", "nimble:GetLaunchProfileDetails", "nimble:GetStreamingImage", "nimble:GetStudio", "nimble:GetStudioComponent", "nimble:ListLaunchProfiles", "nimble:ListStreamingImages", "nimble:ListStudioComponents", "nimble:ListStudios", "opsworks:DescribeInstances", "opsworks:DescribeLayers", "opsworks:DescribeTimeBasedAutoScaling", "opsworks:DescribeVolumes", "opsworks:ListTags", "organizations:DescribeOrganization", "organizations:DescribePolicy", "organizations:ListParents", "organizations:ListPolicies", "organizations:ListPoliciesForTarget", "panorama:DescribeApplicationInstance", "panorama:DescribeApplicationInstanceDetails", "panorama:DescribePackage", "panorama:DescribePackageVersion", "panorama:ListApplicationInstances", "panorama:ListPackages", "profile:GetDomain", "profile:GetIntegration", "profile:GetProfileObjectType", "profile:ListDomains", "profile:ListIntegrations", "profile:ListProfileObjectTypes", "profile:ListTagsForResource", "quicksight:DescribeAnalysis", "quicksight:DescribeAnalysisPermissions", "quicksight:DescribeDashboard", "quicksight:DescribeDashboardPermissions", "quicksight:DescribeDataSet", "quicksight:DescribeDataSetPermissions", "quicksight:DescribeDataSource", "quicksight:DescribeDataSourcePermissions", "quicksight:DescribeTemplate", "quicksight:DescribeTemplatePermissions", "quicksight:DescribeTheme", "quicksight:DescribeThemePermissions", "quicksight:ListAnalyses", "quicksight:ListDashboards", "quicksight:ListDataSets", "quicksight:ListDataSources", "quicksight:ListTemplates", 
"quicksight:ListTagsForResource", "quicksight:ListThemes", "ram:GetResourceShareAssociations", "ram:GetResourceShares", "ram:ListResources", "ram:ListResourceSharePermissions", "rds:DescribeDBClusterParameterGroups", "rds:DescribeDBClusterParameters", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBProxies", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", "rds:DescribeEventSubscriptions", "rds:DescribeGlobalClusters", "rds:DescribeOptionGroups", "rds:ListTagsForResource", "redshift:DescribeClusterParameterGroups", "redshift:DescribeClusterParameters", "redshift:DescribeClusters", "redshift:DescribeClusterSecurityGroups", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", "redshift:DescribeEventSubscriptions", "redshift:DescribeLoggingStatus", "rekognition:DescribeStreamProcessor", "rekognition:ListStreamProcessors", "rekognition:ListTagsForResource", "resiliencehub:DescribeApp", "resiliencehub:DescribeAppVersionTemplate", "resiliencehub:DescribeResiliencyPolicy", "resiliencehub:ListApps", "resiliencehub:ListAppVersionResourceMappings", "resiliencehub:ListResiliencyPolicies", "resource-groups:GetGroup", "resource-groups:GetGroupConfiguration", "resource-groups:GetGroupQuery", "resource-groups:GetTags", "resource-groups:ListGroupResources", "resource-groups:ListGroups", "robomaker:DescribeRobotApplication", "robomaker:DescribeSimulationApplication", "robomaker:ListRobotApplications", "robomaker:ListSimulationApplications", "route53-recovery-control-config:DescribeCluster", "route53-recovery-control-config:DescribeControlPanel", "route53-recovery-control-config:DescribeRoutingControl", "route53-recovery-control-config:DescribeSafetyRule", 
"route53-recovery-control-config:ListClusters", "route53-recovery-control-config:ListControlPanels", "route53-recovery-control-config:ListRoutingControls", "route53-recovery-control-config:ListSafetyRules", "route53-recovery-control-config:ListTagsForResource", "route53-recovery-readiness:GetCell", "route53-recovery-readiness:GetReadinessCheck", "route53-recovery-readiness:GetRecoveryGroup", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:ListCells", "route53-recovery-readiness:ListReadinessChecks", "route53-recovery-readiness:ListRecoveryGroups", "route53-recovery-readiness:ListResourceSets", "route53:GetHealthCheck", "route53:GetHostedZone", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListQueryLoggingConfigs", "route53:ListResourceRecordSets", "route53:ListTagsForResource", "route53resolver:GetFirewallDomainList", "route53resolver:GetFirewallRuleGroup", "route53resolver:GetFirewallRuleGroupAssociation", "route53resolver:GetResolverDnssecConfig", "route53resolver:GetResolverEndpoint", "route53resolver:GetResolverQueryLogConfig", "route53resolver:GetResolverQueryLogConfigAssociation", "route53resolver:GetResolverRule", "route53resolver:GetResolverRuleAssociation", "route53resolver:ListFirewallDomainLists", "route53resolver:ListFirewallDomains", "route53resolver:ListFirewallRuleGroupAssociations", "route53resolver:ListFirewallRuleGroups", "route53resolver:ListFirewallRules", "route53resolver:ListResolverDnssecConfigs", "route53resolver:ListResolverEndpointIpAddresses", "route53resolver:ListResolverEndpoints", "route53resolver:ListResolverQueryLogConfigAssociations", "route53resolver:ListResolverQueryLogConfigs", "route53resolver:ListResolverRuleAssociations", "route53resolver:ListResolverRules", "route53resolver:ListTagsForResource", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors", "rum:ListTagsForResource", "s3-outposts:GetAccessPoint", 
"s3-outposts:GetAccessPointPolicy", "s3-outposts:GetBucket", "s3-outposts:GetBucketPolicy", "s3-outposts:GetBucketTagging", "s3-outposts:GetLifecycleConfiguration", "s3-outposts:ListAccessPoints", "s3-outposts:ListEndpoints", "s3-outposts:ListRegionalBuckets", "s3:GetAccelerateConfiguration", "s3:GetAccessPoint", "s3:GetAccessPointForObjectLambda", "s3:GetAccessPointPolicy", "s3:GetAccessPointPolicyForObjectLambda", "s3:GetAccessPointPolicyStatusForObjectLambda", "s3:GetAccessPointPolicyStatus", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMultiRegionAccessPoint", "s3:GetReplicationConfiguration", "s3:GetStorageLensConfiguration", "s3:GetStorageLensConfigurationTagging", "s3:ListAccessPoints", "s3:ListAccessPointsForObjectLambda", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListMultiRegionAccessPoints", "s3:ListStorageLensConfigurations", "sagemaker:DescribeCodeRepository", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeMonitoringSchedule", "sagemaker:DescribeNotebookInstance", "sagemaker:DescribeNotebookInstanceLifecycleConfig", "sagemaker:DescribeWorkteam", "sagemaker:ListCodeRepositories", "sagemaker:ListEndpointConfigs", "sagemaker:ListEndpoints", "sagemaker:ListModels", "sagemaker:ListMonitoringSchedules", "sagemaker:ListNotebookInstanceLifecycleConfigs", "sagemaker:ListNotebookInstances", "sagemaker:ListTags", "sagemaker:ListWorkteams", "schemas:DescribeDiscoverer", "schemas:DescribeRegistry", "schemas:DescribeSchema", "schemas:GetResourcePolicy", "schemas:ListDiscoverers", "schemas:ListRegistries", "schemas:ListSchemas", 
"sdb:GetAttributes", "sdb:ListDomains", "secretsmanager:ListSecrets", "secretsmanager:ListSecretVersionIds", "securityhub:DescribeHub", "servicediscovery:GetInstance", "servicediscovery:GetNamespace", "servicediscovery:GetService", "servicediscovery:ListInstances", "servicediscovery:ListNamespaces", "servicediscovery:ListServices", "servicediscovery:ListTagsForResource", "ses:DescribeReceiptRule", "ses:DescribeReceiptRuleSet", "ses:GetConfigurationSet", "ses:GetConfigurationSetEventDestinations", "ses:GetContactList", "ses:GetEmailTemplate", "ses:GetTemplate", "ses:ListConfigurationSets", "ses:ListContactLists", "ses:ListEmailTemplates", "ses:ListReceiptFilters", "ses:ListReceiptRuleSets", "ses:ListTemplates", "shield:DescribeDRTAccess", "shield:DescribeProtection", "shield:DescribeSubscription", "signer:GetSigningProfile", "signer:ListProfilePermissions", "signer:ListSigningProfiles", "sns:GetSubscriptionAttributes", "sns:GetTopicAttributes", "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic", "sns:ListTagsForResource", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ListQueueTags", "ssm:DescribeAutomationExecutions", "ssm:DescribeDocument", "ssm:DescribeDocumentPermission", "ssm:GetAutomationExecution", "ssm:GetDocument", "ssm:ListDocuments", "sso:DescribeInstanceAccessControlAttributeConfiguration", "sso:DescribePermissionSet", "sso:GetInlinePolicyForPermissionSet", "sso:ListManagedPoliciesInPermissionSet", "sso:ListPermissionSets", "sso:ListTagsForResource", "states:DescribeActivity", "states:DescribeStateMachine", "states:ListActivities", "states:ListStateMachines", "states:ListTagsForResource", "storagegateway:ListGateways", "storagegateway:ListTagsForResource", "storagegateway:ListVolumes", "sts:GetCallerIdentity", "support:DescribeCases", "synthetics:DescribeCanaries", "synthetics:DescribeCanariesLastRun", "synthetics:DescribeRuntimeVersions", "synthetics:GetCanary", "synthetics:GetCanaryRuns", "synthetics:GetGroup", 
"synthetics:ListAssociatedGroups", "synthetics:ListGroupResources", "synthetics:ListGroups", "synthetics:ListTagsForResource", "tag:GetResources", "timestream:DescribeDatabase", "timestream:DescribeEndpoints", "timestream:DescribeTable", "timestream:ListDatabases", "timestream:ListTables", "timestream:ListTagsForResource", "transfer:DescribeConnector", "transfer:DescribeServer", "transfer:DescribeUser", "transfer:DescribeWorkflow", "transfer:ListConnectors", "transfer:ListServers", "transfer:ListUsers", "transfer:ListWorkflows", "transfer:ListTagsForResource", "voiceid:DescribeDomain", "voiceid:ListTagsForResource", "waf-regional:GetLoggingConfiguration", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource", "waf:GetLoggingConfiguration", "waf:GetWebACL", "wafv2:GetLoggingConfiguration", "wafv2:GetRuleGroup", "wafv2:ListRuleGroups", "wafv2:ListTagsForResource", "workspaces:DescribeConnectionAliases", "workspaces:DescribeTags", "workspaces:DescribeWorkspaces" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/config/*" }, { "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "arn:aws:logs:*:*:log-group:/aws/config/*:log-stream:config-rule-evaluation/*" } ] }

AWS managed policy: AWS_ConfigRole

To record your AWS resource configurations, AWS Config requires IAM permissions to get the configuration details about your resources. If you want to create an IAM role for AWS Config, you can use the managed policy AWS_ConfigRole and attach it to your IAM role.

This IAM policy is updated each time AWS Config adds support for an AWS resource type. This means that AWS Config will continue to have the required permissions to record configuration data of supported resource types as long as your IAM role has the AWS_ConfigRole managed policy attached. For more information, see Supported Resource Types and Permissions for the IAM Role Assigned to AWS Config.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "access-analyzer:GetAnalyzer", "access-analyzer:GetArchiveRule", "access-analyzer:ListAnalyzers", "access-analyzer:ListArchiveRules", "access-analyzer:ListTagsForResource", "account:GetAlternateContact", "acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:ListCertificateAuthorities", "acm-pca:ListTags", "acm:DescribeCertificate", "acm:ListCertificates", "acm:ListTagsForCertificate", "airflow:GetEnvironment", "airflow:ListEnvironments", "airflow:ListTagsForResource", "amplifyuibuilder:ExportThemes", "amplifyuibuilder:GetTheme", "amplifyuibuilder:ListThemes", "apigateway:GET", "appconfig:GetApplication", "appconfig:GetConfigurationProfile", "appconfig:GetDeployment", "appconfig:GetDeploymentStrategy", "appconfig:GetEnvironment", "appconfig:GetHostedConfigurationVersion", "appconfig:ListApplications", "appconfig:ListConfigurationProfiles", "appconfig:ListDeployments", "appconfig:ListDeploymentStrategies", "appconfig:ListEnvironments", "appconfig:ListHostedConfigurationVersions", "appconfig:ListTagsForResource", "appflow:DescribeConnectorProfiles", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies", "appstream:DescribeDirectoryConfigs", "appstream:ListTagsForResource", "appsync:GetApiCache", "appsync:GetGraphqlApi", "appsync:ListGraphqlApis", "APS:DescribeRuleGroupsNamespace", "APS:DescribeWorkspace", "APS:ListWorkspaces", "athena:GetDataCatalog", "athena:GetWorkGroup", "athena:ListDataCatalogs", "athena:ListTagsForResource", "athena:ListWorkGroups", "auditmanager:GetAssessment", "auditmanager:ListAssessments", "autoscaling-plans:DescribeScalingPlanResources", "autoscaling-plans:DescribeScalingPlans", "autoscaling-plans:GetScalingPlanResourceForecastData", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLifecycleHooks", "autoscaling:DescribePolicies", 
"autoscaling:DescribeScheduledActions", "autoscaling:DescribeTags", "autoscaling:DescribeWarmPool", "backup-gateway:ListTagsForResource", "backup-gateway:ListVirtualMachines", "backup:DescribeBackupVault", "backup:DescribeFramework", "backup:DescribeRecoveryPoint", "backup:DescribeReportPlan", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:GetBackupVaultAccessPolicy", "backup:GetBackupVaultNotifications", "backup:ListBackupPlans", "backup:ListBackupSelections", "backup:ListBackupVaults", "backup:ListFrameworks", "backup:ListRecoveryPointsByBackupVault", "backup:ListReportPlans", "backup:ListTags", "batch:DescribeComputeEnvironments", "batch:DescribeJobQueues", "batch:ListTagsForResource", "billingconductor:ListAccountAssociations", "billingconductor:ListBillingGroups", "billingconductor:ListCustomLineItems", "billingconductor:ListPricingPlans", "billingconductor:ListPricingRules", "billingconductor:ListPricingRulesAssociatedToPricingPlan", "billingconductor:ListTagsForResource", "budgets:DescribeBudgetAction", "budgets:DescribeBudgetActionsForAccount", "budgets:DescribeBudgetActionsForBudget", "budgets:ViewBudget", "cassandra:Select", "ce:GetAnomalyMonitors", "ce:GetAnomalySubscriptions", "cloud9:DescribeEnvironmentMemberships", "cloud9:DescribeEnvironments", "cloud9:ListEnvironments", "cloud9:ListTagsForResource", "cloudformation:DescribeType", "cloudformation:GetResource", "cloudformation:ListResources", "cloudformation:ListTypes", "cloudfront:ListDistributions", "cloudformation:ListStackResources", "cloudformation:ListStacks", "cloudfront:ListTagsForResource", "cloudtrail:DescribeTrails", "cloudtrail:GetEventDataStore", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudtrail:ListEventDataStores", "cloudtrail:ListTags", "cloudwatch:DescribeAlarms", "cloudwatch:DescribeAnomalyDetectors", "cloudwatch:GetDashboard", "cloudwatch:GetMetricStream", "cloudwatch:ListDashboards", "cloudwatch:ListMetricStreams", 
"codedeploy:GetDeploymentConfig", "codeguru-reviewer:DescribeRepositoryAssociation", "codeguru-reviewer:ListRepositoryAssociations", "codepipeline:GetPipeline", "codepipeline:GetPipelineState", "codepipeline:ListPipelines", "config:BatchGet*", "config:Describe*", "config:Get*", "config:List*", "config:Put*", "config:Select*", "connect:DescribePhoneNumber", "connect:ListPhoneNumbers", "connect:ListPhoneNumbersV2", "connect:SearchAvailablePhoneNumbers", "databrew:DescribeDataset", "databrew:DescribeJob", "databrew:DescribeProject", "databrew:DescribeRecipe", "databrew:DescribeRuleset", "databrew:DescribeSchedule", "databrew:ListDatasets", "databrew:ListJobs", "databrew:ListProjects", "databrew:ListRecipes", "databrew:ListRecipeVersions", "databrew:ListRulesets", "databrew:ListSchedules", "datasync:DescribeAgent", "datasync:DescribeLocationEfs", "datasync:DescribeLocationFsxLustre", "datasync:DescribeLocationFsxWindows", "datasync:DescribeLocationHdfs", "datasync:DescribeLocationNfs", "datasync:DescribeLocationObjectStorage", "datasync:DescribeLocationS3", "datasync:DescribeLocationSmb", "datasync:DescribeTask", "datasync:ListAgents", "datasync:ListLocations", "datasync:ListTagsForResource", "datasync:ListTasks", "dax:DescribeClusters", "dax:DescribeParameterGroups", "dax:DescribeParameters", "dax:DescribeSubnetGroups", "dax:ListTags", "detective:ListGraphs", "detective:ListTagsForResource", "devicefarm:GetNetworkProfile", "devicefarm:GetProject", "devicefarm:GetTestGridProject", "devicefarm:ListNetworkProfiles", "devicefarm:ListTagsForResource", "devicefarm:ListTestGridProjects", "devops-guru:GetResourceCollection", "dms:DescribeCertificates", "dms:DescribeEndpoints", "dms:DescribeEventSubscriptions", "dms:DescribeReplicationInstances", "dms:DescribeReplicationSubnetGroups", "dms:DescribeReplicationTasks", "dms:ListTagsForResource", "ds:DescribeDirectories", "ds:ListTagsForResource", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeGlobalTable", 
"dynamodb:DescribeGlobalTableSettings", "dynamodb:DescribeLimits", "dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "ec2:Describe*", "ec2:DescribeClientVpnAuthorizationRules", "ec2:DescribeClientVpnEndpoints", "ec2:DescribeDhcpOptions", "ec2:DescribeFleets", "ec2:DescribeNetworkAcls", "ec2:DescribePlacementGroups", "ec2:DescribeRouteTables", "ec2:DescribeSpotFleetRequests", "ec2:DescribeTags", "ec2:DescribeTrafficMirrorSessions", "ec2:DescribeTrafficMirrorTargets", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumes", "ec2:GetEbsEncryptionByDefault", "ec2:GetIpamPoolAllocations", "ec2:GetIpamPoolCidrs", "ec2:GetNetworkInsightsAccessScopeAnalysisFindings", "ec2:GetNetworkInsightsAccessScopeContent", "ecr-public:DescribeRepositories", "ecr-public:GetRepositoryCatalogData", "ecr-public:GetRepositoryPolicy", "ecr-public:ListTagsForResource", "ecr:BatchGetRepositoryScanningConfiguration", "ecr:DescribePullThroughCacheRules", "ecr:DescribeRegistry", "ecr:DescribeRepositories", "ecr:GetLifecyclePolicy", "ecr:GetRegistryPolicy", "ecr:GetRepositoryPolicy", "ecr:ListTagsForResource", "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", "ecs:DescribeTaskSets", "ecs:ListClusters", "ecs:ListServices", "ecs:ListTagsForResource", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "eks:DescribeAddon", "eks:DescribeCluster", "eks:DescribeFargateProfile", "eks:DescribeIdentityProviderConfig", "eks:DescribeNodegroup", "eks:ListAddons", "eks:ListClusters", "eks:ListFargateProfiles", "eks:ListIdentityProviderConfigs", "eks:ListNodegroups", "eks:ListTagsForResource", "elasticache:DescribeCacheClusters", "elasticache:DescribeCacheParameterGroups", "elasticache:DescribeCacheParameters", "elasticache:DescribeCacheSubnetGroups", "elasticache:DescribeReplicationGroups", "elasticache:DescribeSnapshots", "elasticache:ListTagsForResource", "elasticbeanstalk:DescribeConfigurationSettings", "elasticbeanstalk:DescribeEnvironments", 
"elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeBackupPolicy", "elasticfilesystem:DescribeFileSystemPolicy", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeLifecycleConfiguration", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticmapreduce:DescribeCluster", "elasticmapreduce:DescribeSecurityConfiguration", "elasticmapreduce:DescribeStep", "elasticmapreduce:DescribeStudio", "elasticmapreduce:GetBlockPublicAccessConfiguration", "elasticmapreduce:GetManagedScalingPolicy", "elasticmapreduce:GetStudioSessionMapping", "elasticmapreduce:ListClusters", "elasticmapreduce:ListInstanceFleets", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListInstances", "elasticmapreduce:ListSecurityConfigurations", "elasticmapreduce:ListSteps", "elasticmapreduce:ListStudios", "elasticmapreduce:ListStudioSessionMappings", "es:DescribeDomain", "es:DescribeDomains", "es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomains", "es:GetCompatibleElasticsearchVersions", "es:GetCompatibleVersions", "es:ListDomainNames", "es:ListTags", "events:DescribeApiDestination", "events:DescribeArchive", "events:DescribeConnection", "events:DescribeEndpoint", "events:DescribeEventBus", "events:DescribeRule", "events:ListApiDestinations", "events:ListArchives", "events:ListConnections", "events:ListEndpoints", "events:ListEventBuses", "events:ListRules", "events:ListTagsForResource", "events:ListTargetsByRule", "finspace:GetEnvironment", 
"finspace:ListEnvironments", "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams", "firehose:ListTagsForDeliveryStream", "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fms:GetNotificationChannel", "fms:GetPolicy", "fms:ListPolicies", "fms:ListTagsForResource", "frauddetector:GetDetectors", "frauddetector:GetDetectorVersion", "frauddetector:GetEntityTypes", "frauddetector:GetEventTypes", "frauddetector:GetExternalModels", "frauddetector:GetLabels", "frauddetector:GetModels", "frauddetector:GetOutcomes", "frauddetector:GetRules", "frauddetector:GetVariables", "frauddetector:ListTagsForResource", "fsx:DescribeBackups", "fsx:DescribeFileSystems", "fsx:DescribeSnapshots", "fsx:DescribeStorageVirtualMachines", "fsx:DescribeVolumes", "fsx:ListTagsForResource", "gamelift:DescribeAlias", "gamelift:DescribeBuild", "gamelift:DescribeFleetAttributes", "gamelift:DescribeFleetCapacity", "gamelift:DescribeFleetLocationAttributes", "gamelift:DescribeFleetLocationCapacity", "gamelift:DescribeFleetPortSettings", "gamelift:DescribeGameServerGroup", "gamelift:DescribeGameSessionQueues", "gamelift:DescribeMatchmakingConfigurations", "gamelift:DescribeMatchmakingRuleSets", "gamelift:DescribeRuntimeConfiguration", "gamelift:DescribeScript", "gamelift:DescribeVpcPeeringAuthorizations", "gamelift:DescribeVpcPeeringConnections", "gamelift:ListAliases", "gamelift:ListBuilds", "gamelift:ListFleets", "gamelift:ListGameServerGroups", "gamelift:ListScripts", "gamelift:ListTagsForResource", "geo:DescribeGeofenceCollection", "geo:DescribeMap", "geo:DescribePlaceIndex", "geo:DescribeRouteCalculator", "geo:DescribeTracker", "geo:ListGeofenceCollections", "geo:ListMaps", "geo:ListPlaceIndexes", "geo:ListRouteCalculators", "geo:ListTrackerConsumers", "geo:ListTrackers", "globalaccelerator:DescribeAccelerator", "globalaccelerator:DescribeEndpointGroup", "globalaccelerator:DescribeListener", "globalaccelerator:ListAccelerators", "globalaccelerator:ListEndpointGroups", 
"globalaccelerator:ListListeners", "globalaccelerator:ListTagsForResource", "glue:BatchGetDevEndpoints", "glue:BatchGetJobs", "glue:BatchGetWorkflows", "glue:GetClassifier", "glue:GetClassifiers", "glue:GetCrawler", "glue:GetCrawlers", "glue:GetDevEndpoint", "glue:GetDevEndpoints", "glue:GetJob", "glue:GetJobs", "glue:GetMLTransform", "glue:GetMLTransforms", "glue:GetSecurityConfiguration", "glue:GetSecurityConfigurations", "glue:GetTable", "glue:GetTags", "glue:GetWorkflow", "glue:ListCrawlers", "glue:ListDevEndpoints", "glue:ListJobs", "glue:ListMLTransforms", "glue:ListWorkflows", "guardduty:DescribePublishingDestination", "guardduty:GetDetector", "guardduty:GetFilter", "guardduty:GetFindings", "guardduty:GetIPSet", "guardduty:GetMasterAccount", "guardduty:GetMembers", "guardduty:GetThreatIntelSet", "guardduty:ListDetectors", "guardduty:ListFilters", "guardduty:ListFindings", "guardduty:ListIPSets", "guardduty:ListMembers", "guardduty:ListOrganizationAdminAccounts", "guardduty:ListPublishingDestinations", "guardduty:ListTagsForResource", "guardduty:ListThreatIntelSets", "healthlake:DescribeFHIRDatastore", "healthlake:ListFHIRDatastores", "healthlake:ListTagsForResource", "iam:GenerateCredentialReport", "iam:GetAccountAuthorizationDetails", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroupsForUser", "iam:ListInstanceProfilesForRole", "iam:ListPolicyVersions", "iam:ListRolePolicies", "iam:ListServerCertificates", "iam:ListUserPolicies", "iam:ListVirtualMFADevices", "imagebuilder:GetComponent", "imagebuilder:GetContainerRecipe", "imagebuilder:GetDistributionConfiguration", "imagebuilder:GetImage", 
"imagebuilder:GetImagePipeline", "imagebuilder:GetImageRecipe", "imagebuilder:GetInfrastructureConfiguration", "imagebuilder:ListComponentBuildVersions", "imagebuilder:ListComponents", "imagebuilder:ListContainerRecipes", "imagebuilder:ListDistributionConfigurations", "imagebuilder:ListImageBuildVersions", "imagebuilder:ListImagePipelines", "imagebuilder:ListImageRecipes", "imagebuilder:ListImages", "imagebuilder:ListInfrastructureConfigurations", "iot:DescribeAccountAuditConfiguration", "iot:DescribeAuthorizer", "iot:DescribeCertificate", "iot:DescribeCustomMetric", "iot:DescribeDimension", "iot:DescribeDomainConfiguration", "iot:DescribeMitigationAction", "iot:DescribeRoleAlias", "iot:DescribeScheduledAudit", "iot:DescribeSecurityProfile", "iot:GetPolicy", "iot:GetTopicRule", "iot:GetTopicRuleDestination", "iot:ListAuthorizers", "iot:ListCertificates", "iot:ListCustomMetrics", "iot:ListDimensions", "iot:ListDomainConfigurations", "iot:ListMitigationActions", "iot:ListPolicies", "iot:ListRoleAliases", "iot:ListScheduledAudits", "iot:ListSecurityProfiles", "iot:ListSecurityProfilesForTarget", "iot:ListTagsForResource", "iot:ListTargetsForSecurityProfile", "iot:ListTopicRuleDestinations", "iot:ListTopicRules", "iot:ListV2LoggingLevels", "iot:ValidateSecurityProfileBehaviors", "iotanalytics:DescribeChannel", "iotanalytics:DescribeDataset", "iotanalytics:DescribeDatastore", "iotanalytics:DescribePipeline", "iotanalytics:ListChannels", "iotanalytics:ListDatasets", "iotanalytics:ListDatastores", "iotanalytics:ListPipelines", "iotanalytics:ListTagsForResource", "iotevents:DescribeAlarmModel", "iotevents:DescribeDetectorModel", "iotevents:DescribeInput", "iotevents:ListAlarmModels", "iotevents:ListDetectorModels", "iotevents:ListInputs", "iotevents:ListTagsForResource", "iotsitewise:DescribeAccessPolicy", "iotsitewise:DescribeAsset", "iotsitewise:DescribeAssetModel", "iotsitewise:DescribeDashboard", "iotsitewise:DescribeGateway", "iotsitewise:DescribePortal", 
"iotsitewise:DescribeProject", "iotsitewise:ListAccessPolicies", "iotsitewise:ListAssetModels", "iotsitewise:ListAssets", "iotsitewise:ListDashboards", "iotsitewise:ListGateways", "iotsitewise:ListPortals", "iotsitewise:ListProjectAssets", "iotsitewise:ListProjects", "iotsitewise:ListTagsForResource", "iottwinmaker:GetEntity", "iottwinmaker:GetScene", "iottwinmaker:GetWorkspace", "iottwinmaker:ListEntities", "iottwinmaker:ListScenes", "iottwinmaker:ListTagsForResource", "iottwinmaker:ListWorkspaces", "iotwireless:GetServiceProfile", "iotwireless:GetWirelessDevice", "iotwireless:GetWirelessGatewayTaskDefinition", "iotwireless:ListServiceProfiles", "iotwireless:ListTagsForResource", "iotwireless:ListWirelessDevices", "iotwireless:ListWirelessGatewayTaskDefinitions", "ivs:GetChannel", "ivs:GetPlaybackKeyPair", "ivs:GetRecordingConfiguration", "ivs:GetStreamKey", "ivs:ListChannels", "ivs:ListPlaybackKeyPairs", "ivs:ListRecordingConfigurations", "ivs:ListStreamKeys", "ivs:ListTagsForResource", "kafka:DescribeCluster", "kafka:DescribeClusterV2", "kafka:ListClusters", "kafka:ListClustersV2", "kinesis:DescribeStreamConsumer", "kinesis:DescribeStreamSummary", "kinesis:ListStreamConsumers", "kinesis:ListStreams", "kinesis:ListTagsForStream", "kinesisanalytics:DescribeApplication", "kinesisanalytics:ListApplications", "kinesisanalytics:ListTagsForResource", "kinesisvideo:DescribeSignalingChannel", "kinesisvideo:DescribeStream", "kinesisvideo:ListSignalingChannels", "kinesisvideo:ListStreams", "kinesisvideo:ListTagsForResource", "kinesisvideo:ListTagsForStream", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ListKeys", "kms:ListResourceTags", "lakeformation:DescribeResource", "lakeformation:GetDataLakeSettings", "lakeformation:ListPermissions", "lakeformation:ListResources", "lambda:GetAlias", "lambda:GetFunction", "lambda:GetFunctionCodeSigningConfig", "lambda:GetPolicy", "lambda:ListAliases", "lambda:ListFunctions", 
"lambda:ListVersionsByFunction", "lex:DescribeBot", "lex:DescribeBotAlias", "lex:DescribeBotVersion", "lex:DescribeResourcePolicy", "lex:ListBotAliases", "lex:ListBotLocales", "lex:ListBots", "lex:ListBotVersions", "lex:ListTagsForResource", "license-manager:GetGrant", "license-manager:GetLicense", "license-manager:ListDistributedGrants", "license-manager:ListLicenses", "license-manager:ListReceivedGrants", "lightsail:GetAlarms", "lightsail:GetBuckets", "lightsail:GetCertificates", "lightsail:GetContainerServices", "lightsail:GetDisk", "lightsail:GetDisks", "lightsail:GetDistributions", "lightsail:GetInstance", "lightsail:GetInstances", "lightsail:GetKeyPair", "lightsail:GetLoadBalancer", "lightsail:GetLoadBalancers", "lightsail:GetLoadBalancerTlsCertificates", "lightsail:GetRelationalDatabase", "lightsail:GetRelationalDatabases", "lightsail:GetRelationalDatabaseParameters", "lightsail:GetStaticIp", "lightsail:GetStaticIps", "logs:DescribeLogGroups", "logs:GetLogDelivery", "logs:ListTagsLogGroup", "logs:ListLogDeliveries", "lookoutequipment:DescribeInferenceScheduler", "lookoutequipment:ListTagsForResource", "lookoutmetrics:DescribeAlert", "lookoutmetrics:DescribeAnomalyDetector", "lookoutmetrics:ListAlerts", "lookoutmetrics:ListAnomalyDetectors", "lookoutmetrics:ListMetricSets", "lookoutmetrics:ListTagsForResource", "lookoutvision:DescribeProject", "lookoutvision:ListProjects", "macie2:GetMacieSession", "managedblockchain:GetMember", "managedblockchain:GetNetwork", "managedblockchain:GetNode", "managedblockchain:ListInvitations", "managedblockchain:ListMembers", "managedblockchain:ListNodes", "mediapackage-vod:DescribePackagingConfiguration", "mediapackage-vod:DescribePackagingGroup", "mediapackage-vod:ListPackagingConfigurations", "mediapackage-vod:ListPackagingGroups", "mediapackage-vod:ListTagsForResource", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetApps", "mobiletargeting:GetCampaign", "mobiletargeting:GetInAppTemplate", 
"mobiletargeting:GetSegment", "mobiletargeting:GetSegments", "mobiletargeting:ListTemplates", "mobiletargeting:ListTagsForResource", "mq:DescribeBroker", "mq:ListBrokers", "network-firewall:DescribeLoggingConfiguration", "network-firewall:ListFirewalls", "networkmanager:DescribeGlobalNetworks", "networkmanager:GetTransitGatewayRegistrations", "networkmanager:ListTagsForResource", "nimble:GetLaunchProfile", "nimble:GetLaunchProfileDetails", "nimble:GetStreamingImage", "nimble:GetStudio", "nimble:GetStudioComponent", "nimble:ListLaunchProfiles", "nimble:ListStreamingImages", "nimble:ListStudioComponents", "nimble:ListStudios", "opsworks:DescribeInstances", "opsworks:DescribeLayers", "opsworks:DescribeTimeBasedAutoScaling", "opsworks:DescribeVolumes", "opsworks:ListTags", "organizations:DescribeOrganization", "organizations:DescribePolicy", "organizations:ListParents", "organizations:ListPolicies", "organizations:ListPoliciesForTarget", "panorama:DescribeApplicationInstance", "panorama:DescribeApplicationInstanceDetails", "panorama:DescribePackage", "panorama:DescribePackageVersion", "panorama:ListApplicationInstances", "panorama:ListPackages", "profile:GetDomain", "profile:GetIntegration", "profile:GetProfileObjectType", "profile:ListDomains", "profile:ListIntegrations", "profile:ListProfileObjectTypes", "profile:ListTagsForResource", "quicksight:DescribeAnalysis", "quicksight:DescribeAnalysisPermissions", "quicksight:DescribeDashboard", "quicksight:DescribeDashboardPermissions", "quicksight:DescribeDataSet", "quicksight:DescribeDataSetPermissions", "quicksight:DescribeDataSource", "quicksight:DescribeDataSourcePermissions", "quicksight:DescribeTemplate", "quicksight:DescribeTemplatePermissions", "quicksight:DescribeTheme", "quicksight:DescribeThemePermissions", "quicksight:ListAnalyses", "quicksight:ListDashboards", "quicksight:ListDataSets", "quicksight:ListDataSources", "quicksight:ListTemplates", "quicksight:ListTagsForResource", "quicksight:ListThemes", 
"ram:GetResourceShareAssociations", "ram:GetResourceShares", "ram:ListResources", "ram:ListResourceSharePermissions", "rds:DescribeDBClusterParameterGroups", "rds:DescribeDBClusterParameters", "rds:DescribeDBClusters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBProxies", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", "rds:DescribeDBSubnetGroups", "rds:DescribeEventSubscriptions", "rds:DescribeGlobalClusters", "rds:DescribeOptionGroups", "rds:ListTagsForResource", "redshift:DescribeClusterParameterGroups", "redshift:DescribeClusterParameters", "redshift:DescribeClusters", "redshift:DescribeClusterSecurityGroups", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusterSubnetGroups", "redshift:DescribeEventSubscriptions", "redshift:DescribeLoggingStatus", "rekognition:DescribeStreamProcessor", "rekognition:ListStreamProcessors", "rekognition:ListTagsForResource", "resiliencehub:DescribeApp", "resiliencehub:DescribeAppVersionTemplate", "resiliencehub:DescribeResiliencyPolicy", "resiliencehub:ListApps", "resiliencehub:ListAppVersionResourceMappings", "resiliencehub:ListResiliencyPolicies", "resource-groups:GetGroup", "resource-groups:GetGroupConfiguration", "resource-groups:GetGroupQuery", "resource-groups:GetTags", "resource-groups:ListGroupResources", "resource-groups:ListGroups", "robomaker:DescribeRobotApplication", "robomaker:DescribeSimulationApplication", "robomaker:ListRobotApplications", "robomaker:ListSimulationApplications", "route53-recovery-control-config:DescribeCluster", "route53-recovery-control-config:DescribeControlPanel", "route53-recovery-control-config:DescribeRoutingControl", "route53-recovery-control-config:DescribeSafetyRule", "route53-recovery-control-config:ListClusters", "route53-recovery-control-config:ListControlPanels", 
"route53-recovery-control-config:ListRoutingControls", "route53-recovery-control-config:ListSafetyRules", "route53-recovery-control-config:ListTagsForResource", "route53-recovery-readiness:GetCell", "route53-recovery-readiness:GetReadinessCheck", "route53-recovery-readiness:GetRecoveryGroup", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:ListCells", "route53-recovery-readiness:ListReadinessChecks", "route53-recovery-readiness:ListRecoveryGroups", "route53-recovery-readiness:ListResourceSets", "route53:GetHealthCheck", "route53:GetHostedZone", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListQueryLoggingConfigs", "route53:ListResourceRecordSets", "route53:ListTagsForResource", "route53resolver:GetFirewallDomainList", "route53resolver:GetFirewallRuleGroup", "route53resolver:GetFirewallRuleGroupAssociation", "route53resolver:GetResolverDnssecConfig", "route53resolver:GetResolverEndpoint", "route53resolver:GetResolverQueryLogConfig", "route53resolver:GetResolverQueryLogConfigAssociation", "route53resolver:GetResolverRule", "route53resolver:GetResolverRuleAssociation", "route53resolver:ListFirewallDomainLists", "route53resolver:ListFirewallDomains", "route53resolver:ListFirewallRuleGroupAssociations", "route53resolver:ListFirewallRuleGroups", "route53resolver:ListFirewallRules", "route53resolver:ListResolverDnssecConfigs", "route53resolver:ListResolverEndpointIpAddresses", "route53resolver:ListResolverEndpoints", "route53resolver:ListResolverQueryLogConfigAssociations", "route53resolver:ListResolverQueryLogConfigs", "route53resolver:ListResolverRuleAssociations", "route53resolver:ListResolverRules", "route53resolver:ListTagsForResource", "rum:GetAppMonitor", "rum:GetAppMonitorData", "rum:ListAppMonitors", "rum:ListTagsForResource", "s3-outposts:GetAccessPoint", "s3-outposts:GetAccessPointPolicy", "s3-outposts:GetBucket", "s3-outposts:GetBucketPolicy", "s3-outposts:GetBucketTagging", 
"s3-outposts:GetLifecycleConfiguration", "s3-outposts:ListAccessPoints", "s3-outposts:ListEndpoints", "s3-outposts:ListRegionalBuckets", "s3:GetAccelerateConfiguration", "s3:GetAccessPoint", "s3:GetAccessPointForObjectLambda", "s3:GetAccessPointPolicy", "s3:GetAccessPointPolicyForObjectLambda", "s3:GetAccessPointPolicyStatusForObjectLambda", "s3:GetAccessPointPolicyStatus", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMultiRegionAccessPoint", "s3:GetReplicationConfiguration", "s3:GetStorageLensConfiguration", "s3:GetStorageLensConfigurationTagging", "s3:ListAccessPoints", "s3:ListAccessPointsForObjectLambda", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListMultiRegionAccessPoints", "s3:ListStorageLensConfigurations", "sagemaker:DescribeCodeRepository", "sagemaker:DescribeEndpoint", "sagemaker:DescribeEndpointConfig", "sagemaker:DescribeModel", "sagemaker:DescribeMonitoringSchedule", "sagemaker:DescribeNotebookInstance", "sagemaker:DescribeNotebookInstanceLifecycleConfig", "sagemaker:DescribeWorkteam", "sagemaker:ListCodeRepositories", "sagemaker:ListEndpointConfigs", "sagemaker:ListEndpoints", "sagemaker:ListModels", "sagemaker:ListMonitoringSchedules", "sagemaker:ListNotebookInstanceLifecycleConfigs", "sagemaker:ListNotebookInstances", "sagemaker:ListTags", "sagemaker:ListWorkteams", "schemas:DescribeDiscoverer", "schemas:DescribeRegistry", "schemas:DescribeSchema", "schemas:GetResourcePolicy", "schemas:ListDiscoverers", "schemas:ListRegistries", "schemas:ListSchemas", "sdb:GetAttributes", "sdb:ListDomains", "secretsmanager:ListSecrets", "secretsmanager:ListSecretVersionIds", 
"securityhub:DescribeHub", "servicediscovery:GetInstance", "servicediscovery:GetNamespace", "servicediscovery:GetService", "servicediscovery:ListInstances", "servicediscovery:ListNamespaces", "servicediscovery:ListServices", "servicediscovery:ListTagsForResource", "ses:DescribeReceiptRule", "ses:DescribeReceiptRuleSet", "ses:GetConfigurationSet", "ses:GetConfigurationSetEventDestinations", "ses:GetContactList", "ses:GetEmailTemplate", "ses:GetTemplate", "ses:ListConfigurationSets", "ses:ListContactLists", "ses:ListEmailTemplates", "ses:ListReceiptFilters", "ses:ListReceiptRuleSets", "ses:ListTemplates", "shield:DescribeDRTAccess", "shield:DescribeProtection", "shield:DescribeSubscription", "signer:GetSigningProfile", "signer:ListProfilePermissions", "signer:ListSigningProfiles", "sns:GetSubscriptionAttributes", "sns:GetTopicAttributes", "sns:ListSubscriptions", "sns:ListSubscriptionsByTopic", "sns:ListTagsForResource", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ListQueueTags", "ssm:DescribeAutomationExecutions", "ssm:DescribeDocument", "ssm:DescribeDocumentPermission", "ssm:GetAutomationExecution", "ssm:GetDocument", "ssm:ListDocuments", "sso:DescribeInstanceAccessControlAttributeConfiguration", "sso:DescribePermissionSet", "sso:GetInlinePolicyForPermissionSet", "sso:ListManagedPoliciesInPermissionSet", "sso:ListPermissionSets", "sso:ListTagsForResource", "states:DescribeActivity", "states:DescribeStateMachine", "states:ListActivities", "states:ListStateMachines", "states:ListTagsForResource", "storagegateway:ListGateways", "storagegateway:ListTagsForResource", "storagegateway:ListVolumes", "sts:GetCallerIdentity", "support:DescribeCases", "synthetics:DescribeCanaries", "synthetics:DescribeCanariesLastRun", "synthetics:DescribeRuntimeVersions", "synthetics:GetCanary", "synthetics:GetCanaryRuns", "synthetics:GetGroup", "synthetics:ListAssociatedGroups", "synthetics:ListGroupResources", "synthetics:ListGroups", 
"synthetics:ListTagsForResource", "tag:GetResources", "timestream:DescribeDatabase", "timestream:DescribeEndpoints", "timestream:DescribeTable", "timestream:ListDatabases", "timestream:ListTables", "timestream:ListTagsForResource", "transfer:DescribeConnector", "transfer:DescribeServer", "transfer:DescribeUser", "transfer:DescribeWorkflow", "transfer:ListConnectors", "transfer:ListServers", "transfer:ListUsers", "transfer:ListWorkflows", "transfer:ListTagsForResource", "voiceid:DescribeDomain", "voiceid:ListTagsForResource", "waf-regional:GetLoggingConfiguration", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource", "waf:GetLoggingConfiguration", "waf:GetWebACL", "wafv2:GetLoggingConfiguration", "wafv2:GetRuleGroup", "wafv2:ListRuleGroups", "wafv2:ListTagsForResource", "workspaces:DescribeConnectionAliases", "workspaces:DescribeTags", "workspaces:DescribeWorkspaces" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/config/*" }, { "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "arn:aws:logs:*:*:log-group:/aws/config/*:log-stream:config-rule-evaluation/*" } ] }
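
A review aid for the AWS_ConfigRole policy above, added here as an example and not part of the AWS documentation: it lists the grants in a policy document whose verb is not read-style, and the grants that a newer version of the policy adds. The read-verb prefix list, the function names and the shortened policy excerpt are assumptions of this example.

```python
import copy
import json

# Verb prefixes this example treats as read-only. The list is an assumption made
# for illustration, not an AWS-published classification.
READ_PREFIXES = ("get", "list", "describe", "batchget", "select", "search", "view")

# Constructed excerpt: three statements shaped like the AWS_ConfigRole policy on
# this page, with the long first Action list cut down to a handful of its entries.
AWS_CONFIG_ROLE_EXCERPT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "cassandra:Select",
        "config:BatchGet*",
        "config:Put*",
        "ec2:Describe*",
        "iam:GenerateCredentialReport",
        "iam:GetAccountAuthorizationDetails",
        "s3:GetBucketPolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:CreateLogGroup"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/config/*"
    },
    {
      "Effect": "Allow",
      "Action": "logs:PutLogEvents",
      "Resource": "arn:aws:logs:*:*:log-group:/aws/config/*:log-stream:config-rule-evaluation/*"
    }
  ]
}
""")


def as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """True when the operation name starts with a read-style verb.

    IAM action names are case-insensitive, so the comparison is lower-cased.
    A bare wildcard such as "config:*" has no verb and is reported as not read-only.
    """
    _, _, name = action.partition(":")
    return name.lower().startswith(READ_PREFIXES)


def grants(policy):
    """Return the set of (action, resource, has_condition) from Allow statements."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    out = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope here
        for action in as_list(stmt["Action"]):
            for resource in as_list(stmt.get("Resource", "*")):
                out.add((action, resource, "Condition" in stmt))
    return out


def non_read_grants(policy):
    """Grants whose verb is not read-style, sorted, for manual review."""
    return sorted(g for g in grants(policy) if not is_read_only(g[0]))


def unscoped_non_read(policy):
    """Non-read actions granted on Resource "*" with no Condition block."""
    return [a for a, r, cond in non_read_grants(policy) if r == "*" and not cond]


def added_grants(old_policy, new_policy):
    """Grants present in the new policy version but not in the old one."""
    return sorted(grants(new_policy) - grants(old_policy))


if __name__ == "__main__":
    for action, resource, cond in non_read_grants(AWS_CONFIG_ROLE_EXCERPT):
        print(f"review: {action:32} on {resource} (condition: {cond})")
    # Constructed "newer version": the excerpt plus one more action from the page.
    newer = copy.deepcopy(AWS_CONFIG_ROLE_EXCERPT)
    newer["Statement"][0]["Action"].append("kms:DescribeKey")
    print("added:", added_grants(AWS_CONFIG_ROLE_EXCERPT, newer))
```

Run against the full policy document, the same functions surface entries such as `config:Put*` that are not read-only even though most of the first statement is.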

AWS managed policy: ConfigConformsServiceRolePolicy

To deploy and manage conformance packs, AWS Config requires IAM permissions and certain permissions from other AWS services. These allow you to deploy and manage conformance packs with full functionality and are updated each time AWS Config adds new functionality for conformance packs. For more information on conformance packs, see Conformance packs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule"
      ],
      "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/config-conforms.amazonaws.com*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:DescribeConfigRules"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "config:DescribeRemediationConfigurations",
        "config:DeleteRemediationConfiguration",
        "config:PutRemediationConfigurations"
      ],
      "Resource": "arn:aws:config:*:*:remediation-configuration/aws-service-remediation-configuration/config-conforms.amazonaws.com*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/config-conforms.amazonaws.com/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/remediation.config.amazonaws.com/AWSServiceRoleForConfigRemediation"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/remediation.config.amazonaws.com/AWSServiceRoleForConfigRemediation",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "remediation.config.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ssm.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeDocument",
        "ssm:GetDocument"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::awsconfigconforms*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:GetStackPolicy",
        "cloudformation:SetStackPolicy",
        "cloudformation:UpdateStack",
        "cloudformation:UpdateTerminationProtection",
        "cloudformation:ValidateTemplate",
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:*:stack/awsconfigconforms-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/Config"
        }
      }
    }
  ]
}
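When reviewing a policy like the one above, the statements worth a closer look are those with "Resource": "*": the check is whether a state-changing action on a wildcard resource is held back by a Condition key. The following is an added example, not AWS code; it embeds six statements copied from the policy above, and the read-only verb list and all function names are assumptions made for the illustration.

```python
import json

# Six statements copied verbatim from ConfigConformsServiceRolePolicy as shown
# above: its four "Resource": "*" statements plus two ARN-scoped ones.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["config:PutConfigRule", "config:DeleteConfigRule"],
     "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/config-conforms.amazonaws.com*"},
    {"Effect": "Allow",
     "Action": ["config:DescribeConfigRules"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}},
    {"Effect": "Allow",
     "Action": ["ssm:DescribeDocument", "ssm:GetDocument"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetBucketAcl"],
     "Resource": "arn:aws:s3:::awsconfigconforms*"},
    {"Effect": "Allow",
     "Action": ["cloudwatch:PutMetricData"],
     "Resource": "*",
     "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/Config"}}}
  ]
}
"""

# Assumption: action names starting with these verbs are read-only. This is a
# naming heuristic for triage, not an IAM access-level lookup.
READ_PREFIXES = ("Get", "List", "Describe")


def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def condition_keys(statement):
    """Return the sorted condition keys of a statement, e.g. ['iam:PassedToService']."""
    keys = set()
    for operands in statement.get("Condition", {}).values():
        keys.update(operands)
    return sorted(keys)


def classify(statement):
    """Label one Allow statement by resource scope and list its non-read actions."""
    actions = as_list(statement["Action"])
    resources = as_list(statement["Resource"])
    keys = condition_keys(statement)
    if "*" not in resources:
        scope = "arn-scoped"
    elif keys:
        scope = "wildcard-conditioned"
    else:
        scope = "wildcard-unconditioned"
    mutating = [a for a in actions
                if not a.split(":", 1)[-1].startswith(READ_PREFIXES)]
    return {"actions": actions, "scope": scope,
            "condition_keys": keys, "mutating": mutating}


def review(policy_text):
    """Classify every Allow statement of a policy document given as JSON text."""
    statements = json.loads(policy_text)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    return [classify(s) for s in statements if s.get("Effect") == "Allow"]


def unguarded_mutations(findings):
    """Non-read actions granted on '*' with no Condition at all."""
    return [a for f in findings if f["scope"] == "wildcard-unconditioned"
            for a in f["mutating"]]


def drop_condition(policy_text, index):
    """Constructed variant for comparison: the same policy with one Condition removed."""
    policy = json.loads(policy_text)
    policy["Statement"][index].pop("Condition", None)
    return json.dumps(policy)


if __name__ == "__main__":
    for finding in review(POLICY_JSON):
        print(finding["scope"], finding["actions"], finding["condition_keys"])
    print("unguarded:", unguarded_mutations(review(POLICY_JSON)))
    print("PassRole without its condition:",
          unguarded_mutations(review(drop_condition(POLICY_JSON, 2))))
```

In the policy as published, the only unconditioned wildcard statements are read-only calls; iam:PassRole and cloudwatch:PutMetricData depend entirely on their iam:PassedToService and cloudwatch:namespace conditions.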

AWS Config updates to AWS managed policies

View details about updates to AWS managed policies for AWS Config since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Config Document history page.

Change Description Date

AWSConfigServiceRolePolicy – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon AppStream 2.0, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Route 53 Application Recovery Controller, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.

February 1, 2023

AWS_ConfigRole – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries

This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon AppStream 2.0, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Route 53 Application Recovery Controller, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.

February 1, 2023

ConfigConformsServiceRolePolicy – Update config:DescribeConfigRules

As a security best practice, this policy now removes broad resource-level permission for config:DescribeConfigRules.

January 12, 2023

AWSConfigServiceRolePolicy – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource

This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon QuickSight, AWS Resource Access Manager, Amazon Route 53 Application Recovery Controller, Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.

December 15, 2022

AWS_ConfigRole – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource

This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon QuickSight, AWS Resource Access Manager, Amazon Route 53 Application Recovery Controller, Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.

December 15, 2022

AWSConfigServiceRolePolicy – Add cloudformation:ListStackResources and cloudformation:ListStacks

This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter.

November 7, 2022

AWS_ConfigRole – Add cloudformation:ListStackResources and cloudformation:ListStacks

This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter.

November 7, 2022

AWSConfigServiceRolePolicy – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, 
iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups

This policy now supports additional permissions for AWS Certificate Manager, Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Simulator, Amazon Fraud Detector, Amazon FSx, Amazon GameLift, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, AWS OpsWorks, AWS Panorama, AWS Resource Access Manager, Amazon QuickSight, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service.

October 19, 2022

AWS_ConfigRole – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, 
iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups

This policy now supports additional permissions for AWS Certificate Manager, Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Simulator, Amazon Fraud Detector, Amazon FSx, Amazon GameLift, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, AWS OpsWorks, AWS Panorama, AWS Resource Access Manager, Amazon QuickSight, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service.

October 19, 2022

AWSConfigServiceRolePolicy – Add glue:GetTable

This policy now grants permission to retrieve the AWS Glue Table definition in a Data Catalog for a specified table.

September 14, 2022

AWS_ConfigRole – Add glue:GetTable

This policy now grants permission to retrieve the AWS Glue Table definition in a Data Catalog for a specified table.

September 14, 2022

AWSConfigServiceRolePolicy – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, 
gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, 
ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, 
profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, 
ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource

This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift, Amazon Interactive Video Service (Amazon IVS), Amazon Kinesis Data Analytics, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon QuickSight, Amazon Route 53 Application Recovery Controller, Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.

September 7, 2022

AWS_ConfigRole – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, 
gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, 
ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, 
profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, 
signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource

This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift, Amazon Interactive Video Service (Amazon IVS), Amazon Kinesis Data Analytics, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble Studio, Amazon Pinpoint, Amazon QuickSight, Amazon Route 53 Application Recovery Controller, Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family.

September 7, 2022

AWSConfigServiceRolePolicy – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists

This policy now grants permission to return a list of AWS DataSync agents, DataSync source and destination locations, and DataSync tasks in an AWS account; list summary information about the AWS Cloud Map namespaces and services that are associated with one or more specified namespaces in an AWS account; and list all the Amazon Simple Email Service (Amazon SES) contact lists available in an AWS account.

August 22, 2022

AWS_ConfigRole – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists

This policy now grants permission to return a list of AWS DataSync agents, DataSync source and destination locations, and DataSync tasks in an AWS account; list summary information about the AWS Cloud Map namespaces and services that are associated with one or more specified namespaces in an AWS account; and list all the Amazon Simple Email Service (Amazon SES) contact lists available in an AWS account.

August 22, 2022

ConfigConformsServiceRolePolicy – Add cloudwatch:PutMetricData

This policy now grants permission to publish metric data points to Amazon CloudWatch.

July 25, 2022

AWSConfigServiceRolePolicy – Add amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor:ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder:GetComponent, imagebuilder:ListComponentBuildVersions, imagebuilder:ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListDistributionConfigurations,
imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet

This policy now supports additional permissions for Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Kinesis Data Analytics, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon QuickSight, Amazon Rekognition, AWS RoboMaker, Amazon Simple Storage Service (Amazon S3), Amazon Simple Email Service (Amazon SES), AWS Amplify, AWS AppConfig, AWS AppSync, AWS Billing Conductor, AWS DataSync, AWS Firewall Manager, AWS Glue, AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing.

July 15, 2022

AWS_ConfigRole – Add amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor:ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder:GetComponent, imagebuilder:ListComponentBuildVersions, imagebuilder:ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListDistributionConfigurations,
imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet

This policy now supports additional permissions for Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Kinesis Data Analytics, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon QuickSight, Amazon Rekognition, AWS RoboMaker, Amazon Simple Storage Service (Amazon S3), Amazon Simple Email Service (Amazon SES), AWS Amplify, AWS AppConfig, AWS AppSync, AWS Billing Conductor, AWS DataSync, AWS Firewall Manager, AWS Glue, AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing.

July 15, 2022

AWSConfigServiceRolePolicy – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags, glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource

This policy now grants permission to get a specified Amazon Athena data catalog, list the Athena data catalogs in an AWS account, and list tags associated with an Athena workgroup or data catalog resource; to get a list of Amazon Detective behavior graphs and list tags for a Detective behavior graph; get a list of resource metadata for a given list of AWS Glue development endpoint names, get information about a specified AWS Glue development endpoint, get all the AWS Glue development endpoints in an AWS account, retrieve a specified AWS Glue security configuration, get all AWS Glue security configurations, get a list of tags associated with an AWS Glue resource, get information about an AWS Glue workgroup with the specified name, retrieve the names of all AWS Glue crawler resources in an AWS account, get the names of all AWS Glue DevEndpoint resources in an AWS account, list the names of all AWS Glue job resources in an AWS account, get details about AWS Glue member accounts, list names of AWS Glue workflows created in an account, and list available AWS Glue workgroups for an account; to retrieve details about an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, get a list of GuardDuty filters, get the IPSets of the GuardDuty service, retrieve tags for the GuardDuty Service, and get the ThreatIntelSets of the GuardDuty service; to get the current status and configuration settings for an Amazon Macie account; to retrieve the resource and principal associations for AWS Resource Access Manager (AWS RAM) resource shares and retrieve details about AWS RAM resource shares; to get information about an Amazon Simple Email Service (Amazon SES) existing configuration set, get a list of event destinations that are associated with an Amazon SES configuration set, and list all of the configuration sets associated with an Amazon SES account; and to get a list of Identity Center directory attributes, get 
the details of an AWS IAM Identity Center (successor to AWS Single Sign-On) permission set, get the IAM managed policy that is attached to a specified IAM Identity Center permission set, get the permissions set for an IAM Identity Center instance, and get tags for IAM Identity Center resources.

May 31, 2022

AWS_ConfigRole – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags, glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource

This policy now grants permission to get a specified Amazon Athena data catalog, list the Athena data catalogs in an AWS account, and list tags associated with an Athena workgroup or data catalog resource; to get a list of Amazon Detective behavior graphs and list tags for a Detective behavior graph; get a list of resource metadata for a given list of AWS Glue development endpoint names, get information about a specified AWS Glue development endpoint, get all the AWS Glue development endpoints in an AWS account, retrieve a specified AWS Glue security configuration, get all AWS Glue security configurations, get a list of tags associated with an AWS Glue resource, get information about an AWS Glue workgroup with the specified name, retrieve the names of all AWS Glue crawler resources in an AWS account, get the names of all AWS Glue DevEndpoint resources in an AWS account, list the names of all AWS Glue job resources in an AWS account, get details about AWS Glue member accounts, list names of AWS Glue workflows created in an account, and list available AWS Glue workgroups for an account; to retrieve details about an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, get a list of GuardDuty filters, get the IPSets of the GuardDuty service, retrieve tags for the GuardDuty Service, and get the ThreatIntelSets of the GuardDuty service; to get the current status and configuration settings for an Amazon Macie account; to retrieve the resource and principal associations for AWS Resource Access Manager (AWS RAM) resource shares and retrieve details about AWS RAM resource shares; to get information about an Amazon Simple Email Service (Amazon SES) existing configuration set, get a list of event destinations that are associated with an Amazon SES configuration set, and list all of the configuration sets associated with an Amazon SES account; and to get a list of Identity Center directory attributes, get 
the details of an AWS IAM Identity Center (successor to AWS Single Sign-On) permission set, get the IAM managed policy that is attached to a specified IAM Identity Center permission set, get the permissions set for an IAM Identity Center instance, and get tags for IAM Identity Center resources.

May 31, 2022

AWSConfigServiceRolePolicy – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies

This policy now grants permission to get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of DynamoDB Accelerator (DAX) parameter groups or subnet groups, get information about AWS Database Migration Service (AWS DMS) replication tasks for your account in the current Region being accessed, and get a list of all policies of a specified type in AWS Organizations.

April 7, 2022

AWS_ConfigRole – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies

This policy now grants permission to get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of DynamoDB Accelerator (DAX) parameter groups or subnet groups, get information about AWS Database Migration Service (AWS DMS) replication tasks for your account in the current Region being accessed, and get a list of all policies of a specified type in AWS Organizations.

April 7, 2022

AWSConfigServiceRolePolicy – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces

This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, AWS Database Migration Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAFV2, and Amazon WorkSpaces.

March 14, 2022

AWS_ConfigRole – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces

This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, AWS Database Migration Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAFV2, and Amazon WorkSpaces.

March 14, 2022

AWSConfigServiceRolePolicy – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies

This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived AWS Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account.

February 10, 2022

AWS_ConfigRole – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies

This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived AWS Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account.

February 10, 2022

AWSConfigServiceRolePolicy – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent

This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams.

December 15, 2021

AWS_ConfigRole – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent

This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams.

December 15, 2021

AWSConfigServiceRolePolicy – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and elasticache:DescribeSnapshots

This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get details about Amazon ElastiCache snapshots.

September 8, 2021

AWS_ConfigRole – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and elasticache:DescribeSnapshots

This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get details about Amazon ElastiCache snapshots.

September 8, 2021

AWSConfigServiceRolePolicy – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types

This policy now grants permission to list tags for a log group, list tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. This policy also now supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Kinesis Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway.

July 28, 2021

AWS_ConfigRole – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types

This policy now grants permission to list tags for a log group, list tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. This policy also now supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Kinesis Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway.

July 28, 2021

AWSConfigServiceRolePolicy – Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types

This policy now grants permission to view the permissions of AWS Systems Manager documents and information about IAM Access Analyzer. This policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, AWS Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. This policy also now supports filtering Lambda@Edge functions for the lambda-inside-vpc AWS Config managed rule.

June 8, 2021

AWS_ConfigRole – Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types

This policy now grants permission to view the permissions of AWS Systems Manager documents and information about IAM Access Analyzer. This policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, AWS Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. This policy also now supports filtering Lambda@Edge functions for the lambda-inside-vpc AWS Config managed rule.

June 8, 2021

AWSConfigServiceRolePolicy – Add apigateway:GET permission to make read-only GET calls to API Gateway and s3:GetAccessPointPolicy permission and s3:GetAccessPointPolicyStatus permission to invoke Amazon S3 read-only APIs

This policy now grants permissions that allow AWS Config to make read-only GET calls to API Gateway to support an AWS Config Rule for API Gateway. The policy also adds permissions that allow AWS Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new AWS::S3::AccessPoint resource type.

May 10, 2021

AWS_ConfigRole – Add apigateway:GET permission to make read-only GET calls to API Gateway and s3:GetAccessPointPolicy permission and s3:GetAccessPointPolicyStatus permission to invoke Amazon S3 read-only APIs

This policy now grants permissions that allow AWS Config to make read-only GET calls to API Gateway to support an AWS Config Rule for API Gateway. The policy also adds permissions that allow AWS Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new AWS::S3::AccessPoint resource type.

May 10, 2021

AWSConfigServiceRolePolicy – Add ssm:ListDocuments permission and additional permissions for AWS resource types

This policy now grants permission to view information about specified AWS Systems Manager documents. This policy also now supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types.

April 1, 2021

AWS_ConfigRole – Add ssm:ListDocuments permission and additional permissions for AWS resource types

This policy now grants permission to view information about specified AWS Systems Manager documents. This policy also now supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types.

April 1, 2021

AWSConfigRole is deprecated

AWSConfigRole is deprecated. The replacement policy is AWS_ConfigRole.

April 1, 2021

AWS Config started tracking changes

AWS Config started tracking changes for its AWS managed policies.

April 1, 2021