# AWS managed policies for Next generation Resilience Hub
<a name="next-gen-security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
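Because AWS can change a managed policy in place and every attached principal picks up the new permissions immediately, a practical defender check is to diff the policy document across versions when a new one appears. The following added example (not AWS code) does that diff offline; the two policy documents are constructed, abbreviated stand-ins for what `iam:GetPolicyVersion` would return for two consecutive versions, and the Sids in them are hypothetical.

```python
"""Added example (not AWS code): report what changed between two versions of a
managed policy document. POLICY_V1 and POLICY_V2 are constructed, abbreviated
stand-ins for the documents iam:GetPolicyVersion returns for consecutive versions."""
import copy

# Constructed sample: abbreviated "v1" of a read-only managed policy (hypothetical Sids).
POLICY_V1 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadResourceConfig", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "rds:DescribeDBInstances"],
         "Resource": "*"},
        {"Sid": "S3Access", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    ],
}

# Constructed sample "v2": one action added, one removed, and the S3 same-account condition dropped.
POLICY_V2 = copy.deepcopy(POLICY_V1)
POLICY_V2["Statement"][0]["Action"] = ["ec2:DescribeInstances", "ec2:DescribeVolumes"]
del POLICY_V2["Statement"][1]["Condition"]


def _as_list(value):
    """Action and Resource may be a string or a list in IAM JSON; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allowed_grants(policy):
    """Set of (action, resource) pairs granted by the policy's Allow statements."""
    grants = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                grants.add((action, resource))
    return grants


def diff_policy_versions(old, new):
    """Return (added, removed): grants present only in new, and only in old."""
    old_grants, new_grants = allowed_grants(old), allowed_grants(new)
    return new_grants - old_grants, old_grants - new_grants


def weakened_conditions(old, new):
    """Sids that carried a Condition in old but lost or changed it in new.
    A dropped condition widens the grant even when the action list is unchanged."""
    old_cond = {s.get("Sid"): s.get("Condition") for s in old.get("Statement", [])}
    return [s.get("Sid") for s in new.get("Statement", [])
            if old_cond.get(s.get("Sid")) and old_cond[s.get("Sid")] != s.get("Condition")]


def review_update(old, new):
    """Summary lines a caller can log or attach to a change ticket."""
    added, removed = diff_policy_versions(old, new)
    lines = [f"+ {a} on {r}" for a, r in sorted(added)]
    lines += [f"- {a} on {r}" for a, r in sorted(removed)]
    lines += [f"! condition weakened in statement {sid}" for sid in weakened_conditions(old, new)]
    return lines


if __name__ == "__main__":
    print("\n".join(review_update(POLICY_V1, POLICY_V2)))
```

To run this against a live managed policy, fetch the current and previous documents with `aws iam get-policy` (which reports `DefaultVersionId`) and `aws iam get-policy-version --version-id ...` for the ARN `arn:aws:iam::aws:policy/<PolicyName>`, then pass the two `Document` values to `review_update`.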

**Topics**
+ [AWSResilienceHubV2AssessmentExecutionPolicy](#next-gen-security_iam_aws-v2-assessment-policy)
+ [Next generation Resilience Hub updates to AWS managed policies](#next-gen-security-iam-awsmanpol-updates)

## AWSResilienceHubV2AssessmentExecutionPolicy
<a name="next-gen-security_iam_aws-v2-assessment-policy"></a>

You can attach the `AWSResilienceHubV2AssessmentExecutionPolicy` to your IAM identities. While running an assessment, this policy grants read-only access permissions to other AWS services for resilience discovery, assessment, and management.

### Permission details
<a name="w2aab7b9c11c11b5"></a>

This policy grants read-only permissions on wildcard resources (`"Resource": "*"` for most statements); the data those read-only calls return might include sensitive information.

This policy includes the following permissions:
+ Amazon CloudWatch (CloudWatch) – Provides `Describe`, `Get`, and `List` permissions for CloudWatch resources that are associated with your AWS account.
+ AWS CloudFormation – Provides `Describe`, `Get`, and `List` permissions for AWS CloudFormation resources that are associated with your AWS account.
+ Amazon Elastic Compute Cloud (Amazon EC2) – Provides specific `Describe` permissions for Amazon EC2 resources that are associated with your AWS account.
+ Amazon Elastic Container Service (Amazon ECS) – Provides `Describe` and `List` permissions for Amazon ECS resources that are associated with your AWS account.
+ Amazon Elastic Kubernetes Service (Amazon EKS) – Provides `Describe` and `List` permissions for Amazon EKS resources that are associated with your AWS account.
+ Amazon Elastic Container Registry (Amazon ECR) – Provides `Describe` permissions for Amazon ECR resources that are associated with your AWS account.
+ Amazon Elastic File System (Amazon EFS) – Provides `Describe` permissions for Amazon EFS resources that are associated with your AWS account.
+ Amazon ElastiCache (ElastiCache) – Provides `Describe` permissions for ElastiCache resources that are associated with your AWS account.
+ Elastic Load Balancing – Provides `Describe` permissions for Elastic Load Balancing resources that are associated with your AWS account.
+ Amazon DynamoDB (DynamoDB) – Provides `Describe` and `List` permissions for DynamoDB resources that are associated with your AWS account.
+ Amazon RDS – Provides `Describe` permissions for Amazon RDS resources that are associated with your AWS account.
+ Amazon DocumentDB – Provides `Describe` and `List` permissions for Amazon DocumentDB resources that are associated with your AWS account.
+ AWS Lambda (Lambda) – Provides specific `Get` and `List` permissions for Lambda resources that are associated with your AWS account.
+ AWS Step Functions – Provides `Describe` and `List` permissions for AWS Step Functions resources that are associated with your AWS account.
+ IAM – Provides specific `Get` and `List` permissions for IAM resources that are associated with your AWS account.
+ Amazon Simple Notification Service (Amazon SNS) – Provides `Get` and `List` permissions for Amazon SNS resources that are associated with your AWS account.
+ Amazon Simple Queue Service (Amazon SQS) – Provides `Get` and `List` permissions for Amazon SQS resources that are associated with your AWS account.
+ Amazon Simple Storage Service (Amazon S3) – Provides `Get` and `List` permissions for Amazon S3 resources that are associated with your AWS account. The Amazon S3 permissions in the `AWSResilienceHubS3AccessStatement` are restricted to resources in the same account by using the `aws:ResourceAccount` condition key.
+ Amazon Route 53 (Route 53) – Provides `Get` and `List` permissions for Route 53 resources, including Route 53 Application Recovery Controller resources, that are associated with your AWS account.
+ Amazon EC2 Systems Manager (SSM) – Provides `Describe` and `Get` permissions for SSM resources that are associated with your AWS account.
+ Amazon EC2 Auto Scaling – Provides `Describe` permissions for Amazon EC2 Auto Scaling resources that are associated with your AWS account.
+ AWS Backup – Provides `Describe`, `Get`, and `List` permissions for AWS Backup resources that are associated with your AWS account.
+ AWS Elastic Disaster Recovery (Elastic Disaster Recovery) – Provides `Describe` permissions for Elastic Disaster Recovery resources that are associated with your AWS account.
+ AWS Fault Injection Service (AWS FIS) – Provides `Get` and `List` permissions for AWS FIS experiments and experiment templates that are associated with your AWS account.
+ Amazon FSx for Windows File Server (Amazon FSx) – Provides `Describe` permissions for Amazon FSx resources that are associated with your AWS account.
+ Amazon Data Lifecycle Manager – Provides `Get` permissions for Amazon Data Lifecycle Manager resources that are associated with your AWS account.
+ AWS DataSync – Provides `Describe` and `List` permissions for AWS DataSync resources that are associated with your AWS account.
+ AWS Resource Groups (Resource Groups) – Provides `Get` and `List` permissions for Resource Groups resources that are associated with your AWS account.
+ AWS Service Catalog (Service Catalog) – Provides `Get` and `List` permissions for Service Catalog resources that are associated with your AWS account.
+ Amazon API Gateway – Provides `GET` permissions scoped to specific resource ARN patterns for REST APIs, HTTP APIs, usage plans, and domain names.
+ Amazon Kinesis – Provides `Describe` and `List` permissions for Kinesis resources that are associated with your AWS account.
+ Amazon Kinesis Data Firehose – Provides `Describe` and `List` permissions for Kinesis Data Firehose resources that are associated with your AWS account.
+ Amazon EventBridge – Provides `Describe` and `List` permissions for EventBridge resources that are associated with your AWS account.
+ Amazon MSK – Provides `Describe`, `Get`, and `List` permissions for Amazon MSK and MSK Connect resources that are associated with your AWS account.
+ Amazon MemoryDB – Provides `Describe` permissions for MemoryDB resources that are associated with your AWS account.
+ Amazon Redshift – Provides `Describe` permissions for Redshift resources that are associated with your AWS account.
+ AWS Global Accelerator – Provides `Describe` and `List` permissions for Global Accelerator resources that are associated with your AWS account.
+ AWS Network Firewall – Provides `Describe` and `List` permissions for Network Firewall resources that are associated with your AWS account.
+ AWS Shield – Provides `Describe` and `List` permissions for Shield resources that are associated with your AWS account.
+ AWS WAF V2 – Provides `Get` and `List` permissions for WAF V2 resources that are associated with your AWS account.
+ AWS Resource Access Manager – Provides `Get` and `List` permissions for RAM resources that are associated with your AWS account.
+ Amazon VPC Lattice – Provides `Get` and `List` permissions for VPC Lattice resources that are associated with your AWS account.
+ AWS Config – Provides `Describe` and `List` permissions for Config resources that are associated with your AWS account.
+ Amazon CloudFront – Provides `Get` and `List` permissions for CloudFront resources that are associated with your AWS account.
+ AWS Secrets Manager – Provides `Describe` and `List` permissions for Secrets Manager resources that are associated with your AWS account.
+ AWS Directory Service – Provides `Describe` permissions for Directory Service resources that are associated with your AWS account.
+ Amazon DSQL – Provides `Get` and `List` permissions for DSQL resources that are associated with your AWS account.
+ Amazon QLDB – Provides `Describe` and `List` permissions for QLDB resources that are associated with your AWS account.
+ AWS Certificate Manager – Provides `Describe`, `Get`, and `List` permissions for ACM resources that are associated with your AWS account.
+ Application Auto Scaling – Provides `Describe` permissions for Application Auto Scaling resources that are associated with your AWS account.
+ SSM Incidents – Provides `Get` and `List` permissions for SSM Incidents resources that are associated with your AWS account.
+ Resource Groups Tagging API (Tag) – Provides the `tag:GetResources` permission for querying tagged resources that are associated with your AWS account.

The following IAM policy document grants the permissions that Next generation Resilience Hub requires to read other AWS services while running assessments.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSResilienceHubV2ReadResourceConfigStatement",
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:GetCertificate",
                "acm:ListCertificates",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingPolicies",
                "arc-region-switch:GetRegionSwitchStatus",
                "arc-region-switch:ListRegionSwitchAZSummaries",
                "arc-zonal-shift:GetManagedResource",
                "arc-zonal-shift:ListManagedResources",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "backup:DescribeBackupVault",
                "backup:GetBackupPlan",
                "backup:GetBackupSelection",
                "backup:ListBackupPlans",
                "backup:ListBackupSelections",
                "cloudformation:DescribeStacks",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudfront:GetDistribution",
                "cloudfront:ListDistributions",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListMetrics",
                "config:DescribeConfigRules",
                "config:ListDiscoveredResources",
                "datasync:DescribeTask",
                "datasync:ListLocations",
                "datasync:ListTasks",
                "dlm:GetLifecyclePolicies",
                "dlm:GetLifecyclePolicy",
                "docdb-elastic:GetCluster",
                "docdb-elastic:ListClusters",
                "drs:DescribeJobs",
                "drs:DescribeSourceServers",
                "drs:GetReplicationConfiguration",
                "ds:DescribeDirectories",
                "dsql:GetCluster",
                "dsql:ListClusters",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTagsOfResource",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeFastSnapshotRestores",
                "ec2:DescribeFleets",
                "ec2:DescribeInstances",
                "ec2:DescribeNatGateways",
                "ec2:DescribeRegions",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "ecr:DescribeRepositories",
                "ecs:DescribeCapacityProviders",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeServices",
                "ecs:DescribeTaskDefinition",
                "ecs:ListContainerInstances",
                "ecs:ListServices",
                "eks:DescribeCluster",
                "eks:DescribeFargateProfile",
                "eks:DescribeNodegroup",
                "eks:ListFargateProfiles",
                "eks:ListNodegroups",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeGlobalReplicationGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticache:DescribeSnapshots",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeReplicationConfigurations",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "events:DescribeEventBus",
                "events:DescribeRule",
                "events:ListRules",
                "events:ListTargets",
                "firehose:DescribeDeliveryStream",
                "firehose:ListDeliveryStreams",
                "fis:GetExperiment",
                "fis:GetExperimentTemplate",
                "fis:ListExperimentTemplates",
                "fis:ListExperiments",
                "fsx:DescribeFileSystems",
                "globalaccelerator:DescribeAccelerator",
                "globalaccelerator:DescribeEndpointGroup",
                "globalaccelerator:DescribeListener",
                "globalaccelerator:ListAccelerators",
                "globalaccelerator:ListEndpointGroups",
                "globalaccelerator:ListListeners",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "kafka:DescribeCluster",
                "kafka:DescribeClusterV2",
                "kafka:GetBootstrapBrokers",
                "kafka:ListClusters",
                "kafka:ListClustersV2",
                "kafkaconnect:DescribeConnector",
                "kafkaconnect:ListConnectors",
                "kinesis:DescribeStream",
                "kinesis:ListStreams",
                "lambda:GetFunctionConcurrency",
                "lambda:GetFunctionConfiguration",
                "lambda:ListAliases",
                "lambda:ListEventSourceMappings",
                "lambda:ListFunctionEventInvokeConfigs",
                "lambda:ListVersionsByFunction",
                "memorydb:DescribeClusters",
                "memorydb:DescribeMultiRegionClusters",
                "network-firewall:DescribeFirewall",
                "network-firewall:DescribeFirewallPolicy",
                "network-firewall:ListFirewallPolicies",
                "network-firewall:ListFirewalls",
                "qldb:DescribeLedger",
                "qldb:ListLedgers",
                "ram:GetResourceShareAssociations",
                "ram:ListResources",
                "rds:DescribeDBClusterSnapshots",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstanceAutomatedBackups",
                "rds:DescribeDBInstances",
                "rds:DescribeDBProxies",
                "rds:DescribeDBSnapshots",
                "rds:DescribeGlobalClusters",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusters",
                "resource-groups:GetGroup",
                "resource-groups:ListGroupResources",
                "route53:GetHealthCheck",
                "route53:GetHostedZone",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "route53-recovery-control-config:ListClusters",
                "route53-recovery-control-config:ListControlPanels",
                "route53-recovery-control-config:ListRoutingControls",
                "route53-recovery-readiness:GetReadinessCheckStatus",
                "route53-recovery-readiness:GetResourceSet",
                "route53-recovery-readiness:ListReadinessChecks",
                "route53resolver:ListFirewallRuleGroupAssociations",
                "route53resolver:ListResolverEndpoints",
                "route53resolver:ListResolverRules",
                "s3:ListBucket",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecrets",
                "servicecatalog:GetApplication",
                "servicecatalog:ListAssociatedResources",
                "shield:DescribeProtection",
                "shield:ListProtections",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "ssm:DescribeAutomationExecutions",
                "ssm:GetDocument",
                "ssm:GetParametersByPath",
                "ssm-incidents:GetResponsePlan",
                "ssm-incidents:ListReplicationSets",
                "ssm-incidents:ListResponsePlans",
                "states:DescribeStateMachine",
                "states:ListStateMachines",
                "tag:GetResources",
                "vpc-lattice:GetService",
                "vpc-lattice:GetServiceNetwork",
                "vpc-lattice:GetTargetGroup",
                "vpc-lattice:ListServices",
                "vpc-lattice:ListServiceNetworks",
                "vpc-lattice:ListTargetGroups",
                "wafv2:GetWebACL",
                "wafv2:ListWebACLs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AWSResilienceHubApiGatewayStatement",
            "Effect": "Allow",
            "Action": [
                "apigateway:GET"
            ],
            "Resource": [
                "arn:aws:apigateway:*::/apis/*",
                "arn:aws:apigateway:*::/restapis/*",
                "arn:aws:apigateway:*::/usageplans",
                "arn:aws:apigateway:*::/domainnames/*"
            ]
        },
        {
            "Sid": "AWSResilienceHubS3AccessStatement",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetMultiRegionAccessPointRoutes",
                "s3:GetReplicationConfiguration",
                "s3:ListAllMyBuckets",
                "s3:ListMultiRegionAccessPoints"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        }
    ]
}
```
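The policy above is large, so two checks are worth automating before attaching it: confirm that every allowed action is in fact a read-only verb, and list which statements grant that access on `"Resource": "*"` without any condition (only the S3 statement carries the `aws:ResourceAccount` same-account guard). The same tooling can then derive the narrower customer managed policy the introduction recommends, keeping only the services your applications actually use. The following added example (not AWS code) implements these checks; `POLICY_EXCERPT` is a constructed, abbreviated excerpt of the managed policy above, and the same functions run unchanged over the full document.

```python
"""Added example (not AWS code): audit an IAM policy document for read-only
posture and derive a narrower customer managed policy from it. POLICY_EXCERPT is a
constructed, abbreviated excerpt of the AWSResilienceHubV2AssessmentExecutionPolicy
document; fetch the full document with iam:GetPolicyVersion for a real audit."""
import copy
import json

POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSResilienceHubV2ReadResourceConfigStatement", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes",
                    "rds:DescribeDBInstances", "iam:GetRole",
                    "iam:ListAttachedRolePolicies", "s3:ListBucket", "tag:GetResources"],
         "Resource": "*"},
        {"Sid": "AWSResilienceHubApiGatewayStatement", "Effect": "Allow",
         "Action": ["apigateway:GET"],
         "Resource": ["arn:aws:apigateway:*::/restapis/*", "arn:aws:apigateway:*::/usageplans"]},
        {"Sid": "AWSResilienceHubS3AccessStatement", "Effect": "Allow",
         "Action": ["s3:GetBucketPolicy", "s3:ListAllMyBuckets"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}}},
    ],
}

# Verb prefixes that only read state; API Gateway uses the HTTP verb GET as its action name.
READ_ONLY_VERB_PREFIXES = ("Describe", "Get", "List", "GET")


def _as_list(value):
    """Action and Resource may be a string or a list in IAM JSON; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """True if the verb part of a service:Verb action starts with a read-only prefix."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_VERB_PREFIXES)


def non_read_only_actions(policy):
    """Allowed actions that could mutate state; expected to be empty for this policy."""
    return sorted(a for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
                  for a in _as_list(s.get("Action")) if not is_read_only(a))


def unconditioned_wildcard_statements(policy):
    """Sids that allow actions on every resource ("*") with no Condition at all.
    These are the grants to review first when scoping the policy down."""
    return [s.get("Sid") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource"))
            and not s.get("Condition")]


def has_same_account_condition(stmt):
    """Check for the same-account guard the S3 statement uses."""
    equals = stmt.get("Condition", {}).get("StringEquals", {})
    return equals.get("aws:ResourceAccount") == "${aws:PrincipalAccount}"


def scope_to_services(policy, services):
    """Return a copy keeping only actions whose service prefix is in `services`.
    Statements left with no actions are dropped; conditions and resources are preserved."""
    scoped = copy.deepcopy(policy)
    kept = []
    for stmt in scoped["Statement"]:
        actions = [a for a in _as_list(stmt.get("Action")) if a.split(":", 1)[0] in services]
        if actions:
            stmt["Action"] = actions
            kept.append(stmt)
    scoped["Statement"] = kept
    return scoped


if __name__ == "__main__":
    print("non-read-only actions:", non_read_only_actions(POLICY_EXCERPT))
    print("unconditioned wildcard statements:", unconditioned_wildcard_statements(POLICY_EXCERPT))
    # Derive a customer managed policy for an application that only uses EC2, RDS and tags.
    print(json.dumps(scope_to_services(POLICY_EXCERPT, {"ec2", "rds", "tag"}), indent=2))
```

The verb-prefix test is deliberately conservative: it recognises only the `Describe`, `Get`, `List` and `GET` prefixes the page itself lists, so any future action with a different verb is flagged for a human to look at rather than silently accepted as read-only.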

## Next generation Resilience Hub updates to AWS managed policies
<a name="next-gen-security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Next generation Resilience Hub since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Next generation Resilience Hub Document history page.


| Change | Description | Date | 
| --- | --- | --- | 
| [AWSResilienceHubV2AssessmentExecutionPolicy](#next-gen-security_iam_aws-v2-assessment-policy) – New policy | Next generation Resilience Hub added a new policy to grant read-only access permissions to other AWS services for resilience discovery, assessment, and management. | June 18, 2026 | 
| Next generation Resilience Hub started tracking changes | Next generation Resilience Hub started tracking changes for its AWS managed policies. | June 18, 2026 | 