IAM user role in AMS - AMS Advanced User Guide
MALZ: Default IAM User RolesSALZ: Default IAM User Role

IAM user role in AMS

An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and can't do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Currently there is one AMS default user role, Customer_ReadOnly_Role, for standard AMS accounts and an additional role, customer_managed_ad_user_role for AMS accounts with Managed Active Directory.

The role policies set permissions for CloudWatch and Amazon S3 log actions, AMS console access, read-only restrictions on most AWS services, restricted access to account S3 console, and AMS change-type access.

Additionally, the Customer_ReadOnly_Role has mutative, reserved-instances permissions that allow you to reserve instances. It has some cost-saving values, so, if you know that you're going to need a certain number of Amazon EC2 instances for a long period of time, you can call those APIs. To learn more, see Amazon EC2 Reserved Instances.

Note

The AMS service level objective (SLO) for creating custom IAM policies for IAM users is four business days, unless an existing policy is going to be reused. If you want to modify the existing IAM user role, or add a new one, submit an IAM: Update Entity or IAM: Create Entity RFC, respectively.

If you're unfamiliar with Amazon IAM roles, see IAM Roles for important information.

Multi-Account Landing Zone (MALZ): To see the AMS multi-account landing zone default, un-customized, user role policies, see MALZ: Default IAM User Roles, next.

MALZ: Default IAM User Roles

JSON policy statements for the default multi-account AMS multi-account landing zone user roles.

Note

The user roles are customizable and may differ on a per-account basis. Instructions on finding your role are provided.

These are examples of the default MALZ user roles. To make sure that you have the policies set that you need, run the AWS command get-role or sign in to the AWS Management -> IAM console and choose Roles in the navigation pane.

Core OU account roles

A core account is an MALZ-managed infrastructure account. AMS multi-account landing zone Core accounts include a management account and a networking account.

Core OU account: Common roles and policies
Role Policy or policies

AWSManagedServicesReadOnlyRole

ReadOnlyAccess (Public AWS Managed Policy).

AWSManagedServicesCaseRole

ReadOnlyAccess

AWSSupportAccess (Public AWS Managed Policy).

AWSManagedServicesChangeManagementRole (Core account version)

ReadOnlyAccess

AWSSupportAccess

AMSChangeManagementReadOnlyPolicy

AMSChangeManagementInfrastructurePolicy

Core OU account: Management account roles and policies
Role Policy or policies

AWSManagedServicesBillingRole

AMSBillingPolicy (AMSBillingPolicy).

AWSManagedServicesReadOnlyRole

ReadOnlyAccess (Public AWS Managed Policy).

AWSManagedServicesCaseRole

ReadOnlyAccess

AWSSupportAccess (Public AWS Managed Policy).

AWSManagedServicesChangeManagementRole (Management account version)

ReadOnlyAccess

AWSSupportAccess

AMSChangeManagementReadOnlyPolicy

AMSChangeManagementInfrastructurePolicy

AMSMasterAccountSpecificChangeManagementInfrastructurePolicy

Core OU Account: Networking account roles and policies
Role Policy or policies

AWSManagedServicesReadOnlyRole

ReadOnlyAccess (Public AWS Managed Policy).

AWSManagedServicesCaseRole

ReadOnlyAccess

AWSSupportAccess (Public AWS Managed Policy).

AWSManagedServicesChangeManagementRole (Networking account version)

ReadOnlyAccess

AWSSupportAccess

AMSChangeManagementReadOnlyPolicy

AMSChangeManagementInfrastructurePolicy

AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy

Application Account Roles

Application account roles are applied to your application-specific accounts.

Application account: Roles and policies
Role Policy or policies

AWSManagedServicesReadOnlyRole

ReadOnlyAccess (Public AWS Managed Policy).

AWSManagedServicesCaseRole

ReadOnlyAccess

AWSSupportAccess (Public AWS Managed Policy).

This policy provides access to all support operations and resources. For information, see Getting Started with AWS Support.

AWSManagedServicesSecurityOpsRole

ReadOnlyAccess

AWSSupportAccess Example

This policy provides access to all support operations and resources.

AWSCertificateManagerFullAccess information, (Public AWS Managed Policy)

AWSWAFFullAccess information, (Public AWS Managed policy). This policy grants full access to AWS WAF resources.

AMSSecretsManagerSharedPolicy

AWSManagedServicesChangeManagementRole (Application account version)

ReadOnlyAccess

AWSSupportAccess (Public AWS Managed Policy).

This policy provides access to all support operations and resources. For information, see Getting Started with AWS Support.

AMSSecretsManagerSharedPolicy

AMSChangeManagementPolicy

AMSReservedInstancesPolicy

AMSS3Policy

AWSManagedServicesAdminRole

ReadOnlyAccess

AWSSupportAccess

AMSChangeManagementInfrastructurePolicy

AWSMarketplaceManageSubscriptions

AMSSecretsManagerSharedPolicy

AMSChangeManagementPolicy

AWSCertificateManagerFullAccess

AWSWAFFullAccess

AMSS3Policy

AMSReservedInstancesPolicy

Policy Examples

Examples are provided for most policies used. To view the ReadOnlyAccess policy (which is pages long as it provides read-only access to all AWS services), you can use this link, if you have an active AWS account: ReadOnlyAccess. Also, a condensed version is included here.

AMSBillingPolicy

AMSBillingPolicy

The new Billing role can be used by your accounting department to view and change billing information or account settings in the Management account. To access information such as Alternate Contacts, view the account resources usage, or keep a tab of your billing or even modify your payment methods, you use this role. This new role comprises of all the permissions listed in the AWS Billing IAM actions web page. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "aws-portal:ViewBilling",
                "aws-portal:ModifyBilling"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToBilling"
        },
        {
            "Action": [
                "aws-portal:ViewAccount",
                "aws-portal:ModifyAccount"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToAccountSettings"
        },
        {
            "Action": [
                "budgets:ViewBudget",
                "budgets:ModifyBudget"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToAccountBudget"
        },
        {
            "Action": [
                "aws-portal:ViewPaymentMethods",
                "aws-portal:ModifyPaymentMethods"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPaymentMethods"
        },
        {
            "Action": [
                "aws-portal:ViewUsage"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToUsage"
        },
        {
            "Action": [
                "cur:DescribeReportDefinitions",
                "cur:PutReportDefinition",
                "cur:DeleteReportDefinition",
                "cur:ModifyReportDefinition"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToCostAndUsageReport"
        },
        {
            "Action": [
                "pricing:DescribeServices",
                "pricing:GetAttributeValues",
                "pricing:GetProducts"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPricing"
        },
        {
            "Action": [
                "ce:*",
                "compute-optimizer:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToCostExplorerComputeOptimizer"
        },
        {
            "Action": [
                "purchase-orders:ViewPurchaseOrders",
                "purchase-orders:ModifyPurchaseOrders"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToPurchaseOrders"
        },
        {
            "Action": [
                "redshift:AcceptReservedNodeExchange",
                "redshift:PurchaseReservedNodeOffering"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowAccessToRedshiftAction"
        },
        {
            "Action": "savingsplans:*",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AWSSavingsPlansFullAccess"
        }
    ]
}

AMSChangeManagementReadOnlyPolicy

AMSChangeManagementReadOnlyPolicy

Permissions to see all AMS change types, and the history of requested change types.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AMSCoreAccountsCMAndSKMSReadOnlyAccess",
		"Effect": "Allow",
		"Action": [
			"amscm:GetChangeTypeVersion",
			"amscm:GetRfc",
			"amscm:ListChangeTypeCategories",
			"amscm:ListChangeTypeClassificationSummaries",
			"amscm:ListChangeTypeItems",
			"amscm:ListChangeTypeOperations",
			"amscm:ListChangeTypeSubcategories",
			"amscm:ListChangeTypeVersionSummaries",
			"amscm:ListRestrictedExecutionTimes",
			"amscm:ListRfcSummaries",
			"amsskms:GetStack",
			"amsskms:GetSubnet",
			"amsskms:GetVpc",
			"amsskms:ListAmis",
			"amsskms:ListStackSummaries",
			"amsskms:ListSubnetSummaries",
			"amsskms:ListVpcSummaries"
		],
		"Resource": "*"
	}]
}

AMSMasterAccountSpecificChangeManagementInfrastructurePolicy

AMSMasterAccountSpecificChangeManagementInfrastructurePolicy

Permissions to request the Deployment | Managed landing zone | Management account | Create application account (with VPC) change type.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AMSMasterAccountAccess",
		"Effect": "Allow",
		"Action": [
			"amscm:ApproveRfc",
			"amscm:CancelRfc",
			"amscm:CreateRfc",
			"amscm:RejectRfc",
			"amscm:SubmitRfc",
			"amscm:UpdateRfc",
			"amscm:UpdateRfcActionState",
			"amscm:UpdateRestrictedExecutionTimes"
		],
		"Resource": [
			"arn:aws:amscm:global:*:changetype/ct-1zdasmc2ewzrs:*"
		]
	}]
}

AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy

AMSNetworkingAccountSpecificChangeManagementInfrastructurePolicy

Permissions to request the Deployment | Managed landing zone | Networking account | Create application route table change type.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AMSNetworkingAccountAccess",
		"Effect": "Allow",
		"Action": [
			"amscm:ApproveRfc",
			"amscm:CancelRfc",
			"amscm:CreateRfc",
			"amscm:RejectRfc",
			"amscm:SubmitRfc",
			"amscm:UpdateRfc",
			"amscm:UpdateRfcActionState",
			"amscm:UpdateRestrictedExecutionTimes"
		],
		"Resource": [
			"arn:aws:amscm:global:*:changetype/ct-1urj94c3hdfu5:*"
		]
	}]
}

AMSChangeManagementInfrastructurePolicy

AMSChangeManagementInfrastructurePolicy (for Management | Other | Other CTs)

Permissions to request the Management | Other | Other | Create, and Management | Other | Other | Update change types.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AMSCoreAccountsAccess",
		"Effect": "Allow",
		"Action": [
			"amscm:CancelRfc",
			"amscm:CreateRfc",
			"amscm:SubmitRfc",
			"amscm:UpdateRfc",
			"amscm:UpdateRfcActionState",
			"amscm:UpdateRestrictedExecutionTimes",
		],
		"Resource": [
			"arn:aws:amscm:global:*:changetype/ct-1e1xtak34nx76:*",
			"arn:aws:amscm:global:*:changetype/ct-0xdawir96cy7k:*",
		]
	}]
}

AMSSecretsManagerSharedPolicy

AMSSecretsManagerSharedPolicy

Permissions to view secret passwords/hashes shared by AMS through AWS Secrets manager (e.g. passwords to infrastructure for auditing).

Permissions to create secret password/hashes to share with AMS. (e.g. license keys for products that need to be deployed).

{
	"Version": "2012-10-17",
	"Statement": [{
			"Sid": "AllowAccessToSharedNameSpaces",
			"Effect": "Allow",
			"Action": "secretsmanager:*",
			"Resource": [
				"arn:aws:secretsmanager:*:*:secret:ams-shared/*",
				"arn:aws:secretsmanager:*:*:secret:customer-shared/*"
			]
		},
		{
			"Sid": "DenyGetSecretOnCustomerNamespace",
			"Effect": "Deny",
			"Action": "secretsmanager:GetSecretValue",
			"Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
		},
		{
			"Sid": "AllowReadAccessToAMSNameSpace",
			"Effect": "Deny",
			"NotAction": [
				"secretsmanager:Describe*",
				"secretsmanager:Get*",
				"secretsmanager:List*"
			],
			"Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
		}
	]
}

AMSChangeManagementPolicy

AMSChangeManagementPolicy

Permissions to request and view all AMS change types, and the history of requested change types.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AMSFullAccess",
		"Effect": "Allow",
		"Action": [
			"amscm:*",
			"amsskms:*"
		],
		"Resource": [
			"*"
		]
	}]
}

AMSReservedInstancesPolicy

AMSReservedInstancesPolicy

Permissions to manage EC2 reserved instances; for pricing information, see Amazon EC2 Reserved Instances.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Sid": "AllowReservedInstancesManagement",
		"Effect": "Allow",
		"Action": [
			"ec2:ModifyReservedInstances",
			"ec2:PurchaseReservedInstancesOffering"
		],
		"Resource": [
			"*"
		]
	}]
}

AMSS3Policy

AMSS3Policy

Permissions to create and delete files from existing S3 buckets.

Note

These permissions do not grant the ability to create S3 buckets; that must be done with the Deployment | Advanced stack components | S3 storage | Create change type.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"s3:AbortMultipartUpload",
			"s3:DeleteObject",
			"s3:PutObject",
		],
		"Resource": "*"
	}]
}

AWSSupportAccess

AWSSupportAccess

Full access to AWS Support. For information, see Getting Started with AWS Support. For Premium Support information, see AWS Support.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"support:*"
		],
		"Resource": "*"
	}]
}

AWSMarketplaceManageSubscriptions

AWSMarketplaceManageSubscriptions (Public AWS Managed Policy)

Permissions to subscribe, unsubscribe, and view AWS Marketplace subscriptions.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Action": [
			"aws-marketplace:ViewSubscriptions",
			"aws-marketplace:Subscribe",
			"aws-marketplace:Unsubscribe"
		],
		"Effect": "Allow",
		"Resource": "*"
	}]
}

AWSCertificateManagerFullAccess

AWSCertificateManagerFullAccess

Full access to AWS Certificate Manager. For Certificate Manager information, see AWS Certificate Manager.

AWSCertificateManagerFullAccess information, (Public AWS Managed Policy).

{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"acm:*"
		],
		"Resource": "*"
	}]
}

AWSWAFFullAccess

AWSWAFFullAccess

Full access to AWS Web Application Firewall (WAF). For WAF information, see AWS WAF - Web Application Firewall.

AWSWAFFullAccess information, (Public AWS Managed policy). This policy grants full access to AWS WAF resources.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Action": [
			"waf:*",
			"waf-regional:*",
			"elasticloadbalancing:SetWebACL"
		],
		"Effect": "Allow",
		"Resource": "*"
	}]
}

ReadOnlyAccess

ReadOnlyAccess (actions a-l only)

Read-only access to all AWS services and resources on the AWS console.

When AWS launches a new service, AMS updates the ReadOnlyAccess policy to add read-only permissions for the new service. The updated permissions are applied to all principal entities that the policy is attached to.

This doesn't grant the ability to log into EC2 hosts or database hosts.

{
	"Version": "2012-10-17",
	"Statement": [{
		"Action": [
			"aws-marketplace:ViewSubscriptions",
			"aws-marketplace:Subscribe",
			"aws-marketplace:Unsubscribe"
		],
		"Effect": "Allow",
		"Resource": "*"
	}]
}

Single-Account Landing Zone (SALZ): To see the AMS single-account landing zone default, uncustomized, user role policies, see SALZ: Default IAM User Role, next.

SALZ: Default IAM User Role

JSON policy statements for the default AMS single-account landing zone user role.

Note

The SALZ default user role is customizable and may differ on a per-account basis. Instructions on finding your role are provided.

This is an example of the default SALZ user role, but to make sure that you have the policies set for you, run the AWS command get-role or sign in to the AWS Management -> IAM console at https://console.aws.amazon.com/iam/. In the IAM console, in the navigation pane, choose Roles.

The customer read-only role is a combination of multiple policies. A breakdown of the role (JSON) follows.

Managed Services Audit Policy:

{"Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BasicConsoleAccess",
      "Effect": "Allow",
      "Action": [
        "aws-portal:View*",
        "ec2-reports:View*",
        "support:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AuditAccessToAWSServices",
      "Effect": "Allow",
      "Action": [
        "acm:Describe*",
        "acm:List*",
        "appstream:Get*",
        "autoscaling:Describe*",
        "cloudformation:Describe*",
        "cloudformation:Get*",
        "cloudformation:List*",
        "cloudformation:ValidateTemplate",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudsearch:Describe*",
        "cloudsearch:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codecommit:Get*",
        "codecommit:List*",
        "codedeploy:BatchGet*",
        "codedeploy:Get*",
        "codedeploy:List*",
        "codepipeline:Get*",
        "codepipeline:List*",
        "config:Describe*",
        "config:Get*",
        "datapipeline:Describe*",
        "datapipeline:EvaluateExpression",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ListPipelines",
        "datapipeline:ValidatePipelineDefinition",
        "directconnect:Describe*",
        "ds:Describe*",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ec2:Get*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "elastictranscoder:List*",
        "events:Describe*",
        "events:Get*",
        "events:List*",
        "guardduty:Get*",
        "guardduty:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "kms:List*",
        "lambda:Get*",
        "lambda:List*",
        "macie:Describe*",
        "macie:Get*",
        "macie:List*",
        "opsworks:Describe*",
        "opsworks:Get*",
        "rds:Describe*",
        "rds:Download*",
        "rds:List*",
        "redshift:Describe*",
        "redshift:View*",
        "route53:Get*",
        "route53:List*",
        "route53domains:CheckDomainAvailability",
        "route53domains:Get*",
        "route53domains:List*",
        "sdb:Get*",
        "sdb:List*",
        "ses:Get*",
        "ses:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:Get*",
        "sqs:List*",
        "ssm:ListCommands",
        "ssm:ListCommandInvocations",
        "storagegateway:Describe*",
        "storagegateway:List*",
        "swf:Count*",
        "swf:Describe*",
        "swf:Get*",
        "swf:List*",
        "tag:get*",
        "trustedadvisor:Describe*",
        "waf:Get*",
        "waf:List*",
        "waf-regional:Get*",
        "waf-regional:List*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AWSManagedServicesFullAccess",
      "Effect": "Allow",
      "Action": [
        "amscm:*",
        "amsskms:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Managed Services IAM ReadOnly Policy

{
  "Statement": [
    {
      "Action": [
        "iam:GenerateCredentialReport",
        "iam:GetAccountAuthorizationDetails",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetGroup",
        "iam:GetGroupPolicy",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:ListAccountAliases",
        "iam:ListAttachedRolePolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListGroupPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListMFADevices",
        "iam:ListPolicies",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:ListSAMLProviders",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Sid": "IAMReadOnlyAccess"
    },
    {
      "Action": [
        "iam:*"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:iam::*:group/mc-*",
        "arn:aws:iam::*:group/mc_*",
        "arn:aws:iam::*:policy/mc-*",
        "arn:aws:iam::*:policy/mc_*",
        "arn:aws:iam::*:role/mc-*",
        "arn:aws:iam::*:role/mc_*",
        "arn:aws:iam::*:role/Sentinel-*",
        "arn:aws:iam::*:role/Sentinel_*",
        "arn:aws:iam::*:user/mc-*",
        "arn:aws:iam::*:user/mc_*"
      ],
      "Sid": "DenyAccessToIamRolesStartingWithMC"
    }
  ],

Managed Services User Policy

"Version": "2012-10-17"
}
	{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCustomerToListTheLogBucketLogs",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "aws/*",
            "app/*",
            "encrypted",
            "encrypted/",
            "encrypted/app/*"
          ]
        }
      }
    },
    {
      "Sid": "BasicAccessRequiredByS3Console",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowCustomerToGetLogs",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/aws/*",
        "arn:aws:s3:::mc-a*-logs-*/encrypted/app/*"
      ]
    },
    {
      "Sid": "AllowAccessToOtherObjects",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject*",
        "s3:Get*",
        "s3:List*",
        "s3:PutObject*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowCustomerToListTheLogBucketRoot",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "/"
          ]
        }
      }
    },
    {
      "Sid": "AllowCustomerCWLConsole",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Sid": "AllowCustomerCWLAccessLogs",
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:GetLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/*",
        "arn:aws:logs:*:*:log-group:/infra/*",
        "arn:aws:logs:*:*:log-group:/app/*",
        "arn:aws:logs:*:*:log-group:RDSOSMetrics:*:*"
      ]
    },
    {
      "Sid": "AWSManagedServicesFullAccess",
      "Effect": "Allow",
      "Action": [
        "amscm:*",
        "amsskms:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ModifyAWSBillingPortal",
      "Effect": "Allow",
      "Action": [
        "aws-portal:Modify*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DenyDeleteCWL",
      "Effect": "Deny",
      "Action": [
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*"
      ]
    },
    {
      "Sid": "DenyMCCWL",
      "Effect": "Deny",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/mc/*"
      ]
    },
    {
      "Sid": "DenyS3MCNamespace",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/encrypted/mc/*",
        "arn:aws:s3:::mc-a*-logs-*/mc/*",
        "arn:aws:s3:::mc-a*-logs-*-audit/*",
        "arn:aws:s3:::mc-a*-internal-*/*",
        "arn:aws:s3:::mc-a*-internal-*"
      ]
    },
    {
      "Sid": "ExplicitDenyS3CfnBucket",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::cf-templates-*"
      ]
    },
    {
      "Sid": "DenyListBucketS3LogsMC",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "auditlog/*",
            "encrypted/mc/*",
            "mc/*"
          ]
        }
      }
    },
    {
      "Sid": "DenyS3LogsDelete",
      "Effect": "Deny",
      "Action": [
        "s3:Delete*",
        "s3:Put*"
      ],
      "Resource": [
        "arn:aws:s3:::mc-a*-logs-*/*"
      ]
    },
    {
      "Sid": "DenyAccessToKmsKeysStartingWithMC",
      "Effect": "Deny",
      "Action": [
        "kms:*"
      ],
      "Resource": [
        "arn:aws:kms::*:key/mc-*",
        "arn:aws:kms::*:alias/mc-*"
      ]
    },
    {
      "Sid": "DenyListingOfStacksStartingWithMC",
      "Effect": "Deny",
      "Action": [
        "cloudformation:*"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/mc-*"
      ]
    },
    {
      "Sid": "AllowCreateCWMetricsAndManageDashboards",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowCreateandDeleteCWDashboards",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DeleteDashboards",
        "cloudwatch:PutDashboard"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Customer Secrets Manager Shared Policy 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSecretsManagerListSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:listSecrets",
      "Resource": "*"
    },
    {
      "Sid": "AllowCustomerAdminAccessToSharedNameSpaces",
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Resource": [
        "arn:aws:secretsmanager:*:*:secret:ams-shared/*",
        "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
      ]
    },
   {
      "Sid": "DenyCustomerGetSecretCustomerNamespace",
      "Effect": "Deny",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:*:*:secret:customer-shared/*"
    },  
    {
      "Sid": "AllowCustomerReadOnlyAccessToAMSNameSpace",
      "Effect": "Deny",
      "NotAction": [
        "secretsmanager:Describe*",
        "secretsmanager:Get*",
        "secretsmanager:List*"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:ams-shared/*"
    }
  ]
}

Customer Marketplace Subscribe Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMarketPlaceSubscriptions",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}