nOps requires safe, secure, AWS-approved cross-account access to your AWS accounts in order to give you the analysis, dashboards, and reports that you need. We see only what you choose to let us see in order to provide our services, nothing more, and we need your permission first.

For the AWS Payer/Management account, nOps uses the following policies:

  1. The AWS managed ReadOnlyAccess policy, which is maintained entirely by AWS and is updated periodically as AWS adds new services.

  2. Because the AWS managed ReadOnlyAccess policy includes read access to some sensitive data, nOps adds an explicit deny list, which you can easily adjust to your own security requirements (see the Explicit Deny section below).

  3. Lastly, a few other policies that are necessary to create the Cost and Usage Report for Cost Visibility and the Well-Architected Review, plus placeholders to support automating the setup of the nOps ShareSave program: CUR, S3, Well-Architected, EventBridge and Organizations.

For the AWS Linked accounts, nOps uses the following policies:

  1. The AWS managed ReadOnlyAccess policy, which is maintained entirely by AWS and is updated periodically as AWS adds new services.

  2. Because the AWS managed ReadOnlyAccess policy includes read access to some sensitive data, nOps adds an explicit deny list, which you can easily adjust to your own security requirements (see the Explicit Deny section below).

  3. Lastly, a few other policies that are necessary for the Well-Architected Review, plus placeholders to support automating the setup of the nOps ShareSave program: Well-Architected and EventBridge.
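The layering above (a broad AWS managed allow, an explicit deny list on top, a small extra allow) only works because IAM resolves an explicit Deny ahead of any Allow and matches actions by case-insensitive wildcard. The following script, an added example rather than nOps tooling, models that resolution so you can audit a modified deny list before attaching it. `READ_ONLY_STAND_IN` is a constructed, much-simplified stand-in for the real ReadOnlyAccess policy; `DENY_EXCERPT` and `PAYER_EXTRAS` are subsets of the policies shown on this page; Resource ARNs, NotAction and Condition blocks are out of scope.

```python
"""Resolve individual API actions against a layered IAM grant (AWS managed
ReadOnlyAccess plus an explicit deny list plus a small extra allow) and report
which sensitive actions the deny list still leaves reachable.

Added example, not nOps' own tooling. READ_ONLY_STAND_IN is a constructed,
simplified stand-in for the AWS managed ReadOnlyAccess policy. Only Effect and
Action on Resource "*" are modelled; NotAction, Resource ARNs and Condition
blocks are out of scope.
"""
import json
import re

# Constructed stand-in for AWS managed ReadOnlyAccess (the real policy is far longer).
READ_ONLY_STAND_IN = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "rds:Describe*", "s3:List*",
               "ssm:Describe*", "ssm:Get*", "secretsmanager:Get*"],
    "Resource": "*"
  }]
}""")

# Subset of the explicit deny list from this page, in the page's own structure.
DENY_EXCERPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["secretsmanager:*", "ssm:DescribeParameters*", "ssm:GetParameter*",
               "cognito-idp:*", "ec2:GetConsoleScreenshot", "s3-object-lambda:GetObject"],
    "Resource": "*"
  }]
}""")

# Subset of the page's extra Allow statement for the payer account.
PAYER_EXTRAS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cur:DescribeReportDefinitions", "cur:PutReportDefinition",
               "s3:HeadBucket", "s3:HeadObject", "wellarchitected:*"],
    "Resource": "*"
  }]
}""")

POLICIES = [READ_ONLY_STAND_IN, DENY_EXCERPT, PAYER_EXTRAS]


def action_matches(pattern: str, action: str) -> bool:
    """IAM Action matching: case-insensitive, '*' matches any run of characters
    (including across the service prefix), '?' matches exactly one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def evaluate(policies: list, action: str) -> str:
    """Resolve one action across all attached policies: an explicit Deny wins over
    every Allow, and no matching Allow at all is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt.get("Action", [])
            if isinstance(actions, str):      # "Action": "s3:*" is valid shorthand
                actions = [actions]
            if not any(action_matches(p, action) for p in actions):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                 # explicit deny short-circuits
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def still_allowed(policies: list, sensitive_actions: list) -> list:
    """Audit helper: which of the given sensitive actions does the deny list fail
    to cover? Run this before attaching an edited deny list."""
    return [a for a in sensitive_actions if evaluate(policies, a) == "Allow"]


if __name__ == "__main__":
    for a in ["ssm:GetParametersByPath", "secretsmanager:GetSecretValue",
              "ec2:DescribeInstances", "s3:HeadObject", "s3:GetObject"]:
        print(f"{a:32} -> {evaluate(POLICIES, a)}")
    print("still allowed:", still_allowed(
        POLICIES, ["ssm:GetParameter", "ec2:GetConsoleScreenshot", "rds:DescribeDBInstances"]))
```

Note that `ssm:GetParameter*` also covers `ssm:GetParameters` and `ssm:GetParametersByPath`, which is why the page's deny list uses the trailing wildcard; to check the real ReadOnlyAccess policy, replace the stand-in with the document fetched from IAM.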

Payer Account - IAM Policy JSON

Linked Account - IAM Policy JSON

What? Why? and How Much?

The following tables describe each permission within the IAM policy:

  • First column: Permission name.

  • Second column: What the permission does.

  • Third column: Why the permission is important for nOps.

  • Fourth column: What kind of access the permission gives to nOps.

CUR

| Permission | What | Why | Access (Full: Read, Limited: Write) |
|---|---|---|---|
| DescribeReportDefinitions | Lists the AWS Cost and Usage Reports available to this account. | Used for creating reports in billing bucket setup. | Read: All resources |
| PutReportDefinition | Creates a new report using the description that you provide. | Used for creating reports in billing bucket setup. | Write: All resources |

EventBridge

| Permission | What | Why | Access (Limited: Write) |
|---|---|---|---|
| CreateEventBus | Creates a new event bus within your account. | Allows nOps to create EventBridge integrations for automation. Required for the ShareSave program. | Write: All resources |

Organizations

| Permission | What | Why | Access (Limited: Write, Full: List, Read) |
|---|---|---|---|
| InviteAccountToOrganization | Sends an invitation to another AWS account, asking it to join your organization as a member account. | Required for onboarding child accounts via CloudFormation stack during Automatic Setup and the ShareSave program. | Write: All resources |

S3

| Permission | What | Why | Access (Limited: Read) |
|---|---|---|---|
| HeadBucket | Allows you to determine whether a bucket exists and whether you have permission to access it. | Allows nOps to check whether the bucket for the CUR already exists or whether one needs to be created. | Read |
| HeadObject | The HEAD action retrieves metadata from an object without returning the object itself. | Allows nOps to see only the metadata of a bucket without allowing nOps to see the bucket's contents. | Read |

Support

| Permission | What | Why | Access (Limited: Read) |
|---|---|---|---|
| DescribeTrustedAdvisorCheckRefreshStatuses | Returns the refresh status of the AWS Trusted Advisor checks that have the specified check IDs. | Not used anymore. | Read: All resources |
| DescribeTrustedAdvisorCheckResult | Returns the results of the AWS Trusted Advisor check that has the specified check ID. | Not used anymore. | Read: All resources |
| DescribeTrustedAdvisorChecks | Returns information about all available AWS Trusted Advisor checks, including the name, ID, category, description, and metadata. | Not used anymore. | Read: All resources |

Well-Architected

| Permission | What | Why | Access (Full access) |
|---|---|---|---|
| wellarchitected | Gives full access to Well-Architected. | nOps provides full functionality dedicated to Well-Architected compliance, and it requires full access to this service to manage cloud workloads. | Full access |

Explicit Deny

The following tables list, by service, the permissions that nOps explicitly denies:

ACM (AWS Certificate Manager)

| Action | What |
|---|---|
| acm-pca:Describe | Denies all Describe permissions in ACM-PCA. |
| acm-pca:Get | Denies all Get permissions in ACM-PCA. |
| acm-pca:List | Denies all List permissions in ACM-PCA. |
| acm:Describe | Denies all Describe permissions in ACM. |
| acm:Get | Denies all Get permissions in ACM. |
| acm:List | Denies all List permissions in ACM. |

API Gateway

| Action | What |
|---|---|
| GET | Denies all GET permissions for API Gateway. |

AppConfig

| Action | What |
|---|---|
| GetConfiguration | Denies the permission to view details about a configuration. |

AppFlow

| Action | What |
|---|---|
| DescribeConnector | Denies the permission to describe a connector registered in Amazon AppFlow. |
| ListConnector | Denies the permission to list connectors supported in Amazon AppFlow. |

AppStream

| Action | What |
|---|---|
| DescribeDirectoryConfigs | Denies the permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0. |
| DescribeUsers | Denies the permission to retrieve a list that describes one or more specified users in the user pool. |
| DescribeSessions | Denies the permission to retrieve a list that describes the streaming sessions for a specified stack and fleet. |

AppSync

| Action | What |
|---|---|
| Get | Denies the permission to read resources in this service. |
| List | Denies the permission to list resources in this service. |

Athena

| Action | What |
|---|---|
| Get | Denies the permission to read resources in this service. |
| List | Denies the permission to list resources in this service. |

Backup

| Action | What |
|---|---|
| GetBackupVaultAccessPolicy | Denies the permission to get a backup vault access policy. |

Cassandra (Keyspaces)

| Action | What |
|---|---|
| Select | Denies the permission to SELECT data from a table. |

Chime

| Action | What |
|---|---|
| Describe | Denies the permission to read resources in this service. |
| Get | Denies the permission to read resources in this service. |
| List | Denies the permission to list resources in this service. |

Cloud9

| Action | What |
|---|---|
| Describe | Denies the permission to read resources in this service. |
| Get | Denies the permission to read resources in this service. |
| List | Denies the permission to list resources in this service. |

Cloud Directory

| Action | What |
|---|---|
| Get | Denies the permission to read resources in this service. |
| List | Denies the permission to list resources in this service. |

CloudFront

| Action | What |
|---|---|
| GetCloudFrontOriginAccessIdentity | Denies the permission to get information about a CloudFront origin access identity. |
| GetFieldLevelEncryption | Denies the permission to get the field-level encryption configuration information. |
| GetKeyGroupConfig | Denies the permission to get a key group configuration. |

CloudWatch

| Action | What |
|---|---|
| GetMetricData | Denies the permission to retrieve batch amounts of CloudWatch metric data and perform metric math on the retrieved data. |
| GetMetricStream | Denies the permission to return the details of a CloudWatch metric stream. |
| ListMetricStreams | Denies the permission to return a list of all CloudWatch metric streams in your account. |

CodeArtifact

| Action | What |
|---|---|
| GetAuthorizationToken | Denies the permission to generate a temporary authorization token for accessing repositories in a domain. |
| ReadFromRepository | Denies the permission to return package assets and metadata from a repository endpoint. |

CodeBuild

| Action | What |
|---|---|
| BatchGet | Denies all BatchGet permissions. |
| ListSourceCredentials | Denies the permission to return a list of SourceCredentialsInfo objects. |

CodeCommit

| Action | What |
|---|---|
| BatchGet | Denies all BatchGet permissions. |
| Get | Denies all Get permissions. |
| GitPull | Denies the permission to pull information from an AWS CodeCommit repository to a local repo. |

CodeDeploy

| Action | What |
|---|---|
| BatchGet | Denies all BatchGet permissions. |
| Get | Denies all Get permissions. |

CodeStar

| Action | What |
|---|---|
| DescribeUserProfile | Denies the permission to describe a user in AWS CodeStar and the user attributes across all projects. |
| ListUserProfiles | Denies the permission to list user profiles in AWS CodeStar. |

Cognito

| Action | What |
|---|---|
| cognito-identity (Cognito Identity) | Denies the permission to access any resources in this service. |
| cognito-idp (Cognito User Pools) | Denies the permission to access any resources in this service. |
| cognito-sync (Cognito Sync) | Denies the permission to access any resources in this service. |

Comprehend

| Action | What |
|---|---|
| Describe | Denies the permission to Describe resources. |
| List | Denies the permission to List resources. |

Config

| Action | What |
|---|---|
| BatchGetAggregateResourceConfig | Denies the permission to return the current configuration items for resources that are present in your AWS Config aggregator. |
| BatchGetResourceConfig | Denies the permission to return the current configuration for one or more requested resources. |
| SelectAggregateResourceConfig | Denies the permission to accept a structured query language (SQL) SELECT command and an aggregator to query the configuration state of AWS resources across multiple accounts and regions, perform the corresponding search, and return the resource configurations matching the properties. |
| SelectResourceConfig | Denies the permission to accept a structured query language (SQL) SELECT command, perform the corresponding search, and return the resource configurations matching the properties. |

Connect

| Action | What |
|---|---|
| Describe | Denies the permission to Describe resources. |
| Get | Denies the permission to Get resources. |
| List | Denies the permission to List resources. |

Data Pipeline

| Action | What |
|---|---|
| DescribeObjects | Denies the permission to get the object definitions for a set of objects associated with the pipeline. |
| EvaluateExpression | Denies task runners the permission to call EvaluateExpression, which evaluates a string in the context of an object. |
| QueryObjects | Denies the permission to query the specified pipeline for the names of the objects that match the specified set of conditions. |

DAX (DynamoDB Accelerator)

| Action | What |
|---|---|
| BatchGetItem | Denies the permission to return the attributes of one or more items from one or more tables. |
| GetItem | Denies the permission to use the GetItem operation, which returns a set of attributes for the item with the given primary key. |
| Query | Denies the permission to use the primary key of a table or a secondary index to directly access items from that table or index. |

DeepComposer

| Action | What |
|---|---|
| Get | Denies all Get permissions in DeepComposer. |
| List | Denies all List permissions in DeepComposer. |

Device Farm

| Action | What |
|---|---|
| GetRemoteAccessSession | Denies the permission to retrieve the link to a currently running remote access session. |
| ListRemoteAccessSessions | Denies the permission to list the information of currently running remote access sessions. |

Direct Connect

| Action | What |
|---|---|
| Describe | Denies all Describe permissions in Direct Connect. |
| List | Denies all List permissions in Direct Connect. |

Discovery

| Action | What |
|---|---|
| Describe | Denies all Describe permissions in Discovery. |
| Get | Denies all Get permissions in Discovery. |
| List | Denies all List permissions in Discovery. |

DMS (Database Migration Service)

| Action | What |
|---|---|
| Describe | Denies all Describe permissions in DMS. |
| List | Denies the permission to list all tags for AWS DMS resources. |

DS (Directory Service)

| Action | What |
|---|---|
| Get | Denies all Get permissions in Directory Service. |

DynamoDB

| Action | What |
|---|---|
| GetItem | Denies the permission to use the GetItem operation, which returns a set of attributes for the item with the given primary key. |
| BatchGetItem | Denies the permission to return the attributes of one or more items from one or more tables. |
| Query | Denies the permission to use the primary key of a table or a secondary index to directly access items from that table or index. |
| Scan | Denies the permission to return one or more items and item attributes by accessing every item in a table or a secondary index. |

EC2 (Elastic Compute Cloud)

| Action | What |
|---|---|
| GetConsoleScreenshot | Denies the permission to retrieve a JPG-format screenshot of a running instance. |

ECR (Elastic Container Registry)

| Action | What |
|---|---|
| ecr:BatchGetImage | Denies the permission to get detailed information for specified images within a specified repository. |
| ecr:GetAuthorizationToken | Denies the permission to retrieve a token that is valid for a specified registry for 12 hours. |
| ecr:GetDownloadUrlForLayer | Denies the permission to retrieve the download URL corresponding to an image layer. |
| ecr-public:GetAuthorizationToken | Denies the permission to retrieve a token that is valid for a specified registry for 12 hours. |

EKS (Elastic Kubernetes Service)

| Action | What |
|---|---|
| DescribeIdentityProviderConfig | Denies the permission to retrieve descriptive information about an identity provider (IdP) configuration associated with a cluster. |

Elastic Beanstalk

| Action | What |
|---|---|
| DescribeConfigurationOptions | Denies the permission to retrieve descriptions of environment configuration options. |
| DescribeConfigurationSettings | Denies the permission to retrieve a description of the settings for a configuration set. |

ES (OpenSearch Service)

| Action | What |
|---|---|
| ESHttpGet | Denies the permission to send HTTP GET requests to the OpenSearch APIs. |

FIS (Fault Injection Simulator)

| Action | What |
|---|---|
| GetExperimentTemplate | Denies the permission to retrieve an AWS FIS experiment template. |

FMS (Firewall Manager)

| Action | What |
|---|---|
| GetAdminAccount | Denies the permission to retrieve the AWS Organizations master account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator. |

Fraud Detector

| Action | What |
|---|---|
| BatchGetVariable | Denies the permission to get a batch of variables. |
| Get | Denies all Get permissions in Fraud Detector. |

GameLift

| Action | What |
|---|---|
| GetGameSessionLogUrl | Denies the permission to retrieve the location of stored logs for a game session. |
| GetInstanceAccess | Denies the permission to request remote access to a specified fleet instance. |

GeoLocation (Location)

| Action | What |
|---|---|
| ListDevicePositions | Denies the permission to retrieve a list of devices and their latest positions from the given tracker resource. |

Glue

| Action | What |
|---|---|
| GetSecurityConfiguration | Denies the permission to retrieve a security configuration. |
| SearchTables | Denies the permission to retrieve the tables in the catalog. |
| GetTable | Denies all GetTable permissions in Glue. |

GuardDuty

| Action | What |
|---|---|
| GetIPSet | Denies the permission to retrieve GuardDuty IPSets. |
| GetMasterAccount | Denies the permission to retrieve details of the GuardDuty administrator account associated with a member account. |
| GetMembers | Denies the permission to retrieve the member accounts associated with an administrator account. |
| ListMembers | Denies the permission to retrieve a list of GuardDuty member accounts associated with an administrator account. |
| ListOrganizationAdminAccounts | Denies the permission to list details about the organization delegated administrator for GuardDuty. |

Inspector 2

| Action | What |
|---|---|
| GetConfiguration | Denies the permission to retrieve information about the Amazon Inspector configuration settings for an AWS account. |

Image Builder

| Action | What |
|---|---|
| GetImage | Denies the permission to get an EC2 image. |

IoT RoboRunner

| Action | What |
|---|---|
| Get | Denies all Get permissions in IoT RoboRunner. |

IoT SiteWise

| Action | What |
|---|---|
| ListAccessPolicies | Denies the permission to list all access policies for an identity or a resource. |

IVS (Interactive Video Service)

| Action | What |
|---|---|
| GetPlaybackKeyPair | Denies the permission to get the playback key pair information for a specified ARN. |
| GetStreamSession | Denies the permission to get information about the stream session on a specified channel. |

Kafka (MSK)

| Action | What |
|---|---|
| GetBootstrapBrokers | Denies the permission to get connection details for the brokers in an MSK cluster. |

Kendra

| Action | What |
|---|---|
| Query | Denies the permission to query documents and FAQs. |

Kinesis

| Action | What |
|---|---|
| Get | Denies all Get permissions in Kinesis. |

KMS (Key Management Service)

| Action | What |
|---|---|
| DescribeKey | Denies the permission to view detailed information about an AWS KMS key. |
| GetPublicKey | Denies the permission to download the public key of an asymmetric AWS KMS key. |

Lex

| Action | What |
|---|---|
| Get | Denies all Get permissions in Lex. |

Lambda

| Action | What |
|---|---|
| GetFunctionConfiguration | Denies the permission to view details about the version-specific settings of an AWS Lambda function or version. |

License Manager

| Action | What |
|---|---|
| GetGrant | Denies the permission to get a grant. |
| GetLicense | Denies the permission to get a license. |
| ListTokens | Denies the permission to list tokens. |

Lightsail

| Action | What |
|---|---|
| GetBucketAccessKeys | Denies the permission to get the existing access key IDs for the specified Amazon Lightsail bucket. |
| GetCertificates | Denies the permission to view information about one or more Amazon Lightsail SSL/TLS certificates. |
| GetContainerImages | Denies the permission to view the container images that are registered to your Amazon Lightsail container service. |
| GetKeyPair | Denies the permission to get information about a key pair. |
| GetRelationalDatabaseLogStreams | Denies the permission to get the log streams available for a relational database. |

Logs

| Action | What |
|---|---|
| GetLogEvents | Denies the permission to list log events from the specified log stream. |
| StartQuery | Denies the permission to schedule a query of a log group using CloudWatch Logs Insights. |

ML (Machine Learning)

| Action | What |
|---|---|
| GetMLModel | Denies the permission to return an MLModel that includes detailed metadata and data source information as well as the current status of the MLModel. |

Macie2

| Action | What |
|---|---|
| GetAdministratorAccount | Denies the permission to retrieve information about the Amazon Macie administrator account for an account. |
| GetMember | Denies the permission to retrieve information about an account that is associated with an Amazon Macie administrator account. |
| GetMacieSession | Denies the permission to retrieve information about the status and configuration settings for an Amazon Macie account. |
| SearchResources | Denies the permission to retrieve statistical data and other information about AWS resources that Amazon Macie monitors and analyzes. |
| GetSensitiveDataOccurrences | Denies the permission to retrieve occurrences of sensitive data reported by a finding. |

Mobile Hub

| Action | What |
|---|---|
| ExportProject | Denies the permission to export the project configuration. |

Nimble Studio

| Action | What |
|---|---|
| GetStreamingSession | Denies the permission to get a streaming session. |

Polly

| Action | What |
|---|---|
| SynthesizeSpeech | Denies the permission to synthesize speech. |

Proton

| Action | What |
|---|---|
| GetEnvironmentTemplate | Denies the permission to describe an environment template. |
| GetServiceTemplate | Denies the permission to describe a service template. |
| ListServiceTemplates | Denies the permission to list service templates. |
| ListEnvironmentTemplates | Denies the permission to list environment templates. |

QLDB (Quantum Ledger Database)

| Action | What |
|---|---|
| GetBlock | Denies the permission to retrieve a block from a ledger for a given BlockAddress. |
| GetDigest | Denies the permission to retrieve a digest from a ledger for a given BlockAddress. |

RDS (Relational Database Service)

| Action | What |
|---|---|
| Download | Denies all Download permissions for RDS. |

Rekognition

| Action | What |
|---|---|
| CompareFaces | Denies the permission to compare faces in the source input image with each face detected in the target input image. |
| Detect | Denies all Detect permissions in Rekognition. |
| Search | Denies all Search permissions in Rekognition. |

Resilience Hub

| Action | What |
|---|---|
| DescribeAppVersionTemplate | Denies the permission to describe the application version template. |
| ListRecommendationTemplates | Denies the permission to list recommendation templates. |

RoboMaker

| Action | What |
|---|---|
| GetWorldTemplateBody | Denies the permission to get the body of a world template. |

S3 (S3 Object Lambda)

| Action | What |
|---|---|
| s3-object-lambda:GetObject | Denies the permission to retrieve objects from Amazon S3 through an Object Lambda access point. |

SageMaker

| Action | What |
|---|---|
| Search | Denies the permission to search for SageMaker objects. |

Schemas (EventBridge Schemas)

| Action | What |
|---|---|
| GetDiscoveredSchema | Denies the permission to retrieve a schema for the provided list of sample events. |

SDB (SimpleDB)

| Action | What |
|---|---|
| Get | Denies all Get permissions for SDB. |
| Select | Denies all Select permissions for SDB. |

Secrets Manager

| Action | What |
|---|---|
| * | Denies all permissions in Secrets Manager. |

Security Hub

| Action | What |
|---|---|
| GetFindings | Denies the permission to retrieve a list of findings from Security Hub. |
| GetMembers | Denies the permission to retrieve the details of Security Hub member accounts. |
| ListMembers | Denies the permission to retrieve details about Security Hub member accounts associated with the administrator account. |

SES (SES v1, SES v2)

| Action | What |
|---|---|
| GetTemplate | Denies the permission to return the template object, which includes the subject line, HTML part, and text part for the template you specify. |
| GetEmailTemplate | Denies the permission to return the template object, which includes the subject line, HTML part, and text part for the template you specify. |
| GetContact | Denies the permission to return a contact from a contact list. |
| GetContactList | Denies the permission to return contact list metadata. |
| ListTemplates | Denies the permission to list the email templates present in your account. |
| ListEmailTemplates | Denies the permission to list all of the email templates for your account. |
| ListVerifiedEmailAddresses | Denies the permission to list all of the email addresses that have been verified. |

Signer

| Action | What |
|---|---|
| GetSigningProfile | Denies the permission to return information about a specific signing profile. |
| ListProfilePermissions | Denies the permission to list the cross-account permissions associated with a signing profile. |
| ListSigningProfiles | Denies the permission to list all signing profiles in your account. |

SMS (Pinpoint SMS Voice V2)

| Action | What |
|---|---|
| sms-voice:DescribeKeywords | Denies the permission to describe the keywords for a pool or origination phone number. |
| sms-voice:DescribeOptedOutNumbers | Denies the permission to describe the destination phone numbers in an opt-out list. |
| sms-voice:DescribePhoneNumbers | Denies the permission to describe the origination phone numbers in your account. |
| sms-voice:DescribePools | Denies the permission to describe the pools in your account. |

Snowball

| Action | What |
|---|---|
| Describe | Denies all Describe permissions for Snowball. |

SQS (Simple Queue Service)

| Action | What |
|---|---|
| Receive | Denies all Receive permissions in SQS. |

SSM (Systems Manager)

| Action | What |
|---|---|
| ssm-contacts:* | Denies all permissions under the ssm-contacts prefix. |
| ssm:DescribeParameters | Denies the permission to view details about a specified SSM parameter. |
| ssm:GetParameter | Denies all GetParameter permissions in Systems Manager. |

SSO (Single Sign-On)

| Action | What |
|---|---|
| Describe | Denies all Describe permissions in SSO. |
| Get | Denies all Get permissions in SSO. |
| List | Denies all List permissions in SSO. |

Storage Gateway

| Action | What |
|---|---|
| DescribeChapCredentials | Denies the permission to get an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair. |

Support

| Action | What |
|---|---|
| DescribeCommunications | Denies the permission to return the communications and attachments for one or more AWS Support cases. |

Timestream

| Action | What |
|---|---|
| ListDatabases | Denies the permission to list databases in your account. |
| ListTables | Denies the permission to list tables in your account. |

Transcribe

| Action | What |
|---|---|
| Get | Denies all Get permissions in Transcribe. |
| List | Denies all List permissions in Transcribe. |

Transfer

| Action | What |
|---|---|
| Describe | Denies all Describe permissions in Transfer. |
| List | Denies all List permissions in Transfer. |

WAF (WAF Regional)

| Action | What |
|---|---|
| waf-regional:GetChangeToken | Denies the permission to retrieve a change token to use in create, update, and delete requests. |

WorkMail

| Action | What |
|---|---|
| DescribeUser | Denies the permission to read details for a user. |
| GetMailUserDetails | Denies the permission to get the details of a user's mailbox and account. |
| ListUsers | Denies the permission to list the organization's users. |

IAM policy for nOps. Last updated: 12/17/2022

Payer Account - IAM Policy JSON

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cur:DescribeReportDefinitions",
"cur:DeleteReportDefinition",
"cur:PutReportDefinition",
"events:CreateEventBus",
"organizations:InviteAccountToOrganization",
"s3:HeadBucket",
"s3:HeadObject",
"support:DescribeTrustedAdvisorCheckRefreshStatuses",
"support:DescribeTrustedAdvisorCheckResult",
"support:DescribeTrustedAdvisorChecks",
"wellarchitected:*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"acm-pca:Describe*",
"acm-pca:Get*",
"acm-pca:List*",
"acm:Describe*",
"acm:Get*",
"acm:List*",
"apigateway:GET",
"appconfig:GetConfiguration*",
"appflow:DescribeConnector*",
"appflow:ListConnector*",
"appstream:DescribeDirectoryConfigs",
"appstream:DescribeUsers",
"appstream:DescribeSessions",
"appsync:Get*",
"appsync:List*",
"athena:Get*",
"athena:List*",
"backup:GetBackupVaultAccessPolicy",
"cassandra:Select",
"chime:Describe*",
"chime:Get*",
"chime:List*",
"cloud9:Describe*",
"cloud9:Get*",
"cloud9:List*",
"clouddirectory:Get*",
"clouddirectory:List*",
"cloudfront:GetCloudFrontOriginAccessIdentity",
"cloudfront:GetFieldLevelEncryption*",
"cloudfront:GetKeyGroupConfig",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStream",
"cloudwatch:ListMetricStreams",
"codeartifact:GetAuthorizationToken",
"codeartifact:ReadFromRepository",
"codebuild:BatchGet*",
"codebuild:ListSourceCredentials",
"codecommit:BatchGet*",
"codecommit:Get*",
"codecommit:GitPull",
"codedeploy:BatchGet*",
"codedeploy:Get*",
"codestar:DescribeUserProfile",
"codestar:ListUserProfiles",
"cognito-identity:*",
"cognito-idp:*",
"cognito-sync:*",
"comprehend:Describe*",
"comprehend:List*",
"config:BatchGetAggregateResourceConfig",
"config:BatchGetResourceConfig",
"config:SelectAggregateResourceConfig",
"config:SelectResourceConfig",
"connect:Describe*",
"connect:Get*",
"connect:List*",
"datapipeline:DescribeObjects",
"datapipeline:EvaluateExpression",
"datapipeline:QueryObjects",
"dax:BatchGetItem",
"dax:GetItem",
"dax:Query",
"deepcomposer:Get*",
"deepcomposer:List*",
"devicefarm:GetRemoteAccessSession",
"devicefarm:ListRemoteAccessSessions",
"directconnect:Describe*",
"directconnect:List*",
"discovery:Describe*",
"discovery:Get*",
"discovery:List*",
"dms:Describe*",
"dms:List*",
"ds:Get*",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"ec2:GetConsoleScreenshot",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr-public:GetAuthorizationToken",
"eks:DescribeIdentityProviderConfig",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:DescribeConfigurationSettings",
"es:ESHttpGet*",
"fis:GetExperimentTemplate",
"fms:GetAdminAccount",
"frauddetector:BatchGetVariable",
"frauddetector:Get*",
"gamelift:GetGameSessionLogUrl",
"gamelift:GetInstanceAccess",
"geo:ListDevicePositions",
"glue:GetSecurityConfiguration*",
"glue:SearchTables",
"glue:GetTable*",
"guardduty:GetIPSet",
"guardduty:GetMasterAccount",
"guardduty:GetMembers",
"guardduty:ListMembers",
"guardduty:ListOrganizationAdminAccounts",
"inspector2:GetConfiguration",
"imagebuilder:GetImage",
"iotroborunner:Get*",
"iotsitewise:ListAccessPolicies",
"ivs:GetPlaybackKeyPair",
"ivs:GetStreamSession",
"kafka:GetBootstrapBrokers",
"kendra:Query*",
"kinesis:Get*",
"kms:DescribeKey",
"kms:GetPublicKey",
"lex:Get*",
"lambda:GetFunctionConfiguration",
"license-manager:GetGrant",
"license-manager:GetLicense",
"license-manager:ListTokens",
"lightsail:GetBucketAccessKeys",
"lightsail:GetCertificates",
"lightsail:GetContainerImages",
"lightsail:GetKeyPair",
"lightsail:GetRelationalDatabaseLogStreams",
"logs:GetLogEvents",
"logs:StartQuery",
"machinelearning:GetMLModel",
"macie2:GetAdministratorAccount",
"macie2:GetMember",
"macie2:GetMacieSession",
"macie2:SearchResources",
"macie2:GetSensitiveDataOccurrences",
"mobilehub:ExportProject",
"nimble:GetStreamingSession",
"polly:SynthesizeSpeech",
"proton:GetEnvironmentTemplate",
"proton:GetServiceTemplate",
"proton:ListServiceTemplates",
"proton:ListEnvironmentTemplates",
"qldb:GetBlock",
"qldb:GetDigest",
"rds:Download*",
"rekognition:CompareFaces",
"rekognition:Detect*",
"rekognition:Search*",
"resiliencehub:DescribeAppVersionTemplate",
"resiliencehub:ListRecommendationTemplates",
"robomaker:GetWorldTemplateBody",
"s3-object-lambda:GetObject",
"sagemaker:Search",
"schemas:GetDiscoveredSchema",
"sdb:Get*",
"sdb:Select*",
"secretsmanager:*",
"securityhub:GetFindings",
"securityhub:GetMembers",
"securityhub:ListMembers",
"ses:GetTemplate",
"ses:GetEmailTemplate",
"ses:GetContact",
"ses:GetContactList",
"ses:ListTemplates",
"ses:ListEmailTemplates",
"ses:ListVerifiedEmailAddresses",
"signer:GetSigningProfile",
"signer:ListProfilePermissions",
"signer:ListSigningProfiles",
"sms-voice:DescribeKeywords",
"sms-voice:DescribeOptedOutNumbers",
"sms-voice:DescribePhoneNumbers",
"sms-voice:DescribePools",
"snowball:Describe*",
"sqs:Receive*",
"ssm-contacts:*",
"ssm:DescribeParameters*",
"ssm:GetParameter*",
"sso:Describe*",
"sso:Get*",
"sso:List*",
"storagegateway:DescribeChapCredentials",
"support:DescribeCommunications",
"timestream:ListDatabases",
"timestream:ListTables",
"transcribe:Get*",
"transcribe:List*",
"transfer:Describe*",
"transfer:List*",
"waf-regional:GetChangeToken",
"workmail:DescribeUser",
"workmail:GetMailUserDetails",
"workmail:ListUsers"
],
"Effect": "Deny",
"Resource": "*"
}
]
}

The following separate policy grants nOps access to the CUR bucket; replace the placeholder with the name of your CUR S3 bucket:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::[INSERT CUR S3 BUCKET]",
"arn:aws:s3:::[INSERT CUR S3 BUCKET]/*"
],
"Effect": "Allow"
}
]
}

Linked Account - IAM Policy JSON

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"support:DescribeTrustedAdvisorCheckRefreshStatuses",
"support:DescribeTrustedAdvisorCheckResult",
"support:DescribeTrustedAdvisorChecks",
"wellarchitected:*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"acm-pca:Describe*",
"acm-pca:Get*",
"acm-pca:List*",
"acm:Describe*",
"acm:Get*",
"acm:List*",
"apigateway:GET",
"appconfig:GetConfiguration*",
"appflow:DescribeConnector*",
"appflow:ListConnector*",
"appstream:DescribeDirectoryConfigs",
"appstream:DescribeUsers",
"appstream:DescribeSessions",
"appsync:Get*",
"appsync:List*",
"athena:Get*",
"athena:List*",
"backup:GetBackupVaultAccessPolicy",
"cassandra:Select",
"chime:Describe*",
"chime:Get*",
"chime:List*",
"cloud9:Describe*",
"cloud9:Get*",
"cloud9:List*",
"clouddirectory:Get*",
"clouddirectory:List*",
"cloudfront:GetCloudFrontOriginAccessIdentity",
"cloudfront:GetFieldLevelEncryption*",
"cloudfront:GetKeyGroupConfig",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStream",
"cloudwatch:ListMetricStreams",
"codeartifact:GetAuthorizationToken",
"codeartifact:ReadFromRepository",
"codebuild:BatchGet*",
"codebuild:ListSourceCredentials",
"codecommit:BatchGet*",
"codecommit:Get*",
"codecommit:GitPull",
"codedeploy:BatchGet*",
"codedeploy:Get*",
"codestar:DescribeUserProfile",
"codestar:ListUserProfiles",
"cognito-identity:*",
"cognito-idp:*",
"cognito-sync:*",
"comprehend:Describe*",
"comprehend:List*",
"config:BatchGetAggregateResourceConfig",
"config:BatchGetResourceConfig",
"config:SelectAggregateResourceConfig",
"config:SelectResourceConfig",
"connect:Describe*",
"connect:Get*",
"connect:List*",
"datapipeline:DescribeObjects",
"datapipeline:EvaluateExpression",
"datapipeline:QueryObjects",
"dax:BatchGetItem",
"dax:GetItem",
"dax:Query",
"deepcomposer:Get*",
"deepcomposer:List*",
"devicefarm:GetRemoteAccessSession",
"devicefarm:ListRemoteAccessSessions",
"directconnect:Describe*",
"directconnect:List*",
"discovery:Describe*",
"discovery:Get*",
"discovery:List*",
"dms:Describe*",
"dms:List*",
"ds:Get*",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"ec2:GetConsoleScreenshot",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr-public:GetAuthorizationToken",
"eks:DescribeIdentityProviderConfig",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:DescribeConfigurationSettings",
"es:ESHttpGet*",
"fis:GetExperimentTemplate",
"fms:GetAdminAccount",
"frauddetector:BatchGetVariable",
"frauddetector:Get*",
"gamelift:GetGameSessionLogUrl",
"gamelift:GetInstanceAccess",
"geo:ListDevicePositions",
"glue:GetSecurityConfiguration*",
"glue:SearchTables",
"glue:GetTable*",
"guardduty:GetIPSet",
"guardduty:GetMasterAccount",
"guardduty:GetMembers",
"guardduty:ListMembers",
"guardduty:ListOrganizationAdminAccounts",
"inspector2:GetConfiguration",
"imagebuilder:GetImage",
"iotroborunner:Get*",
"iotsitewise:ListAccessPolicies",
"ivs:GetPlaybackKeyPair",
"ivs:GetStreamSession",
"kafka:GetBootstrapBrokers",
"kendra:Query*",
"kinesis:Get*",
"kms:DescribeKey",
"kms:GetPublicKey",
"lex:Get*",
"lambda:GetFunctionConfiguration",
"license-manager:GetGrant",
"license-manager:GetLicense",
"license-manager:ListTokens",
"lightsail:GetBucketAccessKeys",
"lightsail:GetCertificates",
"lightsail:GetContainerImages",
"lightsail:GetKeyPair",
"lightsail:GetRelationalDatabaseLogStreams",
"logs:GetLogEvents",
"logs:StartQuery",
"machinelearning:GetMLModel",
"macie2:GetAdministratorAccount",
"macie2:GetMember",
"macie2:GetMacieSession",
"macie2:SearchResources",
"macie2:GetSensitiveDataOccurrences",
"mobilehub:ExportProject",
"nimble:GetStreamingSession",
"polly:SynthesizeSpeech",
"proton:GetEnvironmentTemplate",
"proton:GetServiceTemplate",
"proton:ListServiceTemplates",
"proton:ListEnvironmentTemplates",
"qldb:GetBlock",
"qldb:GetDigest",
"rds:Download*",
"rekognition:CompareFaces",
"rekognition:Detect*",
"rekognition:Search*",
"resiliencehub:DescribeAppVersionTemplate",
"resiliencehub:ListRecommendationTemplates",
"robomaker:GetWorldTemplateBody",
"s3-object-lambda:GetObject",
"sagemaker:Search",
"schemas:GetDiscoveredSchema",
"sdb:Get*",
"sdb:Select*",
"secretsmanager:*",
"securityhub:GetFindings",
"securityhub:GetMembers",
"securityhub:ListMembers",
"ses:GetTemplate",
"ses:GetEmailTemplate",
"ses:GetContact",
"ses:GetContactList",
"ses:ListTemplates",
"ses:ListEmailTemplates",
"ses:ListVerifiedEmailAddresses",
"signer:GetSigningProfile",
"signer:ListProfilePermissions",
"signer:ListSigningProfiles",
"sms-voice:DescribeKeywords",
"sms-voice:DescribeOptedOutNumbers",
"sms-voice:DescribePhoneNumbers",
"sms-voice:DescribePools",
"snowball:Describe*",
"sqs:Receive*",
"ssm-contacts:*",
"ssm:DescribeParameters*",
"ssm:GetParameter*",
"sso:Describe*",
"sso:Get*",
"sso:List*",
"storagegateway:DescribeChapCredentials",
"support:DescribeCommunications",
"timestream:ListDatabases",
"timestream:ListTables",
"transcribe:Get*",
"transcribe:List*",
"transfer:Describe*",
"transfer:List*",
"waf-regional:GetChangeToken",
"workmail:DescribeUser",
"workmail:GetMailUserDetails",
"workmail:ListUsers"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
