本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# DevOps 代理 IAM 权限
AWS DevOps 代理使用特定于服务的 AWS 身份和访问管理 (IAM) Access Management 操作来控制对其功能和功能的访问。这些操作决定了用户在 AWS DevOps 代理控制台和操作员 Web 应用程序中可以执行的操作。这与代理本身用于调查您的资源的 AWS 服务 API 权限是分开的。
有关限制代理访问权限的更多信息,请参阅[限制 AWS 账户中的代理访问权限。](https://docs.aws.amazon.com/devopsagent/latest/userguide/aws-devops-agent-security-limiting-agent-access-in-an-aws-account.html)
## 代理空间管理操作
以下操作控制对代理空间配置和管理的访问:
+ **aidevops: GetAgentSpace** — 允许用户查看有关代理空间的详细信息,包括其配置、状态和关联账户。用户需要此权限才能访问 AWS 管理控制台中的代理空间。
+ **aidevops: GetAssociation** — 允许用户查看有关特定账户关联的详细信息,包括 IAM 角色配置和连接状态。
+ **aidevops: ListAssociations** — 允许用户列出为代理空间配置的所有 AWS 账户关联,包括主账户和次要账户。
## 调查和执行行动
以下操作控制对事件调查功能的访问:
+ **aidevops: ListExecutions** — 允许用户查看执行元数据(包括 ID、状态等),用于与任务相关的调查、缓解措施、评估和聊天对话。
+ **aidevops:ListJournalRecords**— 允许用户访问详细日志,这些日志显示了代理的推理步骤、采取的操作以及调查、缓解、评估和聊天对话期间咨询的数据源。这对于了解代理如何得出结论很有用。
## 聊天管理操作
聊天需要以下 IAM 权限才能运行:
+ **aidevops: ListChats** — 允许用户列出和访问聊天对话历史记录。
+ **aidevops: CreateChat** — 允许用户创建新的聊天对话。
+ **aidevops: SendMessage** — 允许用户提交查询和接收直播回复。
## 拓扑和发现操作
以下操作控制对应用程序资源映射功能的访问:
+ **aidevops: DiscoverTopology** — 允许用户触发代理空间的拓扑发现和映射。此操作启动扫描 AWS 帐户和构建应用程序资源拓扑的过程。
## 预防和建议行动
以下操作控制对 “预防” 功能的访问权限:
+ **aidevops:ListGoals**— 允许用户根据最近的事件模式查看代理正在努力实现的预防目标。
+ **aidevops:ListRecommendations**— 允许用户查看 “预防” 功能生成的所有建议,包括其优先级和类别。
+ **aidevops:GetRecommendation**— 允许用户查看有关特定建议的详细信息,包括该建议本可以防止的事件和实施指南。
## 待办事项任务管理操作
这些操作控制将推荐作为待办事项任务进行管理的能力:
+ **aidevops: CreateBacklogTask** — 允许用户创建事件调查或预防评估任务。
+ **aidevops:UpdateBacklogTask**— 允许用户批准缓解计划或取消正在进行的调查或评估。
+ **aidevops: GetBacklogTask** — 允许用户检索有关特定任务的详细信息。
+ **aidevops: ListBacklogTasks** — 允许用户列出代理空间的任务,按任务类型、状态、优先级或创建时间进行筛选。
## 知识管理行动
这些操作控制了代理在调查期间可以使用的添加和管理自定义知识的能力:
+ **aidevops: CreateKnowledgeItem** — 允许用户添加自定义知识项,例如技能、故障排除指南或代理应参考的特定于应用程序的信息。
+ **aidevops: ListKnowledgeItems** — 允许用户查看为代理空间配置的所有知识项目。
+ **aidevops: GetKnowledgeItem** — 允许用户检索特定知识项的详细信息。
+ **aidevops: UpdateKnowledgeItem** — 允许用户修改现有知识项目以保持信息最新。
+ **aidevops: DeleteKnowledgeItem** — 允许用户删除不再相关的知识项目。
## AWS Support 集成操作
以下操作可控制与 Su AWS pport 案例的集成:
+ **aidevops:InitiateChatForCase**— 允许用户直接通过调查开始与 Su AWS pport 的聊天会话,自动提供有关事件的背景信息。
+ **aidevops: EndChatForCase** — 允许用户结束活跃的 Su AWS pport 案例聊天会话。
+ **aidevops:DescribeSupportLevel**— 允许用户查看账户的 AWS 支持计划级别,以确定可用的支持选项。
## 使用情况和监控操作
以下操作控制对使用信息的访问权限:
+ **aidevops: GetAccountUsage** — 允许用户查看 AWS DevOps 代理每月的调查时间、预防评估时间和聊天请求配额以及当月的使用情况。
## 常见的 IAM 策略示例
### 管理员策略
此政策授予对所有 AWS DevOps 代理功能的完全访问权限:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "aidevops:*",
"Resource": "*"
}
]
}
```
### 运营商政策
此策略允许访问调查和预防功能,但无需管理权限:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aidevops:GetAgentSpace",
"aidevops:InvokeAgent",
"aidevops:ListExecutions",
"aidevops:ListJournalRecords",
"aidevops:ListAssociations",
"aidevops:GetAssociation",
"aidevops:DiscoverTopology",
"aidevops:ListRecommendations",
"aidevops:GetRecommendation",
"aidevops:CreateBacklogTask",
"aidevops:UpdateBacklogTask",
"aidevops:GetBacklogTask",
"aidevops:ListBacklogTasks",
"aidevops:ListKnowledgeItems",
"aidevops:GetKnowledgeItem",
"aidevops:InitiateChatForCase",
"aidevops:EndChatForCase",
"aidevops:ListChats",
"aidevops:CreateChat",
"aidevops:SendMessage",
"aidevops:ListGoals",
"aidevops:CreateKnowledgeItem",
"aidevops:UpdateKnowledgeItem",
"aidevops:DescribeSupportLevel",
"aidevops:ListPendingMessages"
],
"Resource": "*"
}
]
}
```
### 只读策略
此政策授予对调查和建议的访问权限,仅供查看:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aidevops:GetAgentSpace",
"aidevops:ListAssociations",
"aidevops:GetAssociation",
"aidevops:ListExecutions",
"aidevops:ListJournalRecords",
"aidevops:ListRecommendations",
"aidevops:GetRecommendation",
"aidevops:ListBacklogTasks",
"aidevops:GetBacklogTask",
"aidevops:ListKnowledgeItems",
"aidevops:GetKnowledgeItem",
"aidevops:GetAccountUsage"
],
"Resource": "*"
}
]
}
```
## 为 AWS DevOps 代理使用服务相关角色
AWS DevOps 代理使用 AWS 身份和访问管理 (IAM) Access [Management 服务](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html)相关角色。服务相关角色是一种独特的 IAM 角色,直接链接到 AWS DevOps 代理。服务相关角色由 AWS DevOps 代理预定义,包括该服务代表您调用其他 AWS 服务所需的所有权限。
### 服务相关角色权限
`AWSServiceRoleForAIDevOps` 服务相关角色信任 `aidevops.amazonaws.com` 服务委托人担任该角色。
该角色使用`AWSServiceRoleForAIDevOpsPolicy`具有以下权限的托管策略:
+ `cloudwatch:PutMetricData`— 将使用情况指标发布到`AWS/AIDevOps` CloudWatch 命名空间。由一个`cloudwatch:namespace`条件限定为仅允许`AWS/AIDevOps`命名空间。
+ `vpc-lattice:CreateResourceGateway`— 为私有连接创建 VPC 莱迪思资源网关。按`aws:RequestTag/AWSAIDevOpsManaged`条件设定范围,因此该服务只能创建带有该`AWSAIDevOpsManaged`标签的资源网关。
+ `vpc-lattice:TagResource`— 标记 VPC 莱迪思资源网关。按`aws:RequestTag/AWSAIDevOpsManaged`条件划分范围。
+ `vpc-lattice:DeleteResourceGateway`— 删除 VPC 莱迪思资源网关。按`aws:ResourceTag/AWSAIDevOpsManaged`条件设定范围,因此服务只能删除其创建的资源网关。
+ `vpc-lattice:GetResourceGateway`— 检索有关 VPC 莱迪思资源网关的信息。按`aws:ResourceTag/AWSAIDevOpsManaged`条件设定范围,因此服务只能读取其创建的资源网关。
+ `ec2:DescribeVpcs`,`ec2:DescribeSubnets`,`ec2:DescribeSecurityGroups`— 检索有关配置资源网关所需的 VPC 网络资源的信息。这些只读操作适用于所有 VPC 资源,因为 EC2 API 不支持描述调用的资源级权限。
+ `iam:CreateServiceLinkedRole`— 创建资源网关操作所需的VPC Lattice服务相关角色。此权限仅限于`vpc-lattice.amazonaws.com`服务主体,不能用于为任何其他服务创建服务相关角色。
### 创建服务关联角色
无需手动创建 `AWSServiceRoleForAIDevOps` 服务关联角色。当您开始使用 AWS DevOps 代理时,该服务会为您创建服务相关角色。
要允许服务代表您创建角色,您必须拥有`iam:CreateServiceLinkedRole`权限。我们建议`aidevops.amazonaws.com`以遵循最小权限原则为`iam:AWSServiceName`条件来界定此权限的范围。有关更多信息,请参阅[服务相关角色权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions)。
### 编辑 服务相关角色
您无法编辑 `AWSServiceRoleForAIDevOps` 服务相关角色。创建角色后,您无法更改角色的名称,因为各种实体可能会按名称引用该角色。不过,您可以使用 IAM 编辑角色的说明。有关更多信息,请参阅[编辑服务相关角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role)。
### 删除 服务相关角色
如果您不再需要使用 AWS DevOps 代理,我们建议您删除`AWSServiceRoleForAIDevOps`服务相关角色。在删除角色之前,必须先删除在代理空间中配置的所有专用连接。删除服务相关角色不会自动移除之前由该服务创建的带有`AWSAIDevOpsManaged`标签的 VPC Lattice 资源网关。如果不再需要这些资源网关,则应手动将其删除。有关更多信息,请参阅[删除服务相关角色](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role)。
## AWS AWS DevOps 代理的托管策略
AWS 通过提供由创建和管理的独立 IAM 策略来解决许多常见用例 AWS。这些 AWS 托管策略为常见用例授予必要的权限,这样您就可以不必调查需要哪些权限。有关更多信息,请参阅 \$1IAM 用户指南\$1中的[AWS 托管策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies)。
以下 AWS 托管策略特定于 A AWS DevOps gent,您可以将其附加到账户中的用户。
### AIDevOpsAgentReadOnlyAccess
通过 AWS 管理控制台提供对 Amazon A DevOps gent 的只读访问权限
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AIDevOpsAgentReadOnlyAccess",
"Effect": "Allow",
"Action": [
"aidevops:Get*",
"aidevops:List*",
"aidevops:SearchServiceAccessibleResource"
],
"Resource": "*"
}
]
}
```
### AIDevOpsAgentFullAccess
通过 AWS 管理控制台提供对 Amazon A DevOps gent 的完全访问权限
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AIDevOpsAgentSpaceAccess",
"Effect": "Allow",
"Action": [
"aidevops:CreateAgentSpace",
"aidevops:DeleteAgentSpace",
"aidevops:GetAgentSpace",
"aidevops:ListAgentSpaces",
"aidevops:UpdateAgentSpace"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsServiceAccess",
"Effect": "Allow",
"Action": [
"aidevops:DeregisterService",
"aidevops:GetService",
"aidevops:ListServices",
"aidevops:RegisterService",
"aidevops:SearchServiceAccessibleResource"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsAssociationAccess",
"Effect": "Allow",
"Action": [
"aidevops:AssociateService",
"aidevops:DisassociateService",
"aidevops:GetAssociation",
"aidevops:ListAssociations",
"aidevops:UpdateAssociation",
"aidevops:ValidateAwsAssociations"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsWebhookAccess",
"Effect": "Allow",
"Action": [
"aidevops:ListWebhooks"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsOperatorAppAccess",
"Effect": "Allow",
"Action": [
"aidevops:DisableOperatorApp",
"aidevops:EnableOperatorApp",
"aidevops:GetOperatorApp",
"aidevops:UpdateOperatorAppIdpConfig"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsKnowledgeAccess",
"Effect": "Allow",
"Action": [
"aidevops:CreateKnowledgeItem",
"aidevops:DeleteKnowledgeItem",
"aidevops:GetKnowledgeItem",
"aidevops:ListKnowledgeItems",
"aidevops:ListKnowledgeItemVersions",
"aidevops:UpdateKnowledgeItem"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsBacklogAccess",
"Effect": "Allow",
"Action": [
"aidevops:CreateBacklogTask",
"aidevops:GetBacklogTask",
"aidevops:ListBacklogTasks",
"aidevops:ListGoals",
"aidevops:UpdateBacklogTask",
"aidevops:UpdateGoal"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsRecommendationAccess",
"Effect": "Allow",
"Action": [
"aidevops:GetRecommendation",
"aidevops:ListRecommendations",
"aidevops:UpdateRecommendation"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsAgentChatAccess",
"Effect": "Allow",
"Action": [
"aidevops:CreateChat",
"aidevops:ListChats",
"aidevops:ListPendingMessages",
"aidevops:SendMessage"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsJournalAccess",
"Effect": "Allow",
"Action": [
"aidevops:ListExecutions",
"aidevops:ListJournalRecords"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsTopologyAccess",
"Effect": "Allow",
"Action": [
"aidevops:DiscoverTopology"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsSupportAccess",
"Effect": "Allow",
"Action": [
"aidevops:DescribeSupportLevel",
"aidevops:EndChatForCase",
"aidevops:InitiateChatForCase"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsUsageAccess",
"Effect": "Allow",
"Action": [
"aidevops:GetAccountUsage"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsTaggingAccess",
"Effect": "Allow",
"Action": [
"aidevops:ListTagsForResource",
"aidevops:TagResource",
"aidevops:UntagResource"
],
"Resource": "*"
},
{
"Sid": "AIDevOpsVendedLogs",
"Effect": "Allow",
"Action": [
"aidevops:AllowVendedLogDeliveryForResource"
],
"Resource": "*"
}
]
}
```
### AIDevOpsOperatorAppAccessPolicy
提供使用 AWS DevOps 操作员 Web 应用程序访问代理空间的权限。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOperatorAgentSpaceActions",
"Effect": "Allow",
"Action": [
"aidevops:GetAgentSpace",
"aidevops:GetAssociation",
"aidevops:ListAssociations",
"aidevops:CreateBacklogTask",
"aidevops:GetBacklogTask",
"aidevops:UpdateBacklogTask",
"aidevops:ListBacklogTasks",
"aidevops:ListJournalRecords",
"aidevops:DiscoverTopology",
"aidevops:ListGoals",
"aidevops:ListRecommendations",
"aidevops:ListExecutions",
"aidevops:GetRecommendation",
"aidevops:UpdateRecommendation",
"aidevops:CreateKnowledgeItem",
"aidevops:ListKnowledgeItems",
"aidevops:ListKnowledgeItemVersions",
"aidevops:GetKnowledgeItem",
"aidevops:UpdateKnowledgeItem",
"aidevops:DeleteKnowledgeItem",
"aidevops:ListPendingMessages",
"aidevops:InitiateChatForCase",
"aidevops:EndChatForCase",
"aidevops:DescribeSupportLevel",
"aidevops:ListChats",
"aidevops:CreateChat",
"aidevops:SendMessage"
],
"Resource": "arn:aws:aidevops:*:*:agentspace/${aws:PrincipalTag/AgentSpaceId}",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "AllowOperatorAccountActions",
"Effect": "Allow",
"Action": [
"aidevops:GetAccountUsage"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "AllowSupportOperatorActions",
"Effect": "Allow",
"Action": [
"support:DescribeCases",
"support:InitiateChatForCase",
"support:DescribeSupportLevel"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
]
}
```
### AIDevOpsAgentAccessPolicy
提供 AWS DevOps 代理对客户 AWS 资源进行调查和分析所需的权限。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AIOPSServiceAccess",
"Effect": "Allow",
"Action": [
"access-analyzer:GetAnalyzer",
"access-analyzer:List*",
"acm-pca:Describe*",
"acm-pca:GetCertificate",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:GetCertificateAuthorityCsr",
"acm-pca:List*",
"acm:DescribeCertificate",
"acm:GetAccountConfiguration",
"aidevops:GetKnowledgeItem",
"aidevops:ListKnowledgeItems",
"airflow:List*",
"amplify:GetApp",
"amplify:GetBranch",
"amplify:GetDomainAssociation",
"amplify:List*",
"aoss:BatchGetCollection",
"aoss:BatchGetLifecyclePolicy",
"aoss:BatchGetVpcEndpoint",
"aoss:GetAccessPolicy",
"aoss:GetSecurityConfig",
"aoss:GetSecurityPolicy",
"aoss:List*",
"appconfig:GetApplication",
"appconfig:GetConfigurationProfile",
"appconfig:GetEnvironment",
"appconfig:GetHostedConfigurationVersion",
"appconfig:List*",
"appflow:Describe*",
"appflow:List*",
"application-autoscaling:Describe*",
"application-signals:BatchGetServiceLevelObjectiveBudgetReport",
"application-signals:GetService",
"application-signals:GetServiceLevelObjective",
"application-signals:List*",
"applicationinsights:Describe*",
"applicationinsights:List*",
"apprunner:Describe*",
"apprunner:List*",
"appstream:Describe*",
"appstream:List*",
"appsync:GetApiAssociation",
"appsync:GetDataSource",
"appsync:GetDomainName",
"appsync:GetFunction",
"appsync:GetGraphqlApi",
"appsync:GetGraphqlApiEnvironmentVariables",
"appsync:GetIntrospectionSchema",
"appsync:GetResolver",
"appsync:GetSourceApiAssociation",
"appsync:List*",
"aps:Describe*",
"aps:List*",
"arc-zonal-shift:GetManagedResource",
"arc-zonal-shift:List*",
"athena:GetCapacityAssignmentConfiguration",
"athena:GetCapacityReservation",
"athena:GetDataCatalog",
"athena:GetNamedQuery",
"athena:GetPreparedStatement",
"athena:GetWorkGroup",
"athena:List*",
"auditmanager:GetAssessment",
"auditmanager:List*",
"autoscaling:Describe*",
"backup-gateway:GetHypervisor",
"backup-gateway:List*",
"backup:Describe*",
"backup:GetBackupPlan",
"backup:GetBackupSelection",
"backup:GetBackupVaultAccessPolicy",
"backup:GetBackupVaultNotifications",
"backup:GetRestoreTestingPlan",
"backup:GetRestoreTestingSelection",
"backup:List*",
"batch:DescribeComputeEnvironments",
"batch:DescribeJobQueues",
"batch:DescribeSchedulingPolicies",
"batch:List*",
"bedrock:GetAgent",
"bedrock:GetAgentActionGroup",
"bedrock:GetAgentAlias",
"bedrock:GetAgentKnowledgeBase",
"bedrock:GetDataSource",
"bedrock:GetGuardrail",
"bedrock:GetKnowledgeBase",
"bedrock:List*",
"budgets:Describe*",
"budgets:List*",
"ce:Describe*",
"ce:GetAnomalyMonitors",
"ce:GetAnomalySubscriptions",
"ce:List*",
"chatbot:Describe*",
"chatbot:GetMicrosoftTeamsChannelConfiguration",
"chatbot:List*",
"cleanrooms-ml:GetTrainingDataset",
"cleanrooms-ml:List*",
"cleanrooms:GetAnalysisTemplate",
"cleanrooms:GetCollaboration",
"cleanrooms:GetConfiguredTable",
"cleanrooms:GetConfiguredTableAnalysisRule",
"cleanrooms:GetConfiguredTableAssociation",
"cleanrooms:GetMembership",
"cleanrooms:List*",
"cloudformation:Describe*",
"cloudformation:GetResource",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:List*",
"cloudfront:Describe*",
"cloudfront:GetCachePolicy",
"cloudfront:GetCloudFrontOriginAccessIdentity",
"cloudfront:GetContinuousDeploymentPolicy",
"cloudfront:GetDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:GetFunction",
"cloudfront:GetKeyGroup",
"cloudfront:GetMonitoringSubscription",
"cloudfront:GetOriginAccessControl",
"cloudfront:GetOriginRequestPolicy",
"cloudfront:GetPublicKey",
"cloudfront:GetRealtimeLogConfig",
"cloudfront:GetResponseHeadersPolicy",
"cloudfront:List*",
"cloudtrail:Describe*",
"cloudtrail:GetChannel",
"cloudtrail:GetEventConfiguration",
"cloudtrail:GetEventDataStore",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetInsightSelectors",
"cloudtrail:GetQueryResults",
"cloudtrail:GetResourcePolicy",
"cloudtrail:GetTrail",
"cloudtrail:GetTrailStatus",
"cloudtrail:List*",
"cloudtrail:LookupEvents",
"cloudtrail:StartQuery",
"cloudwatch:Describe*",
"cloudwatch:GenerateQuery",
"cloudwatch:GetDashboard",
"cloudwatch:GetInsightRuleReport",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricStream",
"cloudwatch:GetService",
"cloudwatch:GetServiceLevelObjective",
"cloudwatch:List*",
"codeartifact:Describe*",
"codeartifact:GetDomainPermissionsPolicy",
"codeartifact:GetRepositoryPermissionsPolicy",
"codeartifact:List*",
"codebuild:BatchGetFleets",
"codebuild:List*",
"codecommit:GetRepository",
"codecommit:GetRepositoryTriggers",
"codedeploy:BatchGetDeployments",
"codedeploy:BatchGetDeploymentTargets",
"codedeploy:GetApplication",
"codedeploy:GetDeploymentConfig",
"codedeploy:GetDeploymentTarget",
"codedeploy:List*",
"codeguru-profiler:Describe*",
"codeguru-profiler:GetNotificationConfiguration",
"codeguru-profiler:GetPolicy",
"codeguru-profiler:List*",
"codeguru-reviewer:Describe*",
"codeguru-reviewer:List*",
"codepipeline:GetPipeline",
"codepipeline:GetPipelineState",
"codepipeline:List*",
"codestar-connections:GetConnection",
"codestar-connections:GetRepositoryLink",
"codestar-connections:GetSyncConfiguration",
"codestar-connections:List*",
"codestar-notifications:Describe*",
"codestar-notifications:List*",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:GetIdentityPoolRoles",
"cognito-identity:ListIdentityPools",
"cognito-identity:ListTagsForResource",
"cognito-idp:AdminListGroupsForUser",
"cognito-idp:DescribeIdentityProvider",
"cognito-idp:DescribeResourceServer",
"cognito-idp:DescribeRiskConfiguration",
"cognito-idp:DescribeUserImportJob",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolDomain",
"cognito-idp:GetGroup",
"cognito-idp:GetLogDeliveryConfiguration",
"cognito-idp:GetUICustomization",
"cognito-idp:GetUserPoolMfaConfig",
"cognito-idp:GetWebACLForResource",
"cognito-idp:ListGroups",
"cognito-idp:ListIdentityProviders",
"cognito-idp:ListResourceServers",
"cognito-idp:ListUserPoolClients",
"cognito-idp:ListUserPools",
"cognito-idp:ListTagsForResource",
"comprehend:Describe*",
"comprehend:List*",
"config:Describe*",
"config:GetStoredQuery",
"config:List*",
"connect:Describe*",
"connect:GetTaskTemplate",
"connect:List*",
"databrew:Describe*",
"databrew:List*",
"datapipeline:Describe*",
"datapipeline:GetPipelineDefinition",
"datapipeline:List*",
"datasync:Describe*",
"datasync:List*",
"deadline:GetFarm",
"deadline:GetFleet",
"deadline:GetLicenseEndpoint",
"deadline:GetMonitor",
"deadline:GetQueue",
"deadline:GetQueueEnvironment",
"deadline:GetQueueFleetAssociation",
"deadline:GetStorageProfile",
"deadline:List*",
"detective:GetMembers",
"detective:List*",
"devicefarm:GetDevicePool",
"devicefarm:GetInstanceProfile",
"devicefarm:GetNetworkProfile",
"devicefarm:GetProject",
"devicefarm:GetTestGridProject",
"devicefarm:GetVPCEConfiguration",
"devicefarm:List*",
"devops-guru:Describe*",
"devops-guru:GetResourceCollection",
"devops-guru:List*",
"dms:Describe*",
"dms:List*",
"ds:Describe*",
"dynamodb:Describe*",
"dynamodb:GetResourcePolicy",
"dynamodb:List*",
"ec2:Describe*",
"ec2:GetAssociatedEnclaveCertificateIamRoles",
"ec2:GetIpamPoolAllocations",
"ec2:GetIpamPoolCidrs",
"ec2:GetManagedPrefixListEntries",
"ec2:GetNetworkInsightsAccessScopeContent",
"ec2:GetSnapshotBlockPublicAccessState",
"ec2:GetTransitGatewayMulticastDomainAssociations",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:GetVerifiedAccessEndpointPolicy",
"ec2:GetVerifiedAccessGroupPolicy",
"ec2:GetVerifiedAccessInstanceWebAcl",
"ec2:SearchLocalGatewayRoutes",
"ec2:SearchTransitGatewayRoutes",
"ecr:Describe*",
"ecr:GetLifecyclePolicy",
"ecr:GetRegistryPolicy",
"ecr:GetRepositoryPolicy",
"ecr:List*",
"ecs:Describe*",
"ecs:List*",
"eks:AccessKubernetesApi",
"eks:Describe*",
"eks:List*",
"elasticache:Describe*",
"elasticache:List*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:GetResourcePolicy",
"elasticloadbalancing:GetTrustStoreCaCertificatesBundle",
"elasticloadbalancing:GetTrustStoreRevocationContent",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"emr-containers:Describe*",
"emr-containers:List*",
"emr-serverless:GetApplication",
"emr-serverless:List*",
"es:Describe*",
"es:List*",
"events:Describe*",
"events:List*",
"evidently:GetExperiment",
"evidently:GetFeature",
"evidently:GetLaunch",
"evidently:GetProject",
"evidently:GetSegment",
"evidently:List*",
"firehose:Describe*",
"firehose:List*",
"fis:GetExperimentTemplate",
"fis:GetTargetAccountConfiguration",
"fis:List*",
"fms:GetNotificationChannel",
"fms:GetPolicy",
"fms:List*",
"forecast:Describe*",
"forecast:List*",
"frauddetector:BatchGetVariable",
"frauddetector:Describe*",
"frauddetector:GetDetectors",
"frauddetector:GetDetectorVersion",
"frauddetector:GetEntityTypes",
"frauddetector:GetEventTypes",
"frauddetector:GetExternalModels",
"frauddetector:GetLabels",
"frauddetector:GetListElements",
"frauddetector:GetListsMetadata",
"frauddetector:GetModelVersion",
"frauddetector:GetOutcomes",
"frauddetector:GetRules",
"frauddetector:GetVariables",
"frauddetector:List*",
"fsx:Describe*",
"gamelift:Describe*",
"gamelift:List*",
"globalaccelerator:Describe*",
"globalaccelerator:List*",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetJob",
"glue:GetRegistry",
"glue:GetSchema",
"glue:GetSchemaVersion",
"glue:GetTable",
"glue:GetTags",
"glue:GetTrigger",
"glue:List*",
"glue:querySchemaVersionMetadata",
"grafana:Describe*",
"grafana:List*",
"greengrass:Describe*",
"greengrass:GetDeployment",
"greengrass:List*",
"groundstation:GetConfig",
"groundstation:GetDataflowEndpointGroup",
"groundstation:GetMissionProfile",
"groundstation:List*",
"guardduty:GetDetector",
"guardduty:GetFilter",
"guardduty:GetIPSet",
"guardduty:GetMalwareProtectionPlan",
"guardduty:GetMasterAccount",
"guardduty:GetMembers",
"guardduty:GetThreatIntelSet",
"guardduty:List*",
"health:DescribeEvents",
"health:DescribeEventDetails",
"healthlake:Describe*",
"healthlake:List*",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetInstanceProfile",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetServerCertificate",
"iam:GetServiceLinkedRoleDeletionStatus",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAttachedRolePolicies",
"iam:ListOpenIDConnectProviders",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListServerCertificates",
"iam:ListVirtualMFADevices",
"identitystore:DescribeGroup",
"identitystore:DescribeGroupMembership",
"identitystore:ListGroupMemberships",
"identitystore:ListGroups",
"imagebuilder:GetComponent",
"imagebuilder:GetContainerRecipe",
"imagebuilder:GetDistributionConfiguration",
"imagebuilder:GetImage",
"imagebuilder:GetImagePipeline",
"imagebuilder:GetImageRecipe",
"imagebuilder:GetInfrastructureConfiguration",
"imagebuilder:GetLifecyclePolicy",
"imagebuilder:GetWorkflow",
"imagebuilder:List*",
"inspector2:List*",
"inspector:Describe*",
"inspector:List*",
"internetmonitor:GetMonitor",
"internetmonitor:List*",
"iot:Describe*",
"iot:GetPackage",
"iot:GetPackageVersion",
"iot:GetPolicy",
"iot:GetThingShadow",
"iot:GetTopicRule",
"iot:GetTopicRuleDestination",
"iot:GetV2LoggingOptions",
"iot:List*",
"iotanalytics:Describe*",
"iotanalytics:List*",
"iotevents:Describe*",
"iotevents:List*",
"iotsitewise:Describe*",
"iotsitewise:List*",
"iotwireless:GetDestination",
"iotwireless:GetDeviceProfile",
"iotwireless:GetFuotaTask",
"iotwireless:GetMulticastGroup",
"iotwireless:GetNetworkAnalyzerConfiguration",
"iotwireless:GetServiceProfile",
"iotwireless:GetWirelessDevice",
"iotwireless:GetWirelessGateway",
"iotwireless:GetWirelessGatewayTaskDefinition",
"iotwireless:List*",
"ivs:GetChannel",
"ivs:GetEncoderConfiguration",
"ivs:GetPlaybackRestrictionPolicy",
"ivs:GetRecordingConfiguration",
"ivs:GetStage",
"ivs:List*",
"ivschat:GetLoggingConfiguration",
"ivschat:GetRoom",
"ivschat:List*",
"kafka:Describe*",
"kafka:GetClusterPolicy",
"kafka:List*",
"kafkaconnect:Describe*",
"kafkaconnect:List*",
"kendra:Describe*",
"kendra:List*",
"kinesis:Describe*",
"kinesis:GetResourcePolicy",
"kinesis:List*",
"kinesisanalytics:Describe*",
"kinesisanalytics:List*",
"kinesisvideo:Describe*",
"kms:DescribeKey",
"kms:ListResourceTags",
"kms:ListKeys",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListKeyRotations",
"lakeformation:Describe*",
"lakeformation:GetLFTag",
"lakeformation:GetResourceLFTags",
"lakeformation:List*",
"lambda:GetAlias",
"lambda:GetCodeSigningConfig",
"lambda:GetEventSourceMapping",
"lambda:GetFunctionCodeSigningConfig",
"lambda:GetFunctionConfiguration",
"lambda:GetFunctionEventInvokeConfig",
"lambda:GetFunctionRecursionConfig",
"lambda:GetFunctionUrlConfig",
"lambda:GetLayerVersion",
"lambda:GetLayerVersionPolicy",
"lambda:GetPolicy",
"lambda:GetProvisionedConcurrencyConfig",
"lambda:GetRuntimeManagementConfig",
"lambda:List*",
"launchwizard:GetDeployment",
"launchwizard:List*",
"license-manager:GetLicense",
"license-manager:List*",
"lightsail:GetAlarms",
"lightsail:GetBuckets",
"lightsail:GetCertificates",
"lightsail:GetContainerServices",
"lightsail:GetDisk",
"lightsail:GetDisks",
"lightsail:GetInstance",
"lightsail:GetInstances",
"lightsail:GetLoadBalancer",
"lightsail:GetLoadBalancers",
"lightsail:GetLoadBalancerTlsCertificates",
"lightsail:GetStaticIp",
"lightsail:GetStaticIps",
"logs:Describe*",
"logs:FilterLogEvents",
"logs:GetDataProtectionPolicy",
"logs:GetDelivery",
"logs:GetDeliveryDestination",
"logs:GetDeliveryDestinationPolicy",
"logs:GetDeliverySource",
"logs:GetLogAnomalyDetector",
"logs:GetLogDelivery",
"logs:GetLogGroupFields",
"logs:GetQueryResults",
"logs:List*",
"logs:StartQuery",
"logs:StopLiveTail",
"logs:StopQuery",
"logs:TestMetricFilter",
"m2:GetApplication",
"m2:GetEnvironment",
"m2:List*",
"macie2:GetAllowList",
"macie2:GetCustomDataIdentifier",
"macie2:GetFindingsFilter",
"macie2:GetMacieSession",
"macie2:List*",
"mediaconnect:Describe*",
"mediaconnect:List*",
"medialive:Describe*",
"medialive:GetCloudWatchAlarmTemplate",
"medialive:GetCloudWatchAlarmTemplateGroup",
"medialive:GetEventBridgeRuleTemplate",
"medialive:GetEventBridgeRuleTemplateGroup",
"medialive:GetSignalMap",
"medialive:List*",
"mediapackage-vod:Describe*",
"mediapackage-vod:List*",
"mediapackage:Describe*",
"mediapackage:List*",
"mediapackagev2:GetChannel",
"mediapackagev2:GetChannelGroup",
"mediapackagev2:GetChannelPolicy",
"mediapackagev2:GetOriginEndpoint",
"mediapackagev2:GetOriginEndpointPolicy",
"mediapackagev2:List*",
"memorydb:Describe*",
"memorydb:List*",
"mobiletargeting:GetInAppTemplate",
"mobiletargeting:List*",
"mq:Describe*",
"mq:List*",
"network-firewall:Describe*",
"network-firewall:List*",
"networkmanager:Describe*",
"networkmanager:GetConnectAttachment",
"networkmanager:GetConnectPeer",
"networkmanager:GetCoreNetwork",
"networkmanager:GetCoreNetworkPolicy",
"networkmanager:GetCustomerGatewayAssociations",
"networkmanager:GetDevices",
"networkmanager:GetLinkAssociations",
"networkmanager:GetLinks",
"networkmanager:GetSites",
"networkmanager:GetSiteToSiteVpnAttachment",
"networkmanager:GetTransitGatewayPeering",
"networkmanager:GetTransitGatewayRegistrations",
"networkmanager:GetTransitGatewayRouteTableAttachment",
"networkmanager:GetVpcAttachment",
"networkmanager:List*",
"oam:GetLink",
"oam:GetSink",
"oam:GetSinkPolicy",
"oam:List*",
"omics:GetAnnotationStore",
"omics:GetReferenceStore",
"omics:GetRunGroup",
"omics:GetSequenceStore",
"omics:GetVariantStore",
"omics:GetWorkflow",
"omics:List*",
"organizations:Describe*",
"organizations:List*",
"osis:GetPipeline",
"osis:List*",
"payment-cryptography:GetAlias",
"payment-cryptography:GetKey",
"payment-cryptography:List*",
"pca-connector-ad:GetConnector",
"pca-connector-ad:GetDirectoryRegistration",
"pca-connector-ad:GetServicePrincipalName",
"pca-connector-ad:GetTemplate",
"pca-connector-ad:GetTemplateGroupAccessControlEntry",
"pca-connector-ad:List*",
"pca-connector-scep:GetChallengeMetadata",
"pca-connector-scep:GetConnector",
"pca-connector-scep:List*",
"personalize:Describe*",
"personalize:List*",
"pi:DescribeDimensionKeys",
"pi:GetResourceMetadata",
"pi:GetResourceMetrics",
"pi:ListAvailableResourceDimensions",
"pi:ListAvailableResourceMetrics",
"pipes:Describe*",
"pipes:List*",
"proton:GetEnvironmentTemplate",
"proton:GetServiceTemplate",
"proton:List*",
"qbusiness:GetApplication",
"qbusiness:GetDataSource",
"qbusiness:GetIndex",
"qbusiness:GetPlugin",
"qbusiness:GetRetriever",
"qbusiness:GetWebExperience",
"qbusiness:List*",
"ram:GetPermission",
"ram:GetResourceShares",
"ram:List*",
"rds:Describe*",
"rds:List*",
"redshift-serverless:GetNamespace",
"redshift-serverless:GetWorkgroup",
"redshift-serverless:List*",
"redshift:Describe*",
"refactor-spaces:GetApplication",
"refactor-spaces:GetEnvironment",
"refactor-spaces:GetRoute",
"refactor-spaces:List*",
"rekognition:Describe*",
"rekognition:List*",
"resiliencehub:Describe*",
"resiliencehub:List*",
"resource-explorer-2:GetDefaultView",
"resource-explorer-2:GetIndex",
"resource-explorer-2:GetView",
"resource-explorer-2:List*",
"resource-explorer-2:Search",
"resource-groups:GetGroup",
"resource-groups:GetGroupConfiguration",
"resource-groups:GetGroupQuery",
"resource-groups:GetTags",
"resource-groups:List*",
"route53-recovery-control-config:Describe*",
"route53-recovery-control-config:List*",
"route53-recovery-readiness:GetCell",
"route53-recovery-readiness:GetReadinessCheck",
"route53-recovery-readiness:GetRecoveryGroup",
"route53-recovery-readiness:GetResourceSet",
"route53-recovery-readiness:List*",
"route53:GetDNSSEC",
"route53:GetHealthCheck",
"route53:GetHealthCheckStatus",
"route53:GetHostedZone",
"route53:List*",
"route53profiles:GetProfile",
"route53profiles:GetProfileAssociation",
"route53profiles:GetProfileResourceAssociation",
"route53profiles:List*",
"route53resolver:GetFirewallDomainList",
"route53resolver:GetFirewallRuleGroup",
"route53resolver:GetFirewallRuleGroupAssociation",
"route53resolver:GetOutpostResolver",
"route53resolver:GetResolverConfig",
"route53resolver:GetResolverQueryLogConfig",
"route53resolver:GetResolverQueryLogConfigAssociation",
"route53resolver:GetResolverRule",
"route53resolver:GetResolverRuleAssociation",
"route53resolver:List*",
"rum:GetAppMonitor",
"rum:List*",
"s3-outposts:ListEndpoints",
"s3-outposts:ListOutpostsWithS3",
"s3:GetAccessGrant",
"s3:GetAccessGrantsInstance",
"s3:GetAccessGrantsLocation",
"s3:GetAccessPoint",
"s3:GetAccessPointConfigurationForObjectLambda",
"s3:GetAccessPointForObjectLambda",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyForObjectLambda",
"s3:GetAccessPointPolicyStatusForObjectLambda",
"s3:GetBucketAbac",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketMetadataTableConfiguration",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetMultiRegionAccessPoint",
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPointPolicyStatus",
"s3:GetReplicationConfiguration",
"s3:GetStorageLensConfiguration",
"s3:GetStorageLensConfigurationTagging",
"s3:GetStorageLensGroup",
"s3:ListAllMyBuckets",
"sagemaker:Describe*",
"sagemaker:List*",
"scheduler:GetSchedule",
"scheduler:GetScheduleGroup",
"scheduler:List*",
"schemas:Describe*",
"schemas:GetResourcePolicy",
"schemas:List*",
"secretsmanager:Describe*",
"secretsmanager:GetResourcePolicy",
"secretsmanager:List*",
"securityhub:BatchGetAutomationRules",
"securityhub:BatchGetSecurityControls",
"securityhub:Describe*",
"securityhub:GetConfigurationPolicy",
"securityhub:GetConfigurationPolicyAssociation",
"securityhub:GetEnabledStandards",
"securityhub:GetFindingAggregator",
"securityhub:GetInsights",
"securityhub:List*",
"securitylake:GetSubscriber",
"securitylake:List*",
"servicecatalog:Describe*",
"servicecatalog:GetApplication",
"servicecatalog:GetAttributeGroup",
"servicecatalog:List*",
"servicequotas:GetServiceQuota",
"ses:Describe*",
"ses:GetAccount",
"ses:GetAddonInstance",
"ses:GetAddonSubscription",
"ses:GetArchive",
"ses:GetConfigurationSet",
"ses:GetConfigurationSetEventDestinations",
"ses:GetContactList",
"ses:GetDedicatedIpPool",
"ses:GetDedicatedIps",
"ses:GetEmailIdentity",
"ses:GetEmailTemplate",
"ses:GetIngressPoint",
"ses:GetRelay",
"ses:GetRuleSet",
"ses:GetTemplate",
"ses:GetTrafficPolicy",
"ses:List*",
"shield:Describe*",
"shield:List*",
"signer:GetSigningProfile",
"signer:List*",
"sns:GetDataProtectionPolicy",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:List*",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:List*",
"ssm-contacts:GetContact",
"ssm-contacts:GetContactChannel",
"ssm-contacts:List*",
"ssm-incidents:GetReplicationSet",
"ssm-incidents:GetResponsePlan",
"ssm-incidents:List*",
"ssm-sap:GetApplication",
"ssm-sap:List*",
"ssm:Describe*",
"ssm:GetDefaultPatchBaseline",
"ssm:GetDocument",
"ssm:GetParameters",
"ssm:GetPatchBaseline",
"ssm:GetResourcePolicies",
"ssm:List*",
"sso:GetInlinePolicyForPermissionSet",
"sso:GetManagedApplicationInstance",
"sso:GetPermissionsBoundaryForPermissionSet",
"sso:GetSharedSsoConfiguration",
"sso:ListAccountAssignments",
"sso:ListApplicationAssignments",
"sso:ListApplications",
"sso:ListCustomerManagedPolicyReferencesInPermissionSet",
"sso:ListInstances",
"sso:ListManagedPoliciesInPermissionSet",
"sso:ListTagsForResource",
"states:GetExecutionHistory",
"states:Describe*",
"states:List*",
"support:CreateCase",
"support:DescribeCases",
"synthetics:Describe*",
"synthetics:GetCanary",
"synthetics:GetCanaryRuns",
"synthetics:GetGroup",
"synthetics:List*",
"tag:GetResources",
"timestream:Describe*",
"timestream:List*",
"transfer:Describe*",
"transfer:List*",
"verifiedpermissions:GetIdentitySource",
"verifiedpermissions:GetPolicy",
"verifiedpermissions:GetPolicyStore",
"verifiedpermissions:GetPolicyTemplate",
"verifiedpermissions:GetSchema",
"verifiedpermissions:List*",
"vpc-lattice:GetAccessLogSubscription",
"vpc-lattice:GetAuthPolicy",
"vpc-lattice:GetListener",
"vpc-lattice:GetResourcePolicy",
"vpc-lattice:GetRule",
"vpc-lattice:GetService",
"vpc-lattice:GetServiceNetwork",
"vpc-lattice:GetServiceNetworkServiceAssociation",
"vpc-lattice:GetServiceNetworkVpcAssociation",
"vpc-lattice:GetTargetGroup",
"vpc-lattice:List*",
"wafv2:GetIPSet",
"wafv2:GetLoggingConfiguration",
"wafv2:GetRegexPatternSet",
"wafv2:GetRuleGroup",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:List*",
"workspaces-web:GetBrowserSettings",
"workspaces-web:GetIdentityProvider",
"workspaces-web:GetNetworkSettings",
"workspaces-web:GetPortal",
"workspaces-web:GetPortalServiceProviderMetadata",
"workspaces-web:GetTrustStore",
"workspaces-web:GetUserAccessLoggingSettings",
"workspaces-web:GetUserSettings",
"workspaces-web:List*",
"workspaces:Describe*",
"xray:BatchGetTraces",
"xray:GetGroup",
"xray:GetGroups",
"xray:GetSamplingRules",
"xray:GetServiceGraph",
"xray:GetTraceSummaries",
"xray:List*"
],
"Resource": "*"
},
{
"Sid": "AIOPSAPIGatewayAccess",
"Effect": "Allow",
"Action": [
"apigateway:GET"
],
"Resource": [
"arn:aws:apigateway:*::/restapis",
"arn:aws:apigateway:*::/restapis/*",
"arn:aws:apigateway:*::/restapis/*/deployments",
"arn:aws:apigateway:*::/restapis/*/deployments/*",
"arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integrations",
"arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integrations/*",
"arn:aws:apigateway:*::/restapis/*/stages",
"arn:aws:apigateway:*::/restapis/*/stages/*",
"arn:aws:apigateway:*::/apis",
"arn:aws:apigateway:*::/apis/*",
"arn:aws:apigateway:*::/apis/*/deployments",
"arn:aws:apigateway:*::/apis/*/deployments/*",
"arn:aws:apigateway:*::/apis/*/integrations",
"arn:aws:apigateway:*::/apis/*/integrations/*",
"arn:aws:apigateway:*::/apis/*/stages",
"arn:aws:apigateway:*::/apis/*/stages/*",
"arn:aws:apigateway:*::/domainnames/*"
]
}
]
}
```