AWS SAM lista de modelos de políticas - AWS Serverless Application Model
AcmGetCertificatePolicyAMIDescribePolicyAthenaQueryPolicyAWSSecretsManagerGetSecretValuePolicyAWSSecretsManagerRotationPolicyCloudFormationDescribeStacksPolicyCloudWatchDashboardPolicyCloudWatchDescribeAlarmHistoryPolicyCloudWatchPutMetricPolicyCodePipelineLambdaExecutionPolicyCodePipelineReadOnlyPolicyCodeCommitCrudPolicyCodeCommitReadPolicyComprehendBasicAccessPolicyCostExplorerReadOnlyPolicyDynamoDBBackupFullAccessPolicyDynamoDBCrudPolicyDynamoDBReadPolicyDynamoDBReconfigurePolicyDynamoDBRestoreFromBackupPolicyDynamoDBStreamReadPolicyDynamoDBWritePolicyEC2CopyImagePolicyEC2DescribePolicyEcsRunTaskPolicyEFSWriteAccessPolicyEKSDescribePolicyElasticMapReduceAddJobFlowStepsPolicyElasticMapReduceCancelStepsPolicyElasticMapReduceModifyInstanceFleetPolicyElasticMapReduceModifyInstanceGroupsPolicyElasticMapReduceSetTerminationProtectionPolicyElasticMapReduceTerminateJobFlowsPolicyElasticsearchHttpPostPolicyEventBridgePutEventsPolicyFilterLogEventsPolicyFirehoseCrudPolicyFirehoseWritePolicyKinesisCrudPolicyKinesisStreamReadPolicyKMSDecryptPolicyKMSEncryptPolicyLambdaInvokePolicyMobileAnalyticsWriteOnlyAccessPolicyOrganizationsListAccountsPolicyPinpointEndpointAccessPolicyPollyFullAccessPolicyRekognitionDetectOnlyPolicyRekognitionFacesManagementPolicyRekognitionFacesPolicyRekognitionLabelsPolicyRekognitionNoDataAccessPolicyRekognitionReadPolicyRekognitionWriteOnlyAccessPolicyRoute53ChangeResourceRecordSetsPolicyS3CrudPolicyS3FullAccessPolicyS3ReadPolicyS3WritePolicySageMakerCreateEndpointConfigPolicySageMakerCreateEndpointPolicyServerlessRepoReadWriteAccessPolicySESBulkTemplatedCrudPolicySESBulkTemplatedCrudPolicy_v2SESCrudPolicySESEmailTemplateCrudPolicySESSendBouncePolicySNSCrudPolicySNSPublishMessagePolicySQSPollerPolicySQSSendMessagePolicySSMParameterReadPolicySSMParameterWithSlashPrefixReadPolicyStepFunctionsExecutionPolicyTextractDetectAnalyzePolicyTextractGetResultPolicyTextractPolicyVPCAccessPolicy

As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.

AWS SAM lista de modelos de políticas

A seguir estão os modelos de política disponíveis, juntamente com as permissões que são aplicadas a cada um. AWS Serverless Application Model (AWS SAM) preenche automaticamente os itens de espaço reservado (como AWS região e ID da conta) com as informações apropriadas.

Tópicos

AcmGetCertificatePolicy

Dá permissão para ler um certificado de AWS Certificate Manager.

"Statement": [ { "Effect": "Allow", "Action": [ "acm:GetCertificate" ], "Resource": { "Fn::Sub": [ "${certificateArn}", { "certificateArn": { "Ref": "CertificateArn" } } ] } } ]

AMIDescribePolicy

Dá permissão para descrever Amazon Machine Images (AMIs).

"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeImages" ], "Resource": "*" } ]

AthenaQueryPolicy

Concede permissões para executar consultas do Athena.

"Statement": [ { "Effect": "Allow", "Action": [ "athena:ListWorkGroups", "athena:GetExecutionEngine", "athena:GetExecutionEngines", "athena:GetNamespace", "athena:GetCatalogs", "athena:GetNamespaces", "athena:GetTables", "athena:GetTable" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryResults", "athena:DeleteNamedQuery", "athena:GetNamedQuery", "athena:ListQueryExecutions", "athena:StopQueryExecution", "athena:GetQueryResultsStream", "athena:ListNamedQueries", "athena:CreateNamedQuery", "athena:GetQueryExecution", "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", "athena:GetWorkGroup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", { "workgroupName": { "Ref": "WorkGroupName" } } ] } } ]

AWSSecretsManagerGetSecretValuePolicy

Dá permissão para obter o valor secreto do AWS Secrets Manager segredo especificado.

"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": { "Fn::Sub": [ "${secretArn}", { "secretArn": { "Ref": "SecretArn" } } ] } } ]

AWSSecretsManagerRotationPolicy

Permite a entrada de um segredo no AWS Secrets Manager.

"Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" }, "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": { "Ref": "FunctionName" } } ] } } } }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" } ]

CloudFormationDescribeStacksPolicy

Dá permissão para descrever AWS CloudFormation pilhas.

"Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" } } ]

CloudWatchDashboardPolicy

Concede permissões para colocar métricas em operação em CloudWatch painéis.

"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:GetDashboard", "cloudwatch:ListDashboards", "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" ], "Resource": "*" } ]

CloudWatchDescribeAlarmHistoryPolicy

Permite descrever o histórico de CloudWatch alarmes da Amazon.

"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmHistory" ], "Resource": "*" } ]

CloudWatchPutMetricPolicy

Dá permissão para enviar métricas para CloudWatch o.

"Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*" } ]

CodePipelineLambdaExecutionPolicy

Permite que uma função Lambda invocada por relate AWS CodePipeline o status do trabalho.

"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" ], "Resource": "*" } ]

CodePipelineReadOnlyPolicy

Dá permissão de leitura para obter detalhes sobre um CodePipeline funil.

"Statement": [ { "Effect": "Allow", "Action": [ "codepipeline:ListPipelineExecutions" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": { "Ref": "PipelineName" } } ] } } ]

CodeCommitCrudPolicy

Concede permissões para criar, ler, atualizar e excluir objetos em um CodeCommit repositório específico.

"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GitPush", "codecommit:CreateBranch", "codecommit:DeleteBranch", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash", "codecommit:MergeBranchesByThreeWay", "codecommit:UpdateDefaultBranch", "codecommit:BatchDescribeMergeConflicts", "codecommit:CreateUnreferencedMergeCommit", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:CreatePullRequest", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:MergePullRequestByFastForward", "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay", "codecommit:PostCommentForPullRequest", "codecommit:UpdatePullRequestDescription", "codecommit:UpdatePullRequestStatus", "codecommit:UpdatePullRequestTitle", "codecommit:DeleteFile", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:PutFile", "codecommit:DeleteCommentContent", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:PostCommentForComparedCommit", "codecommit:PostCommentReply", "codecommit:UpdateComment", "codecommit:BatchGetCommits", "codecommit:CreateCommit", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:UpdateRepositoryDescription", "codecommit:ListTagsForResource", "codecommit:TagResource", "codecommit:UntagResource", "codecommit:GetRepositoryTriggers", "codecommit:PutRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]

CodeCommitReadPolicy

Concede permissões para ler objetos em um CodeCommit repositório específico.

"Statement": [ { "Effect": "Allow", "Action": [ "codecommit:GitPull", "codecommit:GetBranch", "codecommit:ListBranches", "codecommit:BatchDescribeMergeConflicts", "codecommit:DescribeMergeConflicts", "codecommit:GetMergeCommit", "codecommit:GetMergeOptions", "codecommit:BatchGetPullRequests", "codecommit:DescribePullRequestEvents", "codecommit:GetCommentsForPullRequest", "codecommit:GetCommitsFromMergeBase", "codecommit:GetMergeConflicts", "codecommit:GetPullRequest", "codecommit:ListPullRequests", "codecommit:GetBlob", "codecommit:GetFile", "codecommit:GetFolder", "codecommit:GetComment", "codecommit:GetCommentsForComparedCommit", "codecommit:BatchGetCommits", "codecommit:GetCommit", "codecommit:GetCommitHistory", "codecommit:GetDifferences", "codecommit:GetObjectIdentifier", "codecommit:GetReferences", "codecommit:GetTree", "codecommit:GetRepository", "codecommit:ListTagsForResource", "codecommit:GetRepositoryTriggers", "codecommit:TestRepositoryTriggers", "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetUploadArchiveStatus" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": { "Ref": "RepositoryName" } } ] } } ]

ComprehendBasicAccessPolicy

Concede permissão para a detecção de entidades, frases-chave, idiomas e sentimentos.

"Statement": [ { "Effect": "Allow", "Action": [ "comprehend:BatchDetectKeyPhrases", "comprehend:DetectDominantLanguage", "comprehend:DetectEntities", "comprehend:BatchDetectEntities", "comprehend:DetectKeyPhrases", "comprehend:DetectSentiment", "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" ], "Resource": "*" } ]

CostExplorerReadOnlyPolicy

Concede permissão somente de leitura para o histórico de faturamento somente para leitura (Cost AWS Cost Explorer Explorer)APIs.

"Statement": [ { "Effect": "Allow", "Action": [ "ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetReservationCoverage", "ce:GetReservationPurchaseRecommendation", "ce:GetReservationUtilization", "ce:GetTags" ], "Resource": "*" } ]

DynamoDBBackupFullAccessPolicy

Concede permissão de leitura e gravação aos backups do DynamoDB sob demanda para uma tabela.

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:DeleteBackup", "dynamodb:DescribeBackup", "dynamodb:ListBackups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } } ]

DynamoDBCrudPolicy

Concede permissões de criação, leitura, atualização e exclusão a uma tabela do Amazon DynamoDB.

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem", "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:ConditionCheckItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]

DynamoDBReadPolicy

Concede permissão somente leitura para uma tabela do DynamoDB.

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem", "dynamodb:DescribeTable" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]

DynamoDBReconfigurePolicy

Concede permissão para reconfigurar uma tabela do DynamoDB.

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:UpdateTable" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]

DynamoDBRestoreFromBackupPolicy

Concede permissão para restaurar uma tabela do DynamoDB do backup.

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:RestoreTableFromBackup" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": { "Ref": "TableName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWriteItem" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] } } ]

DynamoDBStreamReadPolicy

Concede permissão para descrever e ler streams e registros do DynamoDB.

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", { "tableName": { "Ref": "TableName" }, "streamName": { "Ref": "StreamName" } } ] } }, { "Effect": "Allow", "Action": [ "dynamodb:ListStreams" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", { "tableName": { "Ref": "TableName" } } ] } } ]

DynamoDBWritePolicy

Concede permissão somente gravação a uma tabela do DynamoDB.

"Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchWriteItem" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": { "Ref": "TableName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", { "tableName": { "Ref": "TableName" } } ] } ] } ]

EC2CopyImagePolicy

Permite copiar EC2 imagens da Amazon.

"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CopyImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": { "Ref": "ImageId" } } ] } } ]

EC2DescribePolicy

Dá permissão para descrever instâncias do Amazon Elastic Compute Cloud (AmazonEC2).

"Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeInstances" ], "Resource": "*" } ]

EcsRunTaskPolicy

Concede permissão para iniciar uma nova tarefa para uma definição de tarefa.

"Statement": [ { "Action": [ "ecs:RunTask" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${taskDefinition}", { "taskDefinition": { "Ref": "TaskDefinition" } } ] }, "Effect": "Allow" } ]

EFSWriteAccessPolicy

Permite montar um sistema de EFS arquivos da Amazon com acesso de gravação.

"Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${FileSystem}", { "FileSystem": { "Ref": "FileSystem" } } ] }, "Condition": { "StringEquals": { "elasticfilesystem:AccessPointArn": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:access-point/${AccessPoint}", { "AccessPoint": { "Ref": "AccessPoint" } } ] } } } } ]

EKSDescribePolicy

Permite descrever ou listar clusters do Amazon Elastic Kubernetes Service (Amazon). EKS

"Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ]

ElasticMapReduceAddJobFlowStepsPolicy

Concede permissão para adicionar novas etapas a um cluster em execução.

"Statement": [ { "Action": "elasticmapreduce:AddJobFlowSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]

ElasticMapReduceCancelStepsPolicy

Concede permissão para cancelar uma etapa ou etapas pendentes em um cluster em execução.

"Statement": [ { "Action": "elasticmapreduce:CancelSteps", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]

ElasticMapReduceModifyInstanceFleetPolicy

Concede permissão para listar detalhes e modificar capacidades para frotas de instâncias em um cluster.

"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceFleet", "elasticmapreduce:ListInstanceFleets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]

ElasticMapReduceModifyInstanceGroupsPolicy

Concede permissão para listar detalhes e modificar configurações para grupos de instâncias em um cluster.

"Statement": [ { "Action": [ "elasticmapreduce:ModifyInstanceGroups", "elasticmapreduce:ListInstanceGroups" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]

ElasticMapReduceSetTerminationProtectionPolicy

Concede permissão para definir a proteção contra encerramento para um cluster.

"Statement": [ { "Action": "elasticmapreduce:SetTerminationProtection", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]

ElasticMapReduceTerminateJobFlowsPolicy

Concede permissão para encerrar um cluster.

"Statement": [ { "Action": "elasticmapreduce:TerminateJobFlows", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:elasticmapreduce:${AWS::Region}:${AWS::AccountId}:cluster/${clusterId}", { "clusterId": { "Ref": "ClusterId" } } ] }, "Effect": "Allow" } ]

ElasticsearchHttpPostPolicy

Concede POST e PUT autoriza a Amazon OpenSearch Service.

"Statement": [ { "Effect": "Allow", "Action": [ "es:ESHttpPost", "es:ESHttpPut" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", { "domainName": { "Ref": "DomainName" } } ] } } ]

EventBridgePutEventsPolicy

Concede permissões para enviar eventos para a Amazon EventBridge.

"Statement": [ { "Effect": "Allow", "Action": "events:PutEvents", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBusName}", { "eventBusName": { "Ref": "EventBusName" } } ] } } ]

FilterLogEventsPolicy

Permite filtrar eventos de CloudWatch registros de um grupo de registros especificado.

"Statement": [ { "Effect": "Allow", "Action": [ "logs:FilterLogEvents" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", { "logGroupName": { "Ref": "LogGroupName" } } ] } } ]

FirehoseCrudPolicy

Permite criar, gravar, atualizar e excluir um stream de entrega do Firehose.

"Statement": [ { "Effect": "Allow", "Action": [ "firehose:CreateDeliveryStream", "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", "firehose:PutRecord", "firehose:PutRecordBatch", "firehose:UpdateDestination" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]

FirehoseWritePolicy

Dá permissão para gravar em um stream de entrega do Firehose.

"Statement": [ { "Effect": "Allow", "Action": [ "firehose:PutRecord", "firehose:PutRecordBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}", { "deliveryStreamName": { "Ref": "DeliveryStreamName" } } ] } } ]

KinesisCrudPolicy

Concede permissão para criar, publicar e excluir um Amazon Kinesis Stream.

"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:AddTagsToStream", "kinesis:CreateStream", "kinesis:DecreaseStreamRetentionPeriod", "kinesis:DeleteStream", "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetShardIterator", "kinesis:IncreaseStreamRetentionPeriod", "kinesis:ListTagsForStream", "kinesis:MergeShards", "kinesis:PutRecord", "kinesis:PutRecords", "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]

KinesisStreamReadPolicy

Concede permissão para listar e ler um Amazon Kinesis Stream.

"Statement": [ { "Effect": "Allow", "Action": [ "kinesis:ListStreams", "kinesis:DescribeLimits" ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" } }, { "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": { "Ref": "StreamName" } } ] } } ]

KMSDecryptPolicy

Dá permissão para descriptografar com uma chave AWS Key Management Service ()AWS KMS. Observe que keyId deve ser um ID de AWS KMS chave e não um alias de chave.

"Statement": [ { "Action": "kms:Decrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]

KMSEncryptPolicy

Dá permissão para criptografar com uma AWS KMS chave. Observe que keyId deve ser um ID de AWS KMS chave e não um alias de chave.

"Statement": [ { "Action": "kms:Encrypt", "Effect": "Allow", "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": { "Ref": "KeyId" } } ] } } ]

LambdaInvokePolicy

Permite invocar uma AWS Lambda função, alias ou versão.

"Statement": [ { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": { "Ref": "FunctionName" } } ] } } ]

MobileAnalyticsWriteOnlyAccessPolicy

Concede permissão somente gravação para colocar dados de eventos para todos os recursos de aplicativos.

"Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents" ], "Resource": "*" } ]

OrganizationsListAccountsPolicy

Concede permissão somente para leitura para listar nomes de contas infantis e. IDs

"Statement": [ { "Effect": "Allow", "Action": [ "organizations:ListAccounts" ], "Resource": "*" } ]

PinpointEndpointAccessPolicy

Concede permissão para obter e atualizar endpoints para um aplicativo Amazon Pinpoint.

"Statement": [ { "Effect": "Allow", "Action": [ "mobiletargeting:GetEndpoint", "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } } ] } } ]

PollyFullAccessPolicy

Concede permissão de acesso total aos recursos de léxico do Amazon Polly.

"Statement": [ { "Effect": "Allow", "Action": [ "polly:GetLexicon", "polly:DeleteLexicon" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": { "Ref": "LexiconName" } } ] } ] }, { "Effect": "Allow", "Action": [ "polly:DescribeVoices", "polly:ListLexicons", "polly:PutLexicon", "polly:SynthesizeSpeech" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } ] } ]

RekognitionDetectOnlyPolicy

Concede permissão para detectar faces, rótulos e texto.

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels", "rekognition:DetectText" ], "Resource": "*" } ]

RekognitionFacesManagementPolicy

Concede permissão para adicionar, excluir e pesquisar faces em uma coleção do Amazon Rekognition.

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:IndexFaces", "rekognition:DeleteFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage", "rekognition:ListFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]

RekognitionFacesPolicy

Concede permissão para comparar e detectar faces e rótulos.

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces" ], "Resource": "*" } ]

RekognitionLabelsPolicy

Concede permissão para detectar rótulos de objetos e moderação.

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": "*" } ]

RekognitionNoDataAccessPolicy

Concede permissão para comparar e detectar faces e rótulos.

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CompareFaces", "rekognition:DetectFaces", "rekognition:DetectLabels", "rekognition:DetectModerationLabels" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]

RekognitionReadPolicy

Concede permissão para listar e pesquisar faces.

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:ListCollections", "rekognition:ListFaces", "rekognition:SearchFaces", "rekognition:SearchFacesByImage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]

RekognitionWriteOnlyAccessPolicy

Concede permissão para criar faces de coleção e índice.

"Statement": [ { "Effect": "Allow", "Action": [ "rekognition:CreateCollection", "rekognition:IndexFaces" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": { "Ref": "CollectionId" } } ] } } ]

Route53ChangeResourceRecordSetsPolicy

Concede permissão para alterar conjuntos de registros de recursos no Route 53.

"Statement": [ { "Effect": "Allow", "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:route53:::hostedzone/${HostedZoneId}", { "HostedZoneId": { "Ref": "HostedZoneId" } } ] } } ]

S3CrudPolicy

Concede permissão de criação, leitura, atualização e exclusão para atuar nos objetos em um bucket do Amazon S3.

"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration", "s3:DeleteObject" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]

S3FullAccessPolicy

Concede permissão de acesso total para atuar nos objetos em um bucket do Amazon S3.

"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging", "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]

S3ReadPolicy

Concede permissão somente leitura para ler objetos em um bucket do Amazon Simple Storage Service (Amazon S3).

"Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]

S3WritePolicy

Concede permissão de gravação para gravar objetos em um bucket do Amazon S3.

"Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutLifecycleConfiguration" ], "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": { "Ref": "BucketName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": { "Ref": "BucketName" } } ] } ] } ]

SageMakerCreateEndpointConfigPolicy

Dá permissão para criar uma configuração de endpoint em SageMaker.

"Statement": [ { "Action": [ "sagemaker:CreateEndpointConfig" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint-config/${endpointConfigName}", { "endpointConfigName": { "Ref": "EndpointConfigName" } } ] }, "Effect": "Allow" } ]

SageMakerCreateEndpointPolicy

Dá permissão para criar um endpoint em SageMaker.

"Statement": [ { "Action": [ "sagemaker:CreateEndpoint" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:endpoint/${endpointName}", { "endpointName": { "Ref": "EndpointName" } } ] }, "Effect": "Allow" } ]

ServerlessRepoReadWriteAccessPolicy

Dá permissão para criar e listar aplicativos no serviço AWS Serverless Application Repository (AWS SAM).

"Statement": [ { "Effect": "Allow", "Action": [ "serverlessrepo:CreateApplication", "serverlessrepo:CreateApplicationVersion", "serverlessrepo:GetApplication", "serverlessrepo:ListApplications", "serverlessrepo:ListApplicationVersions" ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } ] } ]

SESBulkTemplatedCrudPolicy

Permite enviar SES e-mails, e-mails modelados e e-mails em massa modelados para a Amazon e para verificar a identidade.

nota

A ses:SendTemplatedEmail ação requer um modeloARN. Use SESBulkTemplatedCrudPolicy_v2 em vez disso.

"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]

SESBulkTemplatedCrudPolicy_v2

Permite enviar SES e-mails, e-mails modelados e e-mails em massa modelados para a Amazon e para verificar a identidade.

"Statement": [ { "Action": [ "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail" ], "Effect": "Allow", "Resource": [ { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] }, { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:template/${templateName}", { "templateName": { "Ref": "TemplateName" } } ] } ] }, { "Action": [ "ses:GetIdentityVerificationAttributes", "ses:VerifyEmailIdentity" ], "Effect": "Allow", "Resource": "*" } ]

SESCrudPolicy

Concede permissão para enviar e-mails e verificar identidades.

"Statement": [ { "Effect": "Allow", "Action": [ "ses:GetIdentityVerificationAttributes", "ses:SendEmail", "ses:SendRawEmail", "ses:VerifyEmailIdentity" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]

SESEmailTemplateCrudPolicy

Permite criar, obter, listar, atualizar e excluir modelos de SES e-mail da Amazon.

"Statement": [ { "Effect": "Allow", "Action": [ "ses:CreateTemplate", "ses:GetTemplate", "ses:ListTemplates", "ses:UpdateTemplate", "ses:DeleteTemplate", "ses:TestRenderTemplate" ], "Resource": "*" } ]

SESSendBouncePolicy

Concede SendBounce permissão a uma identidade do Amazon Simple Email Service (AmazonSES).

"Statement": [ { "Effect": "Allow", "Action": [ "ses:SendBounce" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": { "Ref": "IdentityName" } } ] } } ]

SNSCrudPolicy

Permite criar, publicar e assinar SNS tópicos da Amazon.

"Statement": [ { "Effect": "Allow", "Action": [ "sns:ListSubscriptionsByTopic", "sns:CreateTopic", "sns:SetTopicAttributes", "sns:Subscribe", "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": { "Ref": "TopicName" } } ] } } ]

SNSPublishMessagePolicy

Permite publicar uma mensagem em um tópico do Amazon Simple Notification Service (AmazonSNS).

"Statement": [ { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": { "Ref": "TopicName" } } ] } } ]

SQSPollerPolicy

Permite pesquisar uma fila do Amazon Simple Queue Service SQS (Amazon).

"Statement": [ { "Effect": "Allow", "Action": [ "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes", "sqs:ReceiveMessage" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]

SQSSendMessagePolicy

Permite enviar mensagens para uma SQS fila da Amazon.

"Statement": [ { "Effect": "Allow", "Action": [ "sqs:SendMessage*" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": { "Ref": "QueueName" } } ] } } ]

SSMParameterReadPolicy

Permite acessar um parâmetro de um repositório de parâmetros do Amazon EC2 Systems Manager (SSM) para carregar segredos nessa conta. Use quando o nome do parâmetro não tiver prefixo de barra.

nota

Se você não estiver usando a chave padrão, também precisará da política de KMSDecryptPolicy.

"Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", { "parameterName": { "Ref": "ParameterName" } } ] } } ]

SSMParameterWithSlashPrefixReadPolicy

Permite acessar um parâmetro de um repositório de parâmetros do Amazon EC2 Systems Manager (SSM) para carregar segredos nessa conta. Use quando o nome do parâmetro tiver prefixo de barra.

nota

Se você não estiver usando a chave padrão, também precisará da política de KMSDecryptPolicy.

"Statement": [ { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameters", "ssm:GetParameter", "ssm:GetParametersByPath" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${parameterName}", { "parameterName": { "Ref": "ParameterName" } } ] } } ]

StepFunctionsExecutionPolicy

Concede permissão para iniciar a execução de uma máquina de estado do Step Functions.

"Statement": [ { "Effect": "Allow", "Action": [ "states:StartExecution" ], "Resource": { "Fn::Sub": [ "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", { "stateMachineName": { "Ref": "StateMachineName" } } ] } } ]

TextractDetectAnalyzePolicy

Concede acesso para detectar e analisar documentos com Amazon Textract.

"Statement": [ { "Effect": "Allow", "Action": [ "textract:DetectDocumentText", "textract:StartDocumentTextDetection", "textract:StartDocumentAnalysis", "textract:AnalyzeDocument" ], "Resource": "*" } ]

TextractGetResultPolicy

Concede acesso para detectar e analisar documentos com o Amazon Textract.

"Statement": [ { "Effect": "Allow", "Action": [ "textract:GetDocumentTextDetection", "textract:GetDocumentAnalysis" ], "Resource": "*" } ]

TextractPolicy

Concede acesso total ao Amazon Textract.

"Statement": [ { "Effect": "Allow", "Action": [ "textract:*" ], "Resource": "*" } ]

VPCAccessPolicy

Concede acesso para criar, excluir, descrever e desanexar interfaces de rede elásticas.

"Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*" } ]