Amazon Web Services

Docs > インテグレーション > Amazon Web Services

概要

Amazon Web Services (AWS) を接続すると、次のことができるようになります。

イベントエクスプローラーで AWS ステータスの自動更新を確認する
Agent をインストールすることなく、EC2 ホストの CloudWatch メトリクスを取得する
EC2 ホストに EC2 固有の情報をタグ付けする
EC2 のスケジュール設定されたメンテナンスイベントをストリームに表示する
その他のさまざまな AWS 製品から CloudWatch メトリクスとイベントを収集する
イベントエクスプローラーで CloudWatch アラームを確認する

AWS インテグレーションをすぐに使い始めるには、AWS スタートガイドをご確認ください。

Datadog の Amazon Web Services インテグレーションは、90 以上の AWS サービスのログ、イベント、CloudWatch からのほとんどのメトリクスを収集します。

セットアップ

以下のいずれかの方法を使用して AWS アカウントを Datadog に統合し、メトリクス、イベント、タグ、ログを収集します。

自動

CloudFormation (すぐに始めたい場合に最適) CloudFormation で AWS インテグレーションを設定するには、AWS スタートガイドを参照してください。
Terraform AWS と Terraform のインテグレーションを設定するには、AWS と Terraform のインテグレーションを参照してください。
Control Tower Control Tower Account Factory で新規に AWS アカウントをプロビジョニングする際の AWS インテグレーション設定は、Control Tower セットアップガイドをご覧ください。
AWS 組織向けマルチアカウント設定 AWS 組織内の複数のアカウントに対して AWS インテグレーションを設定するには、AWS 組織セットアップガイドを参照してください。

手動

ロールの委任 AWS インテグレーションをロールの委任で手動設定する場合は、手動設定ガイドを参照してください。
アクセスキー (GovCloud または China* のみ) アクセスキーによる AWS インテグレーションを設定する場合は、手動設定ガイドを参照してください。
* 中国本土における (または中国本土内の環境に関連する) Datadog サービスの使用はすべて、当社 Web サイトのサービス制限地域セクションに掲載されている免責事項に従うものとします。

AWS IAM permissions

AWS IAM permissions enable Datadog to collect metrics, tags, EventBridge events and other data necessary to monitor your AWS environment. To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Datadog AWS Integration IAM Role in your AWS account.

AWS integration IAM policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:GetAccountInformation",
        "airflow:GetEnvironment",
        "airflow:ListEnvironments",
        "apigateway:GET",
        "appsync:ListGraphqlApis",
        "autoscaling:Describe*",
        "backup:List*",
        "batch:DescribeJobDefinitions",
        "batch:DescribeJobQueues",
        "batch:DescribeJobs",
        "batch:ListJobs",
        "bcm-data-exports:GetExport",
        "bcm-data-exports:ListExports",
        "budgets:ViewBudget",
        "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrail",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTrails",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "codebuild:BatchGetProjects",
        "codebuild:ListProjects",
        "codedeploy:BatchGet*",
        "codedeploy:List*",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dms:DescribeReplicationInstances",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:DescribeCluster",
        "eks:ListClusters",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
        "es:ListTags",
        "events:CreateEventBus",
        "fsx:DescribeFileSystems",
        "fsx:ListTagsForResource",
        "health:DescribeAffectedEntities",
        "health:DescribeEventDetails",
        "health:DescribeEvents",
        "iam:ListAccountAliases",
        "kinesis:Describe*",
        "kinesis:List*",
        "lambda:List*",
        "logs:DeleteSubscriptionFilter",
        "logs:DescribeDeliveries",
        "logs:DescribeDeliverySources",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:DescribeSubscriptionFilters",
        "logs:FilterLogEvents",
        "logs:GetDeliveryDestination",
        "logs:PutSubscriptionFilter",
        "logs:TestMetricFilter",
        "network-firewall:DescribeLoggingConfiguration",
        "network-firewall:ListFirewalls",
        "oam:ListAttachedLinks",
        "oam:ListSinks",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:List*",
        "redshift-serverless:ListNamespaces",
        "redshift:DescribeClusters",
        "redshift:DescribeLoggingStatus",
        "route53:List*",
        "route53resolver:ListResolverQueryLogConfigs",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:ListAllMyBuckets",
        "s3:PutBucketNotification",
        "ses:Get*",
        "ses:List*",
        "sns:GetSubscriptionAttributes",
        "sns:List*",
        "sns:Publish",
        "sqs:ListQueues",
        "ssm:GetServiceSetting",
        "ssm:ListCommands",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "support:DescribeTrustedAdvisor*",
        "support:RefreshTrustedAdvisorCheck",
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "timestream:DescribeEndpoints",
        "wafv2:ListLoggingConfigurations",
        "xray:BatchGetTraces",
        "xray:GetTraceSummaries"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

AWS resource collection IAM policy

To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.

Notes:

Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
To enable Datadog to collect account management resources from account.GetAlternateContact and account.GetContactInformation, you need to enable trusted access for AWS account management.
AWS China accounts are not supported.
Enabling resource collection can also impact your AWS CloudWatch costs. To avoid these charges, disable Usage (AWS/Usage) metrics in the Metric Collection tab of the Datadog AWS integration page.

ログ収集

AWSサービスログを Datadog に送信する方法はいくつかあります。

Amazon Data Firehose destination: Amazon Data Firehose 配信ストリームで Datadog の宛先を使用して、ログを Datadog に転送します。CloudWatch から非常に大量のログを送信する際は、このアプローチを使用することが推奨されます。
Forwarder Lambda 関数: S3 バケットまたは CloudWatch ロググループにサブスクライブする Datadog Forwarder Lambda 関数をデプロイし、ログを Datadog に転送します。また、S3 またはデータを Amazon Data Firehose に直接ストリーミングできないその他のリソースからログを送信する場合、Datadog ではこのアプローチを使用することをお勧めしています。

メトリクスの収集

メトリクスを Datadog に送信する方法は 2 つあります。

メトリクスのポーリング: AWS インテグレーションで利用できる API ポーリングです。CloudWatch API をメトリクス別にクロールしてデータを取得し、Datadog に送信します。新しいメトリクスの取得は平均 10 分毎に行われます。
Amazon Data Firehose でのメトリクスストリーム: Amazon CloudWatch Metric Streams と Amazon Data Firehose を使用してメトリクスを確認します。注: このメソッドには 2 - 3 分のレイテンシーがあり、別途設定が必要となります。

利用可能なサブインテグレーションの一覧は、インテグレーションページでご確認いただけます。これらのインテグレーションの多くは、Datadog が AWS アカウントからのデータ入力を認識した際にデフォルトでインストールされます。コスト管理のために特定のリソースを除外するオプションについては、AWS インテグレーション請求ページをご参照ください。

リソース収集

一部の Datadog 製品は、AWS リソース (S3 バケット、RDS スナップショット、CloudFront ディストリビューションなど) の構成方法に関する情報を活用します。Datadog は、AWS アカウントに対して読み取り専用の API 呼び出しを行うことにより、この情報を収集します。

AWS resource collection IAM policy

To use resource collection, you must attach AWS’s managed SecurityAudit Policy to your Datadog IAM role.

Notes:

Warning messages appear on the AWS integration tile in Datadog if you enable resource collection, but do not have the AWS Security Audit Policy attached to your Datadog IAM role.
To enable Datadog to collect account management resources from account.GetAlternateContact and account.GetContactInformation, you need to enable trusted access for AWS account management.
AWS China accounts are not supported.
Enabling resource collection can also impact your AWS CloudWatch costs. To avoid these charges, disable Usage (AWS/Usage) metrics in the Metric Collection tab of the Datadog AWS integration page.

リソースタイプと権限

以下のセクションでは、Datadog の各プロダクトで収集されるリソースタイプと、Datadog IAM ロールが代理でデータを収集するために必要な権限をまとめています。これらの権限を、既存の AWS インテグレーション IAM ポリシー (SecurityAudit ポリシーをアタッチ済み) に追加してください。

Cloud Cost Management (CCM)

Resource Type	Permissions
aws:ec2:availabilityzone	ec2:DescribeAvailabilityZones
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:volume	ec2:DescribeVolumes

Cloudcraft

Resource Type	Permissions
aws:apigateway:api	apigateway:GET
aws:apigatewayv2:api	apigateway:GetApis, apigateway:GetRoutes
aws:autoscaling:group	autoscaling:DescribeAutoScalingGroups
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:directconnect:connection	directconnect:DescribeConnections
aws:docdb:cluster	rds:DescribeDBClusters
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:ec2:availabilityzone	ec2:DescribeAvailabilityZones
aws:ec2:customergateway	ec2:DescribeCustomerGateways
aws:ec2:ebs-encryption-by-default	ec2:GetEbsEncryptionByDefault
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:subnet	ec2:DescribeSubnets
aws:ec2:transitgateway	ec2:DescribeTransitGateways
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:vpnconnection	ec2:DescribeVpnConnections
aws:ec2:vpngateway	ec2:DescribeVpnGateways
aws:ecr:repository	ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy
aws:ecrpublic:repository	ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:ecs:service	ecs:DescribeServices, ecs:ListClusters, ecs:ListServices
aws:ecs:task	ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:efs:accesspoint	elasticfilesystem:DescribeAccessPoints
aws:efs:filesystem	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration
aws:efs:mounttarget	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargetSecurityGroups, elasticfilesystem:DescribeMountTargets
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:eks:nodegroup	eks:DescribeCluster, eks:DescribeNodeGroup, eks:ListClusters, eks:ListNodeGroups
aws:elasticache:cachesubnetgroup	elasticache:DescribeCacheSubnetGroups
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticache:parametergroup	elasticache:DescribeCacheParameterGroups
aws:elasticache:replicationgroup	elasticache:DescribeReplicationGroups
aws:elasticache:securitygroup	elasticache:DescribeCacheSecurityGroups
aws:elasticache:snapshot	elasticache:DescribeSnapshots
aws:elasticache:user	elasticache:DescribeUsers
aws:elasticache:usergroup	elasticache:DescribeUserGroups
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:eventbridge:eventbus	events:ListEventBuses, events:ListRules
aws:fsx:backup	fsx:DescribeBackups
aws:fsx:file-system	fsx:DescribeFileSystems
aws:glacier:vault	glacier:GetVaultNotifications, glacier:ListVaults
aws:keyspaces:keyspace	cassandra:Select
aws:kinesis:stream	kinesis:DescribeStreamSummary, kinesis:ListStreams
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:neptune:cluster	rds:DescribeDBClusters
aws:neptune:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:neptune:dbinstance	rds:DescribeDBInstances
aws:rds:cluster	rds:DescribeDBClusters
aws:rds:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:rds:dbclusterparametergroup	rds:DescribeDBClusterParameterGroups
aws:rds:dbinstanceautomatedbackup	rds:DescribeDBInstanceAutomatedBackups
aws:rds:dbparametergroup	rds:DescribeDBParameterGroups, rds:DescribeDBParameters
aws:rds:dbsubnetgroup	rds:DescribeDBSubnetGroups
aws:rds:eventsubscription	rds:DescribeEventSubscriptions
aws:rds:exporttask	rds:DescribeExportTasks
aws:rds:instance	rds:DescribeDBInstances
aws:rds:optiongroup	rds:DescribeOptionGroups
aws:rds:reserveddbinstance	rds:DescribeReservedDBInstances
aws:rds:securitygroup	rds:DescribeDBSecurityGroups
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:redshift:eventsubscription	redshift:DescribeEventSubscriptions
aws:redshift:parametergroup	redshift:DescribeClusterParameterGroups
aws:redshift:securitygroup	redshift:DescribeClusterSecurityGroups
aws:redshift:snapshot	redshift:DescribeClusterSnapshots, redshift:DescribeClusters
aws:redshift:subnetgroup	redshift:DescribeClusterSubnetGroups, redshift:DescribeClusters
aws:route53:hostedzone	route53:GetDNSSEC, route53:GetHostedZone, route53:ListHostedZones
aws:s3:bucket	s3:GetBucketAbac, s3:GetBucketAcl, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketObjectLockConfiguration, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetEncryptionConfiguration, s3:GetInventoryConfiguration, s3:GetLifecycleConfiguration, s3:GetReplicationConfiguration, s3:ListAllMyBuckets
aws:ses:addon-instance	ses:ListAddonInstances
aws:ses:addon-subscription	ses:ListAddonSubscriptions
aws:ses:address-list	ses:ListAddressLists
aws:ses:archive	ses:GetArchive, ses:ListArchives
aws:ses:configuration-set	ses:DescribeConfigurationSet, ses:ListConfigurationSets
aws:ses:contact-list	ses:GetContactList, ses:ListContactLists
aws:ses:custom-verification-email-template	ses:GetCustomVerificationEmailTemplate, ses:ListCustomVerificationEmailTemplates
aws:ses:dedicated-ip-pool	ses:GetDedicatedIpPool, ses:ListDedicatedIpPools
aws:ses:identity	ses:GetIdentityDkimAttributes, ses:GetIdentityMailFromDomainAttributes, ses:GetIdentityVerificationAttributes, ses:ListIdentities
aws:ses:ingress-point	ses:GetIngressPoint, ses:ListIngressPoints
aws:ses:multi-region-endpoint	ses:GetMultiRegionEndpoint, ses:ListMultiRegionEndpoints
aws:ses:relay	ses:GetRelay, ses:ListRelays
aws:ses:rule-set	ses:GetRuleSet, ses:ListRuleSets
aws:ses:template	ses:GetTemplate, ses:ListTemplates
aws:ses:traffic-policy	ses:GetTrafficPolicy, ses:ListTrafficPolicies
aws:sns:subscription	sns:ListSubscriptions
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues
aws:timestreamwrite:table	timestream:ListTables
aws:waf:acl	waf:GetWebACL, waf:ListWebACLs
aws:waf:rule	waf:GetRule, waf:ListRules
aws:waf:rulegroup	waf:GetRuleGroup, waf:ListRuleGroups
aws:wafregional:acl	waf-regional:GetWebACL, waf-regional:ListWebACLs
aws:wafregional:rule	waf-regional:GetRule, waf-regional:ListRules
aws:wafregional:rulegroup	waf-regional:GetRuleGroup, waf-regional:ListRuleGroups
aws:wafv2:acl	wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListWebACLs

Cloud Security Monitoring (CSM)

Resource Type	Permissions
aws:accessanalyzer:analyzer	access-analyzer:GetAnalyzer, access-analyzer:ListAnalyzers
aws:account:account	account:GetAlternateContact, account:GetContactInformation, account:GetPrimaryEmail, organizations:DescribeOrganization, organizations:ListAccounts
aws:acm:acm	acm:DescribeCertificate, acm:ListCertificates
aws:acmpca:certificateauthority	acm-pca:DescribeCertificateAuthority, acm-pca:ListCertificateAuthorities
aws:amp:rulegroupsnamespace	aps:DescribeRuleGroupsNamespace, aps:DescribeWorkspace, aps:ListRuleGroupsNamespaces, aps:ListWorkspaces
aws:amp:scraper	aps:DescribeScraper, aps:ListScrapers
aws:amp:workspace	aps:DescribeWorkspace, aps:ListWorkspaces
aws:amplify:app	amplify:ListApps
aws:amplify:backend-environment	amplify:ListApps, amplify:ListBackendEnvironments
aws:amplify:branch	amplify:ListApps, amplify:ListBranches
aws:amplify:domain-association	amplify:ListApps, amplify:ListDomainAssociations
aws:amplify:job	amplify:ListApps, amplify:ListBranches, amplify:ListJobs
aws:amplify:webhook	amplify:ListApps, amplify:ListWebhooks
aws:apigateway:account	apigateway:GetAccount
aws:apigateway:api	apigateway:GET
aws:apigateway:apikey	apigateway:GetApiKeys
aws:apigateway:authorizer	apigateway:GET, apigateway:GetAuthorizers
aws:apigateway:basepathmapping	apigateway:GetBasePathMappings, apigateway:GetDomainNames
aws:apigateway:clientcertificate	apigateway:GetClientCertificates
aws:apigateway:deployment	apigateway:GET, apigateway:GetDeployments
aws:apigateway:documentationpart	apigateway:GET, apigateway:GetDocumentationParts
aws:apigateway:domainname	apigateway:GetDomainNames
aws:apigateway:domainnameaccessassociation	apigateway:GetDomainNameAccessAssociations
aws:apigateway:gatewayresponse	apigateway:GET, apigateway:GetGatewayResponses
aws:apigateway:integration	apigateway:GET, apigateway:GetMethod, apigateway:GetResources
aws:apigateway:model	apigateway:GET, apigateway:GetModels
aws:apigateway:requestvalidator	apigateway:GET, apigateway:GetRequestValidators
aws:apigateway:resource	apigateway:GET, apigateway:GetResources
aws:apigateway:stage	apigateway:GET
aws:apigateway:usageplan	apigateway:GetApiKeys, apigateway:GetUsagePlans
aws:apigateway:usageplankey	apigateway:GetApiKeys, apigateway:GetUsagePlanKeys, apigateway:GetUsagePlans
aws:apigateway:vpclink	apigateway:GetVpcLinks
aws:apigatewayv2:api	apigateway:GetApis, apigateway:GetRoutes
aws:apigatewayv2:apimapping	apigateway:GetApiMappings, apigateway:GetDomainNames
aws:apigatewayv2:authorizer	apigateway:GetApis, apigateway:GetAuthorizers
aws:apigatewayv2:deployment	apigateway:GetApis, apigateway:GetDeployments
aws:apigatewayv2:domainname	apigateway:GetDomainNames
aws:apigatewayv2:integration	apigateway:GetApis, apigateway:GetIntegrations
aws:apigatewayv2:integrationresponse	apigateway:GetApis, apigateway:GetIntegrationResponses, apigateway:GetIntegrations
aws:apigatewayv2:model	apigateway:GetApis, apigateway:GetModels
aws:apigatewayv2:route	apigateway:GetApis, apigateway:GetRoutes
aws:apigatewayv2:routeresponse	apigateway:GetApis, apigateway:GetRouteResponses, apigateway:GetRoutes
aws:apigatewayv2:stage	apigateway:GetApis, apigateway:GetStages
aws:apigatewayv2:vpclink	apigateway:GetVpcLinks
aws:appintegrations:application	app-integrations:GetApplication, app-integrations:ListApplicationAssociations, app-integrations:ListApplications
aws:appintegrations:application-association	app-integrations:ListApplicationAssociations, app-integrations:ListApplications
aws:appintegrations:data-integration	app-integrations:GetDataIntegration, app-integrations:ListDataIntegrationAssociations, app-integrations:ListDataIntegrations
aws:appintegrations:data-integration-association	app-integrations:ListDataIntegrationAssociations, app-integrations:ListDataIntegrations
aws:appintegrations:event-integration	app-integrations:ListEventIntegrations
aws:appintegrations:event-integration-association	app-integrations:ListEventIntegrationAssociations, app-integrations:ListEventIntegrations
aws:applicationautoscaling:scalingactivity	applicationautoscaling:DescribeScalingActivities
aws:applicationautoscaling:scalingpolicy	applicationautoscaling:DescribeScalingPolicies
aws:applicationautoscaling:scheduled-action	applicationautoscaling:DescribeScheduledActions
aws:apprunner:autoscaling-configuration	apprunner:DescribeAutoScalingConfiguration, apprunner:ListAutoScalingConfigurations
aws:apprunner:connection	apprunner:ListConnections
aws:apprunner:observability-configuration	apprunner:DescribeObservabilityConfiguration, apprunner:ListObservabilityConfigurations
aws:apprunner:service	apprunner:DescribeService, apprunner:ListServices
aws:apprunner:vpc-connector	apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors
aws:apprunner:vpc-ingress-connection	apprunner:DescribeVpcIngressConnection, apprunner:ListVpcIngressConnections
aws:appstream:app-block	appstream:DescribeAppBlocks
aws:appstream:app-block-builder	appstream:DescribeAppBlockBuilders
aws:appstream:application	appstream:DescribeApplications
aws:appstream:fleet	appstream:DescribeFleets
aws:appstream:image	appstream:DescribeImages
aws:appstream:image-builder	appstream:DescribeImageBuilders
aws:appstream:public-image	appstream:DescribeImages
aws:appstream:stack	appstream:DescribeStacks
aws:appsync:api	appsync:ListApis
aws:appsync:channel-namespace	appsync:ListApis, appsync:ListChannelNamespaces
aws:appsync:data-source	appsync:ListDataSources, appsync:ListGraphqlApis
aws:appsync:domain-name	appsync:ListDomainNames
aws:appsync:function	appsync:ListFunctions, appsync:ListGraphqlApis
aws:appsync:graphqlapi	appsync:GetGraphqlApi, appsync:ListGraphqlApis
aws:appsync:source-api-association	appsync:ListGraphqlApis, appsync:ListSourceApiAssociations
aws:athena:capacityreservation	athena:ListCapacityReservations
aws:athena:datacatalog	athena:ListDataCatalogs
aws:athena:named-query	athena:BatchGetNamedQuery, athena:ListNamedQueries
aws:athena:prepared-statement	athena:BatchGetPreparedStatement, athena:GetWorkGroup, athena:ListPreparedStatements, athena:ListWorkGroups
aws:athena:workgroup	athena:GetWorkGroup, athena:ListWorkGroups
aws:auditmanager:assessment	auditmanager:GetAssessment, auditmanager:ListAssessments
aws:auditmanager:assessmentcontrolset	auditmanager:GetAssessment, auditmanager:ListAssessments
aws:auditmanager:assessmentframework	auditmanager:GetAssessmentFramework, auditmanager:ListAssessmentFrameworks
aws:auditmanager:control	auditmanager:GetControl, auditmanager:ListControls
aws:autoscaling:group	autoscaling:DescribeAutoScalingGroups
aws:autoscaling:launchconfiguration	autoscaling:DescribeLaunchConfigurations
aws:autoscaling:policy	autoscaling:DescribePolicies
aws:autoscaling:scheduled-action	autoscaling:DescribeScheduledActions
aws:b2bi:capability	b2bi:GetCapability, b2bi:ListCapabilities
aws:b2bi:partnership	b2bi:GetPartnership, b2bi:GetProfile, b2bi:ListPartnerships, b2bi:ListProfiles
aws:b2bi:profile	b2bi:GetProfile, b2bi:ListProfiles
aws:b2bi:transformer	b2bi:GetTransformer, b2bi:ListTransformers
aws:backup-gateway:gateway	backup-gateway:GetGateway, backup-gateway:ListGateways
aws:backup-gateway:hypervisor	backup-gateway:GetHypervisor, backup-gateway:ListHypervisors
aws:backup-gateway:virtual-machine	backup-gateway:GetVirtualMachine, backup-gateway:ListVirtualMachines
aws:backup:framework	backup:DescribeFramework, backup:ListFrameworks
aws:backup:legalhold	backup:GetLegalHold, backup:ListLegalHolds
aws:backup:plan	backup:ListBackupPlans
aws:backup:protected-resource	backup:ListProtectedResources
aws:backup:recoverypoint	backup:ListBackupVaults, backup:ListRecoveryPointsByBackupVault
aws:backup:vault	backup:ListBackupVaults
aws:batch:compute-environment	batch:DescribeComputeEnvironments
aws:batch:job-definition	batch:DescribeJobDefinitions
aws:batch:job-queue	batch:DescribeJobQueues
aws:batch:scheduling-policy	batch:DescribeSchedulingPolicies, batch:ListSchedulingPolicies
aws:bedrock:agent	bedrock:GetAgent, bedrock:ListAgentCollaborators, bedrock:ListAgentVersions, bedrock:ListAgents
aws:bedrock:agent-action-group	bedrock:GetAgentActionGroup, bedrock:ListAgentActionGroups, bedrock:ListAgents
aws:bedrock:agent-alias	bedrock:GetAgentAlias, bedrock:ListAgentAliases, bedrock:ListAgents
aws:bedrock:application-inference-profile	bedrock:GetInferenceProfile, bedrock:ListInferenceProfiles
aws:bedrock:async-invoke	bedrock:GetAsyncInvoke, bedrock:ListAsyncInvokes
aws:bedrock:blueprint	bedrock:GetBlueprint, bedrock:ListBlueprints
aws:bedrock:custom-model	bedrock:GetCustomModel, bedrock:ListCustomModels
aws:bedrock:data-source	bedrock:GetDataSource, bedrock:GetKnowledgeBase, bedrock:ListDataSources, bedrock:ListKnowledgeBaseDocuments, bedrock:ListKnowledgeBases
aws:bedrock:evaluation-job	bedrock:GetEvaluationJob, bedrock:ListEvaluationJobs
aws:bedrock:flow	bedrock:GetFlow, bedrock:GetFlowVersion, bedrock:ListFlows
aws:bedrock:flow-alias	bedrock:GetFlowAlias, bedrock:ListFlowAliases, bedrock:ListFlows
aws:bedrock:foundationmodel	bedrock:GetFoundationModel, bedrock:ListFoundationModels
aws:bedrock:guardrail	bedrock:GetGuardrail, bedrock:ListGuardrails
aws:bedrock:imported-model	bedrock:GetImportedModel, bedrock:ListImportedModels
aws:bedrock:ingestion-job	bedrock:GetDataSource, bedrock:GetIngestionJob, bedrock:GetKnowledgeBase, bedrock:ListDataSources, bedrock:ListIngestionJobs, bedrock:ListKnowledgeBases
aws:bedrock:knowledge-base	bedrock:GetKnowledgeBase, bedrock:ListKnowledgeBases
aws:bedrock:marketplace-model-endpoint	bedrock:GetMarketplaceModelEndpoint, bedrock:ListMarketplaceModelEndpoints
aws:bedrock:model-copy-job	bedrock:GetModelCopyJob, bedrock:ListModelCopyJobs
aws:bedrock:model-customization-job	bedrock:GetModelCustomizationJob, bedrock:ListModelCustomizationJobs
aws:bedrock:model-invocation-job	bedrock:GetModelInvocationJob, bedrock:ListModelInvocationJobs
aws:bedrock:prompt	bedrock:GetPrompt, bedrock:ListPrompts
aws:bedrock:prompt-router	bedrock:ListPromptRouters
aws:bedrock:provisioned-model-throughput	bedrock:ListProvisionedModelThroughputs
aws:bedrock:settings	bedrock:GetModelInvocationLoggingConfiguration
aws:bedrock:system-defined-inference-profile	bedrock:GetInferenceProfile, bedrock:ListInferenceProfiles
aws:cloudformation:generatedtemplate	cloudformation:DescribeGeneratedTemplate, cloudformation:ListGeneratedTemplates
aws:cloudformation:resourcescan	cloudformation:DescribeResourceScan, cloudformation:ListResourceScans
aws:cloudformation:stack	cloudformation:DescribeStacks, cloudformation:ListStacks
aws:cloudformation:stackset	cloudformation:ListStackSets
aws:cloudformation:type	cloudformation:ListTypes
aws:cloudfront:anycast-ip-list	cloudfront:GetAnycastIpList, cloudfront:ListAnycastIpLists
aws:cloudfront:cache-policy	cloudfront:GetCachePolicy, cloudfront:ListCachePolicies
aws:cloudfront:continuous-deployment-policy	cloudfront:GetContinuousDeploymentPolicy, cloudfront:ListContinuousDeploymentPolicies
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:cloudfront:field-level-encryption-config	cloudfront:GetFieldLevelEncryptionConfig, cloudfront:ListFieldLevelEncryptionConfigs
aws:cloudfront:field-level-encryption-profile	cloudfront:GetFieldLevelEncryptionProfile, cloudfront:ListFieldLevelEncryptionProfiles
aws:cloudfront:function	cloudfront:ListFunctions
aws:cloudfront:keygroup	cloudfront:ListKeyGroups
aws:cloudfront:managed-cache-policy	cloudfront:GetCachePolicy, cloudfront:ListCachePolicies
aws:cloudfront:managed-origin-request-policy	cloudfront:GetOriginRequestPolicy, cloudfront:ListOriginRequestPolicies
aws:cloudfront:managed-response-headers-policy	cloudfront:GetResponseHeadersPolicy, cloudfront:ListResponseHeadersPolicies
aws:cloudfront:origin-request-policy	cloudfront:GetOriginRequestPolicy, cloudfront:ListOriginRequestPolicies
aws:cloudfront:originaccesscontrol	cloudfront:ListOriginAccessControls
aws:cloudfront:publickey	cloudfront:ListPublicKeys
aws:cloudfront:realtime-log-config	cloudfront:ListRealtimeLogConfigs
aws:cloudfront:response-headers-policy	cloudfront:GetResponseHeadersPolicy, cloudfront:ListResponseHeadersPolicies
aws:cloudfront:streaming-distribution	cloudfront:GetStreamingDistribution, cloudfront:ListStreamingDistributions
aws:cloudfront:vpc-origin	cloudfront:GetVpcOrigin, cloudfront:ListVpcOrigins
aws:cloudhsm:backup	cloudhsm:DescribeBackups
aws:cloudhsm:cluster	cloudhsm:DescribeClusters
aws:cloudtrail:trail	cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus
aws:cloudwatch:metricalarm	cloudwatch:DescribeAlarms
aws:cloudwatchlogs:log-group	logs:DescribeLogGroups, logs:DescribeSubscriptionFilters
aws:cloudwatchlogs:metricfilter	logs:DescribeMetricFilters
aws:codeartifact:domain	codeartifact:DescribeDomain, codeartifact:ListDomains
aws:codeartifact:package	codeartifact:ListPackages, codeartifact:ListRepositories
aws:codeartifact:package-group	codeartifact:DescribePackageGroup, codeartifact:ListDomains, codeartifact:ListPackageGroups
aws:codeartifact:repository	codeartifact:DescribeRepository, codeartifact:ListRepositories
aws:codebuild:project	codebuild:BatchGetProjects, codebuild:ListProjects
aws:codebuild:source-credentials	codebuild:ListSourceCredentials
aws:codedeploy:application	codedeploy:BatchGetApplications, codedeploy:ListApplications
aws:codedeploy:deployment-config	codedeploy:GetDeploymentConfig, codedeploy:ListDeploymentConfigs
aws:codeguru-profiler:finding	codeguru-profiler:ListFindingsReports, codeguru-profiler:ListProfilingGroups
aws:codeguru-profiler:profilinggroup	codeguru-profiler:ListProfilingGroups
aws:codeguru-reviewer:association	codeguru-reviewer:ListRepositoryAssociations
aws:codeguru-reviewer:codereview	codeguru-reviewer:ListCodeReviews
aws:codepipeline:actiontype	codepipeline:GetActionType, codepipeline:ListActionTypes
aws:codepipeline:pipeline	codepipeline:GetPipeline, codepipeline:ListPipelines
aws:codepipeline:webhook	codepipeline:ListWebhooks
aws:cognitoidentity:identitypool	cognito-identity:DescribeIdentityPool, cognito-identity:GetIdentityPoolRoles, cognito-identity:ListIdentityPools
aws:cognitoidentityprovider:userpool	cognito-idp:DescribeUserPool, cognito-idp:ListIdentityProviders, cognito-idp:ListUserPools
aws:comprehend:document-classification-job	comprehend:ListDocumentClassificationJobs
aws:comprehend:document-classifier	comprehend:ListDocumentClassifiers
aws:comprehend:dominant-language-detection-job	comprehend:ListDominantLanguageDetectionJobs
aws:comprehend:endpoint	comprehend:ListEndpoints
aws:comprehend:entities-detection-job	comprehend:ListEntitiesDetectionJobs
aws:comprehend:entity-recognizer	comprehend:ListEntityRecognizers
aws:comprehend:events-detection-job	comprehend:ListEventsDetectionJobs
aws:comprehend:flywheel	comprehend:DescribeFlywheel, comprehend:ListFlywheels
aws:comprehend:flywheel-dataset	comprehend:DescribeFlywheel, comprehend:ListDatasets, comprehend:ListFlywheels
aws:comprehend:key-phrases-detection-job	comprehend:ListKeyPhrasesDetectionJobs
aws:comprehend:pii-entities-detection-job	comprehend:ListPiiEntitiesDetectionJobs
aws:comprehend:sentiment-detection-job	comprehend:ListSentimentDetectionJobs
aws:comprehend:targeted-sentiment-detection-job	comprehend:ListTargetedSentimentDetectionJobs
aws:comprehend:topics-detection-job	comprehend:ListTopicsDetectionJobs
aws:configservice:recorder	config:DescribeConfigurationRecorders
aws:configservice:recorderstatus	config:DescribeConfigurationRecorderStatus
aws:connect:agent-status	connect:DescribeAgentStatus, connect:DescribeInstance, connect:ListAgentStatuses, connect:ListInstances
aws:connect:authentication-profile	connect:DescribeAuthenticationProfile, connect:DescribeInstance, connect:ListAuthenticationProfiles, connect:ListInstances
aws:connect:contact-flow	connect:DescribeContactFlow, connect:DescribeInstance, connect:ListContactFlows, connect:ListInstances
aws:connect:contact-flow-module	connect:DescribeContactFlowModule, connect:DescribeInstance, connect:ListContactFlowModules, connect:ListInstances
aws:connect:hours-of-operation	connect:DescribeHoursOfOperation, connect:DescribeInstance, connect:ListHoursOfOperations, connect:ListInstances
aws:connect:instance	connect:DescribeInstance, connect:ListInstances
aws:connect:integration-association	connect:DescribeInstance, connect:ListInstances, connect:ListIntegrationAssociations
aws:connect:queue	connect:DescribeInstance, connect:DescribeQueue, connect:ListInstances, connect:ListQueues
aws:connect:quick-connect	connect:DescribeInstance, connect:DescribeQuickConnect, connect:ListInstances, connect:ListQuickConnects
aws:connect:routing-profile	connect:DescribeInstance, connect:DescribeRoutingProfile, connect:ListInstances, connect:ListRoutingProfiles
aws:connect:security-profile	connect:DescribeInstance, connect:DescribeSecurityProfile, connect:ListInstances, connect:ListSecurityProfiles
aws:connect:user	connect:DescribeInstance, connect:DescribeUser, connect:ListInstances, connect:ListUsers
aws:controltower:enabled-baseline	controltower:ListEnabledBaselines
aws:controltower:enabled-control	controltower:ListEnabledControls
aws:controltower:landing-zone	controltower:GetLandingZone, controltower:ListLandingZones
aws:costexplorer:anomalymonitor	ce:GetAnomalyMonitors
aws:costexplorer:anomalysubscription	ce:GetAnomalySubscriptions
aws:costexplorer:costcategory	ce:DescribeCostCategoryDefinition, ce:GetCostCategories
aws:databrew:dataset	databrew:ListDatasets
aws:databrew:job	databrew:ListJobs
aws:databrew:project	databrew:ListProjects
aws:databrew:recipe	databrew:ListRecipes
aws:databrew:ruleset	databrew:ListRulesets
aws:databrew:schedule	databrew:ListSchedules
aws:datasync:agent	datasync:DescribeAgent, datasync:ListAgents
aws:datasync:location-efs	datasync:DescribeLocationEfs, datasync:ListLocations
aws:datasync:location-fsx-lustre	datasync:DescribeLocationFsxLustre, datasync:ListLocations
aws:datasync:location-fsx-ontap	datasync:DescribeLocationFsxOntap, datasync:ListLocations
aws:datasync:location-fsx-openzfs	datasync:DescribeLocationFsxOpenZfs, datasync:ListLocations
aws:datasync:location-fsx-windows	datasync:DescribeLocationFsxWindows, datasync:ListLocations
aws:datasync:location-hdfs	datasync:DescribeLocationHdfs, datasync:ListLocations
aws:datasync:location-nfs	datasync:DescribeLocationNfs, datasync:ListLocations
aws:datasync:location-objectstorage	datasync:DescribeLocationObjectStorage, datasync:ListLocations
aws:datasync:location-s3	datasync:DescribeLocationS3, datasync:ListLocations
aws:datasync:location-smb	datasync:DescribeLocationSmb, datasync:ListLocations
aws:datasync:task	datasync:DescribeTask, datasync:ListTasks
aws:datazone:domain	datazone:GetDomain, datazone:ListDomains
aws:dax:cluster	dax:DescribeClusters
aws:deadline:budget	deadline:GetBudget, deadline:ListBudgets, deadline:ListFarms
aws:deadline:farm	deadline:ListFarms
aws:deadline:fleet	deadline:ListFarms, deadline:ListFleets
aws:deadline:license-endpoint	deadline:GetLicenseEndpoint, deadline:ListLicenseEndpoints
aws:deadline:monitor	deadline:ListMonitors
aws:deadline:queue	deadline:GetQueue, deadline:ListFarms, deadline:ListQueues
aws:deadline:worker	deadline:ListFarms, deadline:ListFleets, deadline:ListWorkers
aws:detective:graph	detective:ListGraphs
aws:devicefarm:device	devicefarm:ListDevices, devicefarm:ListProjects
aws:devicefarm:deviceinstance	devicefarm:ListDeviceInstances
aws:devicefarm:devicepool	devicefarm:ListDevicePools, devicefarm:ListProjects
aws:devicefarm:instanceprofile	devicefarm:ListInstanceProfiles
aws:devicefarm:networkprofile	devicefarm:ListNetworkProfiles, devicefarm:ListProjects
aws:devicefarm:project	devicefarm:ListProjects
aws:devicefarm:session	devicefarm:ListProjects, devicefarm:ListRemoteAccessSessions
aws:devicefarm:testgrid-project	devicefarm:ListTestGridProjects
aws:devicefarm:testgrid-session	devicefarm:ListTestGridProjects, devicefarm:ListTestGridSessions
aws:devicefarm:upload	devicefarm:GetUpload, devicefarm:ListProjects, devicefarm:ListUploads
aws:devicefarm:vpceconfiguration	devicefarm:ListVPCEConfigurations
aws:directconnect:connection	directconnect:DescribeConnections
aws:directconnect:gateway	directconnect:DescribeDirectConnectGatewayAssociations, directconnect:DescribeDirectConnectGateways
aws:directconnect:virtualinterface	directconnect:DescribeVirtualInterfaces
aws:dlm:policy	dlm:GetLifecyclePolicies, dlm:GetLifecyclePolicy
aws:dms:certificate	dms:DescribeCertificates
aws:dms:data-migration	dms:DescribeDataMigrations
aws:dms:data-provider	dms:DescribeDataProviders
aws:dms:endpoint	dms:DescribeEndpoints
aws:dms:event-subscription	dms:DescribeEventSubscriptions
aws:dms:instance-profile	dms:DescribeInstanceProfiles
aws:dms:migration-project	dms:DescribeMigrationProjects
aws:dms:replication-config	dms:DescribeReplicationConfigs
aws:dms:replication-subnet-group	dms:DescribeReplicationSubnetGroups
aws:dms:replicationinstance	dms:DescribeReplicationInstances
aws:dms:replicationtask	dms:DescribeReplicationTasks
aws:docdb:cluster	rds:DescribeDBClusters
aws:docdb:clustersnapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots, rds:DescribeDBClusters
aws:docdb:dbinstance	rds:DescribeDBInstances
aws:docdbelastic:cluster	docdb-elastic:GetCluster, docdb-elastic:ListClusters
aws:docdbelastic:cluster-snapshot	docdb-elastic:GetClusterSnapshot, docdb-elastic:ListClusterSnapshots
aws:drs:job	drs:DescribeJobs
aws:drs:launch-configuration-template	drs:DescribeLaunchConfigurationTemplates
aws:drs:recovery-instance	drs:DescribeRecoveryInstances
aws:drs:replication-configuration-template	drs:DescribeReplicationConfigurationTemplates
aws:drs:source-network	drs:DescribeSourceNetworks
aws:drs:source-server	drs:DescribeSourceServers
aws:ds:directory	ds:DescribeDirectories
aws:dsql:cluster	dsql:GetCluster, dsql:ListClusters
aws:dynamodb:backup	dynamodb:DescribeBackup, dynamodb:ListBackups
aws:dynamodb:export	dynamodb:DescribeExport, dynamodb:ListExports
aws:dynamodb:global-table	dynamodb:DescribeGlobalTable, dynamodb:ListGlobalTables
aws:dynamodb:stream	dynamodb:DescribeStream, dynamodb:ListStreams
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:ec2:availabilityzone	ec2:DescribeAvailabilityZones
aws:ec2:awsmanagedprefixlist	ec2:DescribeManagedPrefixLists, ec2:GetManagedPrefixListEntries
aws:ec2:capacityreservation	ec2:DescribeCapacityReservations
aws:ec2:capacityreservationfleet	ec2:DescribeCapacityReservationFleets
aws:ec2:carriergateway	ec2:DescribeCarrierGateways
aws:ec2:client-vpn-endpoint	ec2:DescribeClientVpnEndpoints
aws:ec2:co-ip-pool	ec2:DescribeCoipPools
aws:ec2:customergateway	ec2:DescribeCustomerGateways
aws:ec2:customermanagedprefixlist	ec2:DescribeManagedPrefixLists, ec2:GetManagedPrefixListEntries
aws:ec2:dedicatedhost	ec2:DescribeHosts
aws:ec2:dhcpoptions	ec2:DescribeDhcpOptions
aws:ec2:ebs-encryption-by-default	ec2:GetEbsEncryptionByDefault
aws:ec2:egressonlyinternetgateway	ec2:DescribeEgressOnlyInternetGateways
aws:ec2:elasticip	ec2:DescribeAddresses
aws:ec2:fleet	ec2:DescribeFleets
aws:ec2:fpga-image	ec2:DescribeFpgaImages
aws:ec2:image	ec2:DescribeImageAttribute, ec2:DescribeImages
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:instance-event-window	ec2:DescribeInstanceEventWindows
aws:ec2:instanceconnectendpoint	ec2:DescribeInstanceConnectEndpoints
aws:ec2:instancetype	ec2:DescribeInstanceTypes
aws:ec2:ipam	ec2:DescribeIpams
aws:ec2:ipam-external-resource-verification-token	ec2:DescribeIpamExternalResourceVerificationTokens
aws:ec2:ipam-pool	ec2:DescribeIpamPools
aws:ec2:ipam-resource-discovery	ec2:DescribeIpamResourceDiscoveries
aws:ec2:ipam-resource-discovery-association	ec2:DescribeIpamResourceDiscoveryAssociations
aws:ec2:ipam-scope	ec2:DescribeIpamScopes
aws:ec2:ipv6pool-ec2	ec2:DescribeIpv6Pools
aws:ec2:keypair	ec2:DescribeKeyPairs
aws:ec2:launchtemplate	ec2:DescribeLaunchTemplates
aws:ec2:launchtemplateversion	ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates
aws:ec2:local-gateway	ec2:DescribeLocalGateways
aws:ec2:local-gateway-route-table	ec2:DescribeLocalGatewayRouteTables
aws:ec2:local-gateway-route-table-vpc-association	ec2:DescribeLocalGatewayRouteTableVpcAssociations
aws:ec2:local-gateway-virtual-interface	ec2:DescribeLocalGatewayVirtualInterfaces
aws:ec2:local-gateway-virtual-interface-group	ec2:DescribeLocalGatewayVirtualInterfaceGroups
aws:ec2:networkacl	ec2:DescribeNetworkAcls
aws:ec2:networkinterface	ec2:DescribeNetworkInterfaces
aws:ec2:placementgroup	ec2:DescribePlacementGroups
aws:ec2:public-fpga-image	ec2:DescribeFpgaImages
aws:ec2:publicimage	ec2:DescribeImages
aws:ec2:region	ec2:DescribeRegions
aws:ec2:reservedinstance	ec2:DescribeReservedInstances
aws:ec2:routetable	ec2:DescribeRouteTables
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:securitygrouprule	ec2:DescribeSecurityGroupRules, ec2:DescribeSecurityGroups
aws:ec2:settings	ec2:DescribeVpcBlockPublicAccessExclusions, ec2:DescribeVpcBlockPublicAccessOptions, ec2:GetAllowedImagesSettings, ec2:GetEbsDefaultKmsKeyId, ec2:GetEbsEncryptionByDefault, ec2:GetImageBlockPublicAccessState, ec2:GetInstanceMetadataDefaults, ec2:GetSerialConsoleAccessStatus, ec2:GetSnapshotBlockPublicAccessState
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:spotfleetrequest	ec2:DescribeSpotFleetRequests
aws:ec2:spotinstancerequest	ec2:DescribeSpotInstanceRequests
aws:ec2:subnet	ec2:DescribeSubnets
aws:ec2:traffic-mirror-filter	ec2:DescribeTrafficMirrorFilters
aws:ec2:traffic-mirror-filter-rule	ec2:DescribeTrafficMirrorFilterRules, ec2:DescribeTrafficMirrorFilters
aws:ec2:traffic-mirror-session	ec2:DescribeTrafficMirrorSessions
aws:ec2:traffic-mirror-target	ec2:DescribeTrafficMirrorTargets
aws:ec2:transitgateway	ec2:DescribeTransitGateways
aws:ec2:transitgateway-routetable-announcement	ec2:DescribeTransitGatewayRouteTableAnnouncements
aws:ec2:transitgatewayattachment	ec2:DescribeTransitGatewayAttachments
aws:ec2:transitgatewayconnectpeer	ec2:DescribeTransitGatewayConnectPeers
aws:ec2:transitgatewaymulticastdomain	ec2:DescribeTransitGatewayMulticastDomains
aws:ec2:transitgatewaypeeringattachment	ec2:DescribeTransitGatewayPeeringAttachments
aws:ec2:transitgatewaypolicytable	ec2:DescribeTransitGatewayPolicyTables
aws:ec2:transitgatewayroutetable	ec2:DescribeTransitGatewayRouteTables, ec2:GetTransitGatewayPrefixListReferences, ec2:SearchTransitGatewayRoutes
aws:ec2:transitgatewayvpcattachment	ec2:DescribeTransitGatewayVpcAttachments
aws:ec2:verified-access-endpoint	ec2:DescribeVerifiedAccessEndpoints, ec2:GetVerifiedAccessEndpointPolicy, ec2:GetVerifiedAccessEndpointTargets
aws:ec2:verified-access-group	ec2:DescribeVerifiedAccessGroups, ec2:GetVerifiedAccessGroupPolicy
aws:ec2:verified-access-instance	ec2:DescribeVerifiedAccessInstances
aws:ec2:verified-access-trust-provider	ec2:DescribeVerifiedAccessTrustProviders
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpcendpoint-service	ec2:DescribeVpcEndpointServices
aws:ec2:vpcendpoint-service-permission	ec2:DescribeVpcEndpointServicePermissions, ec2:DescribeVpcEndpointServices
aws:ec2:vpcendpointconnectionnotification	ec2:DescribeVpcEndpointConnectionNotifications
aws:ec2:vpcflowlog	ec2:DescribeFlowLogs
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:vpcpeeringconnection	ec2:DescribeVpcPeeringConnections
aws:ec2:vpnconnection	ec2:DescribeVpnConnections
aws:ec2:vpngateway	ec2:DescribeVpnGateways
aws:ecr:image	ecr:DescribeImages, ecr:DescribeRepositories
aws:ecr:registry	ecr:DescribeRegistry, ecr:GetRegistryPolicy, ecr:GetRegistryScanningConfiguration
aws:ecr:repository	ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy
aws:ecrpublic:image	ecr-public:DescribeImages, ecr-public:DescribeRepositories
aws:ecrpublic:registry	ecr-public:DescribeRegistries
aws:ecrpublic:repository	ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy
aws:ecs:capacityprovider	ecs:DescribeCapacityProviders
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:ecs:instance	ecs:DescribeContainerInstances, ecs:ListClusters, ecs:ListContainerInstances
aws:ecs:service	ecs:DescribeServices, ecs:ListClusters, ecs:ListServices
aws:ecs:service-deployment	ecs:DescribeServiceDeployments, ecs:DescribeServices, ecs:ListClusters, ecs:ListServiceDeployments, ecs:ListServices
aws:ecs:task	ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:ecs:task-definition	ecs:DescribeServices, ecs:DescribeTaskDefinition, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:efs:accesspoint	elasticfilesystem:DescribeAccessPoints
aws:efs:filesystem	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration
aws:efs:mounttarget	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargetSecurityGroups, elasticfilesystem:DescribeMountTargets
aws:eks:access-entry	eks:DescribeAccessEntry, eks:DescribeCluster, eks:ListAccessEntries, eks:ListClusters
aws:eks:access-policy	eks:DescribeAccessEntry, eks:DescribeCluster, eks:ListAccessEntries, eks:ListAssociatedAccessPolicies, eks:ListClusters
aws:eks:addon	eks:DescribeAddon, eks:DescribeCluster, eks:ListAddons, eks:ListClusters
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:eks:eks-anywhere-subscription	eks:ListEksAnywhereSubscriptions
aws:eks:fargateprofile	eks:DescribeCluster, eks:DescribeFargateProfile, eks:ListClusters, eks:ListFargateProfiles
aws:eks:identityproviderconfig	eks:DescribeCluster, eks:DescribeIdentityProviderConfig, eks:ListClusters, eks:ListIdentityProviderConfigs
aws:eks:insight	eks:DescribeCluster, eks:DescribeInsight, eks:ListClusters, eks:ListInsights
aws:eks:nodegroup	eks:DescribeCluster, eks:DescribeNodeGroup, eks:ListClusters, eks:ListNodeGroups
aws:eks:podidentityassociation	eks:DescribeCluster, eks:DescribePodIdentityAssociation, eks:ListClusters, eks:ListPodIdentityAssociations
aws:eks:update	eks:DescribeCluster, eks:DescribeUpdate, eks:ListClusters, eks:ListUpdates
aws:elasticache:cachesubnetgroup	elasticache:DescribeCacheSubnetGroups
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticache:global-replicationgroup	elasticache:DescribeGlobalReplicationGroups
aws:elasticache:parametergroup	elasticache:DescribeCacheParameterGroups
aws:elasticache:replicationgroup	elasticache:DescribeReplicationGroups
aws:elasticache:reserved-instance	elasticache:DescribeReservedCacheNodes
aws:elasticache:securitygroup	elasticache:DescribeCacheSecurityGroups
aws:elasticache:serverless-cache	elasticache:DescribeServerlessCaches
aws:elasticache:serverless-cache-snapshot	elasticache:DescribeServerlessCacheSnapshots
aws:elasticache:snapshot	elasticache:DescribeSnapshots
aws:elasticache:user	elasticache:DescribeUsers
aws:elasticache:usergroup	elasticache:DescribeUserGroups
aws:elasticbeanstalk:environment	elasticbeanstalk:DescribeConfigurationSettings, elasticbeanstalk:DescribeEnvironments
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:listener-rule	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeRules
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:targetgroup	elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth
aws:elasticloadbalancingv2:truststore	elasticloadbalancing:DescribeTrustStores
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:emr:cluster	elasticmapreduce:DescribeCluster, elasticmapreduce:GetAutoTerminationPolicy, elasticmapreduce:GetManagedScalingPolicy, elasticmapreduce:ListClusters
aws:emr:instance	elasticmapreduce:ListClusters, elasticmapreduce:ListInstances
aws:emr:instance-fleet	elasticmapreduce:DescribeCluster, elasticmapreduce:ListClusters, elasticmapreduce:ListInstanceFleets
aws:emr:instance-group	elasticmapreduce:DescribeCluster, elasticmapreduce:ListClusters, elasticmapreduce:ListInstanceGroups
aws:emr:security-configuration	elasticmapreduce:DescribeSecurityConfiguration, elasticmapreduce:ListSecurityConfigurations
aws:emr:settings	elasticmapreduce:GetBlockPublicAccessConfiguration
aws:emrcontainers:managed-endpoint	emr-containers:ListManagedEndpoints, emr-containers:ListVirtualClusters
aws:emrcontainers:security-configuration	emr-containers:ListSecurityConfigurations
aws:emrcontainers:virtual-cluster	emr-containers:ListVirtualClusters
aws:emrserverless:application	emr-serverless:GetApplication, emr-serverless:ListApplications
aws:eventbridge:api-destination	events:ListApiDestinations, events:ListConnections
aws:eventbridge:archive	events:ListArchives, events:ListEventBuses
aws:eventbridge:connection	events:ListConnections
aws:eventbridge:endpoint	events:ListEndpoints
aws:eventbridge:event-source	events:ListEventSources
aws:eventbridge:eventbus	events:ListEventBuses, events:ListRules
aws:eventbridge:replay	events:ListReplays
aws:eventbridge:rule	events:ListEventBuses, events:ListRules
aws:eventbridge:ruletarget	events:ListEventBuses, events:ListRules, events:ListTargetsByRule
aws:firehose:delivery-stream	firehose:DescribeDeliveryStream, firehose:ListDeliveryStreams
aws:frauddetector:batch-import-job	frauddetector:GetBatchImportJobs
aws:frauddetector:batch-prediction-job	frauddetector:GetBatchPredictionJobs
aws:frauddetector:detector	frauddetector:GetDetectors
aws:frauddetector:detector-version	frauddetector:DescribeDetector, frauddetector:GetDetectorVersion, frauddetector:GetDetectors
aws:frauddetector:entity-type	frauddetector:GetEntityTypes
aws:frauddetector:event-type	frauddetector:GetEventTypes
aws:frauddetector:external-model	frauddetector:GetExternalModels
aws:frauddetector:label	frauddetector:GetLabels
aws:frauddetector:list	frauddetector:GetListsMetadata
aws:frauddetector:model	frauddetector:GetModels
aws:frauddetector:model-version	frauddetector:DescribeModelVersions
aws:frauddetector:outcome	frauddetector:GetOutcomes
aws:frauddetector:rule	frauddetector:GetDetectors, frauddetector:GetRules
aws:frauddetector:variable	frauddetector:GetVariables
aws:fsx:association	fsx:DescribeDataRepositoryAssociations
aws:fsx:backup	fsx:DescribeBackups
aws:fsx:file-cache	fsx:DescribeFileCaches
aws:fsx:file-system	fsx:DescribeFileSystems
aws:fsx:snapshot	fsx:DescribeSnapshots
aws:fsx:storage-virtual-machine	fsx:DescribeStorageVirtualMachines
aws:fsx:task	fsx:DescribeDataRepositoryTasks
aws:fsx:volume	fsx:DescribeVolumes
aws:gamelift:alias	gamelift:ListAliases
aws:gamelift:build	gamelift:ListBuilds
aws:gamelift:container-fleet	gamelift:ListContainerFleets
aws:gamelift:container-group-definition	gamelift:ListContainerGroupDefinitions
aws:gamelift:game-server-group	gamelift:ListGameServerGroups
aws:gamelift:game-session-queue	gamelift:DescribeGameSessionQueues
aws:gamelift:location	gamelift:ListLocations
aws:gamelift:matchmaking-configuration	gamelift:DescribeMatchmakingConfigurations
aws:gamelift:matchmaking-rule-set	gamelift:DescribeMatchmakingRuleSets
aws:gamelift:script	gamelift:ListScripts
aws:glacier:vault	glacier:GetVaultNotifications, glacier:ListVaults
aws:globalaccelerator:accelerator	globalaccelerator:ListAccelerators
aws:globalaccelerator:endpointgroup	globalaccelerator:ListAccelerators, globalaccelerator:ListEndpointGroups, globalaccelerator:ListListeners
aws:globalaccelerator:listener	globalaccelerator:ListAccelerators, globalaccelerator:ListListeners
aws:glue:registry	glue:ListRegistries
aws:grafana:workspace	grafana:DescribeWorkspace, grafana:ListWorkspaces
aws:greengrass:bulk-deployment	greengrass:GetBulkDeploymentStatus, greengrass:ListBulkDeployments
aws:greengrass:component	greengrass:GetComponent, greengrass:ListComponents
aws:greengrass:connectivity-info	greengrass:GetConnectivityInfo, greengrass:ListCoreDevices
aws:greengrass:connector-definition	greengrass:ListConnectorDefinitions
aws:greengrass:core-definition	greengrass:ListCoreDefinitions
aws:greengrass:core-device	greengrass:GetCoreDevice, greengrass:ListCoreDevices
aws:greengrass:deployment	greengrass:ListDeployments, greengrass:ListGroups
aws:greengrass:device-definition	greengrass:ListDeviceDefinitions
aws:greengrass:function-definition	greengrass:ListFunctionDefinitions
aws:greengrass:group	greengrass:GetGroup, greengrass:ListGroups
aws:greengrass:logger-definition	greengrass:ListLoggerDefinitions
aws:greengrass:resource-definition	greengrass:ListResourceDefinitions
aws:greengrass:subscription-definition	greengrass:ListSubscriptionDefinitions
aws:guardduty:detector	guardduty:GetCoverageStatistics, guardduty:GetDetector, guardduty:ListDetectors
aws:guardduty:filter	guardduty:GetFilter, guardduty:ListDetectors, guardduty:ListFilters
aws:guardduty:ipset	guardduty:GetIPSet, guardduty:ListDetectors, guardduty:ListIPSets
aws:guardduty:malwareprotectionplan	guardduty:GetMalwareProtectionPlan, guardduty:ListMalwareProtectionPlans
aws:guardduty:publishingdestination	guardduty:DescribePublishingDestination, guardduty:ListDetectors, guardduty:ListPublishingDestinations
aws:guardduty:settings	guardduty:GetAdministratorAccount, guardduty:GetMalwareScanSettings, guardduty:GetMasterAccount, guardduty:ListDetectors
aws:guardduty:threatintelset	guardduty:GetThreatIntelSet, guardduty:ListDetectors, guardduty:ListThreatIntelSets
aws:health:settings	health:DescribeHealthServiceStatusForOrganization, organizations:DescribeOrganization
aws:healthlake:datastore	healthlake:ListFHIRDatastores
aws:iam:accesskeymetadata	iam:GetUser, iam:ListAccessKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:account	iam:GetAccountPasswordPolicy, iam:GetAccountSummary, organizations:DescribeOrganization
aws:iam:aws-managed-policy	iam:GetPolicyVersion, iam:ListPolicies
aws:iam:credentialreport	iam:GenerateCredentialReport, iam:GetCredentialReport
aws:iam:group	iam:GetGroup, iam:ListAttachedGroupPolicies, iam:ListGroups
aws:iam:groupinlinepolicy	iam:GetGroupPolicy, iam:ListGroupPolicies, iam:ListGroups
aws:iam:instanceprofile	iam:GetInstanceProfile, iam:ListInstanceProfiles
aws:iam:open-id-connect-provider	iam:GetOpenIDConnectProvider, iam:ListOpenIDConnectProviders
aws:iam:policy	iam:GetPolicy, iam:GetPolicyVersion, iam:ListPolicies
aws:iam:role	iam:GetAccountAuthorizationDetails, iam:GetRole, iam:ListAttachedRolePolicies
aws:iam:roleinlinepolicy	iam:GetAccountAuthorizationDetails, iam:GetRole, iam:GetRolePolicy, iam:ListRolePolicies
aws:iam:saml-provider	iam:GetSAMLProvider, iam:ListSAMLProviders
aws:iam:server-certificate	iam:ListServerCertificates
aws:iam:service-specific-credential	iam:ListServiceSpecificCredentials
aws:iam:user	iam:GetLoginProfile, iam:GetUser, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListSSHPublicKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:userinlinepolicy	iam:GetUser, iam:GetUserPolicy, iam:ListUserPolicies, iam:ListUsers, iam:ListVirtualMFADevices
aws:iam:virtualmfadevice	iam:ListUsers, iam:ListVirtualMFADevices
aws:identitystore:group	identitystore:ListGroups, organizations:DescribeOrganization, sso:ListInstances
aws:identitystore:user	identitystore:ListGroupMembershipsForMember, identitystore:ListUsers, organizations:DescribeOrganization, sso:ListInstances
aws:imagebuilder:component-version	imagebuilder:ListComponents
aws:imagebuilder:container-recipe	imagebuilder:GetContainerRecipe, imagebuilder:ListContainerRecipes
aws:imagebuilder:distribution-configuration	imagebuilder:GetDistributionConfiguration, imagebuilder:ListDistributionConfigurations
aws:imagebuilder:image-pipeline	imagebuilder:ListImagePipelines
aws:imagebuilder:image-recipe	imagebuilder:GetImageRecipe, imagebuilder:ListImageRecipes
aws:imagebuilder:image-version	imagebuilder:ListImages
aws:imagebuilder:infrastructure-configuration	imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListInfrastructureConfigurations
aws:imagebuilder:lifecycle-policy	imagebuilder:GetLifecyclePolicy, imagebuilder:ListLifecyclePolicies
aws:imagebuilder:public-component	imagebuilder:ListComponents
aws:imagebuilder:public-container-recipe	imagebuilder:GetContainerRecipe, imagebuilder:ListContainerRecipes
aws:imagebuilder:public-image	imagebuilder:ListImages
aws:imagebuilder:public-image-recipe	imagebuilder:GetImageRecipe, imagebuilder:ListImageRecipes
aws:imagebuilder:public-workflow	imagebuilder:GetWorkflow, imagebuilder:ListWorkflows
aws:imagebuilder:workflow	imagebuilder:GetWorkflow, imagebuilder:ListWorkflows
aws:inspector2:coveredresource	inspector2:ListCoverage
aws:iot:authorizer	iot:DescribeAuthorizer, iot:ListAuthorizers
aws:iot:cert	iot:DescribeCertificate, iot:ListCertificates
aws:iot:certificateprovider	iot:DescribeCertificateProvider, iot:ListCertificateProviders
aws:iot:dimension	iot:DescribeDimension, iot:ListDimensions
aws:iot:domainconfiguration	iot:DescribeDomainConfiguration, iot:ListDomainConfigurations
aws:iot:fleetmetric	iot:DescribeFleetMetric, iot:ListFleetMetrics
aws:iot:job	iot:DescribeJob, iot:ListJobs
aws:iot:jobtemplate	iot:DescribeJobTemplate, iot:ListJobTemplates
aws:iot:policy	iot:GetPolicy, iot:ListPolicies
aws:iot:provisioningtemplate	iot:DescribeProvisioningTemplate, iot:ListProvisioningTemplates
aws:iot:rolealias	iot:DescribeRoleAlias, iot:ListRoleAliases
aws:iot:securityprofile	iot:DescribeSecurityProfile, iot:ListSecurityProfiles
aws:iot:stream	iot:DescribeStream, iot:ListStreams
aws:iot:thing	iot:DescribeThing, iot:ListThings
aws:iot:thinggroup	iot:DescribeThingGroup, iot:ListThingGroups
aws:iot:thingtype	iot:DescribeThingType, iot:ListThingTypes
aws:iot:tunnel	iot:DescribeTunnel, iot:ListTunnels
aws:iotfleetwise:campaign	iotfleetwise:GetCampaign, iotfleetwise:ListCampaigns
aws:iotfleetwise:decoder-manifest	iotfleetwise:ListDecoderManifests
aws:iotfleetwise:fleet	iotfleetwise:ListFleets
aws:iotfleetwise:model-manifest	iotfleetwise:ListModelManifests
aws:iotfleetwise:signal-catalog	iotfleetwise:GetSignalCatalog, iotfleetwise:ListSignalCatalogs
aws:iotfleetwise:state-template	iotfleetwise:GetStateTemplate, iotfleetwise:ListStateTemplates
aws:iotfleetwise:vehicle	iotfleetwise:GetVehicle, iotfleetwise:ListVehicles
aws:iotsitewise:asset	iotsitewise:DescribeAsset, iotsitewise:DescribeAssetModel, iotsitewise:ListAssetModels, iotsitewise:ListAssets
aws:iotsitewise:asset-model	iotsitewise:DescribeAssetModel, iotsitewise:ListAssetModels
aws:iotsitewise:dashboard	iotsitewise:DescribeDashboard, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListDashboards, iotsitewise:ListPortals, iotsitewise:ListProjects
aws:iotsitewise:dataset	iotsitewise:DescribeDataset, iotsitewise:ListDatasets
aws:iotsitewise:gateway	iotsitewise:ListGateways
aws:iotsitewise:portal	iotsitewise:DescribePortal, iotsitewise:ListPortals
aws:iotsitewise:project	iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListPortals, iotsitewise:ListProjects
aws:iotsitewise:timeseries	iotsitewise:ListTimeSeries
aws:iottwinmaker:component-type	iottwinmaker:GetComponentType, iottwinmaker:GetWorkspace, iottwinmaker:ListComponentTypes, iottwinmaker:ListWorkspaces
aws:iottwinmaker:entity	iottwinmaker:GetEntity, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListWorkspaces
aws:iottwinmaker:scene	iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListScenes, iottwinmaker:ListWorkspaces
aws:iottwinmaker:workspace	iottwinmaker:GetWorkspace, iottwinmaker:ListWorkspaces
aws:iotwireless:destination	iotwireless:ListDestinations
aws:iotwireless:device-profile	iotwireless:GetDeviceProfile, iotwireless:ListDeviceProfiles
aws:iotwireless:gateway	iotwireless:GetWirelessGateway, iotwireless:ListWirelessGateways
aws:iotwireless:multicast-group	iotwireless:GetMulticastGroup, iotwireless:ListMulticastGroups
aws:iotwireless:network-analyzer-configuration	iotwireless:GetNetworkAnalyzerConfiguration, iotwireless:ListNetworkAnalyzerConfigurations
aws:iotwireless:service-profile	iotwireless:GetServiceProfile, iotwireless:ListServiceProfiles
aws:iotwireless:wireless-device	iotwireless:GetWirelessDevice, iotwireless:ListWirelessDevices
aws:ivs:channel	ivs:GetChannel, ivs:ListChannels
aws:ivs:composition	ivs:GetComposition, ivs:ListCompositions
aws:ivs:encoder-configuration	ivs:GetEncoderConfiguration, ivs:ListEncoderConfigurations
aws:ivs:ingest-configuration	ivs:GetIngestConfiguration, ivs:ListIngestConfigurations
aws:ivs:playback-key-pair	ivs:ListPlaybackKeyPairs
aws:ivs:playback-restriction-policy	ivs:ListPlaybackRestrictionPolicies
aws:ivs:public-key	ivs:GetPublicKey, ivs:ListPublicKeys
aws:ivs:recording-configuration	ivs:GetRecordingConfiguration, ivs:ListRecordingConfigurations
aws:ivs:stage	ivs:GetStage, ivs:ListStages
aws:ivs:storage-configuration	ivs:ListStorageConfigurations
aws:ivs:stream-key	ivs:GetChannel, ivs:ListChannels, ivs:ListStreamKeys
aws:ivschat:logging-configuration	ivschat:GetLoggingConfiguration, ivschat:ListLoggingConfigurations
aws:ivschat:room	ivschat:GetRoom, ivschat:ListRooms
aws:kafka:cluster	kafka:DescribeClusterV2, kafka:ListClustersV2
aws:kafka:configuration	kafka:ListConfigurations
aws:kafka:node	kafka:DescribeClusterV2, kafka:ListClustersV2, kafka:ListNodes
aws:kafka:replicator	kafka:DescribeReplicator, kafka:ListReplicators
aws:kafka:vpc-connection	kafka:DescribeVpcConnection, kafka:ListVpcConnections
aws:kafkaconnect:connector	kafkaconnect:DescribeConnector, kafkaconnect:ListConnectors
aws:kafkaconnect:connector-operation	kafkaconnect:DescribeConnector, kafkaconnect:DescribeConnectorOperation, kafkaconnect:ListConnectorOperations, kafkaconnect:ListConnectors
aws:kafkaconnect:custom-plugin	kafkaconnect:DescribeCustomPlugin, kafkaconnect:ListCustomPlugins
aws:kafkaconnect:worker-configuration	kafkaconnect:ListWorkerConfigurations
aws:keyspaces:keyspace	cassandra:Select
aws:keyspaces:table	cassandra:Select
aws:kinesis:stream	kinesis:DescribeStreamSummary, kinesis:ListStreams
aws:kinesisvideo:channel	kinesisvideo:ListSignalingChannels
aws:kinesisvideo:stream	kinesisvideo:ListStreams
aws:kms:alias	kms:GetKeyPolicy, kms:ListAliases
aws:kms:custom-key-store	kms:DescribeCustomKeyStores
aws:kms:key	kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys
aws:lakeformation:data-lake-settings	lakeformation:GetDataLakeSettings
aws:lakeformation:permissions	lakeformation:ListPermissions
aws:lambda:codesigningconfig	lambda:ListCodeSigningConfigs
aws:lambda:eventsourcemapping	lambda:ListEventSourceMappings, lambda:ListFunctions
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:lambda:layer	lambda:GetLayerVersionPolicy, lambda:ListLayers
aws:launchwizard:deployment	launchwizard:GetDeployment, launchwizard:ListDeployments
aws:lexv2:bot	lex:DescribeBot, lex:ListBots
aws:lightsail:alarm	lightsail:GetAlarms
aws:lightsail:bucket	lightsail:GetBuckets
aws:lightsail:certificate	lightsail:GetCertificates
aws:lightsail:container-service	lightsail:GetContainerServices
aws:lightsail:disk	lightsail:GetDisks
aws:lightsail:disk-snapshot	lightsail:GetDiskSnapshots
aws:lightsail:distribution	lightsail:GetDistributions
aws:lightsail:instance	lightsail:GetInstancePortStates, lightsail:GetInstances
aws:lightsail:loadbalancer	lightsail:GetLoadBalancers
aws:lightsail:relational-database	lightsail:GetRelationalDatabaseParameters, lightsail:GetRelationalDatabases
aws:lightsail:relational-database-snapshot	lightsail:GetRelationalDatabaseSnapshots
aws:lightsail:static-ip	lightsail:GetStaticIps
aws:location:api-key	geo:DescribeKey, geo:ListKeys
aws:location:geofence-collection	geo:DescribeGeofenceCollection, geo:ListGeofenceCollections
aws:location:map	geo:DescribeMap, geo:ListMaps
aws:location:place-index	geo:DescribePlaceIndex, geo:ListPlaceIndexes
aws:location:route-calculator	geo:DescribeRouteCalculator, geo:ListRouteCalculators
aws:location:tracker	geo:DescribeTracker, geo:ListTrackers
aws:m2:application	m2:GetApplication, m2:ListApplications
aws:m2:environment	m2:GetEnvironment, m2:ListEnvironments
aws:macie2:allow-list	macie2:GetAllowList, macie2:GetMacieSession, macie2:ListAllowLists
aws:macie2:custom-data-identifier	macie2:GetCustomDataIdentifier, macie2:GetMacieSession, macie2:ListCustomDataIdentifiers
aws:macie2:member	macie2:GetMacieSession, macie2:ListMembers
aws:macie2:settings	macie2:GetMacieSession
aws:managedblockchain:accessor	managedblockchain:GetAccessor, managedblockchain:ListAccessors
aws:managedblockchain:invitation	managedblockchain:ListInvitations
aws:managedblockchain:member	managedblockchain:GetMember, managedblockchain:ListMembers, managedblockchain:ListNetworks
aws:managedblockchain:network	managedblockchain:GetNetwork, managedblockchain:ListNetworks
aws:managedblockchain:node	managedblockchain:GetNode, managedblockchain:ListMembers, managedblockchain:ListNetworks, managedblockchain:ListNodes
aws:managedblockchain:proposal	managedblockchain:GetProposal, managedblockchain:ListNetworks, managedblockchain:ListProposals
aws:mediaconnect:bridge	mediaconnect:DescribeBridge, mediaconnect:ListBridges
aws:mediaconnect:entitlement	mediaconnect:ListEntitlements
aws:mediaconnect:flow	mediaconnect:DescribeFlow, mediaconnect:ListFlows
aws:mediaconnect:gateway	mediaconnect:DescribeGateway, mediaconnect:ListGateways
aws:mediaconnect:gatewayinstance	mediaconnect:DescribeGatewayInstance, mediaconnect:ListGatewayInstances
aws:medialive:channel	medialive:ListChannels
aws:medialive:channel-placement-group	medialive:ListChannelPlacementGroups, medialive:ListClusters
aws:medialive:cloudwatch-alarm-template	medialive:ListCloudWatchAlarmTemplates
aws:medialive:cloudwatch-alarm-template-group	medialive:ListCloudWatchAlarmTemplateGroups
aws:medialive:cluster	medialive:ListClusters
aws:medialive:eventbridge-rule-template	medialive:ListEventBridgeRuleTemplates
aws:medialive:eventbridge-rule-template-group	medialive:ListEventBridgeRuleTemplateGroups
aws:medialive:input	medialive:ListInputs
aws:medialive:input-device	medialive:ListInputDevices
aws:medialive:input-security-group	medialive:ListInputSecurityGroups
aws:medialive:multiplex	medialive:ListMultiplexes
aws:medialive:network	medialive:ListNetworks
aws:medialive:node	medialive:ListClusters, medialive:ListNodes
aws:medialive:reservation	medialive:ListReservations
aws:medialive:sdi-source	medialive:ListSdiSources
aws:medialive:signal-map	medialive:ListSignalMaps
aws:mediapackage-v2:channel	mediapackagev2:GetChannel, mediapackagev2:GetChannelGroup, mediapackagev2:GetChannelPolicy, mediapackagev2:ListChannelGroups, mediapackagev2:ListChannels
aws:mediapackage-v2:channel-group	mediapackagev2:GetChannelGroup, mediapackagev2:ListChannelGroups
aws:mediapackage-v2:harvest-job	mediapackagev2:GetChannelGroup, mediapackagev2:ListChannelGroups, mediapackagev2:ListHarvestJobs
aws:mediapackage-v2:origin-endpoint	mediapackagev2:GetChannelGroup, mediapackagev2:GetOriginEndpoint, mediapackagev2:GetOriginEndpointPolicy, mediapackagev2:ListChannelGroups, mediapackagev2:ListChannels, mediapackagev2:ListOriginEndpoints
aws:mediapackage-vod:assets	mediapackage-vod:DescribeAsset, mediapackage-vod:ListAssets
aws:mediapackage-vod:packaging-configurations	mediapackage-vod:ListPackagingConfigurations
aws:mediapackage-vod:packaging-groups	mediapackage-vod:ListPackagingGroups
aws:mediapackage:harvest-jobs	mediapackage:ListHarvestJobs
aws:mediapackage:origin-endpoints	mediapackage:ListOriginEndpoints
aws:memorydb:acl	memorydb:DescribeAcls
aws:memorydb:cluster	memorydb:DescribeClusters, memorydb:DescribeMultiRegionClusters
aws:memorydb:parameter-group	memorydb:DescribeParameterGroups
aws:memorydb:reserved-node	memorydb:DescribeReservedNodes
aws:memorydb:snapshot	memorydb:DescribeSnapshots
aws:memorydb:subnet-group	memorydb:DescribeSubnetGroups
aws:memorydb:user	memorydb:DescribeUsers
aws:migrationhubrefactorspaces:application	refactor-spaces:ListApplications, refactor-spaces:ListEnvironments
aws:migrationhubrefactorspaces:environment	refactor-spaces:ListEnvironments
aws:migrationhubrefactorspaces:route	refactor-spaces:ListApplications, refactor-spaces:ListEnvironments, refactor-spaces:ListRoutes
aws:migrationhubrefactorspaces:service	refactor-spaces:ListApplications, refactor-spaces:ListEnvironments, refactor-spaces:ListServices
aws:mq:broker	mq:DescribeBroker, mq:ListBrokers
aws:mq:configuration	mq:ListConfigurations
aws:mq:configurationrevision	mq:DescribeConfigurationRevision, mq:ListConfigurationRevisions, mq:ListConfigurations
aws:mq:user	mq:DescribeBroker, mq:DescribeUser, mq:ListBrokers
aws:mwaa:environment	airflow:GetEnvironment, airflow:ListEnvironments
aws:neptune:cluster	rds:DescribeDBClusters
aws:neptune:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:neptune:dbinstance	rds:DescribeDBInstances
aws:network-firewall:firewall	network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:ListFirewalls
aws:network-firewall:rulegroup	network-firewall:DescribeRuleGroup, network-firewall:ListRuleGroups
aws:network-firewall:tls-configuration	network-firewall:DescribeTLSInspectionConfiguration, network-firewall:ListTLSInspectionConfigurations
aws:network-firewall:vpc-endpoint-association	network-firewall:DescribeVpcEndpointAssociation, network-firewall:ListVpcEndpointAssociations
aws:networkmanager:attachment	networkmanager:ListAttachments
aws:networkmanager:connect-peer	networkmanager:GetConnectPeer, networkmanager:ListConnectPeers
aws:networkmanager:connection	networkmanager:DescribeGlobalNetworks, networkmanager:GetConnections
aws:networkmanager:core-network	networkmanager:GetCoreNetwork, networkmanager:ListCoreNetworks
aws:networkmanager:device	networkmanager:DescribeGlobalNetworks, networkmanager:GetDevices
aws:networkmanager:global-network	networkmanager:DescribeGlobalNetworks
aws:networkmanager:link	networkmanager:DescribeGlobalNetworks, networkmanager:GetLinks
aws:networkmanager:peering	networkmanager:ListPeerings
aws:networkmanager:site	networkmanager:DescribeGlobalNetworks, networkmanager:GetSites
aws:opensearch:domain	es:DescribeDomain, es:ListDomainNames
aws:opensearchserverless:collection	aoss:BatchGetCollection, aoss:ListCollections
aws:organizations:account	organizations:DescribeOrganization, organizations:ListAccountsForParent, organizations:ListDelegatedAdministrators, organizations:ListOrganizationalUnitsForParent, organizations:ListPoliciesForTarget, organizations:ListRoots
aws:organizations:features	iam:ListOrganizationsFeatures, organizations:DescribeOrganization, organizations:ListDelegatedAdministrators
aws:organizations:organization	organizations:DescribeOrganization, organizations:ListDelegatedAdministrators
aws:organizations:organizationalunit	organizations:DescribeOrganization, organizations:ListAccountsForParent, organizations:ListDelegatedAdministrators, organizations:ListOrganizationalUnitsForParent, organizations:ListPoliciesForTarget, organizations:ListRoots
aws:organizations:policy	organizations:DescribeOrganization, organizations:DescribePolicy, organizations:ListDelegatedAdministrators, organizations:ListPolicies, organizations:ListTargetsForPolicy
aws:organizations:root	organizations:DescribeOrganization, organizations:ListAccountsForParent, organizations:ListDelegatedAdministrators, organizations:ListOrganizationalUnitsForParent, organizations:ListPoliciesForTarget, organizations:ListRoots
aws:osis:pipeline	osis:GetPipeline, osis:ListPipelines
aws:osis:pipeline-blueprint	osis:GetPipelineBlueprint, osis:ListPipelineBlueprints
aws:outposts:outpost	outposts:ListOutposts
aws:payment-cryptography:alias	payment-cryptography:GetKey, payment-cryptography:ListAliases, payment-cryptography:ListKeys
aws:payment-cryptography:key	payment-cryptography:GetKey, payment-cryptography:ListKeys
aws:pca-connector-ad:connector	pca-connector-ad:ListConnectors
aws:pca-connector-ad:directory-registration	pca-connector-ad:ListDirectoryRegistrations
aws:pca-connector-ad:template	pca-connector-ad:ListConnectors, pca-connector-ad:ListTemplates
aws:pca-connector-scep:connector	pca-connector-scep:ListConnectors
aws:pcs:cluster	pcs:GetCluster, pcs:ListClusters
aws:pcs:compute-node-group	pcs:GetComputeNodeGroup, pcs:ListClusters, pcs:ListComputeNodeGroups
aws:pcs:queue	pcs:GetQueue, pcs:ListClusters, pcs:ListQueues
aws:personalize:algorithm	personalize:DescribeAlgorithm, personalize:DescribeRecipe, personalize:ListRecipes
aws:personalize:batch-inference-job	personalize:DescribeBatchInferenceJob, personalize:ListBatchInferenceJobs
aws:personalize:batch-segment-job	personalize:DescribeBatchSegmentJob, personalize:ListBatchSegmentJobs
aws:personalize:campaign	personalize:DescribeCampaign, personalize:ListCampaigns
aws:personalize:data-deletion-job	personalize:DescribeDataDeletionJob, personalize:ListDataDeletionJobs
aws:personalize:dataset	personalize:DescribeDataset, personalize:ListDatasets
aws:personalize:dataset-export-job	personalize:DescribeDatasetExportJob, personalize:ListDatasetExportJobs
aws:personalize:dataset-group	personalize:DescribeDatasetGroup, personalize:ListDatasetGroups
aws:personalize:dataset-import-job	personalize:DescribeDatasetImportJob, personalize:ListDatasetImportJobs
aws:personalize:event-tracker	personalize:DescribeEventTracker, personalize:ListEventTrackers
aws:personalize:feature-transformation	personalize:DescribeFeatureTransformation, personalize:DescribeRecipe, personalize:ListRecipes
aws:personalize:filter	personalize:DescribeFilter, personalize:ListFilters
aws:personalize:metric-attribution	personalize:DescribeMetricAttribution, personalize:ListMetricAttributions
aws:personalize:recipe	personalize:DescribeRecipe, personalize:ListRecipes
aws:personalize:recommender	personalize:DescribeRecommender, personalize:ListRecommenders
aws:personalize:schema	personalize:DescribeSchema, personalize:ListSchemas
aws:personalize:solution	personalize:DescribeSolution, personalize:ListSolutions
aws:pinpoint:app	mobiletargeting:GetApps, mobiletargeting:GetEventStream
aws:pinpoint:campaign	mobiletargeting:GetApps, mobiletargeting:GetCampaigns
aws:pinpoint:channel	mobiletargeting:GetApps, mobiletargeting:GetChannels
aws:pinpoint:journey	mobiletargeting:GetApps, mobiletargeting:ListJourneys
aws:pinpoint:segment	mobiletargeting:GetApps, mobiletargeting:GetSegments
aws:pinpoint:template	mobiletargeting:ListTemplates
aws:pipes:pipe	pipes:ListPipes
aws:profile:domain	profile:GetDomain, profile:ListDomains
aws:proton:component	proton:GetComponent, proton:ListComponents
aws:proton:deployment	proton:GetDeployment, proton:ListDeployments
aws:proton:environment	proton:GetEnvironment, proton:ListEnvironments
aws:proton:environment-account-connection	proton:GetEnvironmentAccountConnection, proton:ListEnvironmentAccountConnections
aws:proton:environment-template	proton:GetEnvironmentTemplate, proton:ListEnvironmentTemplates
aws:proton:environment-template-version	proton:GetEnvironmentTemplate, proton:GetEnvironmentTemplateVersion, proton:ListEnvironmentTemplateVersions, proton:ListEnvironmentTemplates
aws:proton:repository	proton:GetRepository, proton:ListRepositories
aws:proton:service	proton:GetService, proton:ListServices
aws:proton:service-instance	proton:GetServiceInstance, proton:ListServiceInstances
aws:proton:service-template	proton:GetServiceTemplate, proton:ListServiceTemplates
aws:proton:service-template-version	proton:GetServiceTemplate, proton:GetServiceTemplateVersion, proton:ListServiceTemplateVersions, proton:ListServiceTemplates
aws:qbusiness:application	qbusiness:GetApplication, qbusiness:ListApplications
aws:qbusiness:data-accessor	qbusiness:GetApplication, qbusiness:GetDataAccessor, qbusiness:ListApplications, qbusiness:ListDataAccessors
aws:qbusiness:data-source	qbusiness:GetApplication, qbusiness:GetDataSource, qbusiness:GetIndex, qbusiness:ListApplications, qbusiness:ListDataSources, qbusiness:ListIndices
aws:qbusiness:index	qbusiness:GetApplication, qbusiness:GetIndex, qbusiness:ListApplications, qbusiness:ListIndices
aws:qbusiness:plugin	qbusiness:GetApplication, qbusiness:GetPlugin, qbusiness:ListApplications, qbusiness:ListPlugins
aws:qbusiness:retriever	qbusiness:GetApplication, qbusiness:GetRetriever, qbusiness:ListApplications, qbusiness:ListRetrievers
aws:qbusiness:subscription	qbusiness:GetApplication, qbusiness:ListApplications, qbusiness:ListSubscriptions
aws:qbusiness:web-experience	qbusiness:GetApplication, qbusiness:GetWebExperience, qbusiness:ListApplications, qbusiness:ListWebExperiences
aws:quicksight:account	quicksight:DescribeAccountSettings
aws:quicksight:analysis	quicksight:DescribeAccountSettings, quicksight:DescribeAnalysis, quicksight:ListAnalyses
aws:quicksight:brand	quicksight:DescribeAccountSettings, quicksight:DescribeBrand, quicksight:ListBrands
aws:quicksight:custom-permission	quicksight:DescribeAccountSettings, quicksight:ListCustomPermissions
aws:quicksight:dashboard	quicksight:DescribeAccountSettings, quicksight:DescribeDashboard, quicksight:ListDashboards
aws:quicksight:data-set	quicksight:DescribeAccountSettings, quicksight:ListDataSets
aws:quicksight:data-source	quicksight:DescribeAccountSettings, quicksight:ListDataSources
aws:quicksight:folder	quicksight:DescribeAccountSettings, quicksight:DescribeFolder, quicksight:ListFolders
aws:quicksight:group	quicksight:DescribeAccountSettings, quicksight:ListGroups, quicksight:ListNamespaces
aws:quicksight:ingestion	quicksight:DescribeAccountSettings, quicksight:ListDataSets, quicksight:ListIngestions
aws:quicksight:namespace	quicksight:DescribeAccountSettings, quicksight:ListNamespaces
aws:quicksight:refresh-schedule	quicksight:DescribeAccountSettings, quicksight:ListDataSets, quicksight:ListRefreshSchedules
aws:quicksight:template	quicksight:DescribeAccountSettings, quicksight:DescribeTemplate, quicksight:ListTemplates
aws:quicksight:theme	quicksight:DescribeAccountSettings, quicksight:DescribeTheme, quicksight:ListThemes
aws:quicksight:topic	quicksight:DescribeAccountSettings, quicksight:DescribeTopic, quicksight:ListTopics
aws:quicksight:user	quicksight:DescribeAccountSettings, quicksight:ListUsers
aws:quicksight:vpc-connection	quicksight:DescribeAccountSettings, quicksight:ListVPCConnections
aws:ram:customer-managed-permission	ram:ListPermissions
aws:ram:permission	ram:ListPermissions
aws:ram:resource-share	ram:GetResourceShares
aws:ram:resource-share-invitation	ram:GetResourceShareInvitations
aws:rbin:rule	rbin:GetRule, rbin:ListRules
aws:rds:blue-green-deployment	rds:DescribeBlueGreenDeployments
aws:rds:cluster	rds:DescribeDBClusters
aws:rds:cluster-endpoint	rds:DescribeDBClusterEndpoints, rds:DescribeDBClusters
aws:rds:cluster-snapshot	rds:DescribeDBClusterSnapshotAttributes, rds:DescribeDBClusterSnapshots
aws:rds:db-cluster-automated-backup	rds:DescribeDBClusterAutomatedBackups
aws:rds:db-shard-group	rds:DescribeDBShardGroups
aws:rds:dbclusterparametergroup	rds:DescribeDBClusterParameterGroups
aws:rds:dbinstanceautomatedbackup	rds:DescribeDBInstanceAutomatedBackups
aws:rds:dbparametergroup	rds:DescribeDBParameterGroups, rds:DescribeDBParameters
aws:rds:dbsubnetgroup	rds:DescribeDBSubnetGroups
aws:rds:eventsubscription	rds:DescribeEventSubscriptions
aws:rds:exporttask	rds:DescribeExportTasks
aws:rds:globalcluster	rds:DescribeGlobalClusters
aws:rds:instance	rds:DescribeDBInstances
aws:rds:integration	rds:DescribeIntegrations
aws:rds:optiongroup	rds:DescribeOptionGroups
aws:rds:proxy	rds:DescribeDBProxies
aws:rds:proxy-endpoint	rds:DescribeDBProxyEndpoints
aws:rds:proxy-target-group	rds:DescribeDBProxies, rds:DescribeDBProxyTargetGroups, rds:DescribeDBProxyTargets
aws:rds:reserveddbinstance	rds:DescribeReservedDBInstances
aws:rds:securitygroup	rds:DescribeDBSecurityGroups
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:rds:snapshot-tenant-database	rds:DescribeDBSnapshotTenantDatabases
aws:rds:tenant-database	rds:DescribeTenantDatabases
aws:redshift:cluster	redshift:DescribeClusterParameters, redshift:DescribeClusters, redshift:DescribeEndpointAccess, redshift:DescribeLoggingStatus
aws:redshift:eventsubscription	redshift:DescribeEventSubscriptions
aws:redshift:hsm-client-certificate	redshift:DescribeHsmClientCertificates
aws:redshift:hsm-configuration	redshift:DescribeHsmConfigurations
aws:redshift:integration	redshift:DescribeIntegrations
aws:redshift:parametergroup	redshift:DescribeClusterParameterGroups
aws:redshift:redshift-idc-application	redshift:DescribeRedshiftIdcApplications
aws:redshift:securitygroup	redshift:DescribeClusterSecurityGroups
aws:redshift:snapshot	redshift:DescribeClusterSnapshots, redshift:DescribeClusters
aws:redshift:subnetgroup	redshift:DescribeClusterSubnetGroups, redshift:DescribeClusters
aws:redshiftserverless:endpoint-access	redshift-serverless:ListEndpointAccess
aws:redshiftserverless:managed-workgroup	redshift-serverless:ListManagedWorkgroups
aws:redshiftserverless:namespace	redshift-serverless:ListNamespaces
aws:redshiftserverless:recovery-point	redshift-serverless:ListNamespaces, redshift-serverless:ListRecoveryPoints
aws:redshiftserverless:snapshot	redshift-serverless:GetSnapshot, redshift-serverless:ListNamespaces, redshift-serverless:ListSnapshots
aws:redshiftserverless:workgroup	redshift-serverless:ListWorkgroups
aws:rekognition:collection	rekognition:DescribeCollection, rekognition:ListCollections
aws:rekognition:project	rekognition:DescribeProjects
aws:rekognition:project-version	rekognition:DescribeProjectVersions, rekognition:DescribeProjects
aws:rekognition:stream-processor	rekognition:DescribeStreamProcessor, rekognition:ListStreamProcessors
aws:resiliencehub:app-assessment	resiliencehub:DescribeAppAssessment, resiliencehub:ListAppAssessments
aws:resiliencehub:application	resiliencehub:DescribeApp, resiliencehub:ListApps
aws:resiliencehub:resiliency-policy	resiliencehub:ListResiliencyPolicies
aws:resourceexplorer2:index	resource-explorer-2:GetIndex
aws:resourceexplorer2:managed-view	resource-explorer-2:GetManagedView, resource-explorer-2:ListManagedViews
aws:resourceexplorer2:view	resource-explorer-2:GetView, resource-explorer-2:ListViews
aws:resourcegroups:group	resource-groups:GetGroup, resource-groups:ListGroups
aws:route53-recovery-control:assertion-safety-rule	route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListSafetyRules
aws:route53-recovery-control:cluster	route53-recovery-control-config:ListClusters
aws:route53-recovery-control:control-panel	route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListSafetyRules
aws:route53-recovery-control:gating-safety-rule	route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListSafetyRules
aws:route53-recovery-control:routing-control	route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListRoutingControls
aws:route53-recovery-readiness:cell	route53-recovery-readiness:ListCells
aws:route53-recovery-readiness:readiness-check	route53-recovery-readiness:ListReadinessChecks
aws:route53-recovery-readiness:recovery-group	route53-recovery-readiness:ListRecoveryGroups
aws:route53-recovery-readiness:resource-set	route53-recovery-readiness:ListResourceSets
aws:route53:hostedzone	route53:GetDNSSEC, route53:GetHostedZone, route53:ListHostedZones
aws:route53:queryloggingconfig	route53:ListQueryLoggingConfigs
aws:route53:resourcerecordset	route53:ListHostedZones, route53:ListResourceRecordSets
aws:route53domains:domain	route53domains:ListDomains
aws:route53resolver:firewall-config	route53resolver:ListFirewallConfigs
aws:route53resolver:firewall-domain-list	route53resolver:ListFirewallDomainLists
aws:route53resolver:firewall-rule-group	route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules
aws:route53resolver:firewall-rule-group-association	route53resolver:ListFirewallRuleGroupAssociations
aws:route53resolver:outpost-resolver	route53resolver:ListOutpostResolvers
aws:route53resolver:resolver-config	route53resolver:ListResolverConfigs
aws:route53resolver:resolver-dnssec-config	route53resolver:ListResolverDnssecConfigs
aws:route53resolver:resolver-endpoint	route53resolver:ListResolverEndpoints
aws:route53resolver:resolver-query-log-config	route53resolver:ListResolverQueryLogConfigs
aws:route53resolver:resolver-rule	route53resolver:ListResolverRules
aws:rum:app-monitor	rum:GetAppMonitor, rum:ListAppMonitors
aws:s3-object-lambda:object-lambda-access-point	s3:GetAccessPointForObjectLambda, s3:ListAccessPointsForObjectLambda
aws:s3:accessgrant	s3:ListAccessGrants
aws:s3:accesspoint	s3:GetAccessPointPolicy, s3:ListAccessPoints
aws:s3:bucket	s3:GetBucketAbac, s3:GetBucketAcl, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketObjectLockConfiguration, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetEncryptionConfiguration, s3:GetInventoryConfiguration, s3:GetLifecycleConfiguration, s3:GetReplicationConfiguration, s3:ListAllMyBuckets
aws:s3control:accountpublicaccessblock	s3:GetBucketPublicAccessBlock
aws:s3express:bucket	s3express:GetBucketPolicy, s3express:GetEncryptionConfiguration, s3express:ListAllMyDirectoryBuckets
aws:s3outposts:bucket	s3-outposts:ListOutpostsWithS3, s3-outposts:ListRegionalBuckets
aws:s3outposts:endpoint	s3-outposts:ListEndpoints
aws:s3outposts:outpost	s3-outposts:ListOutpostsWithS3
aws:sagemaker:inference-recommendations-job	sagemaker:DescribeInferenceRecommendationsJob, sagemaker:ListInferenceRecommendationsJobs
aws:sagemaker:notebookinstance	sagemaker:DescribeNotebookInstance, sagemaker:ListNotebookInstances
aws:sagemaker:pipeline	sagemaker:DescribePipeline, sagemaker:ListPipelines
aws:scheduler:group	scheduler:ListScheduleGroups
aws:scheduler:schedule	scheduler:GetSchedule, scheduler:ListSchedules
aws:schemas:aws-schema	schemas:DescribeSchema, schemas:ListRegistries, schemas:ListSchemas
aws:schemas:discoverer	schemas:ListDiscoverers
aws:schemas:registry	schemas:ListRegistries
aws:schemas:schema	schemas:DescribeSchema, schemas:ListRegistries, schemas:ListSchemas
aws:secretsmanager:secret	secretsmanager:DescribeSecret, secretsmanager:GetResourcePolicy, secretsmanager:ListSecrets
aws:securityhub:automation-rule	securityhub:BatchGetAutomationRules, securityhub:DescribeHub, securityhub:ListAutomationRules
aws:securityhub:configuration-policy	organizations:DescribeOrganization, securityhub:DescribeHub, securityhub:GetConfigurationPolicy, securityhub:ListConfigurationPolicies
aws:securityhub:finding-aggregator	securityhub:DescribeHub, securityhub:GetFindingAggregator, securityhub:ListFindingAggregators
aws:securityhub:hub	securityhub:DescribeHub
aws:securityhub:product	securityhub:DescribeHub, securityhub:DescribeProducts
aws:securitylake:data-lake	securitylake:ListDataLakes
aws:securitylake:subscriber	securitylake:ListSubscribers
aws:servicecatalog:application	servicecatalog:GetApplication, servicecatalog:ListApplications
aws:servicecatalog:attribute-group	servicecatalog:GetAttributeGroup, servicecatalog:ListAttributeGroups
aws:servicecatalog:portfolio	servicecatalog:DescribePortfolio, servicecatalog:ListPortfolios
aws:servicecatalog:product	servicecatalog:DescribeProduct, servicecatalog:SearchProducts
aws:servicediscovery:namespace	servicediscovery:GetNamespace, servicediscovery:ListNamespaces
aws:servicediscovery:service	servicediscovery:GetService, servicediscovery:ListServices
aws:servicequotas:quota-change	servicequotas:ListRequestedServiceQuotaChangeHistory, servicequotas:ListServices
aws:ses:addon-instance	ses:ListAddonInstances
aws:ses:addon-subscription	ses:ListAddonSubscriptions
aws:ses:address-list	ses:ListAddressLists
aws:ses:archive	ses:GetArchive, ses:ListArchives
aws:ses:configuration-set	ses:DescribeConfigurationSet, ses:ListConfigurationSets
aws:ses:contact-list	ses:GetContactList, ses:ListContactLists
aws:ses:custom-verification-email-template	ses:GetCustomVerificationEmailTemplate, ses:ListCustomVerificationEmailTemplates
aws:ses:dedicated-ip-pool	ses:GetDedicatedIpPool, ses:ListDedicatedIpPools
aws:ses:identity	ses:GetIdentityDkimAttributes, ses:GetIdentityMailFromDomainAttributes, ses:GetIdentityVerificationAttributes, ses:ListIdentities
aws:ses:ingress-point	ses:GetIngressPoint, ses:ListIngressPoints
aws:ses:multi-region-endpoint	ses:GetMultiRegionEndpoint, ses:ListMultiRegionEndpoints
aws:ses:relay	ses:GetRelay, ses:ListRelays
aws:ses:rule-set	ses:GetRuleSet, ses:ListRuleSets
aws:ses:template	ses:GetTemplate, ses:ListTemplates
aws:ses:traffic-policy	ses:GetTrafficPolicy, ses:ListTrafficPolicies
aws:sfn:activity	states:DescribeActivity, states:ListActivities
aws:sfn:execution	states:DescribeExecution, states:ListExecutions, states:ListStateMachines
aws:sfn:statemachine	states:DescribeStateMachine, states:ListStateMachines
aws:sfn:statemachinealias	states:DescribeStateMachineAlias, states:ListStateMachineAliases, states:ListStateMachines
aws:shield:attack	shield:DescribeAttack, shield:ListAttacks
aws:shield:protection	shield:ListProtections
aws:shield:protection-group	shield:ListProtectionGroups, shield:ListResourcesInProtectionGroup
aws:shield:settings	shield:DescribeEmergencyContactSettings, shield:DescribeSubscription, shield:GetSubscriptionState
aws:signer:signing-profile	signer:GetSigningProfile, signer:ListSigningProfiles
aws:smsvoice:configuration-set	sms-voice:DescribeConfigurationSets
aws:smsvoice:opt-out-list	sms-voice:DescribeOptOutLists
aws:smsvoice:phone-number	sms-voice:DescribePhoneNumbers
aws:smsvoice:pool	sms-voice:DescribePools
aws:smsvoice:protect-configuration	sms-voice:DescribeProtectConfigurations
aws:smsvoice:registration	sms-voice:DescribeRegistrations
aws:smsvoice:registration-attachment	sms-voice:DescribeRegistrationAttachments
aws:smsvoice:sender-id	sms-voice:DescribeSenderIds
aws:smsvoice:verified-destination-number	sms-voice:DescribeVerifiedDestinationNumbers
aws:snowball:cluster	snowball:DescribeCluster, snowball:ListClusters
aws:snowball:job	snowball:DescribeJob, snowball:ListJobs
aws:sns:platform-application	sns:ListPlatformApplications
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:socialmessaging:waba	social-messaging:GetLinkedWhatsAppBusinessAccount, social-messaging:ListLinkedWhatsAppBusinessAccounts
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues
aws:ssm-incidents:incident-record	ssm-incidents:GetIncidentRecord, ssm-incidents:ListIncidentRecords
aws:ssm-incidents:replication-set	ssm-incidents:GetReplicationSet, ssm-incidents:ListReplicationSets
aws:ssm-incidents:response-plan	ssm-incidents:GetResponsePlan, ssm-incidents:ListResponsePlans
aws:ssm:document	ssm:DescribeDocument, ssm:DescribeDocumentPermission, ssm:ListDocuments
aws:ssm:instance	ssm:DescribeInstanceInformation, ssm:ListComplianceItems, ssm:ListInventoryEntries
aws:sso:application	organizations:DescribeOrganization, sso:GetApplicationAssignmentConfiguration, sso:ListApplicationAssignments, sso:ListApplications, sso:ListInstances
aws:sso:application-provider	sso:ListApplicationProviders
aws:sso:instance	organizations:DescribeOrganization, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:ListInstances
aws:sso:permission-set	organizations:DescribeOrganization, sso:DescribePermissionSet, sso:GetInlinePolicyForPermissionSet, sso:GetPermissionsBoundaryForPermissionSet, sso:ListCustomerManagedPolicyReferencesInPermissionSet, sso:ListInstances, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets
aws:sso:trusted-token-issuer	organizations:DescribeOrganization, sso:DescribeTrustedTokenIssuer, sso:ListInstances, sso:ListTrustedTokenIssuers
aws:storagegateway:cache-report	storagegateway:ListCacheReports
aws:storagegateway:device	storagegateway:DescribeGatewayInformation, storagegateway:DescribeVTLDevices, storagegateway:ListGateways
aws:storagegateway:fs-association	storagegateway:DescribeFileSystemAssociations, storagegateway:ListFileSystemAssociations
aws:storagegateway:gateway	storagegateway:DescribeGatewayInformation, storagegateway:ListGateways
aws:storagegateway:nfs-fileshare	storagegateway:DescribeNFSFileShares, storagegateway:ListFileShares
aws:storagegateway:smb-fileshare	storagegateway:DescribeSMBFileShares, storagegateway:ListFileShares
aws:storagegateway:tape	storagegateway:DescribeGatewayInformation, storagegateway:DescribeTapes, storagegateway:ListGateways
aws:storagegateway:tapepool	storagegateway:ListTapePools
aws:storagegateway:volume	storagegateway:ListVolumes
aws:synthetics:canary	synthetics:DescribeCanaries
aws:synthetics:group	synthetics:GetGroup, synthetics:ListGroups
aws:textract:adapter	textract:GetAdapter, textract:ListAdapters
aws:textract:adapter-version	textract:GetAdapterVersion, textract:ListAdapterVersions, textract:ListAdapters
aws:timestream:scheduled-query	timestream:ListScheduledQueries
aws:timestreamwrite:table	timestream:ListTables
aws:transcribe:call-analytics-category	transcribe:ListCallAnalyticsCategories
aws:transcribe:call-analytics-job	transcribe:GetCallAnalyticsJob, transcribe:ListCallAnalyticsJobs
aws:transcribe:language-model	transcribe:ListLanguageModels
aws:transcribe:medical-scribe-job	transcribe:GetMedicalScribeJob, transcribe:ListMedicalScribeJobs
aws:transcribe:medical-transcription-job	transcribe:GetMedicalTranscriptionJob, transcribe:ListMedicalTranscriptionJobs
aws:transcribe:medical-vocabulary	transcribe:GetMedicalVocabulary, transcribe:ListMedicalVocabularies
aws:transcribe:transcription-job	transcribe:GetTranscriptionJob, transcribe:ListTranscriptionJobs
aws:transcribe:vocabulary	transcribe:GetVocabulary, transcribe:ListVocabularies
aws:transcribe:vocabulary-filter	transcribe:GetVocabularyFilter, transcribe:ListVocabularyFilters
aws:transfer:agreement	transfer:DescribeAgreement, transfer:DescribeServer, transfer:ListAgreements, transfer:ListServers
aws:transfer:certificate	transfer:DescribeCertificate, transfer:ListCertificates
aws:transfer:connector	transfer:DescribeConnector, transfer:ListConnectors
aws:transfer:host-key	transfer:DescribeHostKey, transfer:DescribeServer, transfer:ListHostKeys, transfer:ListServers
aws:transfer:profile	transfer:DescribeProfile, transfer:ListProfiles
aws:transfer:server	transfer:DescribeServer, transfer:ListServers
aws:transfer:user	transfer:DescribeServer, transfer:DescribeUser, transfer:ListServers, transfer:ListUsers
aws:transfer:webapp	transfer:DescribeWebApp, transfer:ListWebApps
aws:transfer:workflow	transfer:DescribeWorkflow, transfer:ListWorkflows
aws:translate:parallel-data	translate:GetParallelData, translate:ListParallelData
aws:translate:terminology	translate:GetTerminology, translate:ListTerminologies
aws:verifiedpermissions:identity-source	verifiedpermissions:GetPolicyStore, verifiedpermissions:ListIdentitySources, verifiedpermissions:ListPolicyStores
aws:verifiedpermissions:policy	verifiedpermissions:GetPolicyStore, verifiedpermissions:ListPolicies, verifiedpermissions:ListPolicyStores
aws:verifiedpermissions:policy-store	verifiedpermissions:GetPolicyStore, verifiedpermissions:ListPolicyStores
aws:verifiedpermissions:policy-template	verifiedpermissions:GetPolicyStore, verifiedpermissions:ListPolicyStores, verifiedpermissions:ListPolicyTemplates
aws:vpc-lattice:access-log-subscription	vpc-lattice:GetService, vpc-lattice:GetServiceNetwork, vpc-lattice:ListAccessLogSubscriptions, vpc-lattice:ListServiceNetworks, vpc-lattice:ListServices
aws:vpc-lattice:listener	vpc-lattice:GetListener, vpc-lattice:GetService, vpc-lattice:ListListeners, vpc-lattice:ListServices
aws:vpc-lattice:resource-configuration	vpc-lattice:GetResourceConfiguration, vpc-lattice:ListResourceConfigurations
aws:vpc-lattice:resource-endpoint-association	vpc-lattice:GetResourceConfiguration, vpc-lattice:ListResourceConfigurations, vpc-lattice:ListResourceEndpointAssociations
aws:vpc-lattice:resource-gateway	vpc-lattice:GetResourceGateway, vpc-lattice:ListResourceGateways
aws:vpc-lattice:rule	vpc-lattice:GetListener, vpc-lattice:GetRule, vpc-lattice:GetService, vpc-lattice:ListListeners, vpc-lattice:ListRules, vpc-lattice:ListServices
aws:vpc-lattice:service	vpc-lattice:GetService, vpc-lattice:ListServices
aws:vpc-lattice:service-network	vpc-lattice:GetServiceNetwork, vpc-lattice:ListServiceNetworks
aws:vpc-lattice:service-network-resource-association	vpc-lattice:ListServiceNetworkResourceAssociations
aws:vpc-lattice:service-network-service-association	vpc-lattice:GetServiceNetwork, vpc-lattice:ListServiceNetworkServiceAssociations, vpc-lattice:ListServiceNetworks
aws:vpc-lattice:service-network-vpc-association	vpc-lattice:GetServiceNetwork, vpc-lattice:ListServiceNetworkVpcAssociations, vpc-lattice:ListServiceNetworks
aws:vpc-lattice:target-group	vpc-lattice:GetTargetGroup, vpc-lattice:ListTargetGroups
aws:waf:acl	waf:GetWebACL, waf:ListWebACLs
aws:waf:rule	waf:GetRule, waf:ListRules
aws:waf:rulegroup	waf:GetRuleGroup, waf:ListRuleGroups
aws:wafregional:acl	waf-regional:GetWebACL, waf-regional:ListWebACLs
aws:wafregional:rule	waf-regional:GetRule, waf-regional:ListRules
aws:wafregional:rulegroup	waf-regional:GetRuleGroup, waf-regional:ListRuleGroups
aws:wafv2:acl	wafv2:GetLoggingConfiguration, wafv2:GetWebACL, wafv2:ListResourcesForWebACL, wafv2:ListWebACLs
aws:wafv2:ipset	wafv2:GetIPSet, wafv2:ListIPSets
aws:wafv2:regexpatternset	wafv2:GetRegexPatternSet, wafv2:ListRegexPatternSets
aws:wafv2:rulegroup	wafv2:GetRuleGroup, wafv2:ListRuleGroups
aws:workmail:organization	workmail:DescribeOrganization, workmail:ListOrganizations
aws:workspaces-web:browser-settings	workspaces-web:GetBrowserSettings, workspaces-web:ListBrowserSettings
aws:workspaces-web:data-protection-settings	workspaces-web:GetDataProtectionSettings, workspaces-web:ListDataProtectionSettings
aws:workspaces-web:identity-provider	workspaces-web:GetIdentityProvider, workspaces-web:ListIdentityProviders, workspaces-web:ListPortals
aws:workspaces-web:ip-access-settings	workspaces-web:GetIpAccessSettings, workspaces-web:ListIpAccessSettings
aws:workspaces-web:network-settings	workspaces-web:GetNetworkSettings, workspaces-web:ListNetworkSettings
aws:workspaces-web:portal	workspaces-web:ListPortals
aws:workspaces-web:trust-store	workspaces-web:GetTrustStore, workspaces-web:ListTrustStores
aws:workspaces-web:user-access-logging-settings	workspaces-web:GetUserAccessLoggingSettings, workspaces-web:ListUserAccessLoggingSettings
aws:workspaces-web:user-settings	workspaces-web:GetUserSettings, workspaces-web:ListUserSettings
aws:workspaces:amazon-bundle	workspaces:DescribeWorkspaceBundles
aws:workspaces:application	workspaces:DescribeApplications
aws:workspaces:bundle	workspaces:DescribeWorkspaceBundles
aws:workspaces:connection-alias	workspaces:DescribeConnectionAliases
aws:workspaces:directory	workspaces:DescribeWorkspaceDirectories
aws:workspaces:image	workspaces:DescribeWorkspaceImages
aws:workspaces:ip-group	workspaces:DescribeIpGroups
aws:workspaces:pool	workspaces:DescribeWorkspacesPools
aws:workspaces:workspace	workspaces:DescribeWorkspaces
aws:xray:group	xray:GetGroups
aws:xray:sampling-rule	xray:GetSamplingRules

Network Performance Monitoring (NPM)

Resource Type	Permissions
aws:ec2:egressonlyinternetgateway	ec2:DescribeEgressOnlyInternetGateways
aws:ec2:transitgateway	ec2:DescribeTransitGateways
aws:ec2:vpcendpointconnectionnotification	ec2:DescribeVpcEndpointConnectionNotifications
aws:ec2:vpcinternetgateway	ec2:DescribeInternetGateways
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:vpcpeeringconnection	ec2:DescribeVpcPeeringConnections
aws:ec2:vpngateway	ec2:DescribeVpnGateways
aws:network-firewall:firewall	network-firewall:DescribeFirewall, network-firewall:DescribeFirewallPolicy, network-firewall:DescribeLoggingConfiguration, network-firewall:ListFirewalls

Resource Catalog

Resource Type	Permissions
aws:acm:acm	acm:DescribeCertificate, acm:ListCertificates
aws:applicationautoscaling:scalingpolicy	applicationautoscaling:DescribeScalingPolicies
aws:autoscaling:group	autoscaling:DescribeAutoScalingGroups
aws:cloudformation:stack	cloudformation:DescribeStacks, cloudformation:ListStacks
aws:cloudfront:distribution	cloudfront:GetDistribution, cloudfront:ListDistributions
aws:cloudfront:function	cloudfront:ListFunctions
aws:cloudtrail:trail	cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus
aws:cloudwatchlogs:log-group	logs:DescribeLogGroups, logs:DescribeSubscriptionFilters
aws:docdb:cluster	rds:DescribeDBClusters
aws:dynamodb:table	dynamodb:DescribeContinuousBackups, dynamodb:DescribeTable, dynamodb:DescribeTimeToLive, dynamodb:ListTables
aws:ec2:image	ec2:DescribeImageAttribute, ec2:DescribeImages
aws:ec2:instance	ec2:DescribeInstances
aws:ec2:networkacl	ec2:DescribeNetworkAcls
aws:ec2:networkinterface	ec2:DescribeNetworkInterfaces
aws:ec2:securitygroup	ec2:DescribeSecurityGroups
aws:ec2:snapshot	ec2:DescribeSnapshotAttribute, ec2:DescribeSnapshots
aws:ec2:volume	ec2:DescribeVolumes
aws:ec2:vpc	ec2:DescribeVpcs
aws:ec2:vpcendpoint	ec2:DescribeVpcEndpoints
aws:ec2:vpcendpoint-service	ec2:DescribeVpcEndpointServices
aws:ec2:vpcnatgateway	ec2:DescribeNatGateways
aws:ec2:vpcpeeringconnection	ec2:DescribeVpcPeeringConnections
aws:ecr:repository	ecr:DescribeRepositories, ecr:GetLifecyclePolicy, ecr:GetRepositoryPolicy
aws:ecrpublic:repository	ecr-public:DescribeImages, ecr-public:DescribeRepositories, ecr-public:GetRepositoryPolicy
aws:ecs:cluster	ecs:DescribeClusters, ecs:ListClusters
aws:ecs:service	ecs:DescribeServices, ecs:ListClusters, ecs:ListServices
aws:ecs:task	ecs:DescribeServices, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:ecs:task-definition	ecs:DescribeServices, ecs:DescribeTaskDefinition, ecs:DescribeTasks, ecs:ListClusters, ecs:ListServices, ecs:ListTasks
aws:efs:accesspoint	elasticfilesystem:DescribeAccessPoints
aws:efs:filesystem	elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeLifecycleConfiguration
aws:eks:cluster	eks:DescribeCluster, eks:ListClusters
aws:elasticache:cluster	elasticache:DescribeCacheClusters
aws:elasticloadbalancing:loadbalancer	elasticloadbalancing:DescribeInstanceHealth, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers
aws:elasticloadbalancingv2:loadbalancer	elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers
aws:elasticsearchservice:domain	es:DescribeElasticsearchDomains, es:ListDomainNames
aws:emr:cluster	elasticmapreduce:DescribeCluster, elasticmapreduce:GetAutoTerminationPolicy, elasticmapreduce:GetManagedScalingPolicy, elasticmapreduce:ListClusters
aws:eventbridge:eventbus	events:ListEventBuses, events:ListRules
aws:iam:account	iam:GetAccountPasswordPolicy, iam:GetAccountSummary, organizations:DescribeOrganization
aws:iam:policy	iam:GetPolicy, iam:GetPolicyVersion, iam:ListPolicies
aws:iam:role	iam:GetAccountAuthorizationDetails, iam:GetRole, iam:ListAttachedRolePolicies
aws:iam:server-certificate	iam:ListServerCertificates
aws:iam:user	iam:GetLoginProfile, iam:GetUser, iam:ListAttachedUserPolicies, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListSSHPublicKeys, iam:ListUsers, iam:ListVirtualMFADevices
aws:kms:key	kms:DescribeKey, kms:GetKeyRotationStatus, kms:ListKeys
aws:lambda:function	lambda:GetFunction, lambda:GetPolicy, lambda:ListFunctionUrlConfigs, lambda:ListFunctions, lambda:ListProvisionedConcurrencyConfigs
aws:mq:broker	mq:DescribeBroker, mq:ListBrokers
aws:pipes:pipe	pipes:ListPipes
aws:rds:cluster	rds:DescribeDBClusters
aws:rds:instance	rds:DescribeDBInstances
aws:rds:snapshot	rds:DescribeDBSnapshotAttributes, rds:DescribeDBSnapshots
aws:redshift:cluster	redshift:DescribeClusterParameters, redshift:DescribeClusters, redshift:DescribeEndpointAccess, redshift:DescribeLoggingStatus
aws:s3:bucket	s3:GetBucketAbac, s3:GetBucketAcl, s3:GetBucketLogging, s3:GetBucketMetadataConfiguration, s3:GetBucketNotification, s3:GetBucketObjectLockConfiguration, s3:GetBucketOwnershipControls, s3:GetBucketPolicy, s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock, s3:GetBucketVersioning, s3:GetBucketWebsite, s3:GetEncryptionConfiguration, s3:GetInventoryConfiguration, s3:GetLifecycleConfiguration, s3:GetReplicationConfiguration, s3:ListAllMyBuckets
aws:s3control:accountpublicaccessblock	s3:GetBucketPublicAccessBlock
aws:secretsmanager:secret	secretsmanager:DescribeSecret, secretsmanager:GetResourcePolicy, secretsmanager:ListSecrets
aws:sfn:statemachine	states:DescribeStateMachine, states:ListStateMachines
aws:sns:topic	sns:GetTopicAttributes, sns:ListTopics
aws:sqs:queue	sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ListQueues

今後のリリース

ここに記載している権限は、今後 30 日以内に追加予定のリソースを反映したものです。Datadog のリソースカバレッジとトラッキングを最大限に活用するため、これらの権限を既存の AWS インテグレーション IAM ポリシー (SecurityAudit ポリシーをアタッチ済み) に含めてください。

今後のリリース向けの権限

[
  "There are no future permissions currently"
]

Cloud Security

セットアップ

AWS アカウントに AWS インテグレーションをまだ設定していない場合は、上記のセットアップ手順を完了してください。手順内で案内される箇所では Cloud Security を必ず有効化してください。

注: この機能を使用するには、AWS インテグレーションにロールの委任を設定する必要があります。

既存の AWS インテグレーションに Cloud Security を追加するには、以下の手順に従ってリソースの収集を有効化してください。

Datadog IAM ロールに必要な権限を付与するには、AWS マネージドの SecurityAudit ポリシーを Datadog の AWS IAM ロールにアタッチしてください。このポリシーは AWS コンソールで確認できます。
Datadog AWS インテグレーションページで、以下の手順で設定を完了させます。または、Update an AWS Integration API エンドポイントを利用することも可能です。
1. リソース収集を有効化したい AWS アカウントを選択します。
2. Resource collection タブで、Cloud Security の横にある Enable をクリックします。Cloud Security Setup ページへリダイレクトされ、選択したアカウントのセットアップダイアログが自動的に開きます。
3. セットアップダイアログで、Enable Resource Scanning トグルをオンに切り替えます。
4. Done をクリックしてセットアップを完了します。

アラームの収集

AWS CloudWatch アラームを Datadog イベントエクスプローラーに送信する方法は 2 つあります。

Alarm polling: Alarm polling は AWS インテグレーションに標準で含まれており、DescribeAlarmHistory API を通じてメトリクスアラームを取得します。この方法を採用すると、アラームはイベントソース Amazon Web Services として分類されます。注: クローラはコンポジットアラームを収集しません。
SNS トピック: アラームを SNS トピックにサブスクライブしてから、SNS メッセージを Datadog に転送することで、イベントエクスプローラー内のすべての AWS CloudWatch アラームを確認できます。Datadog でイベントとして SNS メッセージを受信する方法については、SNS メッセージの受信を参照してください。この方法に従うと、イベントソース Amazon SNS の下にアラームが分類されます。

収集されるデータ

メトリクス

注: AWS カスタムメトリクスの収集を有効にしたり、Datadog がインテグレーションを提供していないサービスからのメトリクスを収集することも可能です。詳しくは、AWS インテグレーションと CloudWatch の FAQ をご参照ください。

イベント

AWS からのイベントは、AWS サービス単位で収集されます。収集されるイベントの詳細については、お使いの AWS サービスのドキュメントを参照してください。

インテグレーション	Datadog タグキー
All	`region`
API Gateway	`apiid`、apiname`、`method`、`resource`、`stage`
App Runner	`instance`、`serviceid`、`servicename`
Auto Scaling	`autoscalinggroupname`、`autoscaling_group`
Billing	`account_id`、`budget_name`、`budget_type`、`currency`、`servicename`、`time_unit`
CloudFront	`distributionid`
CodeBuild	`project_name`
CodeDeploy	`application`、`creator`、`deployment_config`、`deployment_group`、`deployment_option`、`deployment_type`、`status`
DirectConnect	`connectionid`
DynamoDB	`globalsecondaryindexname`、`operation`、`streamlabel`、`tablename`
EBS	`volumeid`、`volume-name`、`volume-type`
EC2	`autoscaling_group`、`availability-zone`、`image`、`instance-id`、`instance-type`、`kernel`、`name`、`security_group_name`
ECS	`clustername`、`servicename`、`instance_id`
EFS	`filesystemid`
ElastiCache	`cachenodeid`、`cache_node_type`、`cacheclusterid`、`cluster_name`、`engine`、`engine_version`、`preferred_availability-zone`、`replication_group`
ElasticBeanstalk	`environmentname`、`enviromentid`
ELB	`availability-zone`、`hostname`、`loadbalancername`、`name`、`targetgroup`
EMR	`cluster_name`、`jobflowid`
ES	`dedicated_master_enabled`、`ebs_enabled`、`elasticsearch_version`、`instance_type`、`zone_awareness_enabled`
Firehose	`deliverystreamname`
FSx	`filesystemid`、`filesystemtype`
Health	`event_category`、`status`、`service`
IoT	`actiontype`、`protocol`、`rulename`
Kinesis	`streamname`、`name`、`state`
KMS	`keyid`
Lambda	`functionname`、`resource`、`executedversion`、`memorysize`、`runtime`
Machine Learning	`mlmodelid`、`requestmode`
MQ	`broker`、`queue`、`topic`
OpsWorks	`stackid`、`layerid`、`instanceid`
Polly	`operation`
RDS	`auto_minor_version_upgrade`、`dbinstanceclass`、`dbclusteridentifier`、`dbinstanceidentifier`、`dbname`、`engine`、`engineversion`、`hostname`、`name`、`publicly_accessible`、`secondary_availability-zone`
RDS Proxy	`proxyname`、`target`、`targetgroup`、`targetrole`
Redshift	`clusteridentifier`、`latency`、`nodeid`、`service_class`、`stage`、`wlmid`
Route 53	`healthcheckid`
S3	`bucketname`、`filterid`、`storagetype`
SES	タグキーは AWS でカスタム設定されます。
SNS	`topicname`
SQS	`queuename`
VPC	`nategatewayid`、`vpnid`、`tunnelipaddress`
WorkSpaces	`directoryid`、`workspaceid`

サービスチェック

トラブルシューティング

AWS インテグレーションに関する問題解決は、AWS インテグレーションのトラブルシューティングガイドをご参照ください。

その他の参考資料

お役に立つドキュメント、リンクや記事:

Amazon Web Services

概要

セットアップ

自動

手動

AWS IAM permissions

AWS integration IAM policy

AWS resource collection IAM policy

ログ収集

メトリクスの収集

リソース収集

AWS resource collection IAM policy

リソース タイプと権限

Cloud Cost Management (CCM)

Cloudcraft

Cloud Security Monitoring (CSM)

Network Performance Monitoring (NPM)

Resource Catalog

今後のリリース

今後のリリース向けの権限

Cloud Security

セットアップ

アラームの収集

収集されるデータ

メトリクス

イベント

タグ

サービス チェック

トラブルシューティング

その他の参考資料

リソースタイプと権限

サービスチェック