--- title: Amazon Web Services description: >- Amazon Web Services (AWS) is a collection of web services that together make up a cloud computing platform. breadcrumbs: Docs > Integrations > Amazon Web Services --- # Amazon Web Services ## Overview{% #overview %} Connect to Amazon Web Services (AWS) to: - See automatic AWS status updates in your Events Explorer - Get CloudWatch metrics for EC2 hosts without installing the Agent - Tag your EC2 hosts with EC2-specific information - See EC2 scheduled maintenance events in your stream - Collect CloudWatch metrics and events from many other AWS products - See CloudWatch alarms in your Events Explorer To quickly get started using the AWS integration, check out the [AWS getting started guide](https://docs.datadoghq.com/getting_started/integrations/aws.md). Datadog's Amazon Web Services integration collects logs, events, and [most metrics from CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html) for over [90 AWS services](https://docs.datadoghq.com/integrations.md#cat-aws). ## Setup{% #setup %} Use one of the following methods to integrate your AWS accounts into Datadog for metric, event, tag, and log collection. ### Automatic{% #automatic %} - **CloudFormation (Best for quickly getting started)** To set up the AWS integration with CloudFormation, see the [the AWS getting started guide](https://docs.datadoghq.com/getting_started/integrations/aws.md). - **Terraform** To set up the AWS integration with Terraform, see [the AWS integration with Terraform](https://docs.datadoghq.com/integrations/guide/aws-terraform-setup.md). - **Control Tower** To set up the AWS integration when provisioning a new AWS account with [Control Tower Account Factory](https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html), see the [Control Tower setup guide](https://aws.amazon.com/blogs/awsmarketplace/deploy-datadogs-aws-integration-accounts-aws-control-tower-account-factory-customization/). - **Multi-Account setup for AWS Organizations** To set up the AWS Integration for multiple accounts within an AWS Organization, see the [AWS Organizations setup guide](https://docs.datadoghq.com/integrations/guide/aws-organizations-setup.md). ### Manual{% #manual %} - **Role delegation** To set up the AWS integration manually with role delegation, see the [manual setup guide](https://docs.datadoghq.com/integrations/guide/aws-manual-setup.md). - **Access keys (GovCloud or China\* Only)** To set up the AWS integration with access keys, see the [manual setup guide](https://docs.datadoghq.com/integrations/guide/aws-manual-setup.md?tab=accesskeysgovcloudorchinaonly). \* *All use of Datadog Services in (or in connection with environments within) mainland China is subject to the disclaimer published in the [Restricted Service Locations](https://www.datadoghq.com/legal/restricted-service-locations/) section on our website.* **Note**: After setup is complete, you can configure integration settings (such as which AWS regions and integrations to collect data from) in the [Datadog AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services). ## AWS IAM permissions{% #aws-iam-permissions %} AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events and other data necessary to monitor your AWS environment. To correctly set up the AWS Integration, you must attach the relevant IAM policies to the **Datadog AWS Integration IAM Role** in your AWS account. ### AWS integration IAM policy{% #aws-integration-iam-policy %} ```json { "Version": "2012-10-17", "Statement": [ { "Action": [ "account:GetAccountInformation", "airflow:GetEnvironment", "airflow:ListEnvironments", "apigateway:GET", "appsync:ListGraphqlApis", "autoscaling:Describe*", "backup:List*", "batch:DescribeJobDefinitions", "batch:DescribeJobQueues", "batch:DescribeJobs", "batch:ListJobs", "bcm-data-exports:GetExport", "bcm-data-exports:ListExports", "budgets:ViewBudget", "cloudfront:GetDistributionConfig", "cloudfront:ListDistributions", "cloudtrail:DescribeTrails", "cloudtrail:GetTrail", "cloudtrail:GetTrailStatus", "cloudtrail:ListTrails", "cloudtrail:LookupEvents", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", "codebuild:BatchGetProjects", "codebuild:ListProjects", "codedeploy:BatchGet*", "codedeploy:List*", "cur:DescribeReportDefinitions", "directconnect:Describe*", "dms:DescribeReplicationInstances", "dynamodb:Describe*", "dynamodb:List*", "ec2:Describe*", "ecs:Describe*", "ecs:List*", "eks:DescribeCluster", "eks:ListClusters", "elasticache:Describe*", "elasticache:List*", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeTags", "elasticloadbalancing:Describe*", "elasticmapreduce:Describe*", "elasticmapreduce:List*", "es:DescribeElasticsearchDomains", "es:ListDomainNames", "es:ListTags", "events:CreateEventBus", "fsx:DescribeFileSystems", "fsx:ListTagsForResource", "glue:BatchGetJobs", "glue:GetJob", "glue:GetJobs", "glue:ListJobs", "health:DescribeAffectedEntities", "health:DescribeEventDetails", "health:DescribeEvents", "iam:ListAccountAliases", "iot:GetV2LoggingOptions", "kinesis:Describe*", "kinesis:List*", "lambda:List*", "logs:DeleteSubscriptionFilter", "logs:DescribeDeliveries", "logs:DescribeDeliverySources", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:DescribeSubscriptionFilters", "logs:FilterLogEvents", "logs:GetDeliveryDestination", "logs:PutSubscriptionFilter", "logs:TestMetricFilter", "network-firewall:DescribeLoggingConfiguration", "network-firewall:ListFirewalls", "oam:ListAttachedLinks", "oam:ListSinks", "organizations:Describe*", "organizations:List*", "rds:Describe*", "rds:List*", "redshift-serverless:ListNamespaces", "redshift:DescribeClusters", "redshift:DescribeLoggingStatus", "route53:List*", "route53resolver:ListResolverQueryLogConfigs", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", "s3:GetBucketTagging", "s3:GetObject", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:PutBucketNotification", "ses:Get*", "ses:List*", "sns:GetSubscriptionAttributes", "sns:List*", "sns:Publish", "sqs:ListQueues", "ssm:GetServiceSetting", "ssm:ListCommands", "states:DescribeStateMachine", "states:ListStateMachines", "support:DescribeTrustedAdvisor*", "support:RefreshTrustedAdvisorCheck", "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues", "timestream:DescribeEndpoints", "trustedadvisor:ListRecommendationResources", "trustedadvisor:ListRecommendations", "wafv2:ListLoggingConfigurations", "xray:BatchGetTraces", "xray:GetTraceSummaries" ], "Effect": "Allow", "Resource": "*" } ] } ``` ### AWS resource collection IAM policy{% #aws-resource-collection-iam-policy %} To use [resource collection](https://docs.datadoghq.com/integrations/amazon_web_services.md#resource-collection), you must attach AWS's managed SecurityAudit Policy to your Datadog IAM role. **Notes**: - Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role. - To enable Datadog to collect account management resources from `account.GetAlternateContact` and `account.GetContactInformation`, you need to [enable trusted access for AWS account management](https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-trusted-access.html). - AWS China accounts are not supported. - Enabling resource collection can also impact your AWS CloudWatch costs. To avoid these charges, disable **Usage** (`AWS/Usage`) metrics in the **Metric Collection** tab of the [Datadog AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services/). ## Log collection{% #log-collection %} There are two ways of sending AWS service logs to Datadog: - [Amazon Data Firehose destination](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-kinesis-firehose-destination.md): Use the Datadog destination in your Amazon Data Firehose delivery stream to forward logs to Datadog. It is recommended to use this approach when sending logs from CloudWatch in a very high volume. - [Forwarder Lambda function](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function.md): Deploy the Datadog Forwarder Lambda function, which subscribes to S3 buckets or your CloudWatch log groups and forwards logs to Datadog. Datadog also recommends you use this approach for sending logs from S3 or other resources that cannot directly stream data to Amazon Data Firehose. ## Metric collection{% #metric-collection %} There are two ways to send AWS metrics to Datadog: - [Metric polling](https://docs.datadoghq.com/integrations/guide/cloud-metric-delay.md#aws): API polling comes out of the box with the AWS integration. A metric-by-metric crawl of the CloudWatch API pulls data and sends it to Datadog. New metrics are pulled every ten minutes, on average. - [Metric streams with Amazon Data Firehose](https://docs.datadoghq.com/integrations/guide/aws-cloudwatch-metric-streams-with-kinesis-data-firehose.md): You can use Amazon CloudWatch Metric Streams and Amazon Data Firehose to see your metrics. **Note**: This method has a two to three minute latency, and requires a separate setup. You can find a full list of the available sub-integrations on the [Integrations page](https://docs.datadoghq.com/integrations.md#cat-aws). Many of these integrations are installed by default when Datadog recognizes data coming in from your AWS account. See the [AWS Integration Billing page](https://docs.datadoghq.com/account_management/billing/aws.md) for options to exclude specific resources for cost control. ## Resource collection{% #resource-collection %} Some Datadog products leverage information about how your AWS resources (such as S3 buckets, RDS snapshots, and CloudFront distributions) are configured. Datadog collects this information by making read-only API calls to your AWS account. **Note**: If you use AWS CloudTrail or GuardDuty, there may be some associated costs. Datadog's resource collection makes periodic calls to AWS APIs, which can increase CloudTrail log volume (affecting S3 storage costs) and may result in higher GuardDuty charges due to additional data being analyzed. ### AWS resource collection IAM policy{% #aws-resource-collection-iam-policy-1 %} To use [resource collection](https://docs.datadoghq.com/integrations/amazon_web_services.md#resource-collection), you must attach AWS's managed SecurityAudit Policy to your Datadog IAM role. **Notes**: - Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role. - To enable Datadog to collect account management resources from `account.GetAlternateContact` and `account.GetContactInformation`, you need to [enable trusted access for AWS account management](https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-trusted-access.html). - AWS China accounts are not supported. - Enabling resource collection can also impact your AWS CloudWatch costs. To avoid these charges, disable **Usage** (`AWS/Usage`) metrics in the **Metric Collection** tab of the [Datadog AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services/). ### Resource types and permissions{% #resource-types-and-permissions %} The following sections list the resource types collected for different Datadog products, and the associated permissions required for the Datadog IAM role to collect data on your behalf. Add these permissions to your **existing** AWS integration IAM policy (with attached `SecurityAudit` policy). {% collapsible-section #cloud-cost-management %} #### Cloud Cost Management (CCM) | Resource Type | Permissions | | ------------------------ | ----------------------------- | | aws:ec2:availabilityzone | ec2:DescribeAvailabilityZones | | aws:ec2:instance | ec2:DescribeInstances | | aws:ec2:volume | ec2:DescribeVolumes | {% /collapsible-section %} {% collapsible-section #cloudcraft %} #### Cloudcraft | Resource Type | Permissions | | ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | aws:apigateway:api | apigateway:GET | | aws:apigatewayv2:api | apigateway:GetApis,apigateway:GetRoutes | | aws:autoscaling:group | autoscaling:DescribeAutoScalingGroups | | aws:cloudfront:distribution | cloudfront:GetDistribution,cloudfront:ListDistributions | | aws:directconnect:connection | directconnect:DescribeConnections | | aws:docdb:cluster | rds:DescribeDBClusters | | aws:dynamodb:table | dynamodb:DescribeContinuousBackups,dynamodb:DescribeTable,dynamodb:DescribeTimeToLive,dynamodb:ListTables | | aws:ec2:availabilityzone | ec2:DescribeAvailabilityZones | | aws:ec2:customergateway | ec2:DescribeCustomerGateways | | aws:ec2:ebs-encryption-by-default | ec2:GetEbsEncryptionByDefault | | aws:ec2:instance | ec2:DescribeInstances | | aws:ec2:securitygroup | ec2:DescribeSecurityGroups | | aws:ec2:snapshot | ec2:DescribeSnapshotAttribute,ec2:DescribeSnapshots | | aws:ec2:subnet | ec2:DescribeSubnets | | aws:ec2:transitgateway | ec2:DescribeTransitGateways | | aws:ec2:volume | ec2:DescribeVolumes | | aws:ec2:vpc | ec2:DescribeVpcs | | aws:ec2:vpcendpoint | ec2:DescribeVpcEndpoints | | aws:ec2:vpcinternetgateway | ec2:DescribeInternetGateways | | aws:ec2:vpcnatgateway | ec2:DescribeNatGateways | | aws:ec2:vpnconnection | ec2:DescribeVpnConnections | | aws:ec2:vpngateway | ec2:DescribeVpnGateways | | aws:ecr:repository | ecr:DescribeRepositories,ecr:GetLifecyclePolicy,ecr:GetRepositoryPolicy | | aws:ecrpublic:repository | ecr-public:DescribeImages,ecr-public:DescribeRepositories,ecr-public:GetRepositoryPolicy | | aws:ecs:cluster | ecs:DescribeClusters,ecs:ListClusters | | aws:ecs:service | ecs:DescribeServices,ecs:ListClusters,ecs:ListServices | | aws:ecs:task | ecs:DescribeServices,ecs:DescribeTasks,ecs:ListClusters,ecs:ListServices,ecs:ListTasks | | aws:efs:accesspoint | elasticfilesystem:DescribeAccessPoints | | aws:efs:filesystem | elasticfilesystem:DescribeFileSystems,elasticfilesystem:DescribeLifecycleConfiguration | | aws:efs:mounttarget | elasticfilesystem:DescribeFileSystems,elasticfilesystem:DescribeMountTargetSecurityGroups,elasticfilesystem:DescribeMountTargets | | aws:eks:cluster | eks:DescribeCluster,eks:ListClusters | | aws:eks:nodegroup | eks:DescribeCluster,eks:DescribeNodeGroup,eks:ListClusters,eks:ListNodeGroups | | aws:elasticache:cachesubnetgroup | elasticache:DescribeCacheSubnetGroups | | aws:elasticache:cluster | elasticache:DescribeCacheClusters | | aws:elasticache:parametergroup | elasticache:DescribeCacheParameterGroups | | aws:elasticache:replicationgroup | elasticache:DescribeReplicationGroups | | aws:elasticache:securitygroup | elasticache:DescribeCacheSecurityGroups | | aws:elasticache:snapshot | elasticache:DescribeSnapshots | | aws:elasticache:user | elasticache:DescribeUsers | | aws:elasticache:usergroup | elasticache:DescribeUserGroups | | aws:elasticloadbalancing:loadbalancer | elasticloadbalancing:DescribeInstanceHealth,elasticloadbalancing:DescribeLoadBalancerAttributes,elasticloadbalancing:DescribeLoadBalancerPolicies,elasticloadbalancing:DescribeLoadBalancers | | aws:elasticloadbalancingv2:loadbalancer | elasticloadbalancing:DescribeListeners,elasticloadbalancing:DescribeLoadBalancerAttributes,elasticloadbalancing:DescribeLoadBalancers | | aws:elasticsearchservice:domain | es:DescribeElasticsearchDomains,es:ListDomainNames | | aws:eventbridge:eventbus | events:ListEventBuses,events:ListRules | | aws:fsx:backup | fsx:DescribeBackups | | aws:fsx:file-system | fsx:DescribeFileSystems | | aws:glacier:vault | glacier:GetVaultNotifications,glacier:ListVaults | | aws:keyspaces:keyspace | cassandra:Select | | aws:kinesis:stream | kinesis:DescribeStreamSummary,kinesis:ListStreams | | aws:lambda:function | lambda:GetFunction,lambda:GetPolicy,lambda:ListFunctionUrlConfigs,lambda:ListFunctions,lambda:ListProvisionedConcurrencyConfigs | | aws:neptune:cluster | rds:DescribeDBClusters | | aws:neptune:cluster-snapshot | rds:DescribeDBClusterSnapshotAttributes,rds:DescribeDBClusterSnapshots | | aws:neptune:dbinstance | rds:DescribeDBInstances | | aws:rds:cluster | rds:DescribeDBClusters | | aws:rds:cluster-snapshot | rds:DescribeDBClusterSnapshotAttributes,rds:DescribeDBClusterSnapshots | | aws:rds:dbclusterparametergroup | rds:DescribeDBClusterParameterGroups | | aws:rds:dbinstanceautomatedbackup | rds:DescribeDBInstanceAutomatedBackups | | aws:rds:dbparametergroup | rds:DescribeDBParameterGroups,rds:DescribeDBParameters | | aws:rds:dbsubnetgroup | rds:DescribeDBSubnetGroups | | aws:rds:eventsubscription | rds:DescribeEventSubscriptions | | aws:rds:exporttask | rds:DescribeExportTasks | | aws:rds:instance | rds:DescribeDBInstances | | aws:rds:optiongroup | rds:DescribeOptionGroups | | aws:rds:reserveddbinstance | rds:DescribeReservedDBInstances | | aws:rds:securitygroup | rds:DescribeDBSecurityGroups | | aws:rds:snapshot | rds:DescribeDBSnapshotAttributes,rds:DescribeDBSnapshots | | aws:redshift:eventsubscription | redshift:DescribeEventSubscriptions | | aws:redshift:parametergroup | redshift:DescribeClusterParameterGroups | | aws:redshift:securitygroup | redshift:DescribeClusterSecurityGroups | | aws:redshift:snapshot | redshift:DescribeClusterSnapshots,redshift:DescribeClusters | | aws:redshift:subnetgroup | redshift:DescribeClusterSubnetGroups,redshift:DescribeClusters | | aws:route53:hostedzone | route53:GetDNSSEC,route53:GetHostedZone,route53:ListHostedZones | | aws:s3:bucket | s3:GetAccelerateConfiguration,s3:GetAnalyticsConfiguration,s3:GetBucketAbac,s3:GetBucketAcl,s3:GetBucketLogging,s3:GetBucketMetadataConfiguration,s3:GetBucketNotification,s3:GetBucketObjectLockConfiguration,s3:GetBucketOwnershipControls,s3:GetBucketPolicy,s3:GetBucketPolicyStatus,s3:GetBucketPublicAccessBlock,s3:GetBucketVersioning,s3:GetBucketWebsite,s3:GetEncryptionConfiguration,s3:GetIntelligentTieringConfiguration,s3:GetInventoryConfiguration,s3:GetLifecycleConfiguration,s3:GetReplicationConfiguration,s3:ListAllMyBuckets | | aws:ses:addon-instance | ses:ListAddonInstances | | aws:ses:addon-subscription | ses:ListAddonSubscriptions | | aws:ses:address-list | ses:ListAddressLists | | aws:ses:archive | ses:GetArchive,ses:ListArchives | | aws:ses:configuration-set | ses:DescribeConfigurationSet,ses:ListConfigurationSets | | aws:ses:contact-list | ses:GetContactList,ses:ListContactLists | | aws:ses:custom-verification-email-template | ses:GetCustomVerificationEmailTemplate,ses:ListCustomVerificationEmailTemplates | | aws:ses:dedicated-ip-pool | ses:GetDedicatedIpPool,ses:ListDedicatedIpPools | | aws:ses:identity | ses:GetIdentityDkimAttributes,ses:GetIdentityMailFromDomainAttributes,ses:GetIdentityVerificationAttributes,ses:ListIdentities | | aws:ses:ingress-point | ses:GetIngressPoint,ses:ListIngressPoints | | aws:ses:multi-region-endpoint | ses:GetMultiRegionEndpoint,ses:ListMultiRegionEndpoints | | aws:ses:relay | ses:GetRelay,ses:ListRelays | | aws:ses:rule-set | ses:GetRuleSet,ses:ListRuleSets | | aws:ses:template | ses:GetTemplate,ses:ListTemplates | | aws:ses:traffic-policy | ses:GetTrafficPolicy,ses:ListTrafficPolicies | | aws:sns:subscription | sns:ListSubscriptions | | aws:sns:topic | sns:GetTopicAttributes,sns:ListTopics | | aws:sqs:queue | sqs:GetQueueAttributes,sqs:GetQueueUrl,sqs:ListQueues | | aws:timestreamwrite:table | timestream:ListTables | | aws:waf:acl | waf:GetWebACL,waf:ListWebACLs | | aws:waf:rule | waf:GetRule,waf:ListRules | | aws:waf:rulegroup | waf:GetRuleGroup,waf:ListRuleGroups | | aws:wafregional:acl | waf-regional:GetWebACL,waf-regional:ListWebACLs | | aws:wafregional:rule | waf-regional:GetRule,waf-regional:ListRules | | aws:wafregional:rulegroup | waf-regional:GetRuleGroup,waf-regional:ListRuleGroups | | aws:wafv2:acl | wafv2:GetLoggingConfiguration,wafv2:GetWebACL,wafv2:ListResourcesForWebACL,wafv2:ListWebACLs | {% /collapsible-section %} {% collapsible-section #cloud-security-monitoring %} #### Cloud Security Monitoring (CSM) | Resource Type | Permissions | | ---------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | aws:accessanalyzer:analyzer | access-analyzer:GetAnalyzer,access-analyzer:ListAnalyzers | | aws:account:account | account:GetAlternateContact,account:GetContactInformation,account:GetPrimaryEmail,organizations:DescribeOrganization,organizations:ListAccounts | | aws:acm:acm | acm:DescribeCertificate,acm:ListCertificates | | aws:acmpca:certificateauthority | acm-pca:DescribeCertificateAuthority,acm-pca:ListCertificateAuthorities | | aws:amp:rulegroupsnamespace | aps:DescribeRuleGroupsNamespace,aps:DescribeWorkspace,aps:ListRuleGroupsNamespaces,aps:ListWorkspaces | | aws:amp:scraper | aps:DescribeScraper,aps:ListScrapers | | aws:amp:workspace | aps:DescribeWorkspace,aps:ListWorkspaces | | aws:amplify:app | amplify:ListApps | | aws:amplify:backend-environment | amplify:ListApps,amplify:ListBackendEnvironments | | aws:amplify:branch | amplify:ListApps,amplify:ListBranches | | aws:amplify:domain-association | amplify:ListApps,amplify:ListDomainAssociations | | aws:amplify:job | amplify:ListApps,amplify:ListBranches,amplify:ListJobs | | aws:amplify:webhook | amplify:ListApps,amplify:ListWebhooks | | aws:apigateway:account | apigateway:GetAccount | | aws:apigateway:api | apigateway:GET | | aws:apigateway:apikey | apigateway:GetApiKeys | | aws:apigateway:authorizer | apigateway:GET,apigateway:GetAuthorizers | | aws:apigateway:basepathmapping | apigateway:GetBasePathMappings,apigateway:GetDomainNames | | aws:apigateway:clientcertificate | apigateway:GetClientCertificates | | aws:apigateway:deployment | apigateway:GET,apigateway:GetDeployments | | aws:apigateway:documentationpart | apigateway:GET,apigateway:GetDocumentationParts | | aws:apigateway:domainname | apigateway:GetDomainNames | | aws:apigateway:domainnameaccessassociation | apigateway:GetDomainNameAccessAssociations | | aws:apigateway:gatewayresponse | apigateway:GET,apigateway:GetGatewayResponses | | aws:apigateway:integration | apigateway:GET,apigateway:GetMethod,apigateway:GetResources | | aws:apigateway:model | apigateway:GET,apigateway:GetModels | | aws:apigateway:requestvalidator | apigateway:GET,apigateway:GetRequestValidators | | aws:apigateway:resource | apigateway:GET,apigateway:GetResources | | aws:apigateway:stage | apigateway:GET | | aws:apigateway:usageplan | apigateway:GetApiKeys,apigateway:GetUsagePlans | | aws:apigateway:usageplankey | apigateway:GetApiKeys,apigateway:GetUsagePlanKeys,apigateway:GetUsagePlans | | aws:apigateway:vpclink | apigateway:GetVpcLinks | | aws:apigatewayv2:api | apigateway:GetApis,apigateway:GetRoutes | | aws:apigatewayv2:apimapping | apigateway:GetApiMappings,apigateway:GetDomainNames | | aws:apigatewayv2:authorizer | apigateway:GetApis,apigateway:GetAuthorizers | | aws:apigatewayv2:deployment | apigateway:GetApis,apigateway:GetDeployments | | aws:apigatewayv2:domainname | apigateway:GetDomainNames | | aws:apigatewayv2:integration | apigateway:GetApis,apigateway:GetIntegrations | | aws:apigatewayv2:integrationresponse | apigateway:GetApis,apigateway:GetIntegrationResponses,apigateway:GetIntegrations | | aws:apigatewayv2:model | apigateway:GetApis,apigateway:GetModels | | aws:apigatewayv2:route | apigateway:GetApis,apigateway:GetRoutes | | aws:apigatewayv2:routeresponse | apigateway:GetApis,apigateway:GetRouteResponses,apigateway:GetRoutes | | aws:apigatewayv2:stage | apigateway:GetApis,apigateway:GetStages | | aws:apigatewayv2:vpclink | apigateway:GetVpcLinks | | aws:appintegrations:application | app-integrations:GetApplication,app-integrations:ListApplicationAssociations,app-integrations:ListApplications | | aws:appintegrations:application-association | app-integrations:ListApplicationAssociations,app-integrations:ListApplications | | aws:appintegrations:data-integration | app-integrations:GetDataIntegration,app-integrations:ListDataIntegrationAssociations,app-integrations:ListDataIntegrations | | aws:appintegrations:data-integration-association | app-integrations:ListDataIntegrationAssociations,app-integrations:ListDataIntegrations | | aws:appintegrations:event-integration | app-integrations:ListEventIntegrations | | aws:appintegrations:event-integration-association | app-integrations:ListEventIntegrationAssociations,app-integrations:ListEventIntegrations | | aws:applicationautoscaling:scalingactivity | applicationautoscaling:DescribeScalingActivities | | aws:applicationautoscaling:scalingpolicy | applicationautoscaling:DescribeScalingPolicies | | aws:applicationautoscaling:scheduled-action | applicationautoscaling:DescribeScheduledActions | | aws:apprunner:autoscaling-configuration | apprunner:DescribeAutoScalingConfiguration,apprunner:ListAutoScalingConfigurations | | aws:apprunner:connection | apprunner:ListConnections | | aws:apprunner:observability-configuration | apprunner:DescribeObservabilityConfiguration,apprunner:ListObservabilityConfigurations | | aws:apprunner:service | apprunner:DescribeService,apprunner:ListServices | | aws:apprunner:vpc-connector | apprunner:DescribeVpcConnector,apprunner:ListVpcConnectors | | aws:apprunner:vpc-ingress-connection | apprunner:DescribeVpcIngressConnection,apprunner:ListVpcIngressConnections | | aws:appstream:app-block | appstream:DescribeAppBlocks | | aws:appstream:app-block-builder | appstream:DescribeAppBlockBuilders | | aws:appstream:application | appstream:DescribeApplications | | aws:appstream:fleet | appstream:DescribeFleets | | aws:appstream:image | appstream:DescribeImages | | aws:appstream:image-builder | appstream:DescribeImageBuilders | | aws:appstream:public-image | appstream:DescribeImages | | aws:appstream:stack | appstream:DescribeStacks | | aws:appsync:api | appsync:ListApis | | aws:appsync:channel-namespace | appsync:ListApis,appsync:ListChannelNamespaces | | aws:appsync:data-source | appsync:ListDataSources,appsync:ListGraphqlApis | | aws:appsync:domain-name | appsync:ListDomainNames | | aws:appsync:function | appsync:ListFunctions,appsync:ListGraphqlApis | | aws:appsync:graphqlapi | appsync:GetGraphqlApi,appsync:ListGraphqlApis | | aws:appsync:source-api-association | appsync:ListGraphqlApis,appsync:ListSourceApiAssociations | | aws:athena:capacityreservation | athena:ListCapacityReservations | | aws:athena:datacatalog | athena:ListDataCatalogs | | aws:athena:named-query | athena:BatchGetNamedQuery,athena:ListNamedQueries | | aws:athena:prepared-statement | athena:BatchGetPreparedStatement,athena:GetWorkGroup,athena:ListPreparedStatements,athena:ListWorkGroups | | aws:athena:workgroup | athena:GetWorkGroup,athena:ListWorkGroups | | aws:auditmanager:assessment | auditmanager:GetAssessment,auditmanager:ListAssessments | | aws:auditmanager:assessmentcontrolset | auditmanager:GetAssessment,auditmanager:ListAssessments | | aws:auditmanager:assessmentframework | auditmanager:GetAssessmentFramework,auditmanager:ListAssessmentFrameworks | | aws:auditmanager:control | auditmanager:GetControl,auditmanager:ListControls | | aws:autoscaling:group | autoscaling:DescribeAutoScalingGroups | | aws:autoscaling:launchconfiguration | autoscaling:DescribeLaunchConfigurations | | aws:autoscaling:policy | autoscaling:DescribePolicies | | aws:autoscaling:scheduled-action | autoscaling:DescribeScheduledActions | | aws:b2bi:capability | b2bi:GetCapability,b2bi:ListCapabilities | | aws:b2bi:partnership | b2bi:GetPartnership,b2bi:GetProfile,b2bi:ListPartnerships,b2bi:ListProfiles | | aws:b2bi:profile | b2bi:GetProfile,b2bi:ListProfiles | | aws:b2bi:transformer | b2bi:GetTransformer,b2bi:ListTransformers | | aws:backup-gateway:gateway | backup-gateway:GetGateway,backup-gateway:ListGateways | | aws:backup-gateway:hypervisor | backup-gateway:GetHypervisor,backup-gateway:ListHypervisors | | aws:backup-gateway:virtual-machine | backup-gateway:GetVirtualMachine,backup-gateway:ListVirtualMachines | | aws:backup:framework | backup:DescribeFramework,backup:ListFrameworks | | aws:backup:legalhold | backup:GetLegalHold,backup:ListLegalHolds | | aws:backup:plan | backup:ListBackupPlans | | aws:backup:protected-resource | backup:ListProtectedResources | | aws:backup:recoverypoint | backup:ListBackupVaults,backup:ListRecoveryPointsByBackupVault | | aws:backup:vault | backup:ListBackupVaults | | aws:batch:compute-environment | batch:DescribeComputeEnvironments | | aws:batch:job-definition | batch:DescribeJobDefinitions | | aws:batch:job-queue | batch:DescribeJobQueues | | aws:batch:scheduling-policy | batch:DescribeSchedulingPolicies,batch:ListSchedulingPolicies | | aws:bedrock:agent | bedrock:GetAgent,bedrock:ListAgentCollaborators,bedrock:ListAgentVersions,bedrock:ListAgents | | aws:bedrock:agent-action-group | bedrock:GetAgentActionGroup,bedrock:ListAgentActionGroups,bedrock:ListAgents | | aws:bedrock:agent-alias | bedrock:GetAgentAlias,bedrock:ListAgentAliases,bedrock:ListAgents | | aws:bedrock:application-inference-profile | bedrock:GetInferenceProfile,bedrock:ListInferenceProfiles | | aws:bedrock:async-invoke | bedrock:GetAsyncInvoke,bedrock:ListAsyncInvokes | | aws:bedrock:blueprint | bedrock:GetBlueprint,bedrock:ListBlueprints | | aws:bedrock:custom-model | bedrock:GetCustomModel,bedrock:ListCustomModels | | aws:bedrock:data-source | bedrock:GetDataSource,bedrock:GetKnowledgeBase,bedrock:ListDataSources,bedrock:ListKnowledgeBaseDocuments,bedrock:ListKnowledgeBases | | aws:bedrock:evaluation-job | bedrock:GetEvaluationJob,bedrock:ListEvaluationJobs | | aws:bedrock:flow | bedrock:GetFlow,bedrock:GetFlowVersion,bedrock:ListFlows | | aws:bedrock:flow-alias | bedrock:GetFlowAlias,bedrock:ListFlowAliases,bedrock:ListFlows | | aws:bedrock:foundationmodel | bedrock:GetFoundationModel,bedrock:ListFoundationModels | | aws:bedrock:guardrail | bedrock:GetGuardrail,bedrock:ListGuardrails | | aws:bedrock:imported-model | bedrock:GetImportedModel,bedrock:ListImportedModels | | aws:bedrock:ingestion-job | bedrock:GetDataSource,bedrock:GetIngestionJob,bedrock:GetKnowledgeBase,bedrock:ListDataSources,bedrock:ListIngestionJobs,bedrock:ListKnowledgeBases | | aws:bedrock:knowledge-base | bedrock:GetKnowledgeBase,bedrock:ListKnowledgeBases | | aws:bedrock:marketplace-model-endpoint | bedrock:GetMarketplaceModelEndpoint,bedrock:ListMarketplaceModelEndpoints | | aws:bedrock:model-copy-job | bedrock:GetModelCopyJob,bedrock:ListModelCopyJobs | | aws:bedrock:model-customization-job | bedrock:GetModelCustomizationJob,bedrock:ListModelCustomizationJobs | | aws:bedrock:model-invocation-job | bedrock:GetModelInvocationJob,bedrock:ListModelInvocationJobs | | aws:bedrock:prompt | bedrock:GetPrompt,bedrock:ListPrompts | | aws:bedrock:prompt-router | bedrock:ListPromptRouters | | aws:bedrock:provisioned-model-throughput | bedrock:ListProvisionedModelThroughputs | | aws:bedrock:settings | bedrock:GetModelInvocationLoggingConfiguration | | aws:bedrock:system-defined-inference-profile | bedrock:GetInferenceProfile,bedrock:ListInferenceProfiles | | aws:cloudformation:generatedtemplate | cloudformation:DescribeGeneratedTemplate,cloudformation:ListGeneratedTemplates | | aws:cloudformation:resourcescan | cloudformation:DescribeResourceScan,cloudformation:ListResourceScans | | aws:cloudformation:stack | cloudformation:DescribeStacks,cloudformation:ListStacks | | aws:cloudformation:stackset | cloudformation:ListStackSets | | aws:cloudformation:type | cloudformation:ListTypes | | aws:cloudfront:anycast-ip-list | cloudfront:GetAnycastIpList,cloudfront:ListAnycastIpLists | | aws:cloudfront:cache-policy | cloudfront:GetCachePolicy,cloudfront:ListCachePolicies | | aws:cloudfront:continuous-deployment-policy | cloudfront:GetContinuousDeploymentPolicy,cloudfront:ListContinuousDeploymentPolicies | | aws:cloudfront:distribution | cloudfront:GetDistribution,cloudfront:ListDistributions | | aws:cloudfront:field-level-encryption-config | cloudfront:GetFieldLevelEncryptionConfig,cloudfront:ListFieldLevelEncryptionConfigs | | aws:cloudfront:field-level-encryption-profile | cloudfront:GetFieldLevelEncryptionProfile,cloudfront:ListFieldLevelEncryptionProfiles | | aws:cloudfront:function | cloudfront:ListFunctions | | aws:cloudfront:keygroup | cloudfront:ListKeyGroups | | aws:cloudfront:managed-cache-policy | cloudfront:GetCachePolicy,cloudfront:ListCachePolicies | | aws:cloudfront:managed-origin-request-policy | cloudfront:GetOriginRequestPolicy,cloudfront:ListOriginRequestPolicies | | aws:cloudfront:managed-response-headers-policy | cloudfront:GetResponseHeadersPolicy,cloudfront:ListResponseHeadersPolicies | | aws:cloudfront:origin-request-policy | cloudfront:GetOriginRequestPolicy,cloudfront:ListOriginRequestPolicies | | aws:cloudfront:originaccesscontrol | cloudfront:ListOriginAccessControls | | aws:cloudfront:publickey | cloudfront:ListPublicKeys | | aws:cloudfront:realtime-log-config | cloudfront:ListRealtimeLogConfigs | | aws:cloudfront:response-headers-policy | cloudfront:GetResponseHeadersPolicy,cloudfront:ListResponseHeadersPolicies | | aws:cloudfront:streaming-distribution | cloudfront:GetStreamingDistribution,cloudfront:ListStreamingDistributions | | aws:cloudfront:vpc-origin | cloudfront:GetVpcOrigin,cloudfront:ListVpcOrigins | | aws:cloudhsm:backup | cloudhsm:DescribeBackups | | aws:cloudhsm:cluster | cloudhsm:DescribeClusters | | aws:cloudtrail:trail | cloudtrail:DescribeTrails,cloudtrail:GetEventSelectors,cloudtrail:GetTrailStatus | | aws:cloudwatch:metricalarm | cloudwatch:DescribeAlarms | | aws:cloudwatchlogs:log-group | logs:DescribeLogGroups,logs:DescribeSubscriptionFilters | | aws:cloudwatchlogs:metricfilter | logs:DescribeMetricFilters | | aws:codeartifact:domain | codeartifact:DescribeDomain,codeartifact:ListDomains | | aws:codeartifact:package | codeartifact:ListPackages,codeartifact:ListRepositories | | aws:codeartifact:package-group | codeartifact:DescribePackageGroup,codeartifact:ListDomains,codeartifact:ListPackageGroups | | aws:codeartifact:repository | codeartifact:DescribeRepository,codeartifact:ListRepositories | | aws:codebuild:project | codebuild:BatchGetProjects,codebuild:ListProjects | | aws:codebuild:source-credentials | codebuild:ListSourceCredentials | | aws:codedeploy:application | codedeploy:BatchGetApplications,codedeploy:ListApplications | | aws:codedeploy:deployment-config | codedeploy:GetDeploymentConfig,codedeploy:ListDeploymentConfigs | | aws:codeguru-profiler:finding | codeguru-profiler:ListFindingsReports,codeguru-profiler:ListProfilingGroups | | aws:codeguru-profiler:profilinggroup | codeguru-profiler:ListProfilingGroups | | aws:codeguru-reviewer:association | codeguru-reviewer:ListRepositoryAssociations | | aws:codeguru-reviewer:codereview | codeguru-reviewer:ListCodeReviews | | aws:codepipeline:actiontype | codepipeline:GetActionType,codepipeline:ListActionTypes | | aws:codepipeline:pipeline | codepipeline:GetPipeline,codepipeline:ListPipelines | | aws:codepipeline:webhook | codepipeline:ListWebhooks | | aws:cognitoidentity:identitypool | cognito-identity:DescribeIdentityPool,cognito-identity:GetIdentityPoolRoles,cognito-identity:ListIdentityPools | | aws:cognitoidentityprovider:userpool | cognito-idp:DescribeUserPool,cognito-idp:ListIdentityProviders,cognito-idp:ListUserPools | | aws:comprehend:document-classification-job | comprehend:ListDocumentClassificationJobs | | aws:comprehend:document-classifier | comprehend:ListDocumentClassifiers | | aws:comprehend:dominant-language-detection-job | comprehend:ListDominantLanguageDetectionJobs | | aws:comprehend:endpoint | comprehend:ListEndpoints | | aws:comprehend:entities-detection-job | comprehend:ListEntitiesDetectionJobs | | aws:comprehend:entity-recognizer | comprehend:ListEntityRecognizers | | aws:comprehend:events-detection-job | comprehend:ListEventsDetectionJobs | | aws:comprehend:flywheel | comprehend:DescribeFlywheel,comprehend:ListFlywheels | | aws:comprehend:flywheel-dataset | comprehend:DescribeFlywheel,comprehend:ListDatasets,comprehend:ListFlywheels | | aws:comprehend:key-phrases-detection-job | comprehend:ListKeyPhrasesDetectionJobs | | aws:comprehend:pii-entities-detection-job | comprehend:ListPiiEntitiesDetectionJobs | | aws:comprehend:sentiment-detection-job | comprehend:ListSentimentDetectionJobs | | aws:comprehend:targeted-sentiment-detection-job | comprehend:ListTargetedSentimentDetectionJobs | | aws:comprehend:topics-detection-job | comprehend:ListTopicsDetectionJobs | | aws:configservice:recorder | config:DescribeConfigurationRecorders | | aws:configservice:recorderstatus | config:DescribeConfigurationRecorderStatus | | aws:connect:agent-status | connect:DescribeAgentStatus,connect:DescribeInstance,connect:ListAgentStatuses,connect:ListInstances | | aws:connect:authentication-profile | connect:DescribeAuthenticationProfile,connect:DescribeInstance,connect:ListAuthenticationProfiles,connect:ListInstances | | aws:connect:contact-flow | connect:DescribeContactFlow,connect:DescribeInstance,connect:ListContactFlows,connect:ListInstances | | aws:connect:contact-flow-module | connect:DescribeContactFlowModule,connect:DescribeInstance,connect:ListContactFlowModules,connect:ListInstances | | aws:connect:hours-of-operation | connect:DescribeHoursOfOperation,connect:DescribeInstance,connect:ListHoursOfOperations,connect:ListInstances | | aws:connect:instance | connect:DescribeInstance,connect:ListInstances | | aws:connect:integration-association | connect:DescribeInstance,connect:ListInstances,connect:ListIntegrationAssociations | | aws:connect:queue | connect:DescribeInstance,connect:DescribeQueue,connect:ListInstances,connect:ListQueues | | aws:connect:quick-connect | connect:DescribeInstance,connect:DescribeQuickConnect,connect:ListInstances,connect:ListQuickConnects | | aws:connect:routing-profile | connect:DescribeInstance,connect:DescribeRoutingProfile,connect:ListInstances,connect:ListRoutingProfiles | | aws:connect:security-profile | connect:DescribeInstance,connect:DescribeSecurityProfile,connect:ListInstances,connect:ListSecurityProfiles | | aws:connect:user | connect:DescribeInstance,connect:DescribeUser,connect:ListInstances,connect:ListUsers | | aws:controltower:enabled-baseline | controltower:ListEnabledBaselines | | aws:controltower:enabled-control | controltower:ListEnabledControls | | aws:controltower:landing-zone | controltower:GetLandingZone,controltower:ListLandingZones | | aws:costexplorer:anomalymonitor | ce:GetAnomalyMonitors | | aws:costexplorer:anomalysubscription | ce:GetAnomalySubscriptions | | aws:costexplorer:costcategory | ce:DescribeCostCategoryDefinition,ce:GetCostCategories | | aws:databrew:dataset | databrew:ListDatasets | | aws:databrew:job | databrew:ListJobs | | aws:databrew:project | databrew:ListProjects | | aws:databrew:recipe | databrew:ListRecipes | | aws:databrew:ruleset | databrew:ListRulesets | | aws:databrew:schedule | databrew:ListSchedules | | aws:datasync:agent | datasync:DescribeAgent,datasync:ListAgents | | aws:datasync:location-efs | datasync:DescribeLocationEfs,datasync:ListLocations | | aws:datasync:location-fsx-lustre | datasync:DescribeLocationFsxLustre,datasync:ListLocations | | aws:datasync:location-fsx-ontap | datasync:DescribeLocationFsxOntap,datasync:ListLocations | | aws:datasync:location-fsx-openzfs | datasync:DescribeLocationFsxOpenZfs,datasync:ListLocations | | aws:datasync:location-fsx-windows | datasync:DescribeLocationFsxWindows,datasync:ListLocations | | aws:datasync:location-hdfs | datasync:DescribeLocationHdfs,datasync:ListLocations | | aws:datasync:location-nfs | datasync:DescribeLocationNfs,datasync:ListLocations | | aws:datasync:location-objectstorage | datasync:DescribeLocationObjectStorage,datasync:ListLocations | | aws:datasync:location-s3 | datasync:DescribeLocationS3,datasync:ListLocations | | aws:datasync:location-smb | datasync:DescribeLocationSmb,datasync:ListLocations | | aws:datasync:task | datasync:DescribeTask,datasync:ListTasks | | aws:datazone:domain | datazone:GetDomain,datazone:ListDomains | | aws:dax:cluster | dax:DescribeClusters | | aws:deadline:budget | deadline:GetBudget,deadline:ListBudgets,deadline:ListFarms | | aws:deadline:farm | deadline:ListFarms | | aws:deadline:fleet | deadline:ListFarms,deadline:ListFleets | | aws:deadline:license-endpoint | deadline:GetLicenseEndpoint,deadline:ListLicenseEndpoints | | aws:deadline:monitor | deadline:ListMonitors | | aws:deadline:queue | deadline:GetQueue,deadline:ListFarms,deadline:ListQueues | | aws:deadline:worker | deadline:ListFarms,deadline:ListFleets,deadline:ListWorkers | | aws:detective:graph | detective:ListGraphs | | aws:devicefarm:device | devicefarm:ListDevices,devicefarm:ListProjects | | aws:devicefarm:deviceinstance | devicefarm:ListDeviceInstances | | aws:devicefarm:devicepool | devicefarm:ListDevicePools,devicefarm:ListProjects | | aws:devicefarm:instanceprofile | devicefarm:ListInstanceProfiles | | aws:devicefarm:networkprofile | devicefarm:ListNetworkProfiles,devicefarm:ListProjects | | aws:devicefarm:project | devicefarm:ListProjects | | aws:devicefarm:session | devicefarm:ListProjects,devicefarm:ListRemoteAccessSessions | | aws:devicefarm:testgrid-project | devicefarm:ListTestGridProjects | | aws:devicefarm:testgrid-session | devicefarm:ListTestGridProjects,devicefarm:ListTestGridSessions | | aws:devicefarm:upload | devicefarm:GetUpload,devicefarm:ListProjects,devicefarm:ListUploads | | aws:devicefarm:vpceconfiguration | devicefarm:ListVPCEConfigurations | | aws:directconnect:connection | directconnect:DescribeConnections | | aws:directconnect:gateway | directconnect:DescribeDirectConnectGatewayAssociations,directconnect:DescribeDirectConnectGateways | | aws:directconnect:virtualinterface | directconnect:DescribeVirtualInterfaces | | aws:dlm:policy | dlm:GetLifecyclePolicies,dlm:GetLifecyclePolicy | | aws:dms:certificate | dms:DescribeCertificates | | aws:dms:data-migration | dms:DescribeDataMigrations | | aws:dms:data-provider | dms:DescribeDataProviders | | aws:dms:endpoint | dms:DescribeEndpoints | | aws:dms:event-subscription | dms:DescribeEventSubscriptions | | aws:dms:instance-profile | dms:DescribeInstanceProfiles | | aws:dms:migration-project | dms:DescribeMigrationProjects | | aws:dms:replication-config | dms:DescribeReplicationConfigs | | aws:dms:replication-subnet-group | dms:DescribeReplicationSubnetGroups | | aws:dms:replicationinstance | dms:DescribeReplicationInstances | | aws:dms:replicationtask | dms:DescribeReplicationTasks | | aws:docdb:cluster | rds:DescribeDBClusters | | aws:docdb:clustersnapshot | rds:DescribeDBClusterSnapshotAttributes,rds:DescribeDBClusterSnapshots,rds:DescribeDBClusters | | aws:docdb:dbinstance | rds:DescribeDBInstances | | aws:docdbelastic:cluster | docdb-elastic:GetCluster,docdb-elastic:ListClusters | | aws:docdbelastic:cluster-snapshot | docdb-elastic:GetClusterSnapshot,docdb-elastic:ListClusterSnapshots | | aws:drs:job | drs:DescribeJobs | | aws:drs:launch-configuration-template | drs:DescribeLaunchConfigurationTemplates | | aws:drs:recovery-instance | drs:DescribeRecoveryInstances | | aws:drs:replication-configuration-template | drs:DescribeReplicationConfigurationTemplates | | aws:drs:source-network | drs:DescribeSourceNetworks | | aws:drs:source-server | drs:DescribeSourceServers | | aws:ds:directory | ds:DescribeDirectories | | aws:dsql:cluster | dsql:GetCluster,dsql:ListClusters | | aws:dynamodb:backup | dynamodb:DescribeBackup,dynamodb:ListBackups | | aws:dynamodb:export | dynamodb:DescribeExport,dynamodb:ListExports | | aws:dynamodb:global-table | dynamodb:DescribeGlobalTable,dynamodb:ListGlobalTables | | aws:dynamodb:stream | dynamodb:DescribeStream,dynamodb:ListStreams | | aws:dynamodb:table | dynamodb:DescribeContinuousBackups,dynamodb:DescribeTable,dynamodb:DescribeTimeToLive,dynamodb:ListTables | | aws:ec2:availabilityzone | ec2:DescribeAvailabilityZones | | aws:ec2:awsmanagedprefixlist | ec2:DescribeManagedPrefixLists,ec2:GetManagedPrefixListEntries | | aws:ec2:capacityreservation | ec2:DescribeCapacityReservations | | aws:ec2:capacityreservationfleet | ec2:DescribeCapacityReservationFleets | | aws:ec2:carriergateway | ec2:DescribeCarrierGateways | | aws:ec2:client-vpn-endpoint | ec2:DescribeClientVpnEndpoints | | aws:ec2:co-ip-pool | ec2:DescribeCoipPools | | aws:ec2:customergateway | ec2:DescribeCustomerGateways | | aws:ec2:customermanagedprefixlist | ec2:DescribeManagedPrefixLists,ec2:GetManagedPrefixListEntries | | aws:ec2:dedicatedhost | ec2:DescribeHosts | | aws:ec2:dhcpoptions | ec2:DescribeDhcpOptions | | aws:ec2:ebs-encryption-by-default | ec2:GetEbsEncryptionByDefault | | aws:ec2:egressonlyinternetgateway | ec2:DescribeEgressOnlyInternetGateways | | aws:ec2:elasticip | ec2:DescribeAddresses | | aws:ec2:fleet | ec2:DescribeFleets | | aws:ec2:fpga-image | ec2:DescribeFpgaImages | | aws:ec2:image | ec2:DescribeImageAttribute,ec2:DescribeImages | | aws:ec2:instance | ec2:DescribeInstances | | aws:ec2:instance-event-window | ec2:DescribeInstanceEventWindows | | aws:ec2:instanceconnectendpoint | ec2:DescribeInstanceConnectEndpoints | | aws:ec2:instancetype | ec2:DescribeInstanceTypes | | aws:ec2:ipam | ec2:DescribeIpams | | aws:ec2:ipam-external-resource-verification-token | ec2:DescribeIpamExternalResourceVerificationTokens | | aws:ec2:ipam-pool | ec2:DescribeIpamPools | | aws:ec2:ipam-resource-discovery | ec2:DescribeIpamResourceDiscoveries | | aws:ec2:ipam-resource-discovery-association | ec2:DescribeIpamResourceDiscoveryAssociations | | aws:ec2:ipam-scope | ec2:DescribeIpamScopes | | aws:ec2:ipv6pool-ec2 | ec2:DescribeIpv6Pools | | aws:ec2:keypair | ec2:DescribeKeyPairs | | aws:ec2:launchtemplate | ec2:DescribeLaunchTemplates | | aws:ec2:launchtemplateversion | ec2:DescribeLaunchTemplateVersions,ec2:DescribeLaunchTemplates | | aws:ec2:local-gateway | ec2:DescribeLocalGateways | | aws:ec2:local-gateway-route-table | ec2:DescribeLocalGatewayRouteTables | | aws:ec2:local-gateway-route-table-vpc-association | ec2:DescribeLocalGatewayRouteTableVpcAssociations | | aws:ec2:local-gateway-virtual-interface | ec2:DescribeLocalGatewayVirtualInterfaces | | aws:ec2:local-gateway-virtual-interface-group | ec2:DescribeLocalGatewayVirtualInterfaceGroups | | aws:ec2:networkacl | ec2:DescribeNetworkAcls | | aws:ec2:networkinterface | ec2:DescribeNetworkInterfaces | | aws:ec2:placementgroup | ec2:DescribePlacementGroups | | aws:ec2:public-fpga-image | ec2:DescribeFpgaImages | | aws:ec2:publicimage | ec2:DescribeImages | | aws:ec2:region | ec2:DescribeRegions | | aws:ec2:reservedinstance | ec2:DescribeReservedInstances | | aws:ec2:routetable | ec2:DescribeRouteTables | | aws:ec2:securitygroup | ec2:DescribeSecurityGroups | | aws:ec2:securitygrouprule | ec2:DescribeSecurityGroupRules,ec2:DescribeSecurityGroups | | aws:ec2:settings | ec2:DescribeVpcBlockPublicAccessExclusions,ec2:DescribeVpcBlockPublicAccessOptions,ec2:GetAllowedImagesSettings,ec2:GetEbsDefaultKmsKeyId,ec2:GetEbsEncryptionByDefault,ec2:GetImageBlockPublicAccessState,ec2:GetInstanceMetadataDefaults,ec2:GetSerialConsoleAccessStatus,ec2:GetSnapshotBlockPublicAccessState | | aws:ec2:snapshot | ec2:DescribeSnapshotAttribute,ec2:DescribeSnapshots | | aws:ec2:spotfleetrequest | ec2:DescribeSpotFleetRequests | | aws:ec2:spotinstancerequest | ec2:DescribeSpotInstanceRequests | | aws:ec2:subnet | ec2:DescribeSubnets | | aws:ec2:traffic-mirror-filter | ec2:DescribeTrafficMirrorFilters | | aws:ec2:traffic-mirror-filter-rule | ec2:DescribeTrafficMirrorFilterRules,ec2:DescribeTrafficMirrorFilters | | aws:ec2:traffic-mirror-session | ec2:DescribeTrafficMirrorSessions | | aws:ec2:traffic-mirror-target | ec2:DescribeTrafficMirrorTargets | | aws:ec2:transitgateway | ec2:DescribeTransitGateways | | aws:ec2:transitgateway-routetable-announcement | ec2:DescribeTransitGatewayRouteTableAnnouncements | | aws:ec2:transitgatewayattachment | ec2:DescribeTransitGatewayAttachments | | aws:ec2:transitgatewayconnectpeer | ec2:DescribeTransitGatewayConnectPeers | | aws:ec2:transitgatewaymulticastdomain | ec2:DescribeTransitGatewayMulticastDomains | | aws:ec2:transitgatewaypeeringattachment | ec2:DescribeTransitGatewayPeeringAttachments | | aws:ec2:transitgatewaypolicytable | ec2:DescribeTransitGatewayPolicyTables | | aws:ec2:transitgatewayroutetable | ec2:DescribeTransitGatewayRouteTables,ec2:GetTransitGatewayPrefixListReferences,ec2:SearchTransitGatewayRoutes | | aws:ec2:transitgatewayvpcattachment | ec2:DescribeTransitGatewayVpcAttachments | | aws:ec2:verified-access-endpoint | ec2:DescribeVerifiedAccessEndpoints,ec2:GetVerifiedAccessEndpointPolicy,ec2:GetVerifiedAccessEndpointTargets | | aws:ec2:verified-access-group | ec2:DescribeVerifiedAccessGroups,ec2:GetVerifiedAccessGroupPolicy | | aws:ec2:verified-access-instance | ec2:DescribeVerifiedAccessInstances | | aws:ec2:verified-access-trust-provider | ec2:DescribeVerifiedAccessTrustProviders | | aws:ec2:volume | ec2:DescribeVolumes | | aws:ec2:vpc | ec2:DescribeVpcs | | aws:ec2:vpcendpoint | ec2:DescribeVpcEndpoints | | aws:ec2:vpcendpoint-service | ec2:DescribeVpcEndpointServices | | aws:ec2:vpcendpoint-service-permission | ec2:DescribeVpcEndpointServicePermissions,ec2:DescribeVpcEndpointServices | | aws:ec2:vpcendpointconnectionnotification | ec2:DescribeVpcEndpointConnectionNotifications | | aws:ec2:vpcflowlog | ec2:DescribeFlowLogs | | aws:ec2:vpcinternetgateway | ec2:DescribeInternetGateways | | aws:ec2:vpcnatgateway | ec2:DescribeNatGateways | | aws:ec2:vpcpeeringconnection | ec2:DescribeVpcPeeringConnections | | aws:ec2:vpnconnection | ec2:DescribeVpnConnections | | aws:ec2:vpngateway | ec2:DescribeVpnGateways | | aws:ecr:image | ecr:DescribeImages,ecr:DescribeRepositories | | aws:ecr:registry | ecr:DescribeRegistry,ecr:GetRegistryPolicy,ecr:GetRegistryScanningConfiguration | | aws:ecr:repository | ecr:DescribeRepositories,ecr:GetLifecyclePolicy,ecr:GetRepositoryPolicy | | aws:ecrpublic:image | ecr-public:DescribeImages,ecr-public:DescribeRepositories | | aws:ecrpublic:registry | ecr-public:DescribeRegistries | | aws:ecrpublic:repository | ecr-public:DescribeImages,ecr-public:DescribeRepositories,ecr-public:GetRepositoryPolicy | | aws:ecs:capacityprovider | ecs:DescribeCapacityProviders | | aws:ecs:cluster | ecs:DescribeClusters,ecs:ListClusters | | aws:ecs:instance | ecs:DescribeContainerInstances,ecs:ListClusters,ecs:ListContainerInstances | | aws:ecs:service | ecs:DescribeServices,ecs:ListClusters,ecs:ListServices | | aws:ecs:service-deployment | ecs:DescribeServiceDeployments,ecs:DescribeServices,ecs:ListClusters,ecs:ListServiceDeployments,ecs:ListServices | | aws:ecs:task | ecs:DescribeServices,ecs:DescribeTasks,ecs:ListClusters,ecs:ListServices,ecs:ListTasks | | aws:ecs:task-definition | ecs:DescribeServices,ecs:DescribeTaskDefinition,ecs:DescribeTasks,ecs:ListClusters,ecs:ListServices,ecs:ListTasks | | aws:efs:accesspoint | elasticfilesystem:DescribeAccessPoints | | aws:efs:filesystem | elasticfilesystem:DescribeFileSystems,elasticfilesystem:DescribeLifecycleConfiguration | | aws:efs:mounttarget | elasticfilesystem:DescribeFileSystems,elasticfilesystem:DescribeMountTargetSecurityGroups,elasticfilesystem:DescribeMountTargets | | aws:eks:access-entry | eks:DescribeAccessEntry,eks:DescribeCluster,eks:ListAccessEntries,eks:ListClusters | | aws:eks:access-policy | eks:DescribeAccessEntry,eks:DescribeCluster,eks:ListAccessEntries,eks:ListAssociatedAccessPolicies,eks:ListClusters | | aws:eks:addon | eks:DescribeAddon,eks:DescribeCluster,eks:ListAddons,eks:ListClusters | | aws:eks:cluster | eks:DescribeCluster,eks:ListClusters | | aws:eks:eks-anywhere-subscription | eks:ListEksAnywhereSubscriptions | | aws:eks:fargateprofile | eks:DescribeCluster,eks:DescribeFargateProfile,eks:ListClusters,eks:ListFargateProfiles | | aws:eks:identityproviderconfig | eks:DescribeCluster,eks:DescribeIdentityProviderConfig,eks:ListClusters,eks:ListIdentityProviderConfigs | | aws:eks:insight | eks:DescribeCluster,eks:DescribeInsight,eks:ListClusters,eks:ListInsights | | aws:eks:nodegroup | eks:DescribeCluster,eks:DescribeNodeGroup,eks:ListClusters,eks:ListNodeGroups | | aws:eks:podidentityassociation | eks:DescribeCluster,eks:DescribePodIdentityAssociation,eks:ListClusters,eks:ListPodIdentityAssociations | | aws:eks:update | eks:DescribeCluster,eks:DescribeUpdate,eks:ListClusters,eks:ListUpdates | | aws:elasticache:cachesubnetgroup | elasticache:DescribeCacheSubnetGroups | | aws:elasticache:cluster | elasticache:DescribeCacheClusters | | aws:elasticache:global-replicationgroup | elasticache:DescribeGlobalReplicationGroups | | aws:elasticache:parametergroup | elasticache:DescribeCacheParameterGroups | | aws:elasticache:replicationgroup | elasticache:DescribeReplicationGroups | | aws:elasticache:reserved-instance | elasticache:DescribeReservedCacheNodes | | aws:elasticache:securitygroup | elasticache:DescribeCacheSecurityGroups | | aws:elasticache:serverless-cache | elasticache:DescribeServerlessCaches | | aws:elasticache:serverless-cache-snapshot | elasticache:DescribeServerlessCacheSnapshots | | aws:elasticache:snapshot | elasticache:DescribeSnapshots | | aws:elasticache:user | elasticache:DescribeUsers | | aws:elasticache:usergroup | elasticache:DescribeUserGroups | | aws:elasticbeanstalk:environment | elasticbeanstalk:DescribeConfigurationSettings,elasticbeanstalk:DescribeEnvironments | | aws:elasticloadbalancing:loadbalancer | elasticloadbalancing:DescribeInstanceHealth,elasticloadbalancing:DescribeLoadBalancerAttributes,elasticloadbalancing:DescribeLoadBalancerPolicies,elasticloadbalancing:DescribeLoadBalancers | | aws:elasticloadbalancingv2:listener-rule | elasticloadbalancing:DescribeListeners,elasticloadbalancing:DescribeLoadBalancers,elasticloadbalancing:DescribeRules | | aws:elasticloadbalancingv2:loadbalancer | elasticloadbalancing:DescribeListeners,elasticloadbalancing:DescribeLoadBalancerAttributes,elasticloadbalancing:DescribeLoadBalancers | | aws:elasticloadbalancingv2:targetgroup | elasticloadbalancing:DescribeTargetGroups,elasticloadbalancing:DescribeTargetHealth | | aws:elasticloadbalancingv2:truststore | elasticloadbalancing:DescribeTrustStores | | aws:elasticsearchservice:domain | es:DescribeElasticsearchDomains,es:ListDomainNames | | aws:emr:cluster | elasticmapreduce:DescribeCluster,elasticmapreduce:GetAutoTerminationPolicy,elasticmapreduce:GetManagedScalingPolicy,elasticmapreduce:ListClusters | | aws:emr:instance | elasticmapreduce:ListClusters,elasticmapreduce:ListInstances | | aws:emr:instance-fleet | elasticmapreduce:DescribeCluster,elasticmapreduce:ListClusters,elasticmapreduce:ListInstanceFleets | | aws:emr:instance-group | elasticmapreduce:DescribeCluster,elasticmapreduce:ListClusters,elasticmapreduce:ListInstanceGroups | | aws:emr:security-configuration | elasticmapreduce:DescribeSecurityConfiguration,elasticmapreduce:ListSecurityConfigurations | | aws:emr:settings | elasticmapreduce:GetBlockPublicAccessConfiguration | | aws:emrcontainers:managed-endpoint | emr-containers:ListManagedEndpoints,emr-containers:ListVirtualClusters | | aws:emrcontainers:security-configuration | emr-containers:ListSecurityConfigurations | | aws:emrcontainers:virtual-cluster | emr-containers:ListVirtualClusters | | aws:emrserverless:application | emr-serverless:GetApplication,emr-serverless:ListApplications | | aws:eventbridge:api-destination | events:ListApiDestinations,events:ListConnections | | aws:eventbridge:archive | events:ListArchives,events:ListEventBuses | | aws:eventbridge:connection | events:ListConnections | | aws:eventbridge:endpoint | events:ListEndpoints | | aws:eventbridge:event-source | events:ListEventSources | | aws:eventbridge:eventbus | events:ListEventBuses,events:ListRules | | aws:eventbridge:replay | events:ListReplays | | aws:eventbridge:rule | events:ListEventBuses,events:ListRules | | aws:eventbridge:ruletarget | events:ListEventBuses,events:ListRules,events:ListTargetsByRule | | aws:firehose:delivery-stream | firehose:DescribeDeliveryStream,firehose:ListDeliveryStreams | | aws:frauddetector:batch-import-job | frauddetector:GetBatchImportJobs | | aws:frauddetector:batch-prediction-job | frauddetector:GetBatchPredictionJobs | | aws:frauddetector:detector | frauddetector:GetDetectors | | aws:frauddetector:detector-version | frauddetector:DescribeDetector,frauddetector:GetDetectorVersion,frauddetector:GetDetectors | | aws:frauddetector:entity-type | frauddetector:GetEntityTypes | | aws:frauddetector:event-type | frauddetector:GetEventTypes | | aws:frauddetector:external-model | frauddetector:GetExternalModels | | aws:frauddetector:label | frauddetector:GetLabels | | aws:frauddetector:list | frauddetector:GetListsMetadata | | aws:frauddetector:model | frauddetector:GetModels | | aws:frauddetector:model-version | frauddetector:DescribeModelVersions | | aws:frauddetector:outcome | frauddetector:GetOutcomes | | aws:frauddetector:rule | frauddetector:GetDetectors,frauddetector:GetRules | | aws:frauddetector:variable | frauddetector:GetVariables | | aws:fsx:association | fsx:DescribeDataRepositoryAssociations | | aws:fsx:backup | fsx:DescribeBackups | | aws:fsx:file-cache | fsx:DescribeFileCaches | | aws:fsx:file-system | fsx:DescribeFileSystems | | aws:fsx:snapshot | fsx:DescribeSnapshots | | aws:fsx:storage-virtual-machine | fsx:DescribeStorageVirtualMachines | | aws:fsx:task | fsx:DescribeDataRepositoryTasks | | aws:fsx:volume | fsx:DescribeVolumes | | aws:gamelift:alias | gamelift:ListAliases | | aws:gamelift:build | gamelift:ListBuilds | | aws:gamelift:container-fleet | gamelift:ListContainerFleets | | aws:gamelift:container-group-definition | gamelift:ListContainerGroupDefinitions | | aws:gamelift:game-server-group | gamelift:ListGameServerGroups | | aws:gamelift:game-session-queue | gamelift:DescribeGameSessionQueues | | aws:gamelift:location | gamelift:ListLocations | | aws:gamelift:matchmaking-configuration | gamelift:DescribeMatchmakingConfigurations | | aws:gamelift:matchmaking-rule-set | gamelift:DescribeMatchmakingRuleSets | | aws:gamelift:script | gamelift:ListScripts | | aws:glacier:vault | glacier:GetVaultNotifications,glacier:ListVaults | | aws:globalaccelerator:accelerator | globalaccelerator:ListAccelerators | | aws:globalaccelerator:endpointgroup | globalaccelerator:ListAccelerators,globalaccelerator:ListEndpointGroups,globalaccelerator:ListListeners | | aws:globalaccelerator:listener | globalaccelerator:ListAccelerators,globalaccelerator:ListListeners | | aws:glue:registry | glue:ListRegistries | | aws:grafana:workspace | grafana:DescribeWorkspace,grafana:ListWorkspaces | | aws:greengrass:bulk-deployment | greengrass:GetBulkDeploymentStatus,greengrass:ListBulkDeployments | | aws:greengrass:component | greengrass:GetComponent,greengrass:ListComponents | | aws:greengrass:connectivity-info | greengrass:GetConnectivityInfo,greengrass:ListCoreDevices | | aws:greengrass:connector-definition | greengrass:ListConnectorDefinitions | | aws:greengrass:core-definition | greengrass:ListCoreDefinitions | | aws:greengrass:core-device | greengrass:GetCoreDevice,greengrass:ListCoreDevices | | aws:greengrass:deployment | greengrass:ListDeployments,greengrass:ListGroups | | aws:greengrass:device-definition | greengrass:ListDeviceDefinitions | | aws:greengrass:function-definition | greengrass:ListFunctionDefinitions | | aws:greengrass:group | greengrass:GetGroup,greengrass:ListGroups | | aws:greengrass:logger-definition | greengrass:ListLoggerDefinitions | | aws:greengrass:resource-definition | greengrass:ListResourceDefinitions | | aws:greengrass:subscription-definition | greengrass:ListSubscriptionDefinitions | | aws:guardduty:detector | guardduty:GetCoverageStatistics,guardduty:GetDetector,guardduty:ListDetectors | | aws:guardduty:filter | guardduty:GetFilter,guardduty:ListDetectors,guardduty:ListFilters | | aws:guardduty:ipset | guardduty:GetIPSet,guardduty:ListDetectors,guardduty:ListIPSets | | aws:guardduty:malwareprotectionplan | guardduty:GetMalwareProtectionPlan,guardduty:ListMalwareProtectionPlans | | aws:guardduty:publishingdestination | guardduty:DescribePublishingDestination,guardduty:ListDetectors,guardduty:ListPublishingDestinations | | aws:guardduty:settings | guardduty:GetAdministratorAccount,guardduty:GetMalwareScanSettings,guardduty:GetMasterAccount,guardduty:ListDetectors | | aws:guardduty:threatintelset | guardduty:GetThreatIntelSet,guardduty:ListDetectors,guardduty:ListThreatIntelSets | | aws:health:settings | health:DescribeHealthServiceStatusForOrganization,organizations:DescribeOrganization | | aws:healthlake:datastore | healthlake:ListFHIRDatastores | | aws:iam:accesskeymetadata | iam:GetUser,iam:ListAccessKeys,iam:ListUsers,iam:ListVirtualMFADevices | | aws:iam:account | iam:GetAccountPasswordPolicy,iam:GetAccountSummary,organizations:DescribeOrganization | | aws:iam:aws-managed-policy | iam:GetPolicyVersion,iam:ListPolicies | | aws:iam:credentialreport | iam:GenerateCredentialReport,iam:GetCredentialReport | | aws:iam:group | iam:GetGroup,iam:ListAttachedGroupPolicies,iam:ListGroups | | aws:iam:groupinlinepolicy | iam:GetGroupPolicy,iam:ListGroupPolicies,iam:ListGroups | | aws:iam:instanceprofile | iam:GetInstanceProfile,iam:ListInstanceProfiles | | aws:iam:open-id-connect-provider | iam:GetOpenIDConnectProvider,iam:ListOpenIDConnectProviders | | aws:iam:policy | iam:GetPolicy,iam:GetPolicyVersion,iam:ListPolicies | | aws:iam:role | iam:GetAccountAuthorizationDetails,iam:GetRole,iam:ListAttachedRolePolicies | | aws:iam:roleinlinepolicy | iam:GetAccountAuthorizationDetails,iam:GetRole,iam:GetRolePolicy,iam:ListRolePolicies | | aws:iam:saml-provider | iam:GetSAMLProvider,iam:ListSAMLProviders | | aws:iam:server-certificate | iam:ListServerCertificates | | aws:iam:service-specific-credential | iam:ListServiceSpecificCredentials | | aws:iam:user | iam:GetLoginProfile,iam:GetUser,iam:ListAttachedUserPolicies,iam:ListGroupsForUser,iam:ListMFADevices,iam:ListSSHPublicKeys,iam:ListUsers,iam:ListVirtualMFADevices | | aws:iam:userinlinepolicy | iam:GetUser,iam:GetUserPolicy,iam:ListUserPolicies,iam:ListUsers,iam:ListVirtualMFADevices | | aws:iam:virtualmfadevice | iam:ListUsers,iam:ListVirtualMFADevices | | aws:identitystore:group | identitystore:ListGroups,organizations:DescribeOrganization,sso:ListInstances | | aws:identitystore:user | identitystore:ListGroupMembershipsForMember,identitystore:ListUsers,organizations:DescribeOrganization,sso:ListInstances | | aws:imagebuilder:component-version | imagebuilder:ListComponents | | aws:imagebuilder:container-recipe | imagebuilder:GetContainerRecipe,imagebuilder:ListContainerRecipes | | aws:imagebuilder:distribution-configuration | imagebuilder:GetDistributionConfiguration,imagebuilder:ListDistributionConfigurations | | aws:imagebuilder:image-pipeline | imagebuilder:ListImagePipelines | | aws:imagebuilder:image-recipe | imagebuilder:GetImageRecipe,imagebuilder:ListImageRecipes | | aws:imagebuilder:image-version | imagebuilder:ListImages | | aws:imagebuilder:infrastructure-configuration | imagebuilder:GetInfrastructureConfiguration,imagebuilder:ListInfrastructureConfigurations | | aws:imagebuilder:lifecycle-policy | imagebuilder:GetLifecyclePolicy,imagebuilder:ListLifecyclePolicies | | aws:imagebuilder:public-component | imagebuilder:ListComponents | | aws:imagebuilder:public-container-recipe | imagebuilder:GetContainerRecipe,imagebuilder:ListContainerRecipes | | aws:imagebuilder:public-image | imagebuilder:ListImages | | aws:imagebuilder:public-image-recipe | imagebuilder:GetImageRecipe,imagebuilder:ListImageRecipes | | aws:imagebuilder:public-workflow | imagebuilder:GetWorkflow,imagebuilder:ListWorkflows | | aws:imagebuilder:workflow | imagebuilder:GetWorkflow,imagebuilder:ListWorkflows | | aws:inspector2:coveredresource | inspector2:ListCoverage | | aws:iot:authorizer | iot:DescribeAuthorizer,iot:ListAuthorizers | | aws:iot:cert | iot:DescribeCertificate,iot:ListCertificates | | aws:iot:certificateprovider | iot:DescribeCertificateProvider,iot:ListCertificateProviders | | aws:iot:dimension | iot:DescribeDimension,iot:ListDimensions | | aws:iot:domainconfiguration | iot:DescribeDomainConfiguration,iot:ListDomainConfigurations | | aws:iot:fleetmetric | iot:DescribeFleetMetric,iot:ListFleetMetrics | | aws:iot:job | iot:DescribeJob,iot:ListJobs | | aws:iot:jobtemplate | iot:DescribeJobTemplate,iot:ListJobTemplates | | aws:iot:policy | iot:GetPolicy,iot:ListPolicies | | aws:iot:provisioningtemplate | iot:DescribeProvisioningTemplate,iot:ListProvisioningTemplates | | aws:iot:rolealias | iot:DescribeRoleAlias,iot:ListRoleAliases | | aws:iot:securityprofile | iot:DescribeSecurityProfile,iot:ListSecurityProfiles | | aws:iot:stream | iot:DescribeStream,iot:ListStreams | | aws:iot:thing | iot:DescribeThing,iot:ListThings | | aws:iot:thinggroup | iot:DescribeThingGroup,iot:ListThingGroups | | aws:iot:thingtype | iot:DescribeThingType,iot:ListThingTypes | | aws:iot:tunnel | iot:DescribeTunnel,iot:ListTunnels | | aws:iotfleetwise:campaign | iotfleetwise:GetCampaign,iotfleetwise:ListCampaigns | | aws:iotfleetwise:decoder-manifest | iotfleetwise:ListDecoderManifests | | aws:iotfleetwise:fleet | iotfleetwise:ListFleets | | aws:iotfleetwise:model-manifest | iotfleetwise:ListModelManifests | | aws:iotfleetwise:signal-catalog | iotfleetwise:GetSignalCatalog,iotfleetwise:ListSignalCatalogs | | aws:iotfleetwise:state-template | iotfleetwise:GetStateTemplate,iotfleetwise:ListStateTemplates | | aws:iotfleetwise:vehicle | iotfleetwise:GetVehicle,iotfleetwise:ListVehicles | | aws:iotsitewise:asset | iotsitewise:DescribeAsset,iotsitewise:DescribeAssetModel,iotsitewise:ListAssetModels,iotsitewise:ListAssets | | aws:iotsitewise:asset-model | iotsitewise:DescribeAssetModel,iotsitewise:ListAssetModels | | aws:iotsitewise:dashboard | iotsitewise:DescribeDashboard,iotsitewise:DescribePortal,iotsitewise:DescribeProject,iotsitewise:ListDashboards,iotsitewise:ListPortals,iotsitewise:ListProjects | | aws:iotsitewise:dataset | iotsitewise:DescribeDataset,iotsitewise:ListDatasets | | aws:iotsitewise:gateway | iotsitewise:ListGateways | | aws:iotsitewise:portal | iotsitewise:DescribePortal,iotsitewise:ListPortals | | aws:iotsitewise:project | iotsitewise:DescribePortal,iotsitewise:DescribeProject,iotsitewise:ListPortals,iotsitewise:ListProjects | | aws:iotsitewise:timeseries | iotsitewise:ListTimeSeries | | aws:iottwinmaker:component-type | iottwinmaker:GetComponentType,iottwinmaker:GetWorkspace,iottwinmaker:ListComponentTypes,iottwinmaker:ListWorkspaces | | aws:iottwinmaker:entity | iottwinmaker:GetEntity,iottwinmaker:GetWorkspace,iottwinmaker:ListEntities,iottwinmaker:ListWorkspaces | | aws:iottwinmaker:scene | iottwinmaker:GetScene,iottwinmaker:GetWorkspace,iottwinmaker:ListScenes,iottwinmaker:ListWorkspaces | | aws:iottwinmaker:workspace | iottwinmaker:GetWorkspace,iottwinmaker:ListWorkspaces | | aws:iotwireless:destination | iotwireless:ListDestinations | | aws:iotwireless:device-profile | iotwireless:GetDeviceProfile,iotwireless:ListDeviceProfiles | | aws:iotwireless:gateway | iotwireless:GetWirelessGateway,iotwireless:ListWirelessGateways | | aws:iotwireless:multicast-group | iotwireless:GetMulticastGroup,iotwireless:ListMulticastGroups | | aws:iotwireless:network-analyzer-configuration | iotwireless:GetNetworkAnalyzerConfiguration,iotwireless:ListNetworkAnalyzerConfigurations | | aws:iotwireless:service-profile | iotwireless:GetServiceProfile,iotwireless:ListServiceProfiles | | aws:iotwireless:wireless-device | iotwireless:GetWirelessDevice,iotwireless:ListWirelessDevices | | aws:ivs:channel | ivs:GetChannel,ivs:ListChannels | | aws:ivs:composition | ivs:GetComposition,ivs:ListCompositions | | aws:ivs:encoder-configuration | ivs:GetEncoderConfiguration,ivs:ListEncoderConfigurations | | aws:ivs:ingest-configuration | ivs:GetIngestConfiguration,ivs:ListIngestConfigurations | | aws:ivs:playback-key-pair | ivs:ListPlaybackKeyPairs | | aws:ivs:playback-restriction-policy | ivs:ListPlaybackRestrictionPolicies | | aws:ivs:public-key | ivs:GetPublicKey,ivs:ListPublicKeys | | aws:ivs:recording-configuration | ivs:GetRecordingConfiguration,ivs:ListRecordingConfigurations | | aws:ivs:stage | ivs:GetStage,ivs:ListStages | | aws:ivs:storage-configuration | ivs:ListStorageConfigurations | | aws:ivs:stream-key | ivs:GetChannel,ivs:ListChannels,ivs:ListStreamKeys | | aws:ivschat:logging-configuration | ivschat:GetLoggingConfiguration,ivschat:ListLoggingConfigurations | | aws:ivschat:room | ivschat:GetRoom,ivschat:ListRooms | | aws:kafka:cluster | kafka:DescribeClusterV2,kafka:ListClustersV2 | | aws:kafka:configuration | kafka:ListConfigurations | | aws:kafka:node | kafka:DescribeClusterV2,kafka:ListClustersV2,kafka:ListNodes | | aws:kafka:replicator | kafka:DescribeReplicator,kafka:ListReplicators | | aws:kafka:vpc-connection | kafka:DescribeVpcConnection,kafka:ListVpcConnections | | aws:kafkaconnect:connector | kafkaconnect:DescribeConnector,kafkaconnect:ListConnectors | | aws:kafkaconnect:connector-operation | kafkaconnect:DescribeConnector,kafkaconnect:DescribeConnectorOperation,kafkaconnect:ListConnectorOperations,kafkaconnect:ListConnectors | | aws:kafkaconnect:custom-plugin | kafkaconnect:DescribeCustomPlugin,kafkaconnect:ListCustomPlugins | | aws:kafkaconnect:worker-configuration | kafkaconnect:ListWorkerConfigurations | | aws:keyspaces:keyspace | cassandra:Select | | aws:keyspaces:table | cassandra:Select | | aws:kinesis:stream | kinesis:DescribeStreamSummary,kinesis:ListStreams | | aws:kinesisvideo:channel | kinesisvideo:ListSignalingChannels | | aws:kinesisvideo:stream | kinesisvideo:ListStreams | | aws:kms:alias | kms:GetKeyPolicy,kms:ListAliases | | aws:kms:custom-key-store | kms:DescribeCustomKeyStores | | aws:kms:key | kms:DescribeKey,kms:GetKeyRotationStatus,kms:ListKeys | | aws:lakeformation:data-lake-settings | lakeformation:GetDataLakeSettings | | aws:lakeformation:permissions | lakeformation:ListPermissions | | aws:lambda:codesigningconfig | lambda:ListCodeSigningConfigs | | aws:lambda:eventsourcemapping | lambda:ListEventSourceMappings,lambda:ListFunctions | | aws:lambda:function | lambda:GetFunction,lambda:GetPolicy,lambda:ListFunctionUrlConfigs,lambda:ListFunctions,lambda:ListProvisionedConcurrencyConfigs | | aws:lambda:layer | lambda:GetLayerVersionPolicy,lambda:ListLayers | | aws:launchwizard:deployment | launchwizard:GetDeployment,launchwizard:ListDeployments | | aws:lexv2:bot | lex:DescribeBot,lex:ListBots | | aws:lightsail:alarm | lightsail:GetAlarms | | aws:lightsail:bucket | lightsail:GetBuckets | | aws:lightsail:certificate | lightsail:GetCertificates | | aws:lightsail:container-service | lightsail:GetContainerServices | | aws:lightsail:disk | lightsail:GetDisks | | aws:lightsail:disk-snapshot | lightsail:GetDiskSnapshots | | aws:lightsail:distribution | lightsail:GetDistributions | | aws:lightsail:instance | lightsail:GetInstancePortStates,lightsail:GetInstances | | aws:lightsail:loadbalancer | lightsail:GetLoadBalancers | | aws:lightsail:relational-database | lightsail:GetRelationalDatabaseParameters,lightsail:GetRelationalDatabases | | aws:lightsail:relational-database-snapshot | lightsail:GetRelationalDatabaseSnapshots | | aws:lightsail:static-ip | lightsail:GetStaticIps | | aws:location:api-key | geo:DescribeKey,geo:ListKeys | | aws:location:geofence-collection | geo:DescribeGeofenceCollection,geo:ListGeofenceCollections | | aws:location:map | geo:DescribeMap,geo:ListMaps | | aws:location:place-index | geo:DescribePlaceIndex,geo:ListPlaceIndexes | | aws:location:route-calculator | geo:DescribeRouteCalculator,geo:ListRouteCalculators | | aws:location:tracker | geo:DescribeTracker,geo:ListTrackers | | aws:m2:application | m2:GetApplication,m2:ListApplications | | aws:m2:environment | m2:GetEnvironment,m2:ListEnvironments | | aws:macie2:allow-list | macie2:GetAllowList,macie2:GetMacieSession,macie2:ListAllowLists | | aws:macie2:custom-data-identifier | macie2:GetCustomDataIdentifier,macie2:GetMacieSession,macie2:ListCustomDataIdentifiers | | aws:macie2:member | macie2:GetMacieSession,macie2:ListMembers | | aws:macie2:settings | macie2:GetMacieSession | | aws:managedblockchain:accessor | managedblockchain:GetAccessor,managedblockchain:ListAccessors | | aws:managedblockchain:invitation | managedblockchain:ListInvitations | | aws:managedblockchain:member | managedblockchain:GetMember,managedblockchain:ListMembers,managedblockchain:ListNetworks | | aws:managedblockchain:network | managedblockchain:GetNetwork,managedblockchain:ListNetworks | | aws:managedblockchain:node | managedblockchain:GetNode,managedblockchain:ListMembers,managedblockchain:ListNetworks,managedblockchain:ListNodes | | aws:managedblockchain:proposal | managedblockchain:GetProposal,managedblockchain:ListNetworks,managedblockchain:ListProposals | | aws:mediaconnect:bridge | mediaconnect:DescribeBridge,mediaconnect:ListBridges | | aws:mediaconnect:entitlement | mediaconnect:ListEntitlements | | aws:mediaconnect:flow | mediaconnect:DescribeFlow,mediaconnect:ListFlows | | aws:mediaconnect:gateway | mediaconnect:DescribeGateway,mediaconnect:ListGateways | | aws:mediaconnect:gatewayinstance | mediaconnect:DescribeGatewayInstance,mediaconnect:ListGatewayInstances | | aws:medialive:channel | medialive:ListChannels | | aws:medialive:channel-placement-group | medialive:ListChannelPlacementGroups,medialive:ListClusters | | aws:medialive:cloudwatch-alarm-template | medialive:ListCloudWatchAlarmTemplates | | aws:medialive:cloudwatch-alarm-template-group | medialive:ListCloudWatchAlarmTemplateGroups | | aws:medialive:cluster | medialive:ListClusters | | aws:medialive:eventbridge-rule-template | medialive:ListEventBridgeRuleTemplates | | aws:medialive:eventbridge-rule-template-group | medialive:ListEventBridgeRuleTemplateGroups | | aws:medialive:input | medialive:ListInputs | | aws:medialive:input-device | medialive:ListInputDevices | | aws:medialive:input-security-group | medialive:ListInputSecurityGroups | | aws:medialive:multiplex | medialive:ListMultiplexes | | aws:medialive:network | medialive:ListNetworks | | aws:medialive:node | medialive:ListClusters,medialive:ListNodes | | aws:medialive:reservation | medialive:ListReservations | | aws:medialive:sdi-source | medialive:ListSdiSources | | aws:medialive:signal-map | medialive:ListSignalMaps | | aws:mediapackage-v2:channel | mediapackagev2:GetChannel,mediapackagev2:GetChannelGroup,mediapackagev2:GetChannelPolicy,mediapackagev2:ListChannelGroups,mediapackagev2:ListChannels | | aws:mediapackage-v2:channel-group | mediapackagev2:GetChannelGroup,mediapackagev2:ListChannelGroups | | aws:mediapackage-v2:harvest-job | mediapackagev2:GetChannelGroup,mediapackagev2:ListChannelGroups,mediapackagev2:ListHarvestJobs | | aws:mediapackage-v2:origin-endpoint | mediapackagev2:GetChannelGroup,mediapackagev2:GetOriginEndpoint,mediapackagev2:GetOriginEndpointPolicy,mediapackagev2:ListChannelGroups,mediapackagev2:ListChannels,mediapackagev2:ListOriginEndpoints | | aws:mediapackage-vod:assets | mediapackage-vod:DescribeAsset,mediapackage-vod:ListAssets | | aws:mediapackage-vod:packaging-configurations | mediapackage-vod:ListPackagingConfigurations | | aws:mediapackage-vod:packaging-groups | mediapackage-vod:ListPackagingGroups | | aws:mediapackage:harvest-jobs | mediapackage:ListHarvestJobs | | aws:mediapackage:origin-endpoints | mediapackage:ListOriginEndpoints | | aws:memorydb:acl | memorydb:DescribeAcls | | aws:memorydb:cluster | memorydb:DescribeClusters,memorydb:DescribeMultiRegionClusters | | aws:memorydb:parameter-group | memorydb:DescribeParameterGroups | | aws:memorydb:reserved-node | memorydb:DescribeReservedNodes | | aws:memorydb:snapshot | memorydb:DescribeSnapshots | | aws:memorydb:subnet-group | memorydb:DescribeSubnetGroups | | aws:memorydb:user | memorydb:DescribeUsers | | aws:migrationhubrefactorspaces:application | refactor-spaces:ListApplications,refactor-spaces:ListEnvironments | | aws:migrationhubrefactorspaces:environment | refactor-spaces:ListEnvironments | | aws:migrationhubrefactorspaces:route | refactor-spaces:ListApplications,refactor-spaces:ListEnvironments,refactor-spaces:ListRoutes | | aws:migrationhubrefactorspaces:service | refactor-spaces:ListApplications,refactor-spaces:ListEnvironments,refactor-spaces:ListServices | | aws:mq:broker | mq:DescribeBroker,mq:ListBrokers | | aws:mq:configuration | mq:ListConfigurations | | aws:mq:configurationrevision | mq:DescribeConfigurationRevision,mq:ListConfigurationRevisions,mq:ListConfigurations | | aws:mq:user | mq:DescribeBroker,mq:DescribeUser,mq:ListBrokers | | aws:mwaa:environment | airflow:GetEnvironment,airflow:ListEnvironments | | aws:neptune:cluster | rds:DescribeDBClusters | | aws:neptune:cluster-snapshot | rds:DescribeDBClusterSnapshotAttributes,rds:DescribeDBClusterSnapshots | | aws:neptune:dbinstance | rds:DescribeDBInstances | | aws:network-firewall:firewall | network-firewall:DescribeFirewall,network-firewall:DescribeFirewallPolicy,network-firewall:DescribeLoggingConfiguration,network-firewall:ListFirewalls | | aws:network-firewall:rulegroup | network-firewall:DescribeRuleGroup,network-firewall:ListRuleGroups | | aws:network-firewall:tls-configuration | network-firewall:DescribeTLSInspectionConfiguration,network-firewall:ListTLSInspectionConfigurations | | aws:network-firewall:vpc-endpoint-association | network-firewall:DescribeVpcEndpointAssociation,network-firewall:ListVpcEndpointAssociations | | aws:networkmanager:attachment | networkmanager:ListAttachments | | aws:networkmanager:connect-peer | networkmanager:GetConnectPeer,networkmanager:ListConnectPeers | | aws:networkmanager:connection | networkmanager:DescribeGlobalNetworks,networkmanager:GetConnections | | aws:networkmanager:core-network | networkmanager:GetCoreNetwork,networkmanager:ListCoreNetworks | | aws:networkmanager:device | networkmanager:DescribeGlobalNetworks,networkmanager:GetDevices | | aws:networkmanager:global-network | networkmanager:DescribeGlobalNetworks | | aws:networkmanager:link | networkmanager:DescribeGlobalNetworks,networkmanager:GetLinks | | aws:networkmanager:peering | networkmanager:ListPeerings | | aws:networkmanager:site | networkmanager:DescribeGlobalNetworks,networkmanager:GetSites | | aws:opensearch:domain | es:DescribeDomain,es:ListDomainNames | | aws:opensearchserverless:collection | aoss:BatchGetCollection,aoss:ListCollections | | aws:organizations:account | organizations:DescribeOrganization,organizations:ListAccountsForParent,organizations:ListDelegatedAdministrators,organizations:ListOrganizationalUnitsForParent,organizations:ListPoliciesForTarget,organizations:ListRoots | | aws:organizations:features | iam:ListOrganizationsFeatures,organizations:DescribeOrganization,organizations:ListDelegatedAdministrators | | aws:organizations:organization | organizations:DescribeOrganization,organizations:ListDelegatedAdministrators | | aws:organizations:organizationalunit | organizations:DescribeOrganization,organizations:ListAccountsForParent,organizations:ListDelegatedAdministrators,organizations:ListOrganizationalUnitsForParent,organizations:ListPoliciesForTarget,organizations:ListRoots | | aws:organizations:policy | organizations:DescribeOrganization,organizations:DescribePolicy,organizations:ListDelegatedAdministrators,organizations:ListPolicies,organizations:ListTargetsForPolicy | | aws:organizations:root | organizations:DescribeOrganization,organizations:ListAccountsForParent,organizations:ListDelegatedAdministrators,organizations:ListOrganizationalUnitsForParent,organizations:ListPoliciesForTarget,organizations:ListRoots | | aws:osis:pipeline | osis:GetPipeline,osis:ListPipelines | | aws:osis:pipeline-blueprint | osis:GetPipelineBlueprint,osis:ListPipelineBlueprints | | aws:outposts:outpost | outposts:ListOutposts | | aws:payment-cryptography:alias | payment-cryptography:GetKey,payment-cryptography:ListAliases,payment-cryptography:ListKeys | | aws:payment-cryptography:key | payment-cryptography:GetKey,payment-cryptography:ListKeys | | aws:pca-connector-ad:connector | pca-connector-ad:ListConnectors | | aws:pca-connector-ad:directory-registration | pca-connector-ad:ListDirectoryRegistrations | | aws:pca-connector-ad:template | pca-connector-ad:ListConnectors,pca-connector-ad:ListTemplates | | aws:pca-connector-scep:connector | pca-connector-scep:ListConnectors | | aws:pcs:cluster | pcs:GetCluster,pcs:ListClusters | | aws:pcs:compute-node-group | pcs:GetComputeNodeGroup,pcs:ListClusters,pcs:ListComputeNodeGroups | | aws:pcs:queue | pcs:GetQueue,pcs:ListClusters,pcs:ListQueues | | aws:personalize:algorithm | personalize:DescribeAlgorithm,personalize:DescribeRecipe,personalize:ListRecipes | | aws:personalize:batch-inference-job | personalize:DescribeBatchInferenceJob,personalize:ListBatchInferenceJobs | | aws:personalize:batch-segment-job | personalize:DescribeBatchSegmentJob,personalize:ListBatchSegmentJobs | | aws:personalize:campaign | personalize:DescribeCampaign,personalize:ListCampaigns | | aws:personalize:data-deletion-job | personalize:DescribeDataDeletionJob,personalize:ListDataDeletionJobs | | aws:personalize:dataset | personalize:DescribeDataset,personalize:ListDatasets | | aws:personalize:dataset-export-job | personalize:DescribeDatasetExportJob,personalize:ListDatasetExportJobs | | aws:personalize:dataset-group | personalize:DescribeDatasetGroup,personalize:ListDatasetGroups | | aws:personalize:dataset-import-job | personalize:DescribeDatasetImportJob,personalize:ListDatasetImportJobs | | aws:personalize:event-tracker | personalize:DescribeEventTracker,personalize:ListEventTrackers | | aws:personalize:feature-transformation | personalize:DescribeFeatureTransformation,personalize:DescribeRecipe,personalize:ListRecipes | | aws:personalize:filter | personalize:DescribeFilter,personalize:ListFilters | | aws:personalize:metric-attribution | personalize:DescribeMetricAttribution,personalize:ListMetricAttributions | | aws:personalize:recipe | personalize:DescribeRecipe,personalize:ListRecipes | | aws:personalize:recommender | personalize:DescribeRecommender,personalize:ListRecommenders | | aws:personalize:schema | personalize:DescribeSchema,personalize:ListSchemas | | aws:personalize:solution | personalize:DescribeSolution,personalize:ListSolutions | | aws:pinpoint:app | mobiletargeting:GetApps,mobiletargeting:GetEventStream | | aws:pinpoint:campaign | mobiletargeting:GetApps,mobiletargeting:GetCampaigns | | aws:pinpoint:channel | mobiletargeting:GetApps,mobiletargeting:GetChannels | | aws:pinpoint:journey | mobiletargeting:GetApps,mobiletargeting:ListJourneys | | aws:pinpoint:segment | mobiletargeting:GetApps,mobiletargeting:GetSegments | | aws:pinpoint:template | mobiletargeting:ListTemplates | | aws:pipes:pipe | pipes:ListPipes | | aws:profile:domain | profile:GetDomain,profile:ListDomains | | aws:proton:component | proton:GetComponent,proton:ListComponents | | aws:proton:deployment | proton:GetDeployment,proton:ListDeployments | | aws:proton:environment | proton:GetEnvironment,proton:ListEnvironments | | aws:proton:environment-account-connection | proton:GetEnvironmentAccountConnection,proton:ListEnvironmentAccountConnections | | aws:proton:environment-template | proton:GetEnvironmentTemplate,proton:ListEnvironmentTemplates | | aws:proton:environment-template-version | proton:GetEnvironmentTemplate,proton:GetEnvironmentTemplateVersion,proton:ListEnvironmentTemplateVersions,proton:ListEnvironmentTemplates | | aws:proton:repository | proton:GetRepository,proton:ListRepositories | | aws:proton:service | proton:GetService,proton:ListServices | | aws:proton:service-instance | proton:GetServiceInstance,proton:ListServiceInstances | | aws:proton:service-template | proton:GetServiceTemplate,proton:ListServiceTemplates | | aws:proton:service-template-version | proton:GetServiceTemplate,proton:GetServiceTemplateVersion,proton:ListServiceTemplateVersions,proton:ListServiceTemplates | | aws:qbusiness:application | qbusiness:GetApplication,qbusiness:ListApplications | | aws:qbusiness:data-accessor | qbusiness:GetApplication,qbusiness:GetDataAccessor,qbusiness:ListApplications,qbusiness:ListDataAccessors | | aws:qbusiness:data-source | qbusiness:GetApplication,qbusiness:GetDataSource,qbusiness:GetIndex,qbusiness:ListApplications,qbusiness:ListDataSources,qbusiness:ListIndices | | aws:qbusiness:index | qbusiness:GetApplication,qbusiness:GetIndex,qbusiness:ListApplications,qbusiness:ListIndices | | aws:qbusiness:plugin | qbusiness:GetApplication,qbusiness:GetPlugin,qbusiness:ListApplications,qbusiness:ListPlugins | | aws:qbusiness:retriever | qbusiness:GetApplication,qbusiness:GetRetriever,qbusiness:ListApplications,qbusiness:ListRetrievers | | aws:qbusiness:subscription | qbusiness:GetApplication,qbusiness:ListApplications,qbusiness:ListSubscriptions | | aws:qbusiness:web-experience | qbusiness:GetApplication,qbusiness:GetWebExperience,qbusiness:ListApplications,qbusiness:ListWebExperiences | | aws:quicksight:account | quicksight:DescribeAccountSettings | | aws:quicksight:analysis | quicksight:DescribeAccountSettings,quicksight:DescribeAnalysis,quicksight:ListAnalyses | | aws:quicksight:brand | quicksight:DescribeAccountSettings,quicksight:DescribeBrand,quicksight:ListBrands | | aws:quicksight:custom-permission | quicksight:DescribeAccountSettings,quicksight:ListCustomPermissions | | aws:quicksight:dashboard | quicksight:DescribeAccountSettings,quicksight:DescribeDashboard,quicksight:ListDashboards | | aws:quicksight:data-set | quicksight:DescribeAccountSettings,quicksight:ListDataSets | | aws:quicksight:data-source | quicksight:DescribeAccountSettings,quicksight:ListDataSources | | aws:quicksight:folder | quicksight:DescribeAccountSettings,quicksight:DescribeFolder,quicksight:ListFolders | | aws:quicksight:group | quicksight:DescribeAccountSettings,quicksight:ListGroups,quicksight:ListNamespaces | | aws:quicksight:ingestion | quicksight:DescribeAccountSettings,quicksight:ListDataSets,quicksight:ListIngestions | | aws:quicksight:namespace | quicksight:DescribeAccountSettings,quicksight:ListNamespaces | | aws:quicksight:refresh-schedule | quicksight:DescribeAccountSettings,quicksight:ListDataSets,quicksight:ListRefreshSchedules | | aws:quicksight:template | quicksight:DescribeAccountSettings,quicksight:DescribeTemplate,quicksight:ListTemplates | | aws:quicksight:theme | quicksight:DescribeAccountSettings,quicksight:DescribeTheme,quicksight:ListThemes | | aws:quicksight:topic | quicksight:DescribeAccountSettings,quicksight:DescribeTopic,quicksight:ListTopics | | aws:quicksight:user | quicksight:DescribeAccountSettings,quicksight:ListUsers | | aws:quicksight:vpc-connection | quicksight:DescribeAccountSettings,quicksight:ListVPCConnections | | aws:ram:customer-managed-permission | ram:ListPermissions | | aws:ram:permission | ram:ListPermissions | | aws:ram:resource-share | ram:GetResourceShares | | aws:ram:resource-share-invitation | ram:GetResourceShareInvitations | | aws:rbin:rule | rbin:GetRule,rbin:ListRules | | aws:rds:blue-green-deployment | rds:DescribeBlueGreenDeployments | | aws:rds:cluster | rds:DescribeDBClusters | | aws:rds:cluster-endpoint | rds:DescribeDBClusterEndpoints,rds:DescribeDBClusters | | aws:rds:cluster-snapshot | rds:DescribeDBClusterSnapshotAttributes,rds:DescribeDBClusterSnapshots | | aws:rds:db-cluster-automated-backup | rds:DescribeDBClusterAutomatedBackups | | aws:rds:db-shard-group | rds:DescribeDBShardGroups | | aws:rds:dbclusterparametergroup | rds:DescribeDBClusterParameterGroups | | aws:rds:dbinstanceautomatedbackup | rds:DescribeDBInstanceAutomatedBackups | | aws:rds:dbparametergroup | rds:DescribeDBParameterGroups,rds:DescribeDBParameters | | aws:rds:dbsubnetgroup | rds:DescribeDBSubnetGroups | | aws:rds:eventsubscription | rds:DescribeEventSubscriptions | | aws:rds:exporttask | rds:DescribeExportTasks | | aws:rds:globalcluster | rds:DescribeGlobalClusters | | aws:rds:instance | rds:DescribeDBInstances | | aws:rds:integration | rds:DescribeIntegrations | | aws:rds:optiongroup | rds:DescribeOptionGroups | | aws:rds:proxy | rds:DescribeDBProxies | | aws:rds:proxy-endpoint | rds:DescribeDBProxyEndpoints | | aws:rds:proxy-target-group | rds:DescribeDBProxies,rds:DescribeDBProxyTargetGroups,rds:DescribeDBProxyTargets | | aws:rds:reserveddbinstance | rds:DescribeReservedDBInstances | | aws:rds:securitygroup | rds:DescribeDBSecurityGroups | | aws:rds:snapshot | rds:DescribeDBSnapshotAttributes,rds:DescribeDBSnapshots | | aws:rds:snapshot-tenant-database | rds:DescribeDBSnapshotTenantDatabases | | aws:rds:tenant-database | rds:DescribeTenantDatabases | | aws:redshift:cluster | redshift:DescribeClusterParameters,redshift:DescribeClusters,redshift:DescribeEndpointAccess,redshift:DescribeLoggingStatus | | aws:redshift:eventsubscription | redshift:DescribeEventSubscriptions | | aws:redshift:hsm-client-certificate | redshift:DescribeHsmClientCertificates | | aws:redshift:hsm-configuration | redshift:DescribeHsmConfigurations | | aws:redshift:integration | redshift:DescribeIntegrations | | aws:redshift:parametergroup | redshift:DescribeClusterParameterGroups | | aws:redshift:redshift-idc-application | redshift:DescribeRedshiftIdcApplications | | aws:redshift:securitygroup | redshift:DescribeClusterSecurityGroups | | aws:redshift:snapshot | redshift:DescribeClusterSnapshots,redshift:DescribeClusters | | aws:redshift:subnetgroup | redshift:DescribeClusterSubnetGroups,redshift:DescribeClusters | | aws:redshiftserverless:endpoint-access | redshift-serverless:ListEndpointAccess | | aws:redshiftserverless:managed-workgroup | redshift-serverless:ListManagedWorkgroups | | aws:redshiftserverless:namespace | redshift-serverless:ListNamespaces | | aws:redshiftserverless:recovery-point | redshift-serverless:ListNamespaces,redshift-serverless:ListRecoveryPoints | | aws:redshiftserverless:snapshot | redshift-serverless:GetSnapshot,redshift-serverless:ListNamespaces,redshift-serverless:ListSnapshots | | aws:redshiftserverless:workgroup | redshift-serverless:ListWorkgroups | | aws:rekognition:collection | rekognition:DescribeCollection,rekognition:ListCollections | | aws:rekognition:project | rekognition:DescribeProjects | | aws:rekognition:project-version | rekognition:DescribeProjectVersions,rekognition:DescribeProjects | | aws:rekognition:stream-processor | rekognition:DescribeStreamProcessor,rekognition:ListStreamProcessors | | aws:resiliencehub:app-assessment | resiliencehub:DescribeAppAssessment,resiliencehub:ListAppAssessments | | aws:resiliencehub:application | resiliencehub:DescribeApp,resiliencehub:ListApps | | aws:resiliencehub:resiliency-policy | resiliencehub:ListResiliencyPolicies | | aws:resourceexplorer2:index | resource-explorer-2:GetIndex | | aws:resourceexplorer2:managed-view | resource-explorer-2:GetManagedView,resource-explorer-2:ListManagedViews | | aws:resourceexplorer2:view | resource-explorer-2:GetView,resource-explorer-2:ListViews | | aws:resourcegroups:group | resource-groups:GetGroup,resource-groups:ListGroups | | aws:route53-recovery-control:assertion-safety-rule | route53-recovery-control-config:ListControlPanels,route53-recovery-control-config:ListSafetyRules | | aws:route53-recovery-control:cluster | route53-recovery-control-config:ListClusters | | aws:route53-recovery-control:control-panel | route53-recovery-control-config:ListControlPanels,route53-recovery-control-config:ListSafetyRules | | aws:route53-recovery-control:gating-safety-rule | route53-recovery-control-config:ListControlPanels,route53-recovery-control-config:ListSafetyRules | | aws:route53-recovery-control:routing-control | route53-recovery-control-config:ListControlPanels,route53-recovery-control-config:ListRoutingControls | | aws:route53-recovery-readiness:cell | route53-recovery-readiness:ListCells | | aws:route53-recovery-readiness:readiness-check | route53-recovery-readiness:ListReadinessChecks | | aws:route53-recovery-readiness:recovery-group | route53-recovery-readiness:ListRecoveryGroups | | aws:route53-recovery-readiness:resource-set | route53-recovery-readiness:ListResourceSets | | aws:route53:hostedzone | route53:GetDNSSEC,route53:GetHostedZone,route53:ListHostedZones | | aws:route53:queryloggingconfig | route53:ListQueryLoggingConfigs | | aws:route53:resourcerecordset | route53:ListHostedZones,route53:ListResourceRecordSets | | aws:route53domains:domain | route53domains:ListDomains | | aws:route53resolver:firewall-config | route53resolver:ListFirewallConfigs | | aws:route53resolver:firewall-domain-list | route53resolver:ListFirewallDomainLists | | aws:route53resolver:firewall-rule-group | route53resolver:ListFirewallRuleGroups,route53resolver:ListFirewallRules | | aws:route53resolver:firewall-rule-group-association | route53resolver:ListFirewallRuleGroupAssociations | | aws:route53resolver:outpost-resolver | route53resolver:ListOutpostResolvers | | aws:route53resolver:resolver-config | route53resolver:ListResolverConfigs | | aws:route53resolver:resolver-dnssec-config | route53resolver:ListResolverDnssecConfigs | | aws:route53resolver:resolver-endpoint | route53resolver:ListResolverEndpoints | | aws:route53resolver:resolver-query-log-config | route53resolver:ListResolverQueryLogConfigs | | aws:route53resolver:resolver-rule | route53resolver:ListResolverRules | | aws:rum:app-monitor | rum:GetAppMonitor,rum:ListAppMonitors | | aws:s3-object-lambda:object-lambda-access-point | s3:GetAccessPointForObjectLambda,s3:ListAccessPointsForObjectLambda | | aws:s3:accessgrant | s3:ListAccessGrants | | aws:s3:accesspoint | s3:GetAccessPointPolicy,s3:ListAccessPoints | | aws:s3:bucket | s3:GetAccelerateConfiguration,s3:GetAnalyticsConfiguration,s3:GetBucketAbac,s3:GetBucketAcl,s3:GetBucketLogging,s3:GetBucketMetadataConfiguration,s3:GetBucketNotification,s3:GetBucketObjectLockConfiguration,s3:GetBucketOwnershipControls,s3:GetBucketPolicy,s3:GetBucketPolicyStatus,s3:GetBucketPublicAccessBlock,s3:GetBucketVersioning,s3:GetBucketWebsite,s3:GetEncryptionConfiguration,s3:GetIntelligentTieringConfiguration,s3:GetInventoryConfiguration,s3:GetLifecycleConfiguration,s3:GetReplicationConfiguration,s3:ListAllMyBuckets | | aws:s3control:accountpublicaccessblock | s3:GetBucketPublicAccessBlock | | aws:s3express:bucket | s3express:GetBucketPolicy,s3express:GetEncryptionConfiguration,s3express:ListAllMyDirectoryBuckets | | aws:s3outposts:bucket | s3-outposts:ListOutpostsWithS3,s3-outposts:ListRegionalBuckets | | aws:s3outposts:endpoint | s3-outposts:ListEndpoints | | aws:s3outposts:outpost | s3-outposts:ListOutpostsWithS3 | | aws:sagemaker:inference-recommendations-job | sagemaker:DescribeInferenceRecommendationsJob,sagemaker:ListInferenceRecommendationsJobs | | aws:sagemaker:notebookinstance | sagemaker:DescribeNotebookInstance,sagemaker:ListNotebookInstances | | aws:sagemaker:pipeline | sagemaker:DescribePipeline,sagemaker:ListPipelines | | aws:scheduler:group | scheduler:ListScheduleGroups | | aws:scheduler:schedule | scheduler:GetSchedule,scheduler:ListSchedules | | aws:schemas:aws-schema | schemas:DescribeSchema,schemas:ListRegistries,schemas:ListSchemas | | aws:schemas:discoverer | schemas:ListDiscoverers | | aws:schemas:registry | schemas:ListRegistries | | aws:schemas:schema | schemas:DescribeSchema,schemas:ListRegistries,schemas:ListSchemas | | aws:secretsmanager:secret | secretsmanager:DescribeSecret,secretsmanager:GetResourcePolicy,secretsmanager:ListSecrets | | aws:securityhub:automation-rule | securityhub:BatchGetAutomationRules,securityhub:DescribeHub,securityhub:ListAutomationRules | | aws:securityhub:configuration-policy | organizations:DescribeOrganization,securityhub:DescribeHub,securityhub:GetConfigurationPolicy,securityhub:ListConfigurationPolicies | | aws:securityhub:finding-aggregator | securityhub:DescribeHub,securityhub:GetFindingAggregator,securityhub:ListFindingAggregators | | aws:securityhub:hub | securityhub:DescribeHub | | aws:securityhub:product | securityhub:DescribeHub,securityhub:DescribeProducts | | aws:securitylake:data-lake | securitylake:ListDataLakes | | aws:securitylake:subscriber | securitylake:ListSubscribers | | aws:servicecatalog:application | servicecatalog:GetApplication,servicecatalog:ListApplications | | aws:servicecatalog:attribute-group | servicecatalog:GetAttributeGroup,servicecatalog:ListAttributeGroups | | aws:servicecatalog:portfolio | servicecatalog:DescribePortfolio,servicecatalog:ListPortfolios | | aws:servicecatalog:product | servicecatalog:DescribeProduct,servicecatalog:SearchProducts | | aws:servicediscovery:namespace | servicediscovery:GetNamespace,servicediscovery:ListNamespaces | | aws:servicediscovery:service | servicediscovery:GetService,servicediscovery:ListServices | | aws:servicequotas:quota-change | servicequotas:ListRequestedServiceQuotaChangeHistory,servicequotas:ListServices | | aws:ses:addon-instance | ses:ListAddonInstances | | aws:ses:addon-subscription | ses:ListAddonSubscriptions | | aws:ses:address-list | ses:ListAddressLists | | aws:ses:archive | ses:GetArchive,ses:ListArchives | | aws:ses:configuration-set | ses:DescribeConfigurationSet,ses:ListConfigurationSets | | aws:ses:contact-list | ses:GetContactList,ses:ListContactLists | | aws:ses:custom-verification-email-template | ses:GetCustomVerificationEmailTemplate,ses:ListCustomVerificationEmailTemplates | | aws:ses:dedicated-ip-pool | ses:GetDedicatedIpPool,ses:ListDedicatedIpPools | | aws:ses:identity | ses:GetIdentityDkimAttributes,ses:GetIdentityMailFromDomainAttributes,ses:GetIdentityVerificationAttributes,ses:ListIdentities | | aws:ses:ingress-point | ses:GetIngressPoint,ses:ListIngressPoints | | aws:ses:multi-region-endpoint | ses:GetMultiRegionEndpoint,ses:ListMultiRegionEndpoints | | aws:ses:relay | ses:GetRelay,ses:ListRelays | | aws:ses:rule-set | ses:GetRuleSet,ses:ListRuleSets | | aws:ses:template | ses:GetTemplate,ses:ListTemplates | | aws:ses:traffic-policy | ses:GetTrafficPolicy,ses:ListTrafficPolicies | | aws:sfn:activity | states:DescribeActivity,states:ListActivities | | aws:sfn:execution | states:DescribeExecution,states:ListExecutions,states:ListStateMachines | | aws:sfn:statemachine | states:DescribeStateMachine,states:ListStateMachines | | aws:sfn:statemachinealias | states:DescribeStateMachineAlias,states:ListStateMachineAliases,states:ListStateMachines | | aws:shield:attack | shield:DescribeAttack,shield:ListAttacks | | aws:shield:protection | shield:ListProtections | | aws:shield:protection-group | shield:ListProtectionGroups,shield:ListResourcesInProtectionGroup | | aws:shield:settings | shield:DescribeEmergencyContactSettings,shield:DescribeSubscription,shield:GetSubscriptionState | | aws:signer:signing-profile | signer:GetSigningProfile,signer:ListSigningProfiles | | aws:smsvoice:configuration-set | sms-voice:DescribeConfigurationSets | | aws:smsvoice:opt-out-list | sms-voice:DescribeOptOutLists | | aws:smsvoice:phone-number | sms-voice:DescribePhoneNumbers | | aws:smsvoice:pool | sms-voice:DescribePools | | aws:smsvoice:protect-configuration | sms-voice:DescribeProtectConfigurations | | aws:smsvoice:registration | sms-voice:DescribeRegistrations | | aws:smsvoice:registration-attachment | sms-voice:DescribeRegistrationAttachments | | aws:smsvoice:sender-id | sms-voice:DescribeSenderIds | | aws:smsvoice:verified-destination-number | sms-voice:DescribeVerifiedDestinationNumbers | | aws:snowball:cluster | snowball:DescribeCluster,snowball:ListClusters | | aws:snowball:job | snowball:DescribeJob,snowball:ListJobs | | aws:sns:platform-application | sns:ListPlatformApplications | | aws:sns:topic | sns:GetTopicAttributes,sns:ListTopics | | aws:socialmessaging:waba | social-messaging:GetLinkedWhatsAppBusinessAccount,social-messaging:ListLinkedWhatsAppBusinessAccounts | | aws:sqs:queue | sqs:GetQueueAttributes,sqs:GetQueueUrl,sqs:ListQueues | | aws:ssm-incidents:incident-record | ssm-incidents:GetIncidentRecord,ssm-incidents:ListIncidentRecords | | aws:ssm-incidents:replication-set | ssm-incidents:GetReplicationSet,ssm-incidents:ListReplicationSets | | aws:ssm-incidents:response-plan | ssm-incidents:GetResponsePlan,ssm-incidents:ListResponsePlans | | aws:ssm:document | ssm:DescribeDocument,ssm:DescribeDocumentPermission,ssm:ListDocuments | | aws:ssm:instance | ssm:DescribeInstanceInformation,ssm:ListComplianceItems,ssm:ListInventoryEntries | | aws:sso:application | organizations:DescribeOrganization,sso:GetApplicationAssignmentConfiguration,sso:ListApplicationAssignments,sso:ListApplications,sso:ListInstances | | aws:sso:application-provider | sso:ListApplicationProviders | | aws:sso:instance | organizations:DescribeOrganization,sso:DescribeInstanceAccessControlAttributeConfiguration,sso:ListInstances | | aws:sso:permission-set | organizations:DescribeOrganization,sso:DescribePermissionSet,sso:GetInlinePolicyForPermissionSet,sso:GetPermissionsBoundaryForPermissionSet,sso:ListCustomerManagedPolicyReferencesInPermissionSet,sso:ListInstances,sso:ListManagedPoliciesInPermissionSet,sso:ListPermissionSets | | aws:sso:trusted-token-issuer | organizations:DescribeOrganization,sso:DescribeTrustedTokenIssuer,sso:ListInstances,sso:ListTrustedTokenIssuers | | aws:storagegateway:cache-report | storagegateway:ListCacheReports | | aws:storagegateway:device | storagegateway:DescribeGatewayInformation,storagegateway:DescribeVTLDevices,storagegateway:ListGateways | | aws:storagegateway:fs-association | storagegateway:DescribeFileSystemAssociations,storagegateway:ListFileSystemAssociations | | aws:storagegateway:gateway | storagegateway:DescribeGatewayInformation,storagegateway:ListGateways | | aws:storagegateway:nfs-fileshare | storagegateway:DescribeNFSFileShares,storagegateway:ListFileShares | | aws:storagegateway:smb-fileshare | storagegateway:DescribeSMBFileShares,storagegateway:ListFileShares | | aws:storagegateway:tape | storagegateway:DescribeGatewayInformation,storagegateway:DescribeTapes,storagegateway:ListGateways | | aws:storagegateway:tapepool | storagegateway:ListTapePools | | aws:storagegateway:volume | storagegateway:ListVolumes | | aws:synthetics:canary | synthetics:DescribeCanaries | | aws:synthetics:group | synthetics:GetGroup,synthetics:ListGroups | | aws:textract:adapter | textract:GetAdapter,textract:ListAdapters | | aws:textract:adapter-version | textract:GetAdapterVersion,textract:ListAdapterVersions,textract:ListAdapters | | aws:timestream:scheduled-query | timestream:ListScheduledQueries | | aws:timestreamwrite:table | timestream:ListTables | | aws:transcribe:call-analytics-category | transcribe:ListCallAnalyticsCategories | | aws:transcribe:call-analytics-job | transcribe:GetCallAnalyticsJob,transcribe:ListCallAnalyticsJobs | | aws:transcribe:language-model | transcribe:ListLanguageModels | | aws:transcribe:medical-scribe-job | transcribe:GetMedicalScribeJob,transcribe:ListMedicalScribeJobs | | aws:transcribe:medical-transcription-job | transcribe:GetMedicalTranscriptionJob,transcribe:ListMedicalTranscriptionJobs | | aws:transcribe:medical-vocabulary | transcribe:GetMedicalVocabulary,transcribe:ListMedicalVocabularies | | aws:transcribe:transcription-job | transcribe:GetTranscriptionJob,transcribe:ListTranscriptionJobs | | aws:transcribe:vocabulary | transcribe:GetVocabulary,transcribe:ListVocabularies | | aws:transcribe:vocabulary-filter | transcribe:GetVocabularyFilter,transcribe:ListVocabularyFilters | | aws:transfer:agreement | transfer:DescribeAgreement,transfer:DescribeServer,transfer:ListAgreements,transfer:ListServers | | aws:transfer:certificate | transfer:DescribeCertificate,transfer:ListCertificates | | aws:transfer:connector | transfer:DescribeConnector,transfer:ListConnectors | | aws:transfer:host-key | transfer:DescribeHostKey,transfer:DescribeServer,transfer:ListHostKeys,transfer:ListServers | | aws:transfer:profile | transfer:DescribeProfile,transfer:ListProfiles | | aws:transfer:server | transfer:DescribeServer,transfer:ListServers | | aws:transfer:user | transfer:DescribeServer,transfer:DescribeUser,transfer:ListServers,transfer:ListUsers | | aws:transfer:webapp | transfer:DescribeWebApp,transfer:ListWebApps | | aws:transfer:workflow | transfer:DescribeWorkflow,transfer:ListWorkflows | | aws:translate:parallel-data | translate:GetParallelData,translate:ListParallelData | | aws:translate:terminology | translate:GetTerminology,translate:ListTerminologies | | aws:verifiedpermissions:identity-source | verifiedpermissions:GetPolicyStore,verifiedpermissions:ListIdentitySources,verifiedpermissions:ListPolicyStores | | aws:verifiedpermissions:policy | verifiedpermissions:GetPolicyStore,verifiedpermissions:ListPolicies,verifiedpermissions:ListPolicyStores | | aws:verifiedpermissions:policy-store | verifiedpermissions:GetPolicyStore,verifiedpermissions:ListPolicyStores | | aws:verifiedpermissions:policy-template | verifiedpermissions:GetPolicyStore,verifiedpermissions:ListPolicyStores,verifiedpermissions:ListPolicyTemplates | | aws:vpc-lattice:access-log-subscription | vpc-lattice:GetService,vpc-lattice:GetServiceNetwork,vpc-lattice:ListAccessLogSubscriptions,vpc-lattice:ListServiceNetworks,vpc-lattice:ListServices | | aws:vpc-lattice:listener | vpc-lattice:GetListener,vpc-lattice:GetService,vpc-lattice:ListListeners,vpc-lattice:ListServices | | aws:vpc-lattice:resource-configuration | vpc-lattice:GetResourceConfiguration,vpc-lattice:ListResourceConfigurations | | aws:vpc-lattice:resource-endpoint-association | vpc-lattice:GetResourceConfiguration,vpc-lattice:ListResourceConfigurations,vpc-lattice:ListResourceEndpointAssociations | | aws:vpc-lattice:resource-gateway | vpc-lattice:GetResourceGateway,vpc-lattice:ListResourceGateways | | aws:vpc-lattice:rule | vpc-lattice:GetListener,vpc-lattice:GetRule,vpc-lattice:GetService,vpc-lattice:ListListeners,vpc-lattice:ListRules,vpc-lattice:ListServices | | aws:vpc-lattice:service | vpc-lattice:GetService,vpc-lattice:ListServices | | aws:vpc-lattice:service-network | vpc-lattice:GetServiceNetwork,vpc-lattice:ListServiceNetworks | | aws:vpc-lattice:service-network-resource-association | vpc-lattice:ListServiceNetworkResourceAssociations | | aws:vpc-lattice:service-network-service-association | vpc-lattice:GetServiceNetwork,vpc-lattice:ListServiceNetworkServiceAssociations,vpc-lattice:ListServiceNetworks | | aws:vpc-lattice:service-network-vpc-association | vpc-lattice:GetServiceNetwork,vpc-lattice:ListServiceNetworkVpcAssociations,vpc-lattice:ListServiceNetworks | | aws:vpc-lattice:target-group | vpc-lattice:GetTargetGroup,vpc-lattice:ListTargetGroups | | aws:waf:acl | waf:GetWebACL,waf:ListWebACLs | | aws:waf:rule | waf:GetRule,waf:ListRules | | aws:waf:rulegroup | waf:GetRuleGroup,waf:ListRuleGroups | | aws:wafregional:acl | waf-regional:GetWebACL,waf-regional:ListWebACLs | | aws:wafregional:rule | waf-regional:GetRule,waf-regional:ListRules | | aws:wafregional:rulegroup | waf-regional:GetRuleGroup,waf-regional:ListRuleGroups | | aws:wafv2:acl | wafv2:GetLoggingConfiguration,wafv2:GetWebACL,wafv2:ListResourcesForWebACL,wafv2:ListWebACLs | | aws:wafv2:ipset | wafv2:GetIPSet,wafv2:ListIPSets | | aws:wafv2:regexpatternset | wafv2:GetRegexPatternSet,wafv2:ListRegexPatternSets | | aws:wafv2:rulegroup | wafv2:GetRuleGroup,wafv2:ListRuleGroups | | aws:workmail:organization | workmail:DescribeOrganization,workmail:ListOrganizations | | aws:workspaces-web:browser-settings | workspaces-web:GetBrowserSettings,workspaces-web:ListBrowserSettings | | aws:workspaces-web:data-protection-settings | workspaces-web:GetDataProtectionSettings,workspaces-web:ListDataProtectionSettings | | aws:workspaces-web:identity-provider | workspaces-web:GetIdentityProvider,workspaces-web:ListIdentityProviders,workspaces-web:ListPortals | | aws:workspaces-web:ip-access-settings | workspaces-web:GetIpAccessSettings,workspaces-web:ListIpAccessSettings | | aws:workspaces-web:network-settings | workspaces-web:GetNetworkSettings,workspaces-web:ListNetworkSettings | | aws:workspaces-web:portal | workspaces-web:ListPortals | | aws:workspaces-web:trust-store | workspaces-web:GetTrustStore,workspaces-web:ListTrustStores | | aws:workspaces-web:user-access-logging-settings | workspaces-web:GetUserAccessLoggingSettings,workspaces-web:ListUserAccessLoggingSettings | | aws:workspaces-web:user-settings | workspaces-web:GetUserSettings,workspaces-web:ListUserSettings | | aws:workspaces:amazon-bundle | workspaces:DescribeWorkspaceBundles | | aws:workspaces:application | workspaces:DescribeApplications | | aws:workspaces:bundle | workspaces:DescribeWorkspaceBundles | | aws:workspaces:connection-alias | workspaces:DescribeConnectionAliases | | aws:workspaces:directory | workspaces:DescribeWorkspaceDirectories | | aws:workspaces:image | workspaces:DescribeWorkspaceImages | | aws:workspaces:ip-group | workspaces:DescribeIpGroups | | aws:workspaces:pool | workspaces:DescribeWorkspacesPools | | aws:workspaces:workspace | workspaces:DescribeWorkspaces | | aws:xray:group | xray:GetGroups | | aws:xray:sampling-rule | xray:GetSamplingRules | {% /collapsible-section %} {% collapsible-section #network-performance-monitoring %} #### Cloud Network Monitoring (CNM) | Resource Type | Permissions | | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | aws:ec2:egressonlyinternetgateway | ec2:DescribeEgressOnlyInternetGateways | | aws:ec2:transitgateway | ec2:DescribeTransitGateways | | aws:ec2:vpcendpointconnectionnotification | ec2:DescribeVpcEndpointConnectionNotifications | | aws:ec2:vpcinternetgateway | ec2:DescribeInternetGateways | | aws:ec2:vpcnatgateway | ec2:DescribeNatGateways | | aws:ec2:vpcpeeringconnection | ec2:DescribeVpcPeeringConnections | | aws:ec2:vpngateway | ec2:DescribeVpnGateways | | aws:network-firewall:firewall | network-firewall:DescribeFirewall,network-firewall:DescribeFirewallPolicy,network-firewall:DescribeLoggingConfiguration,network-firewall:ListFirewalls | {% /collapsible-section %} {% collapsible-section #resource-catalog %} #### Resource Catalog | Resource Type | Permissions | | ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | aws:acm:acm | acm:DescribeCertificate,acm:ListCertificates | | aws:applicationautoscaling:scalingpolicy | applicationautoscaling:DescribeScalingPolicies | | aws:autoscaling:group | autoscaling:DescribeAutoScalingGroups | | aws:cloudformation:stack | cloudformation:DescribeStacks,cloudformation:ListStacks | | aws:cloudfront:distribution | cloudfront:GetDistribution,cloudfront:ListDistributions | | aws:cloudfront:function | cloudfront:ListFunctions | | aws:cloudtrail:trail | cloudtrail:DescribeTrails,cloudtrail:GetEventSelectors,cloudtrail:GetTrailStatus | | aws:cloudwatchlogs:log-group | logs:DescribeLogGroups,logs:DescribeSubscriptionFilters | | aws:docdb:cluster | rds:DescribeDBClusters | | aws:dynamodb:table | dynamodb:DescribeContinuousBackups,dynamodb:DescribeTable,dynamodb:DescribeTimeToLive,dynamodb:ListTables | | aws:ec2:image | ec2:DescribeImageAttribute,ec2:DescribeImages | | aws:ec2:instance | ec2:DescribeInstances | | aws:ec2:networkacl | ec2:DescribeNetworkAcls | | aws:ec2:networkinterface | ec2:DescribeNetworkInterfaces | | aws:ec2:securitygroup | ec2:DescribeSecurityGroups | | aws:ec2:snapshot | ec2:DescribeSnapshotAttribute,ec2:DescribeSnapshots | | aws:ec2:volume | ec2:DescribeVolumes | | aws:ec2:vpc | ec2:DescribeVpcs | | aws:ec2:vpcendpoint | ec2:DescribeVpcEndpoints | | aws:ec2:vpcendpoint-service | ec2:DescribeVpcEndpointServices | | aws:ec2:vpcnatgateway | ec2:DescribeNatGateways | | aws:ec2:vpcpeeringconnection | ec2:DescribeVpcPeeringConnections | | aws:ecr:repository | ecr:DescribeRepositories,ecr:GetLifecyclePolicy,ecr:GetRepositoryPolicy | | aws:ecrpublic:repository | ecr-public:DescribeImages,ecr-public:DescribeRepositories,ecr-public:GetRepositoryPolicy | | aws:ecs:cluster | ecs:DescribeClusters,ecs:ListClusters | | aws:ecs:service | ecs:DescribeServices,ecs:ListClusters,ecs:ListServices | | aws:ecs:task | ecs:DescribeServices,ecs:DescribeTasks,ecs:ListClusters,ecs:ListServices,ecs:ListTasks | | aws:ecs:task-definition | ecs:DescribeServices,ecs:DescribeTaskDefinition,ecs:DescribeTasks,ecs:ListClusters,ecs:ListServices,ecs:ListTasks | | aws:efs:accesspoint | elasticfilesystem:DescribeAccessPoints | | aws:efs:filesystem | elasticfilesystem:DescribeFileSystems,elasticfilesystem:DescribeLifecycleConfiguration | | aws:eks:cluster | eks:DescribeCluster,eks:ListClusters | | aws:elasticache:cluster | elasticache:DescribeCacheClusters | | aws:elasticloadbalancing:loadbalancer | elasticloadbalancing:DescribeInstanceHealth,elasticloadbalancing:DescribeLoadBalancerAttributes,elasticloadbalancing:DescribeLoadBalancerPolicies,elasticloadbalancing:DescribeLoadBalancers | | aws:elasticloadbalancingv2:loadbalancer | elasticloadbalancing:DescribeListeners,elasticloadbalancing:DescribeLoadBalancerAttributes,elasticloadbalancing:DescribeLoadBalancers | | aws:elasticsearchservice:domain | es:DescribeElasticsearchDomains,es:ListDomainNames | | aws:emr:cluster | elasticmapreduce:DescribeCluster,elasticmapreduce:GetAutoTerminationPolicy,elasticmapreduce:GetManagedScalingPolicy,elasticmapreduce:ListClusters | | aws:eventbridge:eventbus | events:ListEventBuses,events:ListRules | | aws:iam:account | iam:GetAccountPasswordPolicy,iam:GetAccountSummary,organizations:DescribeOrganization | | aws:iam:policy | iam:GetPolicy,iam:GetPolicyVersion,iam:ListPolicies | | aws:iam:role | iam:GetAccountAuthorizationDetails,iam:GetRole,iam:ListAttachedRolePolicies | | aws:iam:server-certificate | iam:ListServerCertificates | | aws:iam:user | iam:GetLoginProfile,iam:GetUser,iam:ListAttachedUserPolicies,iam:ListGroupsForUser,iam:ListMFADevices,iam:ListSSHPublicKeys,iam:ListUsers,iam:ListVirtualMFADevices | | aws:kms:key | kms:DescribeKey,kms:GetKeyRotationStatus,kms:ListKeys | | aws:lambda:function | lambda:GetFunction,lambda:GetPolicy,lambda:ListFunctionUrlConfigs,lambda:ListFunctions,lambda:ListProvisionedConcurrencyConfigs | | aws:mq:broker | mq:DescribeBroker,mq:ListBrokers | | aws:pipes:pipe | pipes:ListPipes | | aws:rds:cluster | rds:DescribeDBClusters | | aws:rds:instance | rds:DescribeDBInstances | | aws:rds:snapshot | rds:DescribeDBSnapshotAttributes,rds:DescribeDBSnapshots | | aws:redshift:cluster | redshift:DescribeClusterParameters,redshift:DescribeClusters,redshift:DescribeEndpointAccess,redshift:DescribeLoggingStatus | | aws:s3:bucket | s3:GetAccelerateConfiguration,s3:GetAnalyticsConfiguration,s3:GetBucketAbac,s3:GetBucketAcl,s3:GetBucketLogging,s3:GetBucketMetadataConfiguration,s3:GetBucketNotification,s3:GetBucketObjectLockConfiguration,s3:GetBucketOwnershipControls,s3:GetBucketPolicy,s3:GetBucketPolicyStatus,s3:GetBucketPublicAccessBlock,s3:GetBucketVersioning,s3:GetBucketWebsite,s3:GetEncryptionConfiguration,s3:GetIntelligentTieringConfiguration,s3:GetInventoryConfiguration,s3:GetLifecycleConfiguration,s3:GetReplicationConfiguration,s3:ListAllMyBuckets | | aws:s3control:accountpublicaccessblock | s3:GetBucketPublicAccessBlock | | aws:secretsmanager:secret | secretsmanager:DescribeSecret,secretsmanager:GetResourcePolicy,secretsmanager:ListSecrets | | aws:sfn:statemachine | states:DescribeStateMachine,states:ListStateMachines | | aws:sns:topic | sns:GetTopicAttributes,sns:ListTopics | | aws:sqs:queue | sqs:GetQueueAttributes,sqs:GetQueueUrl,sqs:ListQueues | {% /collapsible-section %} {% collapsible-section #storage-management %} #### Storage Management Storage Management needs the following permissions to enable S3 Inventory on source buckets and read the generated reports from destination buckets: | Resource Type | Permissions | | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | aws:s3:bucket | s3:GetAccelerateConfiguration,s3:GetAnalyticsConfiguration,s3:GetBucket*,s3:GetEncryptionConfiguration,s3:GetInventoryConfiguration,s3:GetLifecycleConfiguration,s3:GetMetricsConfiguration,s3:GetObject, // **Note**: This can be scoped to the destination buckets and prefixess3:GetReplicationConfiguration,s3:ListAllMyBuckets,s3:ListBucket, // **Note**: This can be scoped to the destination buckets and prefixess3:PutBucketNotification | {% /collapsible-section %} #### Upcoming releases{% #upcoming-releases %} The permissions listed here reflect resources planned to be added within the next 30 days. Include these permissions in your **existing** AWS integration IAM policy (with attached `SecurityAudit` policy) to get the full benefits of Datadog's resource coverage and tracking. {% collapsible-section #upcoming-permissions %} #### Permissions for upcoming releases ```json [ "There are no future permissions currently" ] ``` {% /collapsible-section %} ### Cloud Security{% #cloud-security %} #### Setup{% #setup-1 %} If you do not have the AWS integration set up for your AWS account, complete the [set up process](https://docs.datadoghq.com/integrations/amazon_web_services.md?tab=roledelegation#setup) above. Ensure that you enable Cloud Security when mentioned. **Note:** The AWS integration must be set up with **Role delegation** to use this feature. To add Cloud Security to an existing AWS integration, follow the steps below to enable resource collection. 1. Provide the necessary permissions to the Datadog IAM role by attaching the AWS managed `SecurityAudit` policy to your Datadog AWS IAM role. You can find this policy in the [AWS console](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/SecurityAudit). 1. Complete the setup in the [Datadog AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services) with the steps below. Alternatively, you can use the [Update an AWS Integration](https://docs.datadoghq.com/integrations/guide/aws-manual-setup.md) API endpoint. 1. Select the AWS account where you wish to enable resource collection. 1. On the **Resource collection** tab, click **Enable** next to Cloud Security. You are redirected to the Cloud Security Setup page, and a setup dialog automatically opens for the selected account. 1. On the setup dialog, switch the **Enable Resource Scanning** toggle to the on position. 1. Click **Done** to complete the setup. ## Alarm collection{% #alarm-collection %} There are two ways to send AWS CloudWatch alarms to the Datadog Events Explorer: - Alarm polling: Alarm polling comes out of the box with the AWS integration and fetches metric alarms through the [DescribeAlarmHistory](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DescribeAlarmHistory.html#API_DescribeAlarmHistory_RequestParameters) API. If you follow this method, your alarms are categorized under the event source `Amazon Web Services`. **Note**: The crawler does not collect composite alarms. - SNS topic: You can see all AWS CloudWatch alarms in your Events Explorer by subscribing the alarms to an SNS topic, then forwarding the SNS messages to Datadog. To learn how to receive SNS messages as events in Datadog, see [Receive SNS messages](https://docs.datadoghq.com/integrations/amazon_sns.md#receive-sns-messages). If you follow this method, your alarms are categorized under the event source `Amazon SNS`. To page a specific Datadog On-Call team when an alarm fires, append the `oncall_team` query parameter to the SNS webhook URL. See [Page a Datadog On-Call team from SNS](https://docs.datadoghq.com/integrations/amazon_sns.md#page-a-datadog-on-call-team-from-sns) for setup instructions. ## Data Collected{% #data-collected %} ### Metrics{% #metrics %} | | | | | **aws.logs.delivery\_errors**(count) | The number of log events for which CloudWatch Logs received an error when forwarding data to the subscription destination.*Shown as event* | | **aws.logs.delivery\_throttling**(count) | The number of log events for which CloudWatch Logs was throttled when forwarding data to the subscription destination.*Shown as event* | | **aws.logs.forwarded\_bytes**(gauge) | The volume of log events in compressed bytes forwarded to the subscription destination.*Shown as byte* | | **aws.logs.forwarded\_log\_events**(count) | The number of log events forwarded to the subscription destination.*Shown as event* | | **aws.logs.incoming\_bytes**(gauge) | The volume of log events in uncompressed bytes uploaded to Cloudwatch Logs.*Shown as byte* | | **aws.logs.incoming\_log\_events**(count) | The number of log events uploaded to Cloudwatch Logs.*Shown as event* | | **aws.usage.call\_count**(count) | The number of specified operations performed in your account*Shown as operation* | | **aws.usage.resource\_count**(count) | The number of specified resources in your account*Shown as resource* | **Note**: You can enable the collection of AWS custom metrics, as well as metrics from services that Datadog doesn't have an integration for. See the [AWS Integration and CloudWatch FAQ](https://docs.datadoghq.com/integrations/guide/aws-integration-and-cloudwatch-faq.md#can-i-collect-aws-custom-metrics-through-the-integration) for more information. ### Events{% #events %} Events from AWS are collected on a per AWS-service basis. See [your AWS service's documentation](https://docs.datadoghq.com/integrations.md#cat-aws) to learn more about collected events. ### Tags{% #tags %} The following tags are collected with the AWS integration. **Note**: Some tags only display on specific metrics. | Integration | Datadog Tag Keys | | -------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | All | `region` | | [API Gateway](https://docs.datadoghq.com/integrations/amazon_api_gateway.md) | `apiid`, `apiname`, `method`, `resource`, `stage` | | [App Runner](https://docs.datadoghq.com/integrations/amazon_app_runner.md) | `instance`, `serviceid`, `servicename` | | [Auto Scaling](https://docs.datadoghq.com/integrations/amazon_auto_scaling.md) | `autoscalinggroupname`, `autoscaling_group` | | [Billing](https://docs.datadoghq.com/integrations/amazon_billing.md) | `account_id`, `budget_name`, `budget_type`, `currency`, `servicename`, `time_unit` | | [CloudFront](https://docs.datadoghq.com/integrations/amazon_cloudfront.md) | `distributionid` | | [CodeBuild](https://docs.datadoghq.com/integrations/amazon_codebuild.md) | `project_name` | | [CodeDeploy](https://docs.datadoghq.com/integrations/amazon_codedeploy.md) | `application`, `creator`, `deployment_config`, `deployment_group`, `deployment_option`, `deployment_type`, `status` | | [DirectConnect](https://docs.datadoghq.com/integrations/amazon_directconnect.md) | `connectionid` | | [DynamoDB](https://docs.datadoghq.com/integrations/amazon_dynamodb.md) | `globalsecondaryindexname`, `operation`, `streamlabel`, `tablename` | | [EBS](https://docs.datadoghq.com/integrations/amazon_ebs.md) | `volumeid`, `volume-name`, `volume-type` | | [EC2](https://docs.datadoghq.com/integrations/amazon_ec2.md) | `autoscaling_group`, `availability-zone`, `image`, `instance-id`, `instance-type`, `kernel`, `name`, `security_group_name` | | [ECS](https://docs.datadoghq.com/integrations/amazon_ecs.md) | `clustername`, `servicename`, `instance_id` | | [EFS](https://docs.datadoghq.com/integrations/amazon_efs.md) | `filesystemid` | | [ElastiCache](https://docs.datadoghq.com/integrations/amazon_elasticache.md) | `cachenodeid`, `cache_node_type`, `cacheclusterid`, `cluster_name`, `engine`, `engine_version`, `preferred_availability-zone`, `replication_group` | | [ElasticBeanstalk](https://docs.datadoghq.com/integrations/amazon_elasticbeanstalk.md) | `environmentname`, `enviromentid` | | [ELB](https://docs.datadoghq.com/integrations/amazon_elb.md) | `availability-zone`, `hostname`, `loadbalancername`, `name`, `targetgroup` | | [EMR](https://docs.datadoghq.com/integrations/amazon_emr.md) | `cluster_name`, `jobflowid` | | [ES](https://docs.datadoghq.com/integrations/amazon_es.md) | `dedicated_master_enabled`, `ebs_enabled`, `elasticsearch_version`, `instance_type`, `zone_awareness_enabled` | | [Firehose](https://docs.datadoghq.com/integrations/amazon_firehose.md) | `deliverystreamname` | | [FSx](https://docs.datadoghq.com/integrations/amazon_fsx.md) | `filesystemid`, `filesystemtype` | | [Health](https://docs.datadoghq.com/integrations/amazon_health.md) | `event_category`, `status`, `service` | | [IoT](https://docs.datadoghq.com/integrations/amazon_iot.md) | `actiontype`, `protocol`, `rulename` | | [Kinesis](https://docs.datadoghq.com/integrations/amazon_kinesis.md) | `streamname`, `name`, `state` | | [KMS](https://docs.datadoghq.com/integrations/amazon_kms.md) | `keyid` | | [Lambda](https://docs.datadoghq.com/integrations/amazon_lambda.md) | `functionname`, `resource`, `executedversion`, `memorysize`, `runtime` | | [Machine Learning](https://docs.datadoghq.com/integrations/amazon_machine_learning.md) | `mlmodelid`, `requestmode` | | [MQ](https://docs.datadoghq.com/integrations/amazon_mq.md) | `broker`, `queue`, `topic` | | [Polly](https://docs.datadoghq.com/integrations/amazon_polly.md) | `operation` | | [RDS](https://docs.datadoghq.com/integrations/amazon_rds.md) | `auto_minor_version_upgrade`, `dbinstanceclass`, `dbclusteridentifier`, `dbinstanceidentifier`, `dbname`, `engine`, `engineversion`, `hostname`, `name`, `publicly_accessible`, `secondary_availability-zone` | | [RDS Proxy](https://docs.datadoghq.com/integrations/amazon_rds_proxy.md) | `proxyname`, `target`, `targetgroup`, `targetrole` | | [Redshift](https://docs.datadoghq.com/integrations/amazon_redshift.md) | `clusteridentifier`, `latency`, `nodeid`, `service_class`, `stage`, `wlmid` | | [Route 53](https://docs.datadoghq.com/integrations/amazon_route53.md) | `healthcheckid` | | [S3](https://docs.datadoghq.com/integrations/amazon_s3.md) | `bucketname`, `filterid`, `storagetype` | | [SES](https://docs.datadoghq.com/integrations/amazon_ses.md) | Tag keys are custom set in AWS. | | [SNS](https://docs.datadoghq.com/integrations/amazon_sns.md) | `topicname` | | [SQS](https://docs.datadoghq.com/integrations/amazon_sqs.md) | `queuename` | | [VPC](https://docs.datadoghq.com/integrations/amazon_vpc.md) | `nategatewayid`, `vpnid`, `tunnelipaddress` | | [WorkSpaces](https://docs.datadoghq.com/integrations/amazon_workspaces.md) | `directoryid`, `workspaceid` | ### Service Checks{% #service-checks %} **aws.status** Returns `CRITICAL` if one or more AWS regions are experiencing issues. Returns `OK` otherwise. *Statuses: ok, critical* ## Troubleshooting{% #troubleshooting %} See the [AWS Integration Troubleshooting guide](https://docs.datadoghq.com/integrations/guide/aws-integration-troubleshooting.md) to resolve issues related to the AWS integration. ## Further Reading{% #further-reading %} - [Monitor AWS control plane API usage metrics in Datadog](https://www.datadoghq.com/blog/monitor-aws-control-plane-api-usage-metrics/) - [Highlights from AWS re:Invent 2024](https://www.datadoghq.com/blog/aws-reinvent-2024-recap/) - [Best practices for creating least-privilege AWS IAM policies](https://www.datadoghq.com/blog/iam-least-privilege/)