Amazon Web Services

Docs > Integrations > Amazon Web Services

Overview

Connect to Amazon Web Services (AWS) to:

See automatic AWS status updates in your Events Explorer
Get CloudWatch metrics for EC2 hosts without installing the Agent
Tag your EC2 hosts with EC2-specific information
See EC2 scheduled maintenance events in your stream
Collect CloudWatch metrics and events from many other AWS products
See CloudWatch alarms in your Events Explorer

To quickly get started using the AWS integration, check out the AWS getting started guide.

Datadog’s Amazon Web Services integration collects logs, events, and most metrics from CloudWatch for over 90 AWS services.

Setup

Use one of the following methods to integrate your AWS accounts into Datadog for metric, event, tag, and log collection.

Automatic

CloudFormation (Best for quickly getting started) To set up the AWS integration with CloudFormation, see the the AWS getting started guide.
Terraform To set up the AWS integration with Terraform, see the AWS integration with Terraform.
Control Tower To set up the AWS integration when provisioning a new AWS account with Control Tower Account Factory, see the Control Tower setup guide.
Multi-Account setup for AWS Organizations To set up the AWS Integration for multiple accounts within an AWS Organization, see the AWS Organizations setup guide.

Manual

Role delegation To set up the AWS integration manually with role delegation, see the manual setup guide.
Access keys (GovCloud or China* Only) To set up the AWS integration with access keys, see the manual setup guide.
* All use of Datadog Services in (or in connection with environments within) mainland China is subject to the disclaimer published in the Restricted Service Locations section on our website.

Note: After setup is complete, you can configure integration settings (such as which AWS regions and integrations to collect data from) in the Datadog AWS integration page.

AWS IAM permissions

AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events and other data necessary to monitor your AWS environment. To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Datadog AWS Integration IAM Role in your AWS account.

AWS integration IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:GetAccountInformation",
        "airflow:GetEnvironment",
        "airflow:ListEnvironments",
        "apigateway:GET",
        "appsync:ListGraphqlApis",
        "autoscaling:Describe*",
        "backup:List*",
        "batch:DescribeJobDefinitions",
        "batch:DescribeJobQueues",
        "batch:DescribeJobs",
        "batch:ListJobs",
        "bcm-data-exports:GetExport",
        "bcm-data-exports:ListExports",
        "budgets:ViewBudget",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codebuild:BatchGetProjects",
        "codebuild:ListProjects",
        "codedeploy:BatchGet*",
        "codedeploy:List*",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dms:DescribeReplicationInstances",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
        "es:ListTags",
        "events:CreateEventBus",
        "fsx:DescribeFileSystems",
        "fsx:ListTagsForResource",
        "health:DescribeAffectedEntities",
        "health:DescribeEventDetails",
        "health:DescribeEvents",
        "iam:ListAccountAliases",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "logs:DeleteSubscriptionFilter",
        "logs:DescribeDeliveries",
        "logs:DescribeDeliverySources",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeSubscriptionFilters",
        "logs:FilterLogEvents",
        "logs:GetDeliveryDestination",
        "logs:PutSubscriptionFilter",
        "logs:TestMetricFilter",
        "network-firewall:DescribeLoggingConfiguration",
        "network-firewall:ListFirewalls",
        "oam:ListAttachedLinks",
        "oam:ListSinks",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:List*",
        "redshift-serverless:ListNamespaces",
        "redshift:DescribeClusters",
        "redshift:DescribeLoggingStatus",
        "route53:List*",
        "route53resolver:ListResolverQueryLogConfigs",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets",
        "s3:PutBucketNotification",
        "ses:Get*",
        "ses:List*",
        "sns:GetSubscriptionAttributes",
        "sns:List*",
        "sns:Publish",
        "sqs:ListQueues",
        "ssm:GetServiceSetting",
        "ssm:ListCommands",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "support:DescribeTrustedAdvisor*",
        "support:RefreshTrustedAdvisorCheck",
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "timestream:DescribeEndpoints",
        "wafv2:ListLoggingConfigurations",
        "xray:BatchGetTraces",
        "xray:GetTraceSummaries"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

AWS resource collection IAM policy

To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.

Notes:

Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
To enable Datadog to collect account management resources from account.GetAlternateContact and account.GetContactInformation, you need to enable trusted access for AWS account management.
AWS Govcloud and AWS China accounts are not currently supported.
Enabling resource collection can also impact your AWS CloudWatch costs. To avoid these charges, disable Usage (AWS/Usage) metrics in the Metric Collection tab of the Datadog AWS integration page.

Log collection

There are two ways of sending AWS service logs to Datadog:

Amazon Data Firehose destination: Use the Datadog destination in your Amazon Data Firehose delivery stream to forward logs to Datadog. It is recommended to use this approach when sending logs from CloudWatch in a very high volume.
Forwarder Lambda function: Deploy the Datadog Forwarder Lambda function, which subscribes to S3 buckets or your CloudWatch log groups and forwards logs to Datadog. Datadog also recommends you use this approach for sending logs from S3 or other resources that cannot directly stream data to Amazon Data Firehose.

Metric collection

There are two ways to send AWS metrics to Datadog:

Metric polling: API polling comes out of the box with the AWS integration. A metric-by-metric crawl of the CloudWatch API pulls data and sends it to Datadog. New metrics are pulled every ten minutes, on average.
Metric streams with Amazon Data Firehose: You can use Amazon CloudWatch Metric Streams and Amazon Data Firehose to see your metrics. Note: This method has a two to three minute latency, and requires a separate setup.

You can find a full list of the available sub-integrations on the Integrations page. Many of these integrations are installed by default when Datadog recognizes data coming in from your AWS account. See the AWS Integration Billing page for options to exclude specific resources for cost control.

Resource collection

Some Datadog products leverage information about how your AWS resources (such as S3 buckets, RDS snapshots, and CloudFront distributions) are configured. Datadog collects this information by making read-only API calls to your AWS account.

Note: If you use AWS CloudTrail or GuardDuty, there may be some associated costs. Datadog’s resource collection makes periodic calls to AWS APIs, which can increase CloudTrail log volume (affecting S3 storage costs) and may result in higher GuardDuty charges due to additional data being analyzed.

AWS resource collection IAM policy

To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.

Notes:

Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
To enable Datadog to collect account management resources from account.GetAlternateContact and account.GetContactInformation, you need to enable trusted access for AWS account management.
AWS Govcloud and AWS China accounts are not currently supported.
Enabling resource collection can also impact your AWS CloudWatch costs. To avoid these charges, disable Usage (AWS/Usage) metrics in the Metric Collection tab of the Datadog AWS integration page.

Resource types and permissions

The following sections list the resource types collected for different Datadog products, and the associated permissions required for the Datadog IAM role to collect data on your behalf. Add these permissions to your existing AWS integration IAM policy (with attached SecurityAudit policy).

Cloud Cost Management (CCM)

Resource Type	Permissions
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:availabilityzone	ec2:DescribeAvailabilityZones
aws:ec2:instance	ec2:DescribeInstances

Cloudcraft

Resource Type	Permissions
aws:apigateway:api	apigateway:GET
aws:apigatewayv2:api	apigateway:GetApis, apigateway:GetRoutes
aws:autoscaling:group	autoscaling:DescribeAutoScalingGroups
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:directconnect:connection	directconnect:DescribeConnections
aws:docdb:cluster	rds:DescribeDBClusters
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:ec2:ebs-encryption-by-default	ec2:GetEbsEncryptionByDefault
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:availabilityzone	ec2:DescribeAvailabilityZones
aws:ec2:customergateway	ec2:DescribeCustomerGateways
aws:ec2:vpnconnection	ec2:DescribeVpnConnections
aws:ec2:vpngateway	ec2:DescribeVpnGateways
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ecr:repository	ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy
aws:ecrpublic:repository	ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:ecs:service	ecs:DescribeServices, ecs:ListClusters, ecs:ListServices
aws:efs:accesspoint	elasticfilesystem:DescribeAccessPoints
aws:efs:filesystem	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration
aws:efs:mounttarget	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargetSecurityGroups, elasticfilesystem:DescribeMountTargets
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:eks:nodegroup	eks:DescribeCluster, eks:DescribeNodeGroup, eks:ListClusters, eks:ListNodeGroups
aws:elasticache:cachesubnetgroup	elasticache:DescribeCacheSubnetGroups
aws:elasticache:parametergroup	elasticache:DescribeCacheParameterGroups
aws:elasticache:replicationgroup	elasticache:DescribeReplicationGroups
aws:elasticache:securitygroup	elasticache:DescribeCacheSecurityGroups
aws:elasticache:snapshot	elasticache:DescribeSnapshots
aws:elasticache:user	elasticache:DescribeUsers
aws:elasticache:usergroup	elasticache:DescribeUserGroups
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:eventbridge:eventbus	events:ListEventBuses, events:ListRules
aws:fsx:backup	fsx:DescribeBackups
aws:fsx:file-system	fsx:DescribeFileSystems
aws:glacier:vault	glacier:GetVaultNotifications, glacier:ListVaults
aws:keyspaces:keyspace	cassandra:Select
aws:kinesis:stream	kinesis:DescribeStreamSummary, kinesis:ListStreams
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:neptune:cluster	rds:DescribeDBClusters
aws:neptune:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:neptune:dbinstance	rds:DescribeDBInstances
aws:rds:cluster	rds:DescribeDBClusters
aws:rds:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:rds:dbclusterparametergroup	rds:DescribeDBClusterParameterGroups
aws:rds:dbinstanceautomatedbackup	rds:DescribeDBInstanceAutomatedBackups
aws:rds:dbparametergroup	rds:DescribeDBParameterGroups
aws:rds:dbsubnetgroup	rds:DescribeDBSubnetGroups
aws:rds:eventsubscription	rds:DescribeEventSubscriptions
aws:rds:exporttask	rds:DescribeExportTasks
aws:rds:instance	rds:DescribeDBInstances
aws:rds:optiongroup	rds:DescribeOptionGroups
aws:rds:securitygroup	rds:DescribeDBSecurityGroups
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:rds:reserveddbinstance	rds:DescribeReservedDBInstances
aws:redshift:eventsubscription	redshift:DescribeEventSubscriptions
aws:redshift:parametergroup	redshift:DescribeClusterParameterGroups
aws:redshift:securitygroup	redshift:DescribeClusterSecurityGroups
aws:redshift:snapshot	redshift:DescribeClusterSnapshots, redshift:DescribeClusters
aws:redshift:subnetgroup	redshift:DescribeClusterSubnetGroups, redshift:DescribeClusters
aws:route53:hostedzone	route53:GetDNSSEC, route53:GetHostedZone, route53:ListHostedZones
aws:s3:bucket	s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets
aws:sns:subscription	sns:ListSubscriptions
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues
aws:ec2:subnet	ec2:DescribeSubnets
aws:timestreamwrite:table	timestream:ListTables
aws:ec2:transitgateway	ec2:DescribeTransitGateways
aws:waf:acl	waf:GetWebACL, waf:ListWebACLs
aws:waf:rule	waf:GetRule, waf:ListRules
aws:waf:rulegroup	waf:GetRuleGroup, waf:ListRuleGroups
aws:wafregional:acl	waf-regional:GetWebACL, waf-regional:ListWebACLs
aws:wafregional:rule	waf-regional:GetRule, waf-regional:ListRules
aws:wafregional:rulegroup	waf-regional:GetRuleGroup, waf-regional:ListRuleGroups
aws:wafv2:acl	wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListWebACLs

Cloud Security Monitoring (CSM)

Resource Type	Permissions
aws:accessanalyzer:analyzer	access-analyzer:GetAnalyzer, access-analyzer:ListAnalyzers
aws:account:account	organizations:DescribeOrganization, account:GetAlternateContact, account:GetContactInformation, account:GetPrimaryEmail, organizations:ListAccounts
aws:acm:acm	acm:DescribeCertificate, acm:ListCertificates
aws:acmpca:certificateauthority	acm-pca:DescribeCertificateAuthority, acm-pca:ListCertificateAuthorities
aws:amp:rulegroupsnamespace	aps:DescribeRuleGroupsNamespace, aps:DescribeWorkspace, aps:ListRuleGroupsNamespaces, aps:ListWorkspaces
aws:amp:scraper	aps:DescribeScraper, aps:ListScrapers
aws:amp:workspace	aps:DescribeWorkspace, aps:ListWorkspaces
aws:amplify:app	amplify:ListApps
aws:amplify:backend-environment	amplify:ListApps, amplify:ListBackendEnvironments
aws:amplify:branch	amplify:ListApps, amplify:ListBranches
aws:amplify:domain-association	amplify:ListApps, amplify:ListDomainAssociations
aws:amplify:job	amplify:ListApps, amplify:ListBranches, amplify:ListJobs
aws:amplify:webhook	amplify:ListApps, amplify:ListWebhooks
aws:apigateway:account	apigateway:GetAccount
aws:apigateway:api	apigateway:GET
aws:apigateway:apikey	apigateway:GetApiKeys
aws:apigateway:authorizer	apigateway:GetAuthorizers, apigateway:GET
aws:apigateway:basepathmapping	apigateway:GetBasePathMappings, apigateway:GetDomainNames
aws:apigateway:clientcertificate	apigateway:GetClientCertificates
aws:apigateway:deployment	apigateway:GetDeployments, apigateway:GET
aws:apigateway:documentationpart	apigateway:GetDocumentationParts, apigateway:GET
aws:apigateway:domainname	apigateway:GetDomainNames
aws:apigateway:domainnameaccessassociation	apigateway:GetDomainNameAccessAssociations
aws:apigateway:gatewayresponse	apigateway:GetGatewayResponses, apigateway:GET
aws:apigateway:integration	apigateway:GetMethod, apigateway:GetResources, apigateway:GET
aws:apigateway:model	apigateway:GetModels, apigateway:GET
aws:apigateway:requestvalidator	apigateway:GetRequestValidators, apigateway:GET
aws:apigateway:resource	apigateway:GetResources, apigateway:GET
aws:apigateway:stage	apigateway:GET, apigateway:GET
aws:apigateway:usageplan	apigateway:GetApiKeys, apigateway:GetUsagePlans
aws:apigateway:usageplankey	apigateway:GetApiKeys, apigateway:GetUsagePlanKeys, apigateway:GetUsagePlans
aws:apigateway:vpclink	apigateway:GetVpcLinks
aws:apigatewayv2:api	apigateway:GetApis, apigateway:GetRoutes
aws:apigatewayv2:apimapping	apigateway:GetApiMappings, apigateway:GetDomainNames
aws:apigatewayv2:authorizer	apigateway:GetApis, apigateway:GetAuthorizers
aws:apigatewayv2:deployment	apigateway:GetApis, apigateway:GetDeployments
aws:apigatewayv2:domainname	apigateway:GetDomainNames
aws:apigatewayv2:integration	apigateway:GetApis, apigateway:GetIntegrations
aws:apigatewayv2:integrationresponse	apigateway:GetApis, apigateway:GetIntegrationResponses, apigateway:GetIntegrations
aws:apigatewayv2:model	apigateway:GetApis, apigateway:GetModels
aws:apigatewayv2:route	apigateway:GetApis, apigateway:GetRoutes
aws:apigatewayv2:routeresponse	apigateway:GetApis, apigateway:GetRouteResponses, apigateway:GetRoutes
aws:apigatewayv2:stage	apigateway:GetApis, apigateway:GetStages
aws:apigatewayv2:vpclink	apigateway:GetVpcLinks
aws:appintegrations:application	app-integrations:GetApplication, app-integrations:ListApplicationAssociations, app-integrations:ListApplications
aws:appintegrations:application-association	app-integrations:ListApplicationAssociations, app-integrations:ListApplications
aws:appintegrations:data-integration	app-integrations:GetDataIntegration, app-integrations:ListDataIntegrationAssociations, app-integrations:ListDataIntegrations
aws:appintegrations:data-integration-association	app-integrations:ListDataIntegrationAssociations, app-integrations:ListDataIntegrations
aws:appintegrations:event-integration	app-integrations:ListEventIntegrations
aws:appintegrations:event-integration-association	app-integrations:ListEventIntegrationAssociations, app-integrations:ListEventIntegrations
aws:applicationautoscaling:scalingactivity	applicationautoscaling:DescribeScalingActivities
aws:applicationautoscaling:scalingpolicy	applicationautoscaling:DescribeScalingPolicies
aws:applicationautoscaling:scheduled-action	applicationautoscaling:DescribeScheduledActions
aws:apprunner:autoscaling-configuration	apprunner:DescribeAutoScalingConfiguration, apprunner:ListAutoScalingConfigurations
aws:apprunner:connection	apprunner:ListConnections
aws:apprunner:observability-configuration	apprunner:DescribeObservabilityConfiguration, apprunner:ListObservabilityConfigurations
aws:apprunner:service	apprunner:DescribeService, apprunner:ListServices
aws:apprunner:vpc-connector	apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors
aws:apprunner:vpc-ingress-connection	apprunner:DescribeVpcIngressConnection, apprunner:ListVpcIngressConnections
aws:appstream:app-block	appstream:DescribeAppBlocks
aws:appstream:app-block-builder	appstream:DescribeAppBlockBuilders
aws:appstream:application	appstream:DescribeApplications
aws:appstream:fleet	appstream:DescribeFleets
aws:appstream:image	appstream:DescribeImages
aws:appstream:image-builder	appstream:DescribeImageBuilders
aws:appstream:stack	appstream:DescribeStacks
aws:appstream:public-image	appstream:DescribeImages
aws:appsync:api	appsync:ListApis
aws:appsync:channel-namespace	appsync:ListApis, appsync:ListChannelNamespaces
aws:appsync:data-source	appsync:ListDataSources, appsync:ListGraphqlApis
aws:appsync:domain-name	appsync:ListDomainNames
aws:appsync:function	appsync:ListFunctions, appsync:ListGraphqlApis
aws:appsync:graphqlapi	appsync:GetGraphqlApi, appsync:ListGraphqlApis
aws:appsync:source-api-association	appsync:ListGraphqlApis, appsync:ListSourceApiAssociations
aws:athena:capacityreservation	athena:ListCapacityReservations
aws:athena:datacatalog	athena:ListDataCatalogs
aws:athena:named-query	athena:BatchGetNamedQuery, athena:ListNamedQueries
aws:athena:prepared-statement	athena:BatchGetPreparedStatement, athena:GetWorkGroup, athena:ListPreparedStatements, athena:ListWorkGroups
aws:athena:workgroup	athena:GetWorkGroup, athena:ListWorkGroups
aws:auditmanager:assessment	auditmanager:GetAssessment, auditmanager:ListAssessments
aws:auditmanager:assessmentcontrolset	auditmanager:GetAssessment, auditmanager:ListAssessments
aws:auditmanager:assessmentframework	auditmanager:GetAssessmentFramework, auditmanager:ListAssessmentFrameworks
aws:auditmanager:control	auditmanager:GetControl, auditmanager:ListControls
aws:autoscaling:group	autoscaling:DescribeAutoScalingGroups
aws:autoscaling:launchconfiguration	autoscaling:DescribeLaunchConfigurations
aws:autoscaling:policy	autoscaling:DescribePolicies
aws:autoscaling:scheduled-action	autoscaling:DescribeScheduledActions
aws:b2bi:capability	b2bi:GetCapability, b2bi:ListCapabilities
aws:b2bi:partnership	b2bi:GetPartnership, b2bi:GetProfile, b2bi:ListPartnerships, b2bi:ListProfiles
aws:b2bi:profile	b2bi:GetProfile, b2bi:ListProfiles
aws:b2bi:transformer	b2bi:GetTransformer, b2bi:ListTransformers
aws:backup:framework	backup:DescribeFramework, backup:ListFrameworks
aws:backup:legalhold	backup:GetLegalHold, backup:ListLegalHolds
aws:backup:plan	backup:ListBackupPlans
aws:backup:protected-resource	backup:ListProtectedResources
aws:backup:recoverypoint	backup:ListBackupVaults, backup:ListRecoveryPointsByBackupVault
aws:backup:vault	backup:ListBackupVaults
aws:backup-gateway:gateway	backup-gateway:GetGateway, backup-gateway:ListGateways
aws:backup-gateway:hypervisor	backup-gateway:GetHypervisor, backup-gateway:ListHypervisors
aws:backup-gateway:virtual-machine	backup-gateway:GetVirtualMachine, backup-gateway:ListVirtualMachines
aws:batch:compute-environment	batch:DescribeComputeEnvironments
aws:batch:job-definition	batch:DescribeJobDefinitions
aws:batch:job-queue	batch:DescribeJobQueues
aws:batch:scheduling-policy	batch:DescribeSchedulingPolicies, batch:ListSchedulingPolicies
aws:bedrock:foundationmodel	bedrock:GetFoundationModel, bedrock:ListFoundationModels
aws:bedrock:system-defined-inference-profile	bedrock:GetInferenceProfile, bedrock:ListInferenceProfiles
aws:bedrock:agent	bedrock:GetAgent, bedrock:ListAgentCollaborators, bedrock:ListAgentVersions, bedrock:ListAgents
aws:bedrock:agent-action-group	bedrock:GetAgentActionGroup, bedrock:ListAgentActionGroups, bedrock:ListAgents
aws:bedrock:agent-alias	bedrock:GetAgentAlias, bedrock:ListAgentAliases, bedrock:ListAgents
aws:bedrock:application-inference-profile	bedrock:GetInferenceProfile, bedrock:ListInferenceProfiles
aws:bedrock:blueprint	bedrock:GetBlueprint, bedrock:ListBlueprints
aws:bedrock:custom-model	bedrock:GetCustomModel, bedrock:ListCustomModels
aws:bedrock:data-source	bedrock:GetDataSource, bedrock:GetKnowledgeBase, bedrock:ListDataSources, bedrock:ListKnowledgeBaseDocuments, bedrock:ListKnowledgeBases
aws:bedrock:flow	bedrock:GetFlow, bedrock:GetFlowVersion, bedrock:ListFlows
aws:bedrock:flow-alias	bedrock:GetFlowAlias, bedrock:ListFlowAliases, bedrock:ListFlows
aws:bedrock:guardrail	bedrock:GetGuardrail, bedrock:ListGuardrails, bedrock:ListGuardrails
aws:bedrock:imported-model	bedrock:GetImportedModel, bedrock:ListImportedModels
aws:bedrock:ingestion-job	bedrock:GetDataSource, bedrock:GetIngestionJob, bedrock:GetKnowledgeBase, bedrock:ListDataSources, bedrock:ListIngestionJobs, bedrock:ListKnowledgeBases
aws:bedrock:knowledge-base	bedrock:GetKnowledgeBase, bedrock:ListKnowledgeBases
aws:bedrock:marketplace-model-endpoint	bedrock:GetMarketplaceModelEndpoint, bedrock:ListMarketplaceModelEndpoints
aws:bedrock:prompt	bedrock:GetPrompt, bedrock:ListPrompts
aws:bedrock:prompt-router	bedrock:ListPromptRouters
aws:bedrock:provisioned-model-throughput	bedrock:ListProvisionedModelThroughputs
aws:bedrock:async-invoke	bedrock:GetAsyncInvoke, bedrock:ListAsyncInvokes
aws:bedrock:evaluation-job	bedrock:GetEvaluationJob, bedrock:ListEvaluationJobs
aws:bedrock:model-copy-job	bedrock:GetModelCopyJob, bedrock:ListModelCopyJobs
aws:bedrock:model-customization-job	bedrock:GetModelCustomizationJob, bedrock:ListModelCustomizationJobs
aws:bedrock:model-invocation-job	bedrock:GetModelInvocationJob, bedrock:ListModelInvocationJobs
aws:bedrock:settings	bedrock:GetModelInvocationLoggingConfiguration
aws:cloudformation:generatedtemplate	cloudformation:DescribeGeneratedTemplate, cloudformation:ListGeneratedTemplates
aws:cloudformation:resourcescan	cloudformation:DescribeResourceScan, cloudformation:ListResourceScans
aws:cloudformation:stack	cloudformation:DescribeStacks, cloudformation:ListStacks
aws:cloudformation:stackset	cloudformation:ListStackSets
aws:cloudformation:type	cloudformation:ListTypes
aws:cloudfront:anycast-ip-list	cloudfront:GetAnycastIpList, cloudfront:ListAnycastIpLists
aws:cloudfront:cache-policy	cloudfront:GetCachePolicy, cloudfront:ListCachePolicies
aws:cloudfront:continuous-deployment-policy	cloudfront:GetContinuousDeploymentPolicy, cloudfront:ListContinuousDeploymentPolicies
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:cloudfront:field-level-encryption-config	cloudfront:GetFieldLevelEncryptionConfig, cloudfront:ListFieldLevelEncryptionConfigs
aws:cloudfront:field-level-encryption-profile	cloudfront:GetFieldLevelEncryptionProfile, cloudfront:ListFieldLevelEncryptionProfiles
aws:cloudfront:function	cloudfront:ListFunctions
aws:cloudfront:keygroup	cloudfront:ListKeyGroups
aws:cloudfront:origin-request-policy	cloudfront:GetOriginRequestPolicy, cloudfront:ListOriginRequestPolicies
aws:cloudfront:originaccesscontrol	cloudfront:ListOriginAccessControls
aws:cloudfront:publickey	cloudfront:ListPublicKeys
aws:cloudfront:realtime-log-config	cloudfront:ListRealtimeLogConfigs
aws:cloudfront:response-headers-policy	cloudfront:GetResponseHeadersPolicy, cloudfront:ListResponseHeadersPolicies
aws:cloudfront:streaming-distribution	cloudfront:GetStreamingDistribution, cloudfront:ListStreamingDistributions
aws:cloudfront:vpc-origin	cloudfront:GetVpcOrigin, cloudfront:ListVpcOrigins
aws:cloudfront:managed-cache-policy	cloudfront:GetCachePolicy, cloudfront:ListCachePolicies
aws:cloudfront:managed-origin-request-policy	cloudfront:GetOriginRequestPolicy, cloudfront:ListOriginRequestPolicies
aws:cloudfront:managed-response-headers-policy	cloudfront:GetResponseHeadersPolicy, cloudfront:ListResponseHeadersPolicies
aws:cloudhsm:backup	cloudhsm:DescribeBackups
aws:cloudhsm:cluster	cloudhsm:DescribeClusters
aws:cloudtrail:trail	cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus
aws:cloudwatchlogs:log-group	logs:DescribeLogGroups, logs:DescribeSubscriptionFilters
aws:cloudwatchlogs:metricfilter	logs:DescribeMetricFilters
aws:codeartifact:domain	codeartifact:DescribeDomain, codeartifact:ListDomains
aws:codeartifact:package	codeartifact:ListPackages, codeartifact:ListRepositories
aws:codeartifact:package-group	codeartifact:DescribePackageGroup, codeartifact:ListDomains, codeartifact:ListPackageGroups
aws:codeartifact:repository	codeartifact:DescribeRepository, codeartifact:ListRepositories
aws:codebuild:project	codebuild:BatchGetProjects, codebuild:ListProjects
aws:codebuild:source-credentials	codebuild:ListSourceCredentials
aws:codedeploy:application	codedeploy:BatchGetApplications, codedeploy:ListApplications
aws:codedeploy:deployment-config	codedeploy:GetDeploymentConfig, codedeploy:ListDeploymentConfigs
aws:codeguru-profiler:finding	codeguru-profiler:ListFindingsReports, codeguru-profiler:ListProfilingGroups
aws:codeguru-profiler:profilinggroup	codeguru-profiler:ListProfilingGroups
aws:codeguru-reviewer:association	codeguru-reviewer:ListRepositoryAssociations
aws:codeguru-reviewer:codereview	codeguru-reviewer:ListCodeReviews
aws:codeguru-security:finding	codeguru-security:GetFindings, codeguru-security:ListScans
aws:codeguru-security:scanname	codeguru-security:GetScan, codeguru-security:ListScans
aws:codepipeline:actiontype	codepipeline:GetActionType, codepipeline:ListActionTypes
aws:codepipeline:pipeline	codepipeline:GetPipeline, codepipeline:ListPipelines
aws:codepipeline:webhook	codepipeline:ListWebhooks
aws:cognitoidentity:identitypool	cognito-identity:DescribeIdentityPool, cognito-identity:GetIdentityPoolRoles, cognito-identity:ListIdentityPools
aws:cognitoidentityprovider:userpool	cognito-idp:DescribeUserPool, cognito-idp:ListIdentityProviders, cognito-idp:ListUserPools
aws:comprehend:document-classification-job	comprehend:ListDocumentClassificationJobs
aws:comprehend:document-classifier	comprehend:ListDocumentClassifiers
aws:comprehend:dominant-language-detection-job	comprehend:ListDominantLanguageDetectionJobs
aws:comprehend:endpoint	comprehend:ListEndpoints
aws:comprehend:entities-detection-job	comprehend:ListEntitiesDetectionJobs
aws:comprehend:entity-recognizer	comprehend:ListEntityRecognizers
aws:comprehend:events-detection-job	comprehend:ListEventsDetectionJobs
aws:comprehend:flywheel	comprehend:DescribeFlywheel, comprehend:ListFlywheels
aws:comprehend:flywheel-dataset	comprehend:DescribeFlywheel, comprehend:ListDatasets, comprehend:ListFlywheels
aws:comprehend:key-phrases-detection-job	comprehend:ListKeyPhrasesDetectionJobs
aws:comprehend:pii-entities-detection-job	comprehend:ListPiiEntitiesDetectionJobs
aws:comprehend:sentiment-detection-job	comprehend:ListSentimentDetectionJobs
aws:comprehend:targeted-sentiment-detection-job	comprehend:ListTargetedSentimentDetectionJobs
aws:comprehend:topics-detection-job	comprehend:ListTopicsDetectionJobs
aws:configservice:recorder	config:DescribeConfigurationRecorders
aws:configservice:recorderstatus	config:DescribeConfigurationRecorderStatus
aws:connect:agent-status	connect:DescribeAgentStatus, connect:DescribeInstance, connect:ListAgentStatuses, connect:ListInstances
aws:connect:authentication-profile	connect:DescribeAuthenticationProfile, connect:DescribeInstance, connect:ListAuthenticationProfiles, connect:ListInstances
aws:connect:contact-flow	connect:DescribeContactFlow, connect:DescribeInstance, connect:ListContactFlows, connect:ListInstances
aws:connect:contact-flow-module	connect:DescribeContactFlowModule, connect:DescribeInstance, connect:ListContactFlowModules, connect:ListInstances
aws:connect:hours-of-operation	connect:DescribeHoursOfOperation, connect:DescribeInstance, connect:ListHoursOfOperations, connect:ListInstances
aws:connect:instance	connect:DescribeInstance, connect:ListInstances
aws:connect:integration-association	connect:DescribeInstance, connect:ListInstances, connect:ListIntegrationAssociations
aws:connect:queue	connect:DescribeInstance, connect:DescribeQueue, connect:ListInstances, connect:ListQueues
aws:connect:quick-connect	connect:DescribeInstance, connect:DescribeQuickConnect, connect:ListInstances, connect:ListQuickConnects
aws:connect:routing-profile	connect:DescribeInstance, connect:DescribeRoutingProfile, connect:ListInstances, connect:ListRoutingProfiles
aws:connect:security-profile	connect:DescribeInstance, connect:DescribeSecurityProfile, connect:ListInstances, connect:ListSecurityProfiles
aws:connect:user	connect:DescribeInstance, connect:DescribeUser, connect:ListInstances, connect:ListUsers
aws:controltower:enabled-baseline	controltower:ListEnabledBaselines
aws:controltower:enabled-control	controltower:ListEnabledControls
aws:controltower:landing-zone	controltower:GetLandingZone, controltower:ListLandingZones
aws:costexplorer:anomalymonitor	ce:GetAnomalyMonitors
aws:costexplorer:anomalysubscription	ce:GetAnomalySubscriptions
aws:costexplorer:costcategory	ce:DescribeCostCategoryDefinition, ce:GetCostCategories
aws:profile:domain	profile:GetDomain, profile:ListDomains
aws:dms:certificate	dms:DescribeCertificates
aws:dms:data-migration	dms:DescribeDataMigrations
aws:dms:data-provider	dms:DescribeDataProviders
aws:dms:endpoint	dms:DescribeEndpoints
aws:dms:event-subscription	dms:DescribeEventSubscriptions
aws:dms:instance-profile	dms:DescribeInstanceProfiles
aws:dms:migration-project	dms:DescribeMigrationProjects
aws:dms:replication-config	dms:DescribeReplicationConfigs
aws:dms:replication-subnet-group	dms:DescribeReplicationSubnetGroups
aws:dms:replicationinstance	dms:DescribeReplicationInstances
aws:dms:replicationtask	dms:DescribeReplicationTasks
aws:databrew:dataset	databrew:ListDatasets
aws:databrew:job	databrew:ListJobs
aws:databrew:project	databrew:ListProjects
aws:databrew:recipe	databrew:ListRecipes
aws:databrew:ruleset	databrew:ListRulesets
aws:databrew:schedule	databrew:ListSchedules
aws:datasync:agent	datasync:DescribeAgent, datasync:ListAgents
aws:datasync:location-efs	datasync:DescribeLocationEfs, datasync:ListLocations
aws:datasync:location-fsx-lustre	datasync:DescribeLocationFsxLustre, datasync:ListLocations
aws:datasync:location-fsx-ontap	datasync:DescribeLocationFsxOntap, datasync:ListLocations
aws:datasync:location-fsx-openzfs	datasync:DescribeLocationFsxOpenZfs, datasync:ListLocations
aws:datasync:location-fsx-windows	datasync:DescribeLocationFsxWindows, datasync:ListLocations
aws:datasync:location-hdfs	datasync:DescribeLocationHdfs, datasync:ListLocations
aws:datasync:location-nfs	datasync:DescribeLocationNfs, datasync:ListLocations
aws:datasync:location-objectstorage	datasync:DescribeLocationObjectStorage, datasync:ListLocations
aws:datasync:location-s3	datasync:DescribeLocationS3, datasync:ListLocations
aws:datasync:location-smb	datasync:DescribeLocationSmb, datasync:ListLocations
aws:datasync:task	datasync:DescribeTask, datasync:ListTasks
aws:datazone:domain	datazone:GetDomain, datazone:ListDomains
aws:dax:cluster	dax:DescribeClusters
aws:deadline:budget	deadline:GetBudget, deadline:ListBudgets, deadline:ListFarms
aws:deadline:farm	deadline:ListFarms
aws:deadline:fleet	deadline:ListFarms, deadline:ListFleets
aws:deadline:license-endpoint	deadline:GetLicenseEndpoint, deadline:ListLicenseEndpoints
aws:deadline:monitor	deadline:ListMonitors
aws:deadline:queue	deadline:GetQueue, deadline:ListFarms, deadline:ListQueues
aws:deadline:worker	deadline:ListFarms, deadline:ListFleets, deadline:ListWorkers
aws:detective:graph	detective:ListGraphs
aws:devicefarm:device	devicefarm:ListDevices, devicefarm:ListProjects
aws:devicefarm:deviceinstance	devicefarm:ListDeviceInstances
aws:devicefarm:devicepool	devicefarm:ListDevicePools, devicefarm:ListProjects
aws:devicefarm:instanceprofile	devicefarm:ListInstanceProfiles
aws:devicefarm:networkprofile	devicefarm:ListNetworkProfiles, devicefarm:ListProjects
aws:devicefarm:project	devicefarm:ListProjects
aws:devicefarm:session	devicefarm:ListProjects, devicefarm:ListRemoteAccessSessions
aws:devicefarm:testgrid-project	devicefarm:ListTestGridProjects
aws:devicefarm:testgrid-session	devicefarm:ListTestGridProjects, devicefarm:ListTestGridSessions
aws:devicefarm:upload	devicefarm:GetUpload, devicefarm:ListProjects, devicefarm:ListUploads
aws:devicefarm:vpceconfiguration	devicefarm:ListVPCEConfigurations
aws:directconnect:connection	directconnect:DescribeConnections
aws:directconnect:gateway	directconnect:DescribeDirectConnectGatewayAssociations, directconnect:DescribeDirectConnectGateways
aws:directconnect:virtualinterface	directconnect:DescribeVirtualInterfaces
aws:ds:directory	ds:DescribeDirectories
aws:dlm:policy	dlm:GetLifecyclePolicies, dlm:GetLifecyclePolicy
aws:docdb:cluster	rds:DescribeDBClusters
aws:docdb:clustersnapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots, rds:DescribeDBClusters
aws:docdb:dbinstance	rds:DescribeDBInstances
aws:docdbelastic:cluster	docdb-elastic:GetCluster, docdb-elastic:ListClusters
aws:docdbelastic:cluster-snapshot	docdb-elastic:GetClusterSnapshot, docdb-elastic:ListClusterSnapshots
aws:drs:job	drs:DescribeJobs
aws:drs:launch-configuration-template	drs:DescribeLaunchConfigurationTemplates
aws:drs:recovery-instance	drs:DescribeRecoveryInstances
aws:drs:replication-configuration-template	drs:DescribeReplicationConfigurationTemplates
aws:drs:source-network	drs:DescribeSourceNetworks
aws:drs:source-server	drs:DescribeSourceServers
aws:dsql:cluster	dsql:GetCluster, dsql:ListClusters
aws:dynamodb:backup	dynamodb:DescribeBackup, dynamodb:ListBackups
aws:dynamodb:global-table	dynamodb:DescribeGlobalTable, dynamodb:ListGlobalTables
aws:dynamodb:stream	dynamodb:DescribeStream, dynamodb:ListStreams
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:dynamodb:export	dynamodb:DescribeExport, dynamodb:ListExports
aws:ec2:ebs-encryption-by-default	ec2:GetEbsEncryptionByDefault
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:image	ec2:DescribeImageAttribute, ec2:DescribeImages
aws:ec2:availabilityzone	ec2:DescribeAvailabilityZones
aws:ec2:instance-event-window	ec2:DescribeInstanceEventWindows
aws:ec2:fpga-image	ec2:DescribeFpgaImages
aws:ec2:carriergateway	ec2:DescribeCarrierGateways
aws:ec2:customergateway	ec2:DescribeCustomerGateways
aws:ec2:vpnconnection	ec2:DescribeVpnConnections
aws:ec2:vpngateway	ec2:DescribeVpnGateways
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:instancetype	ec2:DescribeInstanceTypes
aws:ec2:launchtemplate	ec2:DescribeLaunchTemplates
aws:ec2:launchtemplateversion	ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates
aws:ec2:co-ip-pool	ec2:DescribeCoipPools
aws:ec2:local-gateway	ec2:DescribeLocalGateways
aws:ec2:local-gateway-route-table	ec2:DescribeLocalGatewayRouteTables
aws:ec2:local-gateway-route-table-vpc-association	ec2:DescribeLocalGatewayRouteTableVpcAssociations
aws:ec2:local-gateway-virtual-interface	ec2:DescribeLocalGatewayVirtualInterfaces
aws:ec2:local-gateway-virtual-interface-group	ec2:DescribeLocalGatewayVirtualInterfaceGroups
aws:ec2:dhcpoptions	ec2:DescribeDhcpOptions
aws:ec2:instanceconnectendpoint	ec2:DescribeInstanceConnectEndpoints
aws:ec2:ipam	ec2:DescribeIpams
aws:ec2:ipam-external-resource-verification-token	ec2:DescribeIpamExternalResourceVerificationTokens
aws:ec2:ipam-pool	ec2:DescribeIpamPools
aws:ec2:ipam-resource-discovery	ec2:DescribeIpamResourceDiscoveries
aws:ec2:ipam-resource-discovery-association	ec2:DescribeIpamResourceDiscoveryAssociations
aws:ec2:ipam-scope	ec2:DescribeIpamScopes
aws:ec2:ipv6pool-ec2	ec2:DescribeIpv6Pools
aws:ec2:keypair	ec2:DescribeKeyPairs
aws:ec2:networkacl	ec2:DescribeNetworkAcls
aws:ec2:placementgroup	ec2:DescribePlacementGroups
aws:ec2:networkinterface	ec2:DescribeNetworkInterfaces
aws:ec2:customermanagedprefixlist	ec2:DescribeManagedPrefixLists, ec2:GetManagedPrefixListEntries
aws:ec2:awsmanagedprefixlist	ec2:DescribeManagedPrefixLists, ec2:GetManagedPrefixListEntries
aws:ec2:public-fpga-image	ec2:DescribeFpgaImages
aws:ec2:publicimage	ec2:DescribeImages
aws:ec2:region	ec2:DescribeRegions
aws:ec2:capacityreservation	ec2:DescribeCapacityReservations
aws:ec2:capacityreservationfleet	ec2:DescribeCapacityReservationFleets
aws:ec2:dedicatedhost	ec2:DescribeHosts
aws:ec2:fleet	ec2:DescribeFleets
aws:ec2:reservedinstance	ec2:DescribeReservedInstances
aws:ec2:spotfleetrequest	ec2:DescribeSpotFleetRequests
aws:ec2:spotinstancerequest	ec2:DescribeSpotInstanceRequests
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:securitygrouprule	ec2:DescribeSecurityGroupRules, ec2:DescribeSecurityGroups
aws:ec2:settings	ec2:DescribeVpcBlockPublicAccessExclusions, ec2:DescribeVpcBlockPublicAccessOptions, ec2:GetAllowedImagesSettings, ec2:GetEbsDefaultKmsKeyId, ec2:GetEbsEncryptionByDefault, ec2:GetImageBlockPublicAccessState, ec2:GetInstanceMetadataDefaults, ec2:GetSerialConsoleAccessStatus, ec2:GetSnapshotBlockPublicAccessState
aws:ec2:traffic-mirror-filter	ec2:DescribeTrafficMirrorFilters
aws:ec2:traffic-mirror-filter-rule	ec2:DescribeTrafficMirrorFilterRules, ec2:DescribeTrafficMirrorFilters
aws:ec2:traffic-mirror-session	ec2:DescribeTrafficMirrorSessions
aws:ec2:traffic-mirror-target	ec2:DescribeTrafficMirrorTargets
aws:ec2:verified-access-endpoint	ec2:DescribeVerifiedAccessEndpoints, ec2:GetVerifiedAccessEndpointPolicy, ec2:GetVerifiedAccessEndpointTargets
aws:ec2:verified-access-group	ec2:DescribeVerifiedAccessGroups, ec2:GetVerifiedAccessGroupPolicy
aws:ec2:verified-access-instance	ec2:DescribeVerifiedAccessInstances
aws:ec2:verified-access-trust-provider	ec2:DescribeVerifiedAccessTrustProviders
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpcendpoint-service	ec2:DescribeVpcEndpointServices
aws:ec2:vpcendpoint-service-permission	ec2:DescribeVpcEndpointServicePermissions, ec2:DescribeVpcEndpointServices
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcflowlog	ec2:DescribeFlowLogs
aws:ec2:egressonlyinternetgateway	ec2:DescribeEgressOnlyInternetGateways
aws:ec2:elasticip	ec2:DescribeAddresses
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:routetable	ec2:DescribeRouteTables
aws:ec2:vpcendpointconnectionnotification	ec2:DescribeVpcEndpointConnectionNotifications
aws:ec2:vpcpeeringconnection	ec2:DescribeVpcPeeringConnections
aws:ec2:client-vpn-endpoint	ec2:DescribeClientVpnEndpoints
aws:ecr:image	ecr:DescribeImages, ecr:DescribeRepositories
aws:ecr:repository	ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy
aws:ecr:registry	ecr:DescribeRegistry, ecr:GetRegistryPolicy, ecr:GetRegistryScanningConfiguration
aws:ecrpublic:image	ecr-public:DescribeImages, ecr-public:DescribeRepositories
aws:ecrpublic:repository	ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy
aws:ecrpublic:registry	ecr-public:DescribeRegistries
aws:ecs:capacityprovider	ecs:DescribeCapacityProviders
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:ecs:instance	ecs:DescribeContainerInstances, ecs:ListClusters, ecs:ListContainerInstances
aws:ecs:service	ecs:DescribeServices, ecs:ListClusters, ecs:ListServices
aws:ecs:service-deployment	ecs:DescribeServiceDeployments, ecs:DescribeServices, ecs:ListClusters, ecs:ListServiceDeployments, ecs:ListServices
aws:ecs:task	ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:ecs:task-definition	ecs:DescribeServices, ecs:DescribeTaskDefinition, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:efs:accesspoint	elasticfilesystem:DescribeAccessPoints
aws:efs:filesystem	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration
aws:efs:mounttarget	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargetSecurityGroups, elasticfilesystem:DescribeMountTargets
aws:eks:access-entry	eks:DescribeAccessEntry, eks:DescribeCluster, eks:ListAccessEntries, eks:ListClusters
aws:eks:access-policy	eks:DescribeAccessEntry, eks:DescribeCluster, eks:ListAccessEntries, eks:ListAssociatedAccessPolicies, eks:ListClusters
aws:eks:addon	eks:DescribeAddon, eks:DescribeCluster, eks:ListAddons, eks:ListClusters
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:eks:eks-anywhere-subscription	eks:ListEksAnywhereSubscriptions
aws:eks:fargateprofile	eks:DescribeCluster, eks:DescribeFargateProfile, eks:ListClusters, eks:ListFargateProfiles
aws:eks:identityproviderconfig	eks:DescribeCluster, eks:DescribeIdentityProviderConfig, eks:ListClusters, eks:ListIdentityProviderConfigs
aws:eks:insight	eks:DescribeCluster, eks:DescribeInsight, eks:ListClusters, eks:ListInsights
aws:eks:nodegroup	eks:DescribeCluster, eks:DescribeNodeGroup, eks:ListClusters, eks:ListNodeGroups
aws:eks:podidentityassociation	eks:DescribeCluster, eks:DescribePodIdentityAssociation, eks:ListClusters, eks:ListPodIdentityAssociations
aws:eks:update	eks:DescribeCluster, eks:DescribeUpdate, eks:ListClusters, eks:ListUpdates
aws:elasticache:cachesubnetgroup	elasticache:DescribeCacheSubnetGroups
aws:elasticache:global-replicationgroup	elasticache:DescribeGlobalReplicationGroups
aws:elasticache:parametergroup	elasticache:DescribeCacheParameterGroups
aws:elasticache:replicationgroup	elasticache:DescribeReplicationGroups
aws:elasticache:reserved-instance	elasticache:DescribeReservedCacheNodes
aws:elasticache:securitygroup	elasticache:DescribeCacheSecurityGroups
aws:elasticache:serverless-cache	elasticache:DescribeServerlessCaches
aws:elasticache:serverless-cache-snapshot	elasticache:DescribeServerlessCacheSnapshots
aws:elasticache:snapshot	elasticache:DescribeSnapshots
aws:elasticache:user	elasticache:DescribeUsers
aws:elasticache:usergroup	elasticache:DescribeUserGroups
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticbeanstalk:environment	elasticbeanstalk:DescribeConfigurationSettings, elasticbeanstalk:DescribeEnvironments
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:listener-rule	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeRules
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:targetgroup	elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth
aws:elasticloadbalancingv2:truststore	elasticloadbalancing:DescribeTrustStores
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:emr:cluster	elasticmapreduce:DescribeCluster, elasticmapreduce:GetAutoTerminationPolicy, elasticmapreduce:GetManagedScalingPolicy, elasticmapreduce:ListClusters
aws:emr:instance	elasticmapreduce:ListClusters, elasticmapreduce:ListInstances
aws:emr:instance-fleet	elasticmapreduce:DescribeCluster, elasticmapreduce:ListClusters, elasticmapreduce:ListInstanceFleets
aws:emr:instance-group	elasticmapreduce:DescribeCluster, elasticmapreduce:ListClusters, elasticmapreduce:ListInstanceGroups
aws:emr:security-configuration	elasticmapreduce:DescribeSecurityConfiguration, elasticmapreduce:ListSecurityConfigurations
aws:emrcontainers:managed-endpoint	emr-containers:ListManagedEndpoints, emr-containers:ListVirtualClusters
aws:emrcontainers:security-configuration	emr-containers:ListSecurityConfigurations
aws:emrcontainers:virtual-cluster	emr-containers:ListVirtualClusters
aws:emrserverless:application	emr-serverless:GetApplication, emr-serverless:ListApplications
aws:emr:settings	elasticmapreduce:GetBlockPublicAccessConfiguration
aws:eventbridge:api-destination	events:ListApiDestinations, events:ListConnections
aws:eventbridge:archive	events:ListArchives, events:ListEventBuses
aws:eventbridge:connection	events:ListConnections
aws:eventbridge:endpoint	events:ListEndpoints
aws:eventbridge:event-source	events:ListEventSources
aws:eventbridge:eventbus	events:ListEventBuses, events:ListRules
aws:eventbridge:replay	events:ListReplays
aws:eventbridge:rule	events:ListEventBuses, events:ListRules
aws:eventbridge:ruletarget	events:ListEventBuses, events:ListRules, events:ListTargetsByRule
aws:firehose:delivery-stream	firehose:DescribeDeliveryStream, firehose:ListDeliveryStreams
aws:frauddetector:batch-import-job	frauddetector:GetBatchImportJobs
aws:frauddetector:batch-prediction-job	frauddetector:GetBatchPredictionJobs
aws:frauddetector:detector	frauddetector:GetDetectors
aws:frauddetector:detector-version	frauddetector:DescribeDetector, frauddetector:GetDetectorVersion, frauddetector:GetDetectors
aws:frauddetector:entity-type	frauddetector:GetEntityTypes
aws:frauddetector:event-type	frauddetector:GetEventTypes
aws:frauddetector:external-model	frauddetector:GetExternalModels
aws:frauddetector:label	frauddetector:GetLabels
aws:frauddetector:list	frauddetector:GetListsMetadata
aws:frauddetector:model	frauddetector:GetModels
aws:frauddetector:model-version	frauddetector:DescribeModelVersions
aws:frauddetector:outcome	frauddetector:GetOutcomes
aws:frauddetector:rule	frauddetector:GetDetectors, frauddetector:GetRules
aws:frauddetector:variable	frauddetector:GetVariables
aws:fsx:association	fsx:DescribeDataRepositoryAssociations
aws:fsx:backup	fsx:DescribeBackups
aws:fsx:file-cache	fsx:DescribeFileCaches
aws:fsx:file-system	fsx:DescribeFileSystems
aws:fsx:snapshot	fsx:DescribeSnapshots
aws:fsx:storage-virtual-machine	fsx:DescribeStorageVirtualMachines
aws:fsx:task	fsx:DescribeDataRepositoryTasks
aws:fsx:volume	fsx:DescribeVolumes
aws:gamelift:alias	gamelift:ListAliases
aws:gamelift:build	gamelift:ListBuilds
aws:gamelift:container-fleet	gamelift:ListContainerFleets
aws:gamelift:container-group-definition	gamelift:ListContainerGroupDefinitions
aws:gamelift:game-server-group	gamelift:ListGameServerGroups
aws:gamelift:game-session-queue	gamelift:DescribeGameSessionQueues
aws:gamelift:location	gamelift:ListLocations
aws:gamelift:matchmaking-configuration	gamelift:DescribeMatchmakingConfigurations
aws:gamelift:matchmaking-rule-set	gamelift:DescribeMatchmakingRuleSets
aws:gamelift:script	gamelift:ListScripts
aws:glacier:vault	glacier:GetVaultNotifications, glacier:ListVaults
aws:globalaccelerator:accelerator	globalaccelerator:ListAccelerators
aws:globalaccelerator:endpointgroup	globalaccelerator:ListAccelerators, globalaccelerator:ListEndpointGroups, globalaccelerator:ListListeners
aws:globalaccelerator:listener	globalaccelerator:ListAccelerators, globalaccelerator:ListListeners
aws:glue:registry	glue:ListRegistries
aws:grafana:workspace	grafana:DescribeWorkspace, grafana:ListWorkspaces
aws:greengrass:bulk-deployment	greengrass:GetBulkDeploymentStatus, greengrass:ListBulkDeployments
aws:greengrass:connector-definition	greengrass:ListConnectorDefinitions
aws:greengrass:core-definition	greengrass:ListCoreDefinitions
aws:greengrass:deployment	greengrass:ListDeployments, greengrass:ListGroups
aws:greengrass:device-definition	greengrass:ListDeviceDefinitions
aws:greengrass:function-definition	greengrass:ListFunctionDefinitions
aws:greengrass:group	greengrass:GetGroup, greengrass:ListGroups
aws:greengrass:logger-definition	greengrass:ListLoggerDefinitions
aws:greengrass:resource-definition	greengrass:ListResourceDefinitions
aws:greengrass:subscription-definition	greengrass:ListSubscriptionDefinitions
aws:greengrass:component	greengrass:GetComponent, greengrass:ListComponents
aws:greengrass:connectivity-info	greengrass:GetConnectivityInfo, greengrass:ListCoreDevices
aws:greengrass:core-device	greengrass:GetCoreDevice, greengrass:ListCoreDevices
aws:guardduty:detector	guardduty:GetCoverageStatistics, guardduty:GetDetector, guardduty:ListDetectors
aws:guardduty:filter	guardduty:GetFilter, guardduty:ListDetectors, guardduty:ListFilters
aws:guardduty:ipset	guardduty:GetIPSet, guardduty:ListDetectors, guardduty:ListIPSets
aws:guardduty:malwareprotectionplan	guardduty:GetMalwareProtectionPlan, guardduty:ListMalwareProtectionPlans
aws:guardduty:publishingdestination	guardduty:DescribePublishingDestination, guardduty:ListDetectors, guardduty:ListPublishingDestinations
aws:guardduty:settings	guardduty:GetAdministratorAccount, guardduty:GetMalwareScanSettings, guardduty:GetMasterAccount, guardduty:ListDetectors
aws:guardduty:threatintelset	guardduty:GetThreatIntelSet, guardduty:ListDetectors, guardduty:ListThreatIntelSets
aws:health:settings	health:DescribeHealthServiceStatusForOrganization, organizations:DescribeOrganization
aws:healthlake:datastore	healthlake:ListFHIRDatastores
aws:iam:account	organizations:DescribeOrganization, iam:GetAccountPasswordPolicy, iam:GetAccountSummary
aws:iam:instanceprofile	iam:GetInstanceProfile, iam:ListInstanceProfiles
aws:iam:open-id-connect-provider	iam:GetOpenIDConnectProvider, iam:ListOpenIDConnectProviders
aws:iam:saml-provider	iam:GetSAMLProvider, iam:ListSAMLProviders
aws:iam:server-certificate	iam:ListServerCertificates
aws:iam:service-specific-credential	iam:ListServiceSpecificCredentials
aws:iam:group	iam:GetGroup, iam:ListAttachedGroupPolicies, iam:ListGroups
aws:iam:groupinlinepolicy	iam:GetGroupPolicy, iam:ListGroupPolicies, iam:ListGroups
aws:iam:policy	iam:GetPolicy, iam:GetPolicyVersion, iam:ListPolicies
aws:iam:aws-managed-policy	iam:GetPolicyVersion, iam:ListPolicies
aws:iam:role	iam:GetAccountAuthorizationDetails, iam:GetRole, iam:ListAttachedRolePolicies
aws:iam:roleinlinepolicy	iam:GetAccountAuthorizationDetails, iam:GetRole, iam:GetRolePolicy, iam:ListRolePolicies
aws:iam:accesskeymetadata	iam:GetUser, iam:ListAccessKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:user	iam:GetLoginProfile, iam:GetUser, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListSSHPublicKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:userinlinepolicy	iam:GetUser, iam:GetUserPolicy, iam:ListUserPolicies, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:virtualmfadevice	iam:ListUsers, iam:ListVirtualMFADevices
aws:identitystore:group	organizations:DescribeOrganization, identitystore:ListGroups, sso:ListInstances
aws:identitystore:user	organizations:DescribeOrganization, identitystore:ListGroupMembershipsForMember, sso:ListInstances, identitystore:ListUsers
aws:imagebuilder:component-version	imagebuilder:ListComponents
aws:imagebuilder:container-recipe	imagebuilder:GetContainerRecipe, imagebuilder:ListContainerRecipes
aws:imagebuilder:distribution-configuration	imagebuilder:GetDistributionConfiguration, imagebuilder:ListDistributionConfigurations
aws:imagebuilder:image-pipeline	imagebuilder:ListImagePipelines
aws:imagebuilder:image-recipe	imagebuilder:GetImageRecipe, imagebuilder:ListImageRecipes
aws:imagebuilder:image-version	imagebuilder:ListImages
aws:imagebuilder:infrastructure-configuration	imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListInfrastructureConfigurations
aws:imagebuilder:lifecycle-policy	imagebuilder:GetLifecyclePolicy, imagebuilder:ListLifecyclePolicies
aws:imagebuilder:workflow	imagebuilder:GetWorkflow, imagebuilder:ListWorkflows
aws:imagebuilder:public-component	imagebuilder:ListComponents
aws:imagebuilder:public-container-recipe	imagebuilder:GetContainerRecipe, imagebuilder:ListContainerRecipes
aws:imagebuilder:public-image	imagebuilder:ListImages
aws:imagebuilder:public-image-recipe	imagebuilder:GetImageRecipe, imagebuilder:ListImageRecipes
aws:imagebuilder:public-workflow	imagebuilder:GetWorkflow, imagebuilder:ListWorkflows
aws:inspector2:coveredresource	inspector2:ListCoverage
aws:iot:authorizer	iot:DescribeAuthorizer, iot:ListAuthorizers
aws:iot:cert	iot:DescribeCertificate, iot:ListCertificates
aws:iot:certificateprovider	iot:DescribeCertificateProvider, iot:ListCertificateProviders
aws:iot:dimension	iot:DescribeDimension, iot:ListDimensions
aws:iot:domainconfiguration	iot:DescribeDomainConfiguration, iot:ListDomainConfigurations
aws:iot:fleetmetric	iot:DescribeFleetMetric, iot:ListFleetMetrics
aws:iot:job	iot:DescribeJob, iot:ListJobs
aws:iot:jobtemplate	iot:DescribeJobTemplate, iot:ListJobTemplates
aws:iot:policy	iot:GetPolicy, iot:ListPolicies
aws:iot:provisioningtemplate	iot:DescribeProvisioningTemplate, iot:ListProvisioningTemplates
aws:iot:rolealias	iot:DescribeRoleAlias, iot:ListRoleAliases
aws:iot:securityprofile	iot:DescribeSecurityProfile, iot:ListSecurityProfiles
aws:iot:stream	iot:DescribeStream, iot:ListStreams
aws:iot:thing	iot:DescribeThing, iot:ListThings
aws:iot:thinggroup	iot:DescribeThingGroup, iot:ListThingGroups
aws:iot:thingtype	iot:DescribeThingType, iot:ListThingTypes
aws:iotfleetwise:campaign	iotfleetwise:GetCampaign, iotfleetwise:ListCampaigns
aws:iotfleetwise:decoder-manifest	iotfleetwise:ListDecoderManifests
aws:iotfleetwise:fleet	iotfleetwise:ListFleets
aws:iotfleetwise:model-manifest	iotfleetwise:ListModelManifests
aws:iotfleetwise:signal-catalog	iotfleetwise:GetSignalCatalog, iotfleetwise:ListSignalCatalogs
aws:iotfleetwise:state-template	iotfleetwise:GetStateTemplate, iotfleetwise:ListStateTemplates
aws:iotfleetwise:vehicle	iotfleetwise:GetVehicle, iotfleetwise:ListVehicles
aws:iot:tunnel	iot:DescribeTunnel, iot:ListTunnels
aws:iotsitewise:asset	iotsitewise:DescribeAsset, iotsitewise:DescribeAssetModel, iotsitewise:ListAssetModels, iotsitewise:ListAssets
aws:iotsitewise:asset-model	iotsitewise:DescribeAssetModel, iotsitewise:ListAssetModels
aws:iotsitewise:dashboard	iotsitewise:DescribeDashboard, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListDashboards, iotsitewise:ListPortals, iotsitewise:ListProjects
aws:iotsitewise:dataset	iotsitewise:DescribeDataset, iotsitewise:ListDatasets
aws:iotsitewise:gateway	iotsitewise:ListGateways
aws:iotsitewise:portal	iotsitewise:DescribePortal, iotsitewise:ListPortals
aws:iotsitewise:project	iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListPortals, iotsitewise:ListProjects
aws:iotsitewise:timeseries	iotsitewise:ListTimeSeries
aws:iottwinmaker:component-type	iottwinmaker:GetComponentType, iottwinmaker:GetWorkspace, iottwinmaker:ListComponentTypes, iottwinmaker:ListWorkspaces
aws:iottwinmaker:entity	iottwinmaker:GetEntity, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListWorkspaces
aws:iottwinmaker:scene	iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListScenes, iottwinmaker:ListWorkspaces
aws:iottwinmaker:workspace	iottwinmaker:GetWorkspace, iottwinmaker:ListWorkspaces
aws:iotwireless:destination	iotwireless:ListDestinations
aws:iotwireless:device-profile	iotwireless:GetDeviceProfile, iotwireless:ListDeviceProfiles
aws:iotwireless:gateway	iotwireless:GetWirelessGateway, iotwireless:ListWirelessGateways
aws:iotwireless:multicast-group	iotwireless:GetMulticastGroup, iotwireless:ListMulticastGroups
aws:iotwireless:network-analyzer-configuration	iotwireless:GetNetworkAnalyzerConfiguration, iotwireless:ListNetworkAnalyzerConfigurations
aws:iotwireless:service-profile	iotwireless:GetServiceProfile, iotwireless:ListServiceProfiles
aws:iotwireless:wireless-device	iotwireless:GetWirelessDevice, iotwireless:ListWirelessDevices
aws:ivs:channel	ivs:GetChannel, ivs:ListChannels
aws:ivs:playback-key-pair	ivs:ListPlaybackKeyPairs
aws:ivs:playback-restriction-policy	ivs:ListPlaybackRestrictionPolicies
aws:ivs:recording-configuration	ivs:GetRecordingConfiguration, ivs:ListRecordingConfigurations
aws:ivs:stream-key	ivs:GetChannel, ivs:ListChannels, ivs:ListStreamKeys
aws:ivschat:logging-configuration	ivschat:GetLoggingConfiguration, ivschat:ListLoggingConfigurations
aws:ivschat:room	ivschat:GetRoom, ivschat:ListRooms
aws:ivs:composition	ivs:GetComposition, ivs:ListCompositions
aws:ivs:encoder-configuration	ivs:GetEncoderConfiguration, ivs:ListEncoderConfigurations
aws:ivs:ingest-configuration	ivs:GetIngestConfiguration, ivs:ListIngestConfigurations
aws:ivs:public-key	ivs:GetPublicKey, ivs:ListPublicKeys
aws:ivs:stage	ivs:GetStage, ivs:ListStages
aws:ivs:storage-configuration	ivs:ListStorageConfigurations
aws:kafka:cluster	kafka:DescribeClusterV2, kafka:ListClustersV2
aws:kafka:configuration	kafka:ListConfigurations
aws:kafka:node	kafka:DescribeClusterV2, kafka:ListClustersV2, kafka:ListNodes
aws:kafka:replicator	kafka:DescribeReplicator, kafka:ListReplicators
aws:kafka:vpc-connection	kafka:DescribeVpcConnection, kafka:ListVpcConnections
aws:kafkaconnect:connector	kafkaconnect:DescribeConnector, kafkaconnect:ListConnectors
aws:kafkaconnect:connector-operation	kafkaconnect:DescribeConnector, kafkaconnect:DescribeConnectorOperation, kafkaconnect:ListConnectorOperations, kafkaconnect:ListConnectors
aws:kafkaconnect:custom-plugin	kafkaconnect:DescribeCustomPlugin, kafkaconnect:ListCustomPlugins
aws:kafkaconnect:worker-configuration	kafkaconnect:ListWorkerConfigurations
aws:keyspaces:keyspace	cassandra:Select
aws:keyspaces:table	cassandra:Select, cassandra:Select, cassandra:Select
aws:kinesis:stream	kinesis:DescribeStreamSummary, kinesis:ListStreams
aws:kinesisvideo:channel	kinesisvideo:ListSignalingChannels
aws:kinesisvideo:stream	kinesisvideo:ListStreams
aws:kms:alias	kms:GetKeyPolicy, kms:ListAliases
aws:kms:custom-key-store	kms:DescribeCustomKeyStores
aws:kms:key	kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys
aws:lakeformation:data-lake-settings	lakeformation:GetDataLakeSettings
aws:lakeformation:permissions	lakeformation:ListPermissions
aws:lambda:eventsourcemapping	lambda:ListEventSourceMappings, lambda:ListFunctions
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:lambda:codesigningconfig	lambda:ListCodeSigningConfigs
aws:lambda:function	lambda:GetPolicy, lambda:ListFunctions
aws:lambda:layer	lambda:GetLayerVersionPolicy, lambda:ListLayers
aws:launchwizard:deployment	launchwizard:GetDeployment, launchwizard:ListDeployments
aws:lexv2:bot	lex:DescribeBot, lex:ListBots
aws:lightsail:alarm	lightsail:GetAlarms
aws:lightsail:bucket	lightsail:GetBuckets
aws:lightsail:certificate	lightsail:GetCertificates
aws:lightsail:container-service	lightsail:GetContainerServices
aws:lightsail:disk	lightsail:GetDisks
aws:lightsail:disk-snapshot	lightsail:GetDiskSnapshots
aws:lightsail:distribution	lightsail:GetDistributions
aws:lightsail:instance	lightsail:GetInstancePortStates, lightsail:GetInstances
aws:lightsail:loadbalancer	lightsail:GetLoadBalancers
aws:lightsail:relational-database	lightsail:GetRelationalDatabaseParameters, lightsail:GetRelationalDatabases
aws:lightsail:relational-database-snapshot	lightsail:GetRelationalDatabaseSnapshots
aws:lightsail:static-ip	lightsail:GetStaticIps
aws:location:api-key	geo:DescribeKey, geo:ListKeys
aws:location:geofence-collection	geo:DescribeGeofenceCollection, geo:ListGeofenceCollections
aws:location:map	geo:DescribeMap, geo:ListMaps
aws:location:place-index	geo:DescribePlaceIndex, geo:ListPlaceIndexes
aws:location:route-calculator	geo:DescribeRouteCalculator, geo:ListRouteCalculators
aws:location:tracker	geo:DescribeTracker, geo:ListTrackers
aws:m2:application	m2:GetApplication, m2:ListApplications
aws:m2:environment	m2:GetEnvironment, m2:ListEnvironments
aws:macie2:allow-list	macie2:GetAllowList, macie2:GetMacieSession, macie2:ListAllowLists
aws:macie2:custom-data-identifier	macie2:GetCustomDataIdentifier, macie2:GetMacieSession, macie2:ListCustomDataIdentifiers
aws:macie2:member	macie2:GetMacieSession, macie2:ListMembers
aws:macie2:settings	macie2:GetMacieSession
aws:ses:addon-instance	ses:ListAddonInstances
aws:ses:addon-subscription	ses:ListAddonSubscriptions
aws:ses:address-list	ses:ListAddressLists
aws:ses:archive	ses:GetArchive, ses:ListArchives
aws:ses:ingress-point	ses:GetIngressPoint, ses:ListIngressPoints
aws:ses:relay	ses:GetRelay, ses:ListRelays
aws:ses:rule-set	ses:GetRuleSet, ses:ListRuleSets
aws:ses:traffic-policy	ses:GetTrafficPolicy, ses:ListTrafficPolicies
aws:managedblockchain:accessor	managedblockchain:GetAccessor, managedblockchain:ListAccessors
aws:managedblockchain:invitation	managedblockchain:ListInvitations
aws:managedblockchain:member	managedblockchain:GetMember, managedblockchain:ListMembers, managedblockchain:ListNetworks
aws:managedblockchain:network	managedblockchain:GetNetwork, managedblockchain:ListNetworks
aws:managedblockchain:node	managedblockchain:GetNode, managedblockchain:ListMembers, managedblockchain:ListNetworks, managedblockchain:ListNodes
aws:managedblockchain:proposal	managedblockchain:GetProposal, managedblockchain:ListNetworks, managedblockchain:ListProposals
aws:mediaconnect:bridge	mediaconnect:DescribeBridge, mediaconnect:ListBridges
aws:mediaconnect:entitlement	mediaconnect:ListEntitlements
aws:mediaconnect:flow	mediaconnect:DescribeFlow, mediaconnect:ListFlows
aws:mediaconnect:gateway	mediaconnect:DescribeGateway, mediaconnect:ListGateways
aws:mediaconnect:gatewayinstance	mediaconnect:DescribeGatewayInstance, mediaconnect:ListGatewayInstances
aws:medialive:channel	medialive:ListChannels
aws:medialive:channel-placement-group	medialive:ListChannelPlacementGroups, medialive:ListClusters
aws:medialive:cloudwatch-alarm-template	medialive:ListCloudWatchAlarmTemplates
aws:medialive:cloudwatch-alarm-template-group	medialive:ListCloudWatchAlarmTemplateGroups
aws:medialive:cluster	medialive:ListClusters
aws:medialive:eventbridge-rule-template	medialive:ListEventBridgeRuleTemplates
aws:medialive:eventbridge-rule-template-group	medialive:ListEventBridgeRuleTemplateGroups
aws:medialive:input	medialive:ListInputs
aws:medialive:input-device	medialive:ListInputDevices
aws:medialive:input-security-group	medialive:ListInputSecurityGroups
aws:medialive:multiplex	medialive:ListMultiplexes
aws:medialive:network	medialive:ListNetworks
aws:medialive:node	medialive:ListClusters, medialive:ListNodes
aws:medialive:reservation	medialive:ListReservations
aws:medialive:sdi-source	medialive:ListSdiSources
aws:medialive:signal-map	medialive:ListSignalMaps
aws:mediapackage:harvest-jobs	mediapackage:ListHarvestJobs
aws:mediapackage:origin-endpoints	mediapackage:ListOriginEndpoints
aws:mediapackage-v2:channel	mediapackagev2:GetChannel, mediapackagev2:GetChannelGroup, mediapackagev2:GetChannelPolicy, mediapackagev2:ListChannelGroups, mediapackagev2:ListChannels
aws:mediapackage-v2:channel-group	mediapackagev2:GetChannelGroup, mediapackagev2:ListChannelGroups
aws:mediapackage-v2:harvest-job	mediapackagev2:GetChannelGroup, mediapackagev2:ListChannelGroups, mediapackagev2:ListHarvestJobs
aws:mediapackage-v2:origin-endpoint	mediapackagev2:GetChannelGroup, mediapackagev2:GetOriginEndpoint, mediapackagev2:GetOriginEndpointPolicy, mediapackagev2:ListChannelGroups, mediapackagev2:ListChannels, mediapackagev2:ListOriginEndpoints
aws:mediapackage-vod:assets	mediapackage-vod:DescribeAsset, mediapackage-vod:ListAssets
aws:mediapackage-vod:packaging-configurations	mediapackage-vod:ListPackagingConfigurations
aws:mediapackage-vod:packaging-groups	mediapackage-vod:ListPackagingGroups
aws:memorydb:acl	memorydb:DescribeAcls
aws:memorydb:cluster	memorydb:DescribeClusters, memorydb:DescribeMultiRegionClusters
aws:memorydb:parameter-group	memorydb:DescribeParameterGroups
aws:memorydb:reserved-node	memorydb:DescribeReservedNodes
aws:memorydb:snapshot	memorydb:DescribeSnapshots
aws:memorydb:subnet-group	memorydb:DescribeSubnetGroups
aws:memorydb:user	memorydb:DescribeUsers
aws:cloudwatch:metricalarm	cloudwatch:DescribeAlarms
aws:cloudwatchlogs:metricfilter	logs:DescribeMetricFilters
aws:migrationhubrefactorspaces:application	refactor-spaces:ListApplications, refactor-spaces:ListEnvironments
aws:migrationhubrefactorspaces:environment	refactor-spaces:ListEnvironments
aws:migrationhubrefactorspaces:route	refactor-spaces:ListApplications, refactor-spaces:ListEnvironments, refactor-spaces:ListRoutes
aws:migrationhubrefactorspaces:service	refactor-spaces:ListApplications, refactor-spaces:ListEnvironments, refactor-spaces:ListServices
aws:mq:broker	mq:DescribeBroker, mq:ListBrokers
aws:mq:configuration	mq:ListConfigurations
aws:mq:configurationrevision	mq:DescribeConfigurationRevision, mq:ListConfigurationRevisions, mq:ListConfigurations
aws:mq:user	mq:DescribeBroker, mq:DescribeUser, mq:ListBrokers
aws:mwaa:environment	airflow:GetEnvironment, airflow:ListEnvironments
aws:neptune:cluster	rds:DescribeDBClusters
aws:neptune:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:neptune:dbinstance	rds:DescribeDBInstances
aws:network-firewall:firewall	network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:ListFirewalls
aws:network-firewall:rulegroup	network-firewall:DescribeRuleGroup, network-firewall:ListRuleGroups
aws:network-firewall:tls-configuration	network-firewall:DescribeTLSInspectionConfiguration, network-firewall:ListTLSInspectionConfigurations
aws:network-firewall:vpc-endpoint-association	network-firewall:DescribeVpcEndpointAssociation, network-firewall:ListVpcEndpointAssociations
aws:networkmanager:attachment	networkmanager:ListAttachments
aws:networkmanager:connect-peer	networkmanager:GetConnectPeer, networkmanager:ListConnectPeers
aws:networkmanager:connection	networkmanager:DescribeGlobalNetworks, networkmanager:GetConnections
aws:networkmanager:core-network	networkmanager:GetCoreNetwork, networkmanager:ListCoreNetworks
aws:networkmanager:device	networkmanager:DescribeGlobalNetworks, networkmanager:GetDevices
aws:networkmanager:global-network	networkmanager:DescribeGlobalNetworks
aws:networkmanager:link	networkmanager:DescribeGlobalNetworks, networkmanager:GetLinks
aws:networkmanager:peering	networkmanager:ListPeerings
aws:networkmanager:site	networkmanager:DescribeGlobalNetworks, networkmanager:GetSites
aws:opensearch:domain	es:DescribeDomain, es:ListDomainNames
aws:opensearchserverless:collection	aoss:BatchGetCollection, aoss:ListCollections
aws:organizations:account	organizations:DescribeOrganization, organizations:ListAccountsForParent, organizations:ListDelegatedAdministrators, organizations:ListOrganizationalUnitsForParent, organizations:ListPoliciesForTarget, organizations:ListRoots
aws:organizations:features	organizations:DescribeOrganization, organizations:ListDelegatedAdministrators, iam:ListOrganizationsFeatures
aws:organizations:organization	organizations:DescribeOrganization, organizations:ListDelegatedAdministrators
aws:organizations:organizationalunit	organizations:DescribeOrganization, organizations:ListAccountsForParent, organizations:ListDelegatedAdministrators, organizations:ListOrganizationalUnitsForParent, organizations:ListPoliciesForTarget, organizations:ListRoots
aws:organizations:policy	organizations:DescribeOrganization, organizations:DescribePolicy, organizations:ListDelegatedAdministrators, organizations:ListPolicies, organizations:ListTargetsForPolicy
aws:organizations:root	organizations:DescribeOrganization, organizations:ListAccountsForParent, organizations:ListDelegatedAdministrators, organizations:ListOrganizationalUnitsForParent, organizations:ListPoliciesForTarget, organizations:ListRoots
aws:osis:pipeline	osis:GetPipeline, osis:ListPipelines
aws:osis:pipeline-blueprint	osis:GetPipelineBlueprint, osis:ListPipelineBlueprints
aws:payment-cryptography:alias	payment-cryptography:GetKey, payment-cryptography:ListAliases, payment-cryptography:ListKeys
aws:payment-cryptography:key	payment-cryptography:GetKey, payment-cryptography:ListKeys
aws:pca-connector-ad:connector	pca-connector-ad:ListConnectors
aws:pca-connector-ad:directory-registration	pca-connector-ad:ListDirectoryRegistrations
aws:pca-connector-ad:template	pca-connector-ad:ListConnectors, pca-connector-ad:ListTemplates
aws:pca-connector-scep:connector	pca-connector-scep:ListConnectors
aws:pcs:cluster	pcs:GetCluster, pcs:ListClusters
aws:pcs:compute-node-group	pcs:GetComputeNodeGroup, pcs:ListClusters, pcs:ListComputeNodeGroups
aws:pcs:queue	pcs:GetQueue, pcs:ListClusters, pcs:ListQueues
aws:personalize:batch-inference-job	personalize:DescribeBatchInferenceJob, personalize:ListBatchInferenceJobs
aws:personalize:batch-segment-job	personalize:DescribeBatchSegmentJob, personalize:ListBatchSegmentJobs
aws:personalize:campaign	personalize:DescribeCampaign, personalize:ListCampaigns
aws:personalize:data-deletion-job	personalize:DescribeDataDeletionJob, personalize:ListDataDeletionJobs
aws:personalize:dataset	personalize:DescribeDataset, personalize:ListDatasets
aws:personalize:dataset-export-job	personalize:DescribeDatasetExportJob, personalize:ListDatasetExportJobs
aws:personalize:dataset-group	personalize:DescribeDatasetGroup, personalize:ListDatasetGroups
aws:personalize:dataset-import-job	personalize:DescribeDatasetImportJob, personalize:ListDatasetImportJobs
aws:personalize:event-tracker	personalize:DescribeEventTracker, personalize:ListEventTrackers
aws:personalize:filter	personalize:DescribeFilter, personalize:ListFilters
aws:personalize:metric-attribution	personalize:DescribeMetricAttribution, personalize:ListMetricAttributions
aws:personalize:recommender	personalize:DescribeRecommender, personalize:ListRecommenders
aws:personalize:schema	personalize:DescribeSchema, personalize:ListSchemas
aws:personalize:solution	personalize:DescribeSolution, personalize:ListSolutions
aws:personalize:algorithm	personalize:DescribeAlgorithm, personalize:DescribeRecipe, personalize:ListRecipes
aws:personalize:feature-transformation	personalize:DescribeFeatureTransformation, personalize:DescribeRecipe, personalize:ListRecipes
aws:personalize:recipe	personalize:DescribeRecipe, personalize:ListRecipes
aws:pinpoint:app	mobiletargeting:GetApps, mobiletargeting:GetEventStream
aws:pinpoint:campaign	mobiletargeting:GetApps, mobiletargeting:GetCampaigns
aws:pinpoint:channel	mobiletargeting:GetApps, mobiletargeting:GetChannels
aws:pinpoint:journey	mobiletargeting:GetApps, mobiletargeting:ListJourneys
aws:pinpoint:segment	mobiletargeting:GetApps, mobiletargeting:GetSegments
aws:pinpoint:template	mobiletargeting:ListTemplates
aws:smsvoice:configuration-set	sms-voice:DescribeConfigurationSets
aws:smsvoice:opt-out-list	sms-voice:DescribeOptOutLists
aws:smsvoice:phone-number	sms-voice:DescribePhoneNumbers
aws:smsvoice:pool	sms-voice:DescribePools
aws:smsvoice:protect-configuration	sms-voice:DescribeProtectConfigurations
aws:smsvoice:registration	sms-voice:DescribeRegistrations
aws:smsvoice:registration-attachment	sms-voice:DescribeRegistrationAttachments
aws:smsvoice:sender-id	sms-voice:DescribeSenderIds
aws:smsvoice:verified-destination-number	sms-voice:DescribeVerifiedDestinationNumbers
aws:pipes:pipe	pipes:ListPipes
aws:proton:component	proton:GetComponent, proton:ListComponents
aws:proton:deployment	proton:GetDeployment, proton:ListDeployments
aws:proton:environment	proton:GetEnvironment, proton:ListEnvironments
aws:proton:environment-account-connection	proton:GetEnvironmentAccountConnection, proton:ListEnvironmentAccountConnections
aws:proton:environment-template	proton:GetEnvironmentTemplate, proton:ListEnvironmentTemplates
aws:proton:environment-template-version	proton:GetEnvironmentTemplate, proton:GetEnvironmentTemplateVersion, proton:ListEnvironmentTemplateVersions, proton:ListEnvironmentTemplates
aws:proton:repository	proton:GetRepository, proton:ListRepositories
aws:proton:service	proton:GetService, proton:ListServices
aws:proton:service-instance	proton:GetServiceInstance, proton:ListServiceInstances
aws:proton:service-template	proton:GetServiceTemplate, proton:ListServiceTemplates
aws:proton:service-template-version	proton:GetServiceTemplate, proton:GetServiceTemplateVersion, proton:ListServiceTemplateVersions, proton:ListServiceTemplates
aws:qbusiness:application	qbusiness:GetApplication, qbusiness:ListApplications
aws:qbusiness:data-accessor	qbusiness:GetApplication, qbusiness:GetDataAccessor, qbusiness:ListApplications, qbusiness:ListDataAccessors
aws:qbusiness:data-source	qbusiness:GetApplication, qbusiness:GetDataSource, qbusiness:GetIndex, qbusiness:ListApplications, qbusiness:ListDataSources, qbusiness:ListIndices
aws:qbusiness:index	qbusiness:GetApplication, qbusiness:GetIndex, qbusiness:ListApplications, qbusiness:ListIndices
aws:qbusiness:plugin	qbusiness:GetApplication, qbusiness:GetPlugin, qbusiness:ListApplications, qbusiness:ListPlugins
aws:qbusiness:retriever	qbusiness:GetApplication, qbusiness:GetRetriever, qbusiness:ListApplications, qbusiness:ListRetrievers
aws:qbusiness:subscription	qbusiness:GetApplication, qbusiness:ListApplications, qbusiness:ListSubscriptions
aws:qbusiness:web-experience	qbusiness:GetApplication, qbusiness:GetWebExperience, qbusiness:ListApplications, qbusiness:ListWebExperiences
aws:quicksight:account	quicksight:DescribeAccountSettings
aws:quicksight:analysis	quicksight:DescribeAccountSettings, quicksight:DescribeAnalysis, quicksight:ListAnalyses
aws:quicksight:brand	quicksight:DescribeAccountSettings, quicksight:DescribeBrand, quicksight:ListBrands
aws:quicksight:custom-permission	quicksight:DescribeAccountSettings, quicksight:ListCustomPermissions
aws:quicksight:dashboard	quicksight:DescribeAccountSettings, quicksight:DescribeDashboard, quicksight:ListDashboards
aws:quicksight:data-set	quicksight:DescribeAccountSettings, quicksight:ListDataSets
aws:quicksight:data-source	quicksight:DescribeAccountSettings, quicksight:ListDataSources
aws:quicksight:folder	quicksight:DescribeAccountSettings, quicksight:DescribeFolder, quicksight:ListFolders
aws:quicksight:group	quicksight:DescribeAccountSettings, quicksight:ListGroups, quicksight:ListNamespaces
aws:quicksight:ingestion	quicksight:DescribeAccountSettings, quicksight:ListDataSets, quicksight:ListIngestions
aws:quicksight:namespace	quicksight:DescribeAccountSettings, quicksight:ListNamespaces
aws:quicksight:refresh-schedule	quicksight:DescribeAccountSettings, quicksight:ListDataSets, quicksight:ListRefreshSchedules
aws:quicksight:template	quicksight:DescribeAccountSettings, quicksight:DescribeTemplate, quicksight:ListTemplates
aws:quicksight:theme	quicksight:DescribeAccountSettings, quicksight:DescribeTheme, quicksight:ListThemes
aws:quicksight:topic	quicksight:DescribeAccountSettings, quicksight:DescribeTopic, quicksight:ListTopics
aws:quicksight:user	quicksight:DescribeAccountSettings, quicksight:ListUsers
aws:quicksight:vpc-connection	quicksight:DescribeAccountSettings, quicksight:ListVPCConnections
aws:ram:customer-managed-permission	ram:ListPermissions
aws:ram:resource-share	ram:GetResourceShares
aws:ram:resource-share-invitation	ram:GetResourceShareInvitations
aws:ram:permission	ram:ListPermissions
aws:rbin:rule	rbin:GetRule, rbin:ListRules
aws:rds:blue-green-deployment	rds:DescribeBlueGreenDeployments
aws:rds:cluster	rds:DescribeDBClusters
aws:rds:cluster-endpoint	rds:DescribeDBClusterEndpoints, rds:DescribeDBClusters
aws:rds:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:rds:db-cluster-automated-backup	rds:DescribeDBClusterAutomatedBackups
aws:rds:db-shard-group	rds:DescribeDBShardGroups
aws:rds:dbclusterparametergroup	rds:DescribeDBClusterParameterGroups
aws:rds:dbinstanceautomatedbackup	rds:DescribeDBInstanceAutomatedBackups
aws:rds:dbparametergroup	rds:DescribeDBParameterGroups
aws:rds:dbsubnetgroup	rds:DescribeDBSubnetGroups
aws:rds:eventsubscription	rds:DescribeEventSubscriptions
aws:rds:exporttask	rds:DescribeExportTasks
aws:rds:globalcluster	rds:DescribeGlobalClusters
aws:rds:instance	rds:DescribeDBInstances
aws:rds:integration	rds:DescribeIntegrations
aws:rds:optiongroup	rds:DescribeOptionGroups
aws:rds:proxy	rds:DescribeDBProxies
aws:rds:proxy-endpoint	rds:DescribeDBProxyEndpoints
aws:rds:proxy-target-group	rds:DescribeDBProxies, rds:DescribeDBProxyTargetGroups, rds:DescribeDBProxyTargets
aws:rds:securitygroup	rds:DescribeDBSecurityGroups
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:rds:snapshot-tenant-database	rds:DescribeDBSnapshotTenantDatabases
aws:rds:tenant-database	rds:DescribeTenantDatabases
aws:rds:reserveddbinstance	rds:DescribeReservedDBInstances
aws:redshift:cluster	redshift:DescribeClusterParameters, redshift:DescribeClusters, redshift:DescribeEndpointAccess, redshift:DescribeLoggingStatus
aws:redshift:eventsubscription	redshift:DescribeEventSubscriptions
aws:redshift:hsm-client-certificate	redshift:DescribeHsmClientCertificates
aws:redshift:hsm-configuration	redshift:DescribeHsmConfigurations
aws:redshift:integration	redshift:DescribeIntegrations
aws:redshift:parametergroup	redshift:DescribeClusterParameterGroups
aws:redshift:redshift-idc-application	redshift:DescribeRedshiftIdcApplications
aws:redshift:securitygroup	redshift:DescribeClusterSecurityGroups
aws:redshift:snapshot	redshift:DescribeClusterSnapshots, redshift:DescribeClusters
aws:redshift:subnetgroup	redshift:DescribeClusterSubnetGroups, redshift:DescribeClusters
aws:redshiftserverless:endpoint-access	redshift-serverless:ListEndpointAccess
aws:redshiftserverless:managed-workgroup	redshift-serverless:ListManagedWorkgroups
aws:redshiftserverless:namespace	redshift-serverless:ListNamespaces
aws:redshiftserverless:recovery-point	redshift-serverless:ListNamespaces, redshift-serverless:ListRecoveryPoints
aws:redshiftserverless:snapshot	redshift-serverless:GetSnapshot, redshift-serverless:ListNamespaces, redshift-serverless:ListSnapshots
aws:redshiftserverless:workgroup	redshift-serverless:ListWorkgroups
aws:rekognition:collection	rekognition:DescribeCollection, rekognition:ListCollections
aws:rekognition:project	rekognition:DescribeProjects
aws:rekognition:project-version	rekognition:DescribeProjectVersions, rekognition:DescribeProjects
aws:rekognition:stream-processor	rekognition:DescribeStreamProcessor, rekognition:ListStreamProcessors
aws:resiliencehub:app-assessment	resiliencehub:DescribeAppAssessment, resiliencehub:ListAppAssessments
aws:resiliencehub:application	resiliencehub:DescribeApp, resiliencehub:ListApps
aws:resiliencehub:resiliency-policy	resiliencehub:ListResiliencyPolicies
aws:resourceexplorer2:index	resource-explorer-2:GetIndex
aws:resourceexplorer2:view	resource-explorer-2:GetView, resource-explorer-2:ListViews
aws:resourceexplorer2:managed-view	resource-explorer-2:GetManagedView, resource-explorer-2:ListManagedViews
aws:resourcegroups:group	resource-groups:GetGroup, resource-groups:ListGroups
aws:route53:hostedzone	route53:GetDNSSEC, route53:GetHostedZone, route53:ListHostedZones
aws:route53:queryloggingconfig	route53:ListQueryLoggingConfigs
aws:route53:resourcerecordset	route53:ListHostedZones, route53:ListResourceRecordSets
aws:route53domains:domain	route53domains:ListDomains
aws:route53-recovery-control:assertion-safety-rule	route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListSafetyRules
aws:route53-recovery-control:cluster	route53-recovery-control-config:ListClusters
aws:route53-recovery-control:control-panel	route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListSafetyRules
aws:route53-recovery-control:gating-safety-rule	route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListSafetyRules
aws:route53-recovery-control:routing-control	route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListRoutingControls
aws:route53-recovery-readiness:cell	route53-recovery-readiness:ListCells
aws:route53-recovery-readiness:readiness-check	route53-recovery-readiness:ListReadinessChecks
aws:route53-recovery-readiness:recovery-group	route53-recovery-readiness:ListRecoveryGroups
aws:route53-recovery-readiness:resource-set	route53-recovery-readiness:ListResourceSets
aws:route53resolver:firewall-config	route53resolver:ListFirewallConfigs
aws:route53resolver:firewall-domain-list	route53resolver:ListFirewallDomainLists
aws:route53resolver:firewall-rule-group	route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules
aws:route53resolver:firewall-rule-group-association	route53resolver:ListFirewallRuleGroupAssociations
aws:route53resolver:outpost-resolver	route53resolver:ListOutpostResolvers
aws:route53resolver:resolver-config	route53resolver:ListResolverConfigs
aws:route53resolver:resolver-dnssec-config	route53resolver:ListResolverDnssecConfigs
aws:route53resolver:resolver-endpoint	route53resolver:ListResolverEndpoints
aws:route53resolver:resolver-query-log-config	route53resolver:ListResolverQueryLogConfigs
aws:route53resolver:resolver-rule	route53resolver:ListResolverRules
aws:rum:app-monitor	rum:GetAppMonitor, rum:ListAppMonitors
aws:s3:bucket	s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets
aws:s3:accessgrant	s3:ListAccessGrants
aws:s3:accesspoint	s3:GetAccessPointPolicy, s3:ListAccessPoints
aws:s3express:bucket	s3express:GetEncryptionConfiguration, s3express:GetBucketPolicy, s3express:ListAllMyDirectoryBuckets
aws:s3-object-lambda:object-lambda-access-point	s3:GetAccessPointForObjectLambda, s3:ListAccessPointsForObjectLambda
aws:outposts:outpost	s3-outposts:ListOutpostsWithS3
aws:s3outposts:bucket	s3-outposts:ListOutpostsWithS3, s3-outposts:ListRegionalBuckets
aws:s3outposts:endpoint	s3-outposts:ListEndpoints
aws:s3control:accountpublicaccessblock	s3:GetBucketPublicAccessBlock
aws:sagemaker:notebookinstance	sagemaker:DescribeNotebookInstance, sagemaker:ListNotebookInstances
aws:sagemaker:inference-recommendations-job	sagemaker:DescribeInferenceRecommendationsJob, sagemaker:ListInferenceRecommendationsJobs
aws:sagemaker:pipeline	sagemaker:DescribePipeline, sagemaker:ListPipelines
aws:scheduler:group	scheduler:ListScheduleGroups
aws:scheduler:schedule	scheduler:GetSchedule, scheduler:ListSchedules
aws:schemas:discoverer	schemas:ListDiscoverers
aws:schemas:registry	schemas:ListRegistries
aws:schemas:schema	schemas:DescribeSchema, schemas:ListRegistries, schemas:ListSchemas
aws:schemas:aws-schema	schemas:DescribeSchema, schemas:ListRegistries, schemas:ListSchemas
aws:schemas:registry	schemas:ListRegistries
aws:secretsmanager:secret	secretsmanager:DescribeSecret, secretsmanager:GetResourcePolicy, secretsmanager:ListSecrets
aws:securityhub:automation-rule	securityhub:BatchGetAutomationRules, securityhub:DescribeHub, securityhub:ListAutomationRules
aws:securityhub:configuration-policy	securityhub:DescribeHub, organizations:DescribeOrganization, securityhub:GetConfigurationPolicy, securityhub:ListConfigurationPolicies
aws:securityhub:finding-aggregator	securityhub:DescribeHub, securityhub:GetFindingAggregator, securityhub:ListFindingAggregators
aws:securityhub:hub	securityhub:DescribeHub
aws:securityhub:product	securityhub:DescribeHub, securityhub:DescribeProducts
aws:securitylake:data-lake	securitylake:ListDataLakes
aws:securitylake:subscriber	securitylake:ListSubscribers
aws:servicecatalog:application	servicecatalog:GetApplication, servicecatalog:ListApplications
aws:servicecatalog:attribute-group	servicecatalog:GetAttributeGroup, servicecatalog:ListAttributeGroups
aws:servicecatalog:portfolio	servicecatalog:DescribePortfolio, servicecatalog:ListPortfolios
aws:servicecatalog:product	servicecatalog:DescribeProduct, servicecatalog:SearchProducts
aws:servicediscovery:namespace	servicediscovery:GetNamespace, servicediscovery:ListNamespaces
aws:servicediscovery:service	servicediscovery:GetService, servicediscovery:ListServices
aws:servicequotas:quota-change	servicequotas:ListRequestedServiceQuotaChangeHistory, servicequotas:ListServices
aws:ses:configuration-set	ses:DescribeConfigurationSet, ses:ListConfigurationSets
aws:ses:custom-verification-email-template	ses:GetCustomVerificationEmailTemplate, ses:ListCustomVerificationEmailTemplates
aws:ses:identity	ses:GetIdentityDkimAttributes, ses:GetIdentityMailFromDomainAttributes, ses:GetIdentityVerificationAttributes, ses:ListIdentities
aws:ses:template	ses:GetTemplate, ses:ListTemplates
aws:ses:contact-list	ses:GetContactList, ses:ListContactLists
aws:ses:dedicated-ip-pool	ses:GetDedicatedIpPool, ses:ListDedicatedIpPools
aws:ses:multi-region-endpoint	ses:GetMultiRegionEndpoint, ses:ListMultiRegionEndpoints
aws:sfn:statemachine	states:DescribeStateMachine, states:ListStateMachines
aws:sfn:activity	states:DescribeActivity, states:ListActivities
aws:sfn:execution	states:DescribeExecution, states:ListExecutions, states:ListStateMachines
aws:sfn:statemachinealias	states:DescribeStateMachineAlias, states:ListStateMachineAliases, states:ListStateMachines
aws:shield:attack	shield:DescribeAttack, shield:ListAttacks
aws:shield:protection	shield:ListProtections
aws:shield:protection-group	shield:ListProtectionGroups, shield:ListResourcesInProtectionGroup
aws:shield:settings	shield:DescribeEmergencyContactSettings, shield:DescribeSubscription, shield:GetSubscriptionState
aws:signer:signing-profile	signer:GetSigningProfile, signer:ListSigningProfiles
aws:snowball:cluster	snowball:DescribeCluster, snowball:ListClusters
aws:snowball:job	snowball:DescribeJob, snowball:ListJobs
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:sns:platform-application	sns:ListPlatformApplications
aws:socialmessaging:waba	social-messaging:GetLinkedWhatsAppBusinessAccount, social-messaging:ListLinkedWhatsAppBusinessAccounts
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues
aws:ssm:document	ssm:DescribeDocument, ssm:DescribeDocumentPermission, ssm:ListDocuments
aws:ssm:instance	ssm:DescribeInstanceInformation, ssm:ListComplianceItems
aws:ssm-incidents:incident-record	ssm-incidents:GetIncidentRecord, ssm-incidents:ListIncidentRecords
aws:ssm-incidents:replication-set	ssm-incidents:GetReplicationSet, ssm-incidents:ListReplicationSets
aws:ssm-incidents:response-plan	ssm-incidents:GetResponsePlan, ssm-incidents:ListResponsePlans
aws:sso:application	organizations:DescribeOrganization, sso:GetApplicationAssignmentConfiguration, sso:ListApplicationAssignments, sso:ListApplications, sso:ListInstances
aws:sso:instance	sso:DescribeInstanceAccessControlAttributeConfiguration, organizations:DescribeOrganization, sso:ListInstances
aws:sso:permission-set	organizations:DescribeOrganization, sso:DescribePermissionSet, sso:GetInlinePolicyForPermissionSet, sso:GetPermissionsBoundaryForPermissionSet, sso:ListCustomerManagedPolicyReferencesInPermissionSet, sso:ListInstances, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets
aws:sso:trusted-token-issuer	organizations:DescribeOrganization, sso:DescribeTrustedTokenIssuer, sso:ListInstances, sso:ListTrustedTokenIssuers
aws:sso:application-provider	sso:ListApplicationProviders
aws:storagegateway:cache-report	storagegateway:ListCacheReports
aws:storagegateway:device	storagegateway:DescribeGatewayInformation, storagegateway:DescribeVTLDevices, storagegateway:ListGateways
aws:storagegateway:fs-association	storagegateway:DescribeFileSystemAssociations, storagegateway:ListFileSystemAssociations
aws:storagegateway:gateway	storagegateway:DescribeGatewayInformation, storagegateway:ListGateways
aws:storagegateway:nfs-fileshare	storagegateway:DescribeNFSFileShares, storagegateway:ListFileShares
aws:storagegateway:smb-fileshare	storagegateway:DescribeSMBFileShares, storagegateway:ListFileShares
aws:storagegateway:tape	storagegateway:DescribeGatewayInformation, storagegateway:DescribeTapes, storagegateway:ListGateways
aws:storagegateway:tapepool	storagegateway:ListTapePools
aws:storagegateway:volume	storagegateway:ListVolumes
aws:ec2:subnet	ec2:DescribeSubnets
aws:synthetics:canary	synthetics:DescribeCanaries
aws:synthetics:group	synthetics:GetGroup, synthetics:ListGroups
aws:textract:adapter	textract:GetAdapter, textract:ListAdapters
aws:textract:adapter-version	textract:GetAdapterVersion, textract:ListAdapterVersions, textract:ListAdapters
aws:timestream:scheduled-query	timestream:ListScheduledQueries
aws:timestreamwrite:table	timestream:ListTables
aws:transcribe:call-analytics-category	transcribe:ListCallAnalyticsCategories
aws:transcribe:call-analytics-job	transcribe:GetCallAnalyticsJob, transcribe:ListCallAnalyticsJobs
aws:transcribe:language-model	transcribe:ListLanguageModels
aws:transcribe:medical-scribe-job	transcribe:GetMedicalScribeJob, transcribe:ListMedicalScribeJobs
aws:transcribe:medical-transcription-job	transcribe:GetMedicalTranscriptionJob, transcribe:ListMedicalTranscriptionJobs
aws:transcribe:medical-vocabulary	transcribe:GetMedicalVocabulary, transcribe:ListMedicalVocabularies
aws:transcribe:transcription-job	transcribe:GetTranscriptionJob, transcribe:ListTranscriptionJobs
aws:transcribe:vocabulary	transcribe:GetVocabulary, transcribe:ListVocabularies
aws:transcribe:vocabulary-filter	transcribe:GetVocabularyFilter, transcribe:ListVocabularyFilters
aws:transfer:agreement	transfer:DescribeAgreement, transfer:DescribeServer, transfer:ListAgreements, transfer:ListServers
aws:transfer:certificate	transfer:DescribeCertificate, transfer:ListCertificates
aws:transfer:connector	transfer:DescribeConnector, transfer:ListConnectors
aws:transfer:host-key	transfer:DescribeHostKey, transfer:DescribeServer, transfer:ListHostKeys, transfer:ListServers
aws:transfer:profile	transfer:DescribeProfile, transfer:ListProfiles
aws:transfer:server	transfer:DescribeServer, transfer:ListServers
aws:transfer:user	transfer:DescribeServer, transfer:DescribeUser, transfer:ListServers, transfer:ListUsers
aws:transfer:webapp	transfer:DescribeWebApp, transfer:ListWebApps
aws:transfer:workflow	transfer:DescribeWorkflow, transfer:ListWorkflows
aws:ec2:transitgateway	ec2:DescribeTransitGateways
aws:ec2:transitgateway-routetable-announcement	ec2:DescribeTransitGatewayRouteTableAnnouncements
aws:ec2:transitgatewayattachment	ec2:DescribeTransitGatewayAttachments
aws:ec2:transitgatewayconnectpeer	ec2:DescribeTransitGatewayConnectPeers
aws:ec2:transitgatewaymulticastdomain	ec2:DescribeTransitGatewayMulticastDomains
aws:ec2:transitgatewaypeeringattachment	ec2:DescribeTransitGatewayPeeringAttachments
aws:ec2:transitgatewaypolicytable	ec2:DescribeTransitGatewayPolicyTables
aws:ec2:transitgatewayroutetable	ec2:DescribeTransitGatewayRouteTables, ec2:GetTransitGatewayPrefixListReferences, ec2:SearchTransitGatewayRoutes
aws:ec2:transitgatewayvpcattachment	ec2:DescribeTransitGatewayVpcAttachments
aws:translate:parallel-data	translate:GetParallelData, translate:ListParallelData
aws:translate:terminology	translate:GetTerminology, translate:ListTerminologies
aws:verifiedpermissions:identity-source	verifiedpermissions:GetPolicyStore, verifiedpermissions:ListIdentitySources, verifiedpermissions:ListPolicyStores
aws:verifiedpermissions:policy	verifiedpermissions:GetPolicyStore, verifiedpermissions:ListPolicies, verifiedpermissions:ListPolicyStores
aws:verifiedpermissions:policy-store	verifiedpermissions:GetPolicyStore, verifiedpermissions:ListPolicyStores
aws:verifiedpermissions:policy-template	verifiedpermissions:GetPolicyStore, verifiedpermissions:ListPolicyStores, verifiedpermissions:ListPolicyTemplates
aws:vpc-lattice:access-log-subscription	vpc-lattice:GetService, vpc-lattice:GetServiceNetwork, vpc-lattice:ListAccessLogSubscriptions, vpc-lattice:ListServiceNetworks, vpc-lattice:ListServices
aws:vpc-lattice:listener	vpc-lattice:GetListener, vpc-lattice:GetService, vpc-lattice:ListListeners, vpc-lattice:ListServices
aws:vpc-lattice:resource-configuration	vpc-lattice:GetResourceConfiguration, vpc-lattice:ListResourceConfigurations
aws:vpc-lattice:resource-endpoint-association	vpc-lattice:GetResourceConfiguration, vpc-lattice:ListResourceConfigurations, vpc-lattice:ListResourceEndpointAssociations
aws:vpc-lattice:resource-gateway	vpc-lattice:GetResourceGateway, vpc-lattice:ListResourceGateways
aws:vpc-lattice:rule	vpc-lattice:GetListener, vpc-lattice:GetRule, vpc-lattice:GetService, vpc-lattice:ListListeners, vpc-lattice:ListRules, vpc-lattice:ListServices
aws:vpc-lattice:service	vpc-lattice:GetService, vpc-lattice:ListServices
aws:vpc-lattice:service-network	vpc-lattice:GetServiceNetwork, vpc-lattice:ListServiceNetworks
aws:vpc-lattice:service-network-resource-association	vpc-lattice:ListServiceNetworkResourceAssociations
aws:vpc-lattice:service-network-service-association	vpc-lattice:GetServiceNetwork, vpc-lattice:ListServiceNetworkServiceAssociations, vpc-lattice:ListServiceNetworks
aws:vpc-lattice:service-network-vpc-association	vpc-lattice:GetServiceNetwork, vpc-lattice:ListServiceNetworkVpcAssociations, vpc-lattice:ListServiceNetworks
aws:vpc-lattice:target-group	vpc-lattice:GetTargetGroup, vpc-lattice:ListTargetGroups
aws:waf:acl	waf:GetWebACL, waf:ListWebACLs
aws:waf:rule	waf:GetRule, waf:ListRules
aws:waf:rulegroup	waf:GetRuleGroup, waf:ListRuleGroups
aws:wafregional:acl	waf-regional:GetWebACL, waf-regional:ListWebACLs
aws:wafregional:rule	waf-regional:GetRule, waf-regional:ListRules
aws:wafregional:rulegroup	waf-regional:GetRuleGroup, waf-regional:ListRuleGroups
aws:wafv2:acl	wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListWebACLs
aws:wafv2:ipset	wafv2:GetIPSet, wafv2:ListIPSets
aws:wafv2:regexpatternset	wafv2:GetRegexPatternSet, wafv2:ListRegexPatternSets
aws:wafv2:rulegroup	wafv2:GetRuleGroup, wafv2:ListRuleGroups
aws:wafv2:acl	wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListWebACLs
aws:wafv2:ipset	wafv2:GetIPSet, wafv2:ListIPSets
aws:wafv2:regexpatternset	wafv2:GetRegexPatternSet, wafv2:ListRegexPatternSets
aws:wafv2:rulegroup	wafv2:GetRuleGroup, wafv2:ListRuleGroups
aws:workmail:organization	workmail:DescribeOrganization, workmail:ListOrganizations
aws:workspaces:application	workspaces:DescribeApplications
aws:workspaces:bundle	workspaces:DescribeWorkspaceBundles
aws:workspaces:connection-alias	workspaces:DescribeConnectionAliases
aws:workspaces:directory	workspaces:DescribeWorkspaceDirectories
aws:workspaces:image	workspaces:DescribeWorkspaceImages
aws:workspaces:ip-group	workspaces:DescribeIpGroups
aws:workspaces:pool	workspaces:DescribeWorkspacesPools
aws:workspaces:workspace	workspaces:DescribeWorkspaces
aws:workspaces:amazon-bundle	workspaces:DescribeWorkspaceBundles
aws:workspaces-web:browser-settings	workspaces-web:GetBrowserSettings, workspaces-web:ListBrowserSettings
aws:workspaces-web:data-protection-settings	workspaces-web:GetDataProtectionSettings, workspaces-web:ListDataProtectionSettings
aws:workspaces-web:identity-provider	workspaces-web:GetIdentityProvider, workspaces-web:ListIdentityProviders, workspaces-web:ListPortals
aws:workspaces-web:ip-access-settings	workspaces-web:GetIpAccessSettings, workspaces-web:ListIpAccessSettings
aws:workspaces-web:network-settings	workspaces-web:GetNetworkSettings, workspaces-web:ListNetworkSettings
aws:workspaces-web:portal	workspaces-web:ListPortals
aws:workspaces-web:trust-store	workspaces-web:GetTrustStore, workspaces-web:ListTrustStores
aws:workspaces-web:user-access-logging-settings	workspaces-web:GetUserAccessLoggingSettings, workspaces-web:ListUserAccessLoggingSettings
aws:workspaces-web:user-settings	workspaces-web:GetUserSettings, workspaces-web:ListUserSettings
aws:xray:group	xray:GetGroups
aws:xray:sampling-rule	xray:GetSamplingRules
aws:iam:credentialreport	iam:GenerateCredentialReport, iam:GetCredentialReport

Cloud Network Monitoring (CNM)

Resource Type	Permissions
aws:ec2:vpngateway	ec2:DescribeVpnGateways
aws:ec2:egressonlyinternetgateway	ec2:DescribeEgressOnlyInternetGateways
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:vpcendpointconnectionnotification	ec2:DescribeVpcEndpointConnectionNotifications
aws:ec2:vpcpeeringconnection	ec2:DescribeVpcPeeringConnections
aws:network-firewall:firewall	network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:ListFirewalls
aws:ec2:transitgateway	ec2:DescribeTransitGateways

Resource Catalog

Resource Type	Permissions
aws:acm:acm	acm:DescribeCertificate, acm:ListCertificates
aws:applicationautoscaling:scalingpolicy	applicationautoscaling:DescribeScalingPolicies
aws:autoscaling:group	autoscaling:DescribeAutoScalingGroups
aws:cloudformation:stack	cloudformation:DescribeStacks, cloudformation:ListStacks
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:cloudfront:function	cloudfront:ListFunctions
aws:cloudtrail:trail	cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus
aws:cloudwatchlogs:log-group	logs:DescribeLogGroups, logs:DescribeSubscriptionFilters
aws:docdb:cluster	rds:DescribeDBClusters
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:image	ec2:DescribeImageAttribute, ec2:DescribeImages
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:networkacl	ec2:DescribeNetworkAcls
aws:ec2:networkinterface	ec2:DescribeNetworkInterfaces
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpcendpoint-service	ec2:DescribeVpcEndpointServices
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:vpcpeeringconnection	ec2:DescribeVpcPeeringConnections
aws:ecr:repository	ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy
aws:ecrpublic:repository	ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:ecs:service	ecs:DescribeServices, ecs:ListClusters, ecs:ListServices
aws:ecs:task	ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:ecs:task-definition	ecs:DescribeServices, ecs:DescribeTaskDefinition, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:efs:accesspoint	elasticfilesystem:DescribeAccessPoints
aws:efs:filesystem	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:emr:cluster	elasticmapreduce:DescribeCluster, elasticmapreduce:GetAutoTerminationPolicy, elasticmapreduce:GetManagedScalingPolicy, elasticmapreduce:ListClusters
aws:eventbridge:eventbus	events:ListEventBuses, events:ListRules
aws:iam:account	organizations:DescribeOrganization, iam:GetAccountPasswordPolicy, iam:GetAccountSummary
aws:iam:server-certificate	iam:ListServerCertificates
aws:iam:policy	iam:GetPolicy, iam:GetPolicyVersion, iam:ListPolicies
aws:iam:role	iam:GetAccountAuthorizationDetails, iam:GetRole, iam:ListAttachedRolePolicies
aws:iam:user	iam:GetLoginProfile, iam:GetUser, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListSSHPublicKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:kms:key	kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:mq:broker	mq:DescribeBroker, mq:ListBrokers
aws:pipes:pipe	pipes:ListPipes
aws:rds:cluster	rds:DescribeDBClusters
aws:rds:instance	rds:DescribeDBInstances
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:redshift:cluster	redshift:DescribeClusterParameters, redshift:DescribeClusters, redshift:DescribeEndpointAccess, redshift:DescribeLoggingStatus
aws:s3:bucket	s3:GetBucketAcl, s3:GetEncryptionConfiguration, s3:GetLifecycleConfiguration, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetReplicationConfiguration, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetBucketPublicAccessBlock, s3:GetInventoryConfiguration, s3:ListAllMyBuckets
aws:s3control:accountpublicaccessblock	s3:GetBucketPublicAccessBlock
aws:secretsmanager:secret	secretsmanager:DescribeSecret, secretsmanager:GetResourcePolicy, secretsmanager:ListSecrets
aws:sfn:statemachine	states:DescribeStateMachine, states:ListStateMachines
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues

Upcoming releases

The permissions listed here reflect resources planned to be added within the next 30 days. Include these permissions in your existing AWS integration IAM policy (with attached SecurityAudit policy) to get the full benefits of Datadog’s resource coverage and tracking.

Permissions for upcoming releases

Cloud Security

Setup

If you do not have the AWS integration set up for your AWS account, complete the set up process above. Ensure that you enable Cloud Security when mentioned.

Note: The AWS integration must be set up with Role delegation to use this feature.

To add Cloud Security to an existing AWS integration, follow the steps below to enable resource collection.

Provide the necessary permissions to the Datadog IAM role by attaching the AWS managed SecurityAudit policy to your Datadog AWS IAM role. You can find this policy in the AWS console.
Complete the setup in the Datadog AWS integration page with the steps below. Alternatively, you can use the Update an AWS Integration API endpoint.
1. Select the AWS account where you wish to enable resource collection.
2. On the Resource collection tab, click Enable next to Cloud Security. You are redirected to the Cloud Security Setup page, and a setup dialog automatically opens for the selected account.
3. On the setup dialog, switch the Enable Resource Scanning toggle to the on position.
4. Click Done to complete the setup.

Alarm collection

There are two ways to send AWS CloudWatch alarms to the Datadog Events Explorer:

Alarm polling: Alarm polling comes out of the box with the AWS integration and fetches metric alarms through the DescribeAlarmHistory API. If you follow this method, your alarms are categorized under the event source Amazon Web Services. Note: The crawler does not collect composite alarms.
SNS topic: You can see all AWS CloudWatch alarms in your Events Explorer by subscribing the alarms to an SNS topic, then forwarding the SNS messages to Datadog. To learn how to receive SNS messages as events in Datadog, see Receive SNS messages. If you follow this method, your alarms are categorized under the event source Amazon SNS.

Data Collected

Metrics


aws.logs.delivery_errors (count)	The number of log events for which CloudWatch Logs received an error when forwarding data to the subscription destination. Shown as event
aws.logs.delivery_throttling (count)	The number of log events for which CloudWatch Logs was throttled when forwarding data to the subscription destination. Shown as event
aws.logs.forwarded_bytes (gauge)	The volume of log events in compressed bytes forwarded to the subscription destination. Shown as byte
aws.logs.forwarded_log_events (count)	The number of log events forwarded to the subscription destination. Shown as event
aws.logs.incoming_bytes (gauge)	The volume of log events in uncompressed bytes uploaded to Cloudwatch Logs. Shown as byte
aws.logs.incoming_log_events (count)	The number of log events uploaded to Cloudwatch Logs. Shown as event
aws.usage.call_count (count)	The number of specified operations performed in your account Shown as operation
aws.usage.resource_count (count)	The number of specified resources in your account Shown as resource

Note: You can enable the collection of AWS custom metrics, as well as metrics from services that Datadog doesn’t have an integration for. See the AWS Integration and CloudWatch FAQ for more information.

Events

Events from AWS are collected on a per AWS-service basis. See your AWS service’s documentation to learn more about collected events.

Integration	Datadog Tag Keys
All	`region`
API Gateway	`apiid`, `apiname`, `method`, `resource`, `stage`
App Runner	`instance`, `serviceid`, `servicename`
Auto Scaling	`autoscalinggroupname`, `autoscaling_group`
Billing	`account_id`, `budget_name`, `budget_type`, `currency`, `servicename`, `time_unit`
CloudFront	`distributionid`
CodeBuild	`project_name`
CodeDeploy	`application`, `creator`, `deployment_config`, `deployment_group`, `deployment_option`, `deployment_type`, `status`
DirectConnect	`connectionid`
DynamoDB	`globalsecondaryindexname`, `operation`, `streamlabel`, `tablename`
EBS	`volumeid`, `volume-name`, `volume-type`
EC2	`autoscaling_group`, `availability-zone`, `image`, `instance-id`, `instance-type`, `kernel`, `name`, `security_group_name`
ECS	`clustername`, `servicename`, `instance_id`
EFS	`filesystemid`
ElastiCache	`cachenodeid`, `cache_node_type`, `cacheclusterid`, `cluster_name`, `engine`, `engine_version`, `preferred_availability-zone`, `replication_group`
ElasticBeanstalk	`environmentname`, `enviromentid`
ELB	`availability-zone`, `hostname`, `loadbalancername`, `name`, `targetgroup`
EMR	`cluster_name`, `jobflowid`
ES	`dedicated_master_enabled`, `ebs_enabled`, `elasticsearch_version`, `instance_type`, `zone_awareness_enabled`
Firehose	`deliverystreamname`
FSx	`filesystemid`, `filesystemtype`
Health	`event_category`, `status`, `service`
IoT	`actiontype`, `protocol`, `rulename`
Kinesis	`streamname`, `name`, `state`
KMS	`keyid`
Lambda	`functionname`, `resource`, `executedversion`, `memorysize`, `runtime`
Machine Learning	`mlmodelid`, `requestmode`
MQ	`broker`, `queue`, `topic`
OpsWorks	`stackid`, `layerid`, `instanceid`
Polly	`operation`
RDS	`auto_minor_version_upgrade`, `dbinstanceclass`, `dbclusteridentifier`, `dbinstanceidentifier`, `dbname`, `engine`, `engineversion`, `hostname`, `name`, `publicly_accessible`, `secondary_availability-zone`
RDS Proxy	`proxyname`, `target`, `targetgroup`, `targetrole`
Redshift	`clusteridentifier`, `latency`, `nodeid`, `service_class`, `stage`, `wlmid`
Route 53	`healthcheckid`
S3	`bucketname`, `filterid`, `storagetype`
SES	Tag keys are custom set in AWS.
SNS	`topicname`
SQS	`queuename`
VPC	`nategatewayid`, `vpnid`, `tunnelipaddress`
WorkSpaces	`directoryid`, `workspaceid`