DevOps Agent IAM permissions
AWS DevOps Agent uses service-specific AWS Identity and Access Management (IAM) actions to control access to its features and capabilities. These actions determine what users can do within the AWS DevOps Agent console and Operator Web App. This is separate from the AWS service API permissions that the agent itself uses to investigate your resources.
For more information about limiting agent access, see Limiting Agent Access in an AWS Account.
Agent Space management actions
These actions control access to Agent Space configuration and management:
aidevops:GetAgentSpace – Allows users to view details about an Agent Space, including its configuration, status, and associated accounts. Users need this permission to access an Agent Space in the AWS Management Console.
aidevops:GetAssociation – Allows users to view details about a specific account association, including the IAM role configuration and connection status.
aidevops:ListAssociations – Allows users to list all AWS account associations configured for an Agent Space, including both primary and secondary accounts.
Investigation and execution actions
These actions control access to incident investigation features:
aidevops:ListExecutions – Allows users to view execution metadata—including ID, status, and more—for investigations, mitigations, evaluations, and chat conversations associated with a task.
aidevops:ListJournalRecords – Allows users to access detailed logs that show the agent's reasoning steps, actions taken, and data sources consulted during an investigation, mitigation, evaluation, and chat conversation. This is useful for understanding how the agent reached its conclusions.
Chat management actions
Chat requires the following IAM permissions to function:
aidevops:ListChats – Allows users to list and access chat conversation history.
aidevops:CreateChat – Allows users to create new chat conversations.
aidevops:SendMessage – Allows users to submit queries and receive streaming responses.
Topology and discovery actions
These actions control access to application resource mapping features:
aidevops:DiscoverTopology – Allows users to trigger topology discovery and mapping for an Agent Space. This action initiates the process of scanning AWS accounts and building the application resource topology.
Prevention and recommendation actions
These actions control access to the Prevention feature:
aidevops:ListGoals – Allows users to view prevention goals and objectives that the agent is working toward based on recent incident patterns.
aidevops:ListRecommendations – Allows users to view all recommendations generated by the Prevention feature, including their priority and category.
aidevops:GetRecommendation – Allows users to view detailed information about a specific recommendation, including the incidents it would have prevented and implementation guidance.
Backlog task management actions
These actions control the ability to manage recommendations as backlog tasks:
aidevops:CreateBacklogTask – Allows users to create an incident investigation or prevention evaluation task.
aidevops:UpdateBacklogTask – Allows users to approve a mitigation plan or cancel an active investigation or evaluation.
aidevops:GetBacklogTask – Allows users to retrieve details about a specific task.
aidevops:ListBacklogTasks – Allows users to list tasks for an Agent Space, filtered by task type, status, priority, or creation time.
Knowledge management actions
These actions control the ability to add and manage custom knowledge that the agent can use during investigations:
aidevops:CreateKnowledgeItem – Allows users to add custom knowledge items, such as skills, troubleshooting guides, or application-specific information that the agent should reference.
aidevops:ListKnowledgeItems – Allows users to view all knowledge items configured for an Agent Space.
aidevops:GetKnowledgeItem – Allows users to retrieve the details of a specific knowledge item.
aidevops:UpdateKnowledgeItem – Allows users to modify existing knowledge items to keep information current.
aidevops:DeleteKnowledgeItem – Allows users to remove knowledge items that are no longer relevant.
AWS Support integration actions
These actions control integration with AWS Support cases:
aidevops:InitiateChatForCase – Allows users to start a chat session with AWS Support directly from an investigation, automatically providing context about the incident.
aidevops:EndChatForCase – Allows users to end an active AWS Support case chat session.
aidevops:DescribeSupportLevel – Allows users to check the AWS Support plan level for the account to determine available support options.
Usage and monitoring actions
These actions control access to usage information:
aidevops:GetAccountUsage – Allows users to view the AWS DevOps Agent monthly quota for investigation hours, prevention evaluation hours, and chat requests, as well as the current month's usage.
Common IAM policy examples
Administrator policy
This policy grants full access to all AWS DevOps Agent features:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "aidevops:*", "Resource": "*" } ] }
Operator policy
This policy grants access to investigation and prevention features without administrative capabilities:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aidevops:GetAgentSpace", "aidevops:InvokeAgent", "aidevops:ListExecutions", "aidevops:ListJournalRecords", "aidevops:ListAssociations", "aidevops:GetAssociation", "aidevops:DiscoverTopology", "aidevops:ListRecommendations", "aidevops:GetRecommendation", "aidevops:CreateBacklogTask", "aidevops:UpdateBacklogTask", "aidevops:GetBacklogTask", "aidevops:ListBacklogTasks", "aidevops:ListKnowledgeItems", "aidevops:GetKnowledgeItem", "aidevops:InitiateChatForCase", "aidevops:EndChatForCase", "aidevops:ListChats", "aidevops:CreateChat", "aidevops:SendMessage", "aidevops:ListGoals", "aidevops:CreateKnowledgeItem", "aidevops:UpdateKnowledgeItem", "aidevops:DescribeSupportLevel", "aidevops:ListPendingMessages" ], "Resource": "*" } ] }
Read-only policy
This policy grants view-only access to investigations and recommendations:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aidevops:GetAgentSpace", "aidevops:ListAssociations", "aidevops:GetAssociation", "aidevops:ListExecutions", "aidevops:ListJournalRecords", "aidevops:ListRecommendations", "aidevops:GetRecommendation", "aidevops:ListBacklogTasks", "aidevops:GetBacklogTask", "aidevops:ListKnowledgeItems", "aidevops:GetKnowledgeItem", "aidevops:GetAccountUsage" ], "Resource": "*" } ] }
Using service-linked roles for AWS DevOps Agent
AWS DevOps Agent uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to AWS DevOps Agent. Service-linked roles are predefined by AWS DevOps Agent and include all the permissions that the service requires to call other AWS services on your behalf.
Service-linked role permissions
The AWSServiceRoleForAIDevOps service-linked role trusts the aidevops.amazonaws.com service principal to assume the role.
The role uses the managed policy AWSServiceRoleForAIDevOpsPolicy with the following permissions:
cloudwatch:PutMetricData– Publish usage metrics to theAWS/AIDevOpsCloudWatch namespace. Scoped by acloudwatch:namespacecondition to only allow theAWS/AIDevOpsnamespace.vpc-lattice:CreateResourceGateway– Create VPC Lattice resource gateways for private connections. Scoped by anaws:RequestTag/AWSAIDevOpsManagedcondition so the service can only create resource gateways that carry theAWSAIDevOpsManagedtag.vpc-lattice:TagResource– Tag VPC Lattice resource gateways. Scoped by anaws:RequestTag/AWSAIDevOpsManagedcondition.vpc-lattice:DeleteResourceGateway– Delete VPC Lattice resource gateways. Scoped by anaws:ResourceTag/AWSAIDevOpsManagedcondition so the service can only delete resource gateways it created.vpc-lattice:GetResourceGateway– Retrieve information about VPC Lattice resource gateways. Scoped by anaws:ResourceTag/AWSAIDevOpsManagedcondition so the service can only read resource gateways it created.ec2:DescribeVpcs,ec2:DescribeSubnets,ec2:DescribeSecurityGroups– Retrieve information about VPC networking resources required to configure resource gateways. These read-only actions apply to all VPC resources because the EC2 API does not support resource-level permissions for Describe calls.iam:CreateServiceLinkedRole– Create the VPC Lattice service-linked role required for resource gateway operations. This permission is scoped to thevpc-lattice.amazonaws.com.rproxy.govskope.usservice principal only and cannot be used to create service-linked roles for any other service.
Creating the service-linked role
You don't need to manually create the AWSServiceRoleForAIDevOps service-linked role. When you start using AWS DevOps Agent, the service creates the service-linked role for you.
To allow the service to create the role on your behalf, you must have the iam:CreateServiceLinkedRole permission. We recommend scoping this permission with an iam:AWSServiceName condition for aidevops.amazonaws.com to follow the principle of least privilege. For more information, see Service-linked role permissions.
Editing the service-linked role
You cannot edit the AWSServiceRoleForAIDevOps service-linked role. After the role is created, you cannot change the name of the role because various entities might reference the role by name. However, you can edit the description of the role using IAM. For more information, see Editing a service-linked role.
Deleting the service-linked role
If you no longer need to use AWS DevOps Agent, we recommend that you delete the AWSServiceRoleForAIDevOps service-linked role. Before you can delete the role, you must first remove any private connections configured in your Agent Space. Deleting the service-linked role does not automatically remove VPC Lattice resource gateways tagged with AWSAIDevOpsManaged that were previously created by the service. You should delete these resource gateways manually if they are no longer needed. For more information, see Deleting a service-linked role.
AWS Managed policies for AWS DevOps Agent
AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These AWS managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see AWS managed policies in the _IAM User Guide_.
The following AWS managed policies, which you can attach to users in your account, are specific to AWS DevOps Agent.
AIDevOpsAgentReadOnlyAccess
Provides read only access to Amazon DevOps Agent via the AWS Management Console
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AIDevOpsAgentReadOnlyAccess", "Effect": "Allow", "Action": [ "aidevops:Get*", "aidevops:List*", "aidevops:SearchServiceAccessibleResource" ], "Resource": "*" } ] }
AIDevOpsAgentFullAccess
Provides full access to Amazon DevOps Agent via the AWS Management Console
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AIDevOpsAgentSpaceAccess", "Effect": "Allow", "Action": [ "aidevops:CreateAgentSpace", "aidevops:DeleteAgentSpace", "aidevops:GetAgentSpace", "aidevops:ListAgentSpaces", "aidevops:UpdateAgentSpace" ], "Resource": "*" }, { "Sid": "AIDevOpsServiceAccess", "Effect": "Allow", "Action": [ "aidevops:DeregisterService", "aidevops:GetService", "aidevops:ListServices", "aidevops:RegisterService", "aidevops:SearchServiceAccessibleResource" ], "Resource": "*" }, { "Sid": "AIDevOpsAssociationAccess", "Effect": "Allow", "Action": [ "aidevops:AssociateService", "aidevops:DisassociateService", "aidevops:GetAssociation", "aidevops:ListAssociations", "aidevops:UpdateAssociation", "aidevops:ValidateAwsAssociations" ], "Resource": "*" }, { "Sid": "AIDevOpsWebhookAccess", "Effect": "Allow", "Action": [ "aidevops:ListWebhooks" ], "Resource": "*" }, { "Sid": "AIDevOpsOperatorAppAccess", "Effect": "Allow", "Action": [ "aidevops:DisableOperatorApp", "aidevops:EnableOperatorApp", "aidevops:GetOperatorApp", "aidevops:UpdateOperatorAppIdpConfig" ], "Resource": "*" }, { "Sid": "AIDevOpsKnowledgeAccess", "Effect": "Allow", "Action": [ "aidevops:CreateKnowledgeItem", "aidevops:DeleteKnowledgeItem", "aidevops:GetKnowledgeItem", "aidevops:ListKnowledgeItems", "aidevops:ListKnowledgeItemVersions", "aidevops:UpdateKnowledgeItem" ], "Resource": "*" }, { "Sid": "AIDevOpsBacklogAccess", "Effect": "Allow", "Action": [ "aidevops:CreateBacklogTask", "aidevops:GetBacklogTask", "aidevops:ListBacklogTasks", "aidevops:ListGoals", "aidevops:UpdateBacklogTask", "aidevops:UpdateGoal" ], "Resource": "*" }, { "Sid": "AIDevOpsRecommendationAccess", "Effect": "Allow", "Action": [ "aidevops:GetRecommendation", "aidevops:ListRecommendations", "aidevops:UpdateRecommendation" ], "Resource": "*" }, { "Sid": "AIDevOpsAgentChatAccess", "Effect": "Allow", "Action": [ "aidevops:CreateChat", "aidevops:ListChats", "aidevops:ListPendingMessages", "aidevops:SendMessage" ], "Resource": "*" }, { "Sid": "AIDevOpsJournalAccess", "Effect": "Allow", "Action": [ "aidevops:ListExecutions", "aidevops:ListJournalRecords" ], "Resource": "*" }, { "Sid": "AIDevOpsTopologyAccess", "Effect": "Allow", "Action": [ "aidevops:DiscoverTopology" ], "Resource": "*" }, { "Sid": "AIDevOpsSupportAccess", "Effect": "Allow", "Action": [ "aidevops:DescribeSupportLevel", "aidevops:EndChatForCase", "aidevops:InitiateChatForCase" ], "Resource": "*" }, { "Sid": "AIDevOpsUsageAccess", "Effect": "Allow", "Action": [ "aidevops:GetAccountUsage" ], "Resource": "*" }, { "Sid": "AIDevOpsTaggingAccess", "Effect": "Allow", "Action": [ "aidevops:ListTagsForResource", "aidevops:TagResource", "aidevops:UntagResource" ], "Resource": "*" }, { "Sid": "AIDevOpsVendedLogs", "Effect": "Allow", "Action": [ "aidevops:AllowVendedLogDeliveryForResource" ], "Resource": "*" } ] }
AIDevOpsOperatorAppAccessPolicy
Provides access to use the AWS DevOps operator web app for an Agent Space.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowOperatorAgentSpaceActions", "Effect": "Allow", "Action": [ "aidevops:GetAgentSpace", "aidevops:GetAssociation", "aidevops:ListAssociations", "aidevops:CreateBacklogTask", "aidevops:GetBacklogTask", "aidevops:UpdateBacklogTask", "aidevops:ListBacklogTasks", "aidevops:ListJournalRecords", "aidevops:DiscoverTopology", "aidevops:ListGoals", "aidevops:ListRecommendations", "aidevops:ListExecutions", "aidevops:GetRecommendation", "aidevops:UpdateRecommendation", "aidevops:CreateKnowledgeItem", "aidevops:ListKnowledgeItems", "aidevops:ListKnowledgeItemVersions", "aidevops:GetKnowledgeItem", "aidevops:UpdateKnowledgeItem", "aidevops:DeleteKnowledgeItem", "aidevops:ListPendingMessages", "aidevops:InitiateChatForCase", "aidevops:EndChatForCase", "aidevops:DescribeSupportLevel", "aidevops:ListChats", "aidevops:CreateChat", "aidevops:SendMessage" ], "Resource": "arn:aws:aidevops:*:*:agentspace/${aws:PrincipalTag/AgentSpaceId}", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowOperatorAccountActions", "Effect": "Allow", "Action": [ "aidevops:GetAccountUsage" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AllowSupportOperatorActions", "Effect": "Allow", "Action": [ "support:DescribeCases", "support:InitiateChatForCase", "support:DescribeSupportLevel" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }
AIDevOpsAgentAccessPolicy
Provides permissions required by the AWS DevOps Agent to conduct investigations and perform analysis on customer AWS resources.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AIOPSServiceAccess", "Effect": "Allow", "Action": [ "access-analyzer:GetAnalyzer", "access-analyzer:List*", "acm-pca:Describe*", "acm-pca:GetCertificate", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:List*", "acm:DescribeCertificate", "acm:GetAccountConfiguration", "aidevops:GetKnowledgeItem", "aidevops:ListKnowledgeItems", "airflow:List*", "amplify:GetApp", "amplify:GetBranch", "amplify:GetDomainAssociation", "amplify:List*", "aoss:BatchGetCollection", "aoss:BatchGetLifecyclePolicy", "aoss:BatchGetVpcEndpoint", "aoss:GetAccessPolicy", "aoss:GetSecurityConfig", "aoss:GetSecurityPolicy", "aoss:List*", "appconfig:GetApplication", "appconfig:GetConfigurationProfile", "appconfig:GetEnvironment", "appconfig:GetHostedConfigurationVersion", "appconfig:List*", "appflow:Describe*", "appflow:List*", "application-autoscaling:Describe*", "application-signals:BatchGetServiceLevelObjectiveBudgetReport", "application-signals:GetService", "application-signals:GetServiceLevelObjective", "application-signals:List*", "applicationinsights:Describe*", "applicationinsights:List*", "apprunner:Describe*", "apprunner:List*", "appstream:Describe*", "appstream:List*", "appsync:GetApiAssociation", "appsync:GetDataSource", "appsync:GetDomainName", "appsync:GetFunction", "appsync:GetGraphqlApi", "appsync:GetGraphqlApiEnvironmentVariables", "appsync:GetIntrospectionSchema", "appsync:GetResolver", "appsync:GetSourceApiAssociation", "appsync:List*", "aps:Describe*", "aps:List*", "arc-zonal-shift:GetManagedResource", "arc-zonal-shift:List*", "athena:GetCapacityAssignmentConfiguration", "athena:GetCapacityReservation", "athena:GetDataCatalog", "athena:GetNamedQuery", "athena:GetPreparedStatement", "athena:GetWorkGroup", "athena:List*", "auditmanager:GetAssessment", "auditmanager:List*", "autoscaling:Describe*", "backup-gateway:GetHypervisor", "backup-gateway:List*", "backup:Describe*", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:GetBackupVaultAccessPolicy", "backup:GetBackupVaultNotifications", "backup:GetRestoreTestingPlan", "backup:GetRestoreTestingSelection", "backup:List*", "batch:DescribeComputeEnvironments", "batch:DescribeJobQueues", "batch:DescribeSchedulingPolicies", "batch:List*", "bedrock:GetAgent", "bedrock:GetAgentActionGroup", "bedrock:GetAgentAlias", "bedrock:GetAgentKnowledgeBase", "bedrock:GetDataSource", "bedrock:GetGuardrail", "bedrock:GetKnowledgeBase", "bedrock:List*", "budgets:Describe*", "budgets:List*", "ce:Describe*", "ce:GetAnomalyMonitors", "ce:GetAnomalySubscriptions", "ce:List*", "chatbot:Describe*", "chatbot:GetMicrosoftTeamsChannelConfiguration", "chatbot:List*", "cleanrooms-ml:GetTrainingDataset", "cleanrooms-ml:List*", "cleanrooms:GetAnalysisTemplate", "cleanrooms:GetCollaboration", "cleanrooms:GetConfiguredTable", "cleanrooms:GetConfiguredTableAnalysisRule", "cleanrooms:GetConfiguredTableAssociation", "cleanrooms:GetMembership", "cleanrooms:List*", "cloudformation:Describe*", "cloudformation:GetResource", "cloudformation:GetStackPolicy", "cloudformation:GetTemplate", "cloudformation:List*", "cloudfront:Describe*", "cloudfront:GetCachePolicy", "cloudfront:GetCloudFrontOriginAccessIdentity", "cloudfront:GetContinuousDeploymentPolicy", "cloudfront:GetDistribution", "cloudfront:GetDistributionConfig", "cloudfront:GetFunction", "cloudfront:GetKeyGroup", "cloudfront:GetMonitoringSubscription", "cloudfront:GetOriginAccessControl", "cloudfront:GetOriginRequestPolicy", "cloudfront:GetPublicKey", "cloudfront:GetRealtimeLogConfig", "cloudfront:GetResponseHeadersPolicy", "cloudfront:List*", "cloudtrail:Describe*", "cloudtrail:GetChannel", "cloudtrail:GetEventConfiguration", "cloudtrail:GetEventDataStore", "cloudtrail:GetEventSelectors", "cloudtrail:GetInsightSelectors", "cloudtrail:GetQueryResults", "cloudtrail:GetResourcePolicy", "cloudtrail:GetTrail", "cloudtrail:GetTrailStatus", "cloudtrail:List*", "cloudtrail:LookupEvents", "cloudtrail:StartQuery", "cloudwatch:Describe*", "cloudwatch:GenerateQuery", "cloudwatch:GetDashboard", "cloudwatch:GetInsightRuleReport", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricStream", "cloudwatch:GetService", "cloudwatch:GetServiceLevelObjective", "cloudwatch:List*", "codeartifact:Describe*", "codeartifact:GetDomainPermissionsPolicy", "codeartifact:GetRepositoryPermissionsPolicy", "codeartifact:List*", "codebuild:BatchGetFleets", "codebuild:List*", "codecommit:GetRepository", "codecommit:GetRepositoryTriggers", "codedeploy:BatchGetDeployments", "codedeploy:BatchGetDeploymentTargets", "codedeploy:GetApplication", "codedeploy:GetDeploymentConfig", "codedeploy:GetDeploymentTarget", "codedeploy:List*", "codeguru-profiler:Describe*", "codeguru-profiler:GetNotificationConfiguration", "codeguru-profiler:GetPolicy", "codeguru-profiler:List*", "codeguru-reviewer:Describe*", "codeguru-reviewer:List*", "codepipeline:GetPipeline", "codepipeline:GetPipelineState", "codepipeline:List*", "codestar-connections:GetConnection", "codestar-connections:GetRepositoryLink", "codestar-connections:GetSyncConfiguration", "codestar-connections:List*", "codestar-notifications:Describe*", "codestar-notifications:List*", "cognito-identity:DescribeIdentityPool", "cognito-identity:GetIdentityPoolRoles", "cognito-identity:ListIdentityPools", "cognito-identity:ListTagsForResource", "cognito-idp:AdminListGroupsForUser", "cognito-idp:DescribeIdentityProvider", "cognito-idp:DescribeResourceServer", "cognito-idp:DescribeRiskConfiguration", "cognito-idp:DescribeUserImportJob", "cognito-idp:DescribeUserPool", "cognito-idp:DescribeUserPoolDomain", "cognito-idp:GetGroup", "cognito-idp:GetLogDeliveryConfiguration", "cognito-idp:GetUICustomization", "cognito-idp:GetUserPoolMfaConfig", "cognito-idp:GetWebACLForResource", "cognito-idp:ListGroups", "cognito-idp:ListIdentityProviders", "cognito-idp:ListResourceServers", "cognito-idp:ListUserPoolClients", "cognito-idp:ListUserPools", "cognito-idp:ListTagsForResource", "comprehend:Describe*", "comprehend:List*", "config:Describe*", "config:GetStoredQuery", "config:List*", "connect:Describe*", "connect:GetTaskTemplate", "connect:List*", "databrew:Describe*", "databrew:List*", "datapipeline:Describe*", "datapipeline:GetPipelineDefinition", "datapipeline:List*", "datasync:Describe*", "datasync:List*", "deadline:GetFarm", "deadline:GetFleet", "deadline:GetLicenseEndpoint", "deadline:GetMonitor", "deadline:GetQueue", "deadline:GetQueueEnvironment", "deadline:GetQueueFleetAssociation", "deadline:GetStorageProfile", "deadline:List*", "detective:GetMembers", "detective:List*", "devicefarm:GetDevicePool", "devicefarm:GetInstanceProfile", "devicefarm:GetNetworkProfile", "devicefarm:GetProject", "devicefarm:GetTestGridProject", "devicefarm:GetVPCEConfiguration", "devicefarm:List*", "devops-guru:Describe*", "devops-guru:GetResourceCollection", "devops-guru:List*", "dms:Describe*", "dms:List*", "ds:Describe*", "dynamodb:Describe*", "dynamodb:GetResourcePolicy", "dynamodb:List*", "ec2:Describe*", "ec2:GetAssociatedEnclaveCertificateIamRoles", "ec2:GetIpamPoolAllocations", "ec2:GetIpamPoolCidrs", "ec2:GetManagedPrefixListEntries", "ec2:GetNetworkInsightsAccessScopeContent", "ec2:GetSnapshotBlockPublicAccessState", "ec2:GetTransitGatewayMulticastDomainAssociations", "ec2:GetTransitGatewayRouteTableAssociations", "ec2:GetTransitGatewayRouteTablePropagations", "ec2:GetVerifiedAccessEndpointPolicy", "ec2:GetVerifiedAccessGroupPolicy", "ec2:GetVerifiedAccessInstanceWebAcl", "ec2:SearchLocalGatewayRoutes", "ec2:SearchTransitGatewayRoutes", "ecr:Describe*", "ecr:GetLifecyclePolicy", "ecr:GetRegistryPolicy", "ecr:GetRepositoryPolicy", "ecr:List*", "ecs:Describe*", "ecs:List*", "eks:AccessKubernetesApi", "eks:Describe*", "eks:List*", "elasticache:Describe*", "elasticache:List*", "elasticbeanstalk:Describe*", "elasticbeanstalk:List*", "elasticfilesystem:Describe*", "elasticloadbalancing:GetResourcePolicy", "elasticloadbalancing:GetTrustStoreCaCertificatesBundle", "elasticloadbalancing:GetTrustStoreRevocationContent", "elasticloadbalancing:Describe*", "elasticmapreduce:Describe*", "elasticmapreduce:List*", "emr-containers:Describe*", "emr-containers:List*", "emr-serverless:GetApplication", "emr-serverless:List*", "es:Describe*", "es:List*", "events:Describe*", "events:List*", "evidently:GetExperiment", "evidently:GetFeature", "evidently:GetLaunch", "evidently:GetProject", "evidently:GetSegment", "evidently:List*", "firehose:Describe*", "firehose:List*", "fis:GetExperimentTemplate", "fis:GetTargetAccountConfiguration", "fis:List*", "fms:GetNotificationChannel", "fms:GetPolicy", "fms:List*", "forecast:Describe*", "forecast:List*", "frauddetector:BatchGetVariable", "frauddetector:Describe*", "frauddetector:GetDetectors", "frauddetector:GetDetectorVersion", "frauddetector:GetEntityTypes", "frauddetector:GetEventTypes", "frauddetector:GetExternalModels", "frauddetector:GetLabels", "frauddetector:GetListElements", "frauddetector:GetListsMetadata", "frauddetector:GetModelVersion", "frauddetector:GetOutcomes", "frauddetector:GetRules", "frauddetector:GetVariables", "frauddetector:List*", "fsx:Describe*", "gamelift:Describe*", "gamelift:List*", "globalaccelerator:Describe*", "globalaccelerator:List*", "glue:GetDatabase", "glue:GetDatabases", "glue:GetJob", "glue:GetRegistry", "glue:GetSchema", "glue:GetSchemaVersion", "glue:GetTable", "glue:GetTags", "glue:GetTrigger", "glue:List*", "glue:querySchemaVersionMetadata", "grafana:Describe*", "grafana:List*", "greengrass:Describe*", "greengrass:GetDeployment", "greengrass:List*", "groundstation:GetConfig", "groundstation:GetDataflowEndpointGroup", "groundstation:GetMissionProfile", "groundstation:List*", "guardduty:GetDetector", "guardduty:GetFilter", "guardduty:GetIPSet", "guardduty:GetMalwareProtectionPlan", "guardduty:GetMasterAccount", "guardduty:GetMembers", "guardduty:GetThreatIntelSet", "guardduty:List*", "health:DescribeEvents", "health:DescribeEventDetails", "healthlake:Describe*", "healthlake:List*", "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetInstanceProfile", "iam:GetLoginProfile", "iam:GetOpenIDConnectProvider", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetSAMLProvider", "iam:GetServerCertificate", "iam:GetServiceLinkedRoleDeletionStatus", "iam:GetUser", "iam:GetUserPolicy", "iam:ListAttachedRolePolicies", "iam:ListOpenIDConnectProviders", "iam:ListRolePolicies", "iam:ListRoles", "iam:ListServerCertificates", "iam:ListVirtualMFADevices", "identitystore:DescribeGroup", "identitystore:DescribeGroupMembership", "identitystore:ListGroupMemberships", "identitystore:ListGroups", "imagebuilder:GetComponent", "imagebuilder:GetContainerRecipe", "imagebuilder:GetDistributionConfiguration", "imagebuilder:GetImage", "imagebuilder:GetImagePipeline", "imagebuilder:GetImageRecipe", "imagebuilder:GetInfrastructureConfiguration", "imagebuilder:GetLifecyclePolicy", "imagebuilder:GetWorkflow", "imagebuilder:List*", "inspector2:List*", "inspector:Describe*", "inspector:List*", "internetmonitor:GetMonitor", "internetmonitor:List*", "iot:Describe*", "iot:GetPackage", "iot:GetPackageVersion", "iot:GetPolicy", "iot:GetThingShadow", "iot:GetTopicRule", "iot:GetTopicRuleDestination", "iot:GetV2LoggingOptions", "iot:List*", "iotanalytics:Describe*", "iotanalytics:List*", "iotevents:Describe*", "iotevents:List*", "iotsitewise:Describe*", "iotsitewise:List*", "iotwireless:GetDestination", "iotwireless:GetDeviceProfile", "iotwireless:GetFuotaTask", "iotwireless:GetMulticastGroup", "iotwireless:GetNetworkAnalyzerConfiguration", "iotwireless:GetServiceProfile", "iotwireless:GetWirelessDevice", "iotwireless:GetWirelessGateway", "iotwireless:GetWirelessGatewayTaskDefinition", "iotwireless:List*", "ivs:GetChannel", "ivs:GetEncoderConfiguration", "ivs:GetPlaybackRestrictionPolicy", "ivs:GetRecordingConfiguration", "ivs:GetStage", "ivs:List*", "ivschat:GetLoggingConfiguration", "ivschat:GetRoom", "ivschat:List*", "kafka:Describe*", "kafka:GetClusterPolicy", "kafka:List*", "kafkaconnect:Describe*", "kafkaconnect:List*", "kendra:Describe*", "kendra:List*", "kinesis:Describe*", "kinesis:GetResourcePolicy", "kinesis:List*", "kinesisanalytics:Describe*", "kinesisanalytics:List*", "kinesisvideo:Describe*", "kms:DescribeKey", "kms:ListResourceTags", "kms:ListKeys", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ListKeyRotations", "lakeformation:Describe*", "lakeformation:GetLFTag", "lakeformation:GetResourceLFTags", "lakeformation:List*", "lambda:GetAlias", "lambda:GetCodeSigningConfig", "lambda:GetEventSourceMapping", "lambda:GetFunctionCodeSigningConfig", "lambda:GetFunctionConfiguration", "lambda:GetFunctionEventInvokeConfig", "lambda:GetFunctionRecursionConfig", "lambda:GetFunctionUrlConfig", "lambda:GetLayerVersion", "lambda:GetLayerVersionPolicy", "lambda:GetPolicy", "lambda:GetProvisionedConcurrencyConfig", "lambda:GetRuntimeManagementConfig", "lambda:List*", "launchwizard:GetDeployment", "launchwizard:List*", "license-manager:GetLicense", "license-manager:List*", "lightsail:GetAlarms", "lightsail:GetBuckets", "lightsail:GetCertificates", "lightsail:GetContainerServices", "lightsail:GetDisk", "lightsail:GetDisks", "lightsail:GetInstance", "lightsail:GetInstances", "lightsail:GetLoadBalancer", "lightsail:GetLoadBalancers", "lightsail:GetLoadBalancerTlsCertificates", "lightsail:GetStaticIp", "lightsail:GetStaticIps", "logs:Describe*", "logs:FilterLogEvents", "logs:GetDataProtectionPolicy", "logs:GetDelivery", "logs:GetDeliveryDestination", "logs:GetDeliveryDestinationPolicy", "logs:GetDeliverySource", "logs:GetLogAnomalyDetector", "logs:GetLogDelivery", "logs:GetLogGroupFields", "logs:GetQueryResults", "logs:List*", "logs:StartQuery", "logs:StopLiveTail", "logs:StopQuery", "logs:TestMetricFilter", "m2:GetApplication", "m2:GetEnvironment", "m2:List*", "macie2:GetAllowList", "macie2:GetCustomDataIdentifier", "macie2:GetFindingsFilter", "macie2:GetMacieSession", "macie2:List*", "mediaconnect:Describe*", "mediaconnect:List*", "medialive:Describe*", "medialive:GetCloudWatchAlarmTemplate", "medialive:GetCloudWatchAlarmTemplateGroup", "medialive:GetEventBridgeRuleTemplate", "medialive:GetEventBridgeRuleTemplateGroup", "medialive:GetSignalMap", "medialive:List*", "mediapackage-vod:Describe*", "mediapackage-vod:List*", "mediapackage:Describe*", "mediapackage:List*", "mediapackagev2:GetChannel", "mediapackagev2:GetChannelGroup", "mediapackagev2:GetChannelPolicy", "mediapackagev2:GetOriginEndpoint", "mediapackagev2:GetOriginEndpointPolicy", "mediapackagev2:List*", "memorydb:Describe*", "memorydb:List*", "mobiletargeting:GetInAppTemplate", "mobiletargeting:List*", "mq:Describe*", "mq:List*", "network-firewall:Describe*", "network-firewall:List*", "networkmanager:Describe*", "networkmanager:GetConnectAttachment", "networkmanager:GetConnectPeer", "networkmanager:GetCoreNetwork", "networkmanager:GetCoreNetworkPolicy", "networkmanager:GetCustomerGatewayAssociations", "networkmanager:GetDevices", "networkmanager:GetLinkAssociations", "networkmanager:GetLinks", "networkmanager:GetSites", "networkmanager:GetSiteToSiteVpnAttachment", "networkmanager:GetTransitGatewayPeering", "networkmanager:GetTransitGatewayRegistrations", "networkmanager:GetTransitGatewayRouteTableAttachment", "networkmanager:GetVpcAttachment", "networkmanager:List*", "oam:GetLink", "oam:GetSink", "oam:GetSinkPolicy", "oam:List*", "omics:GetAnnotationStore", "omics:GetReferenceStore", "omics:GetRunGroup", "omics:GetSequenceStore", "omics:GetVariantStore", "omics:GetWorkflow", "omics:List*", "organizations:Describe*", "organizations:List*", "osis:GetPipeline", "osis:List*", "payment-cryptography:GetAlias", "payment-cryptography:GetKey", "payment-cryptography:List*", "pca-connector-ad:GetConnector", "pca-connector-ad:GetDirectoryRegistration", "pca-connector-ad:GetServicePrincipalName", "pca-connector-ad:GetTemplate", "pca-connector-ad:GetTemplateGroupAccessControlEntry", "pca-connector-ad:List*", "pca-connector-scep:GetChallengeMetadata", "pca-connector-scep:GetConnector", "pca-connector-scep:List*", "personalize:Describe*", "personalize:List*", "pi:DescribeDimensionKeys", "pi:GetResourceMetadata", "pi:GetResourceMetrics", "pi:ListAvailableResourceDimensions", "pi:ListAvailableResourceMetrics", "pipes:Describe*", "pipes:List*", "proton:GetEnvironmentTemplate", "proton:GetServiceTemplate", "proton:List*", "qbusiness:GetApplication", "qbusiness:GetDataSource", "qbusiness:GetIndex", "qbusiness:GetPlugin", "qbusiness:GetRetriever", "qbusiness:GetWebExperience", "qbusiness:List*", "ram:GetPermission", "ram:GetResourceShares", "ram:List*", "rds:Describe*", "rds:List*", "redshift-serverless:GetNamespace", "redshift-serverless:GetWorkgroup", "redshift-serverless:List*", "redshift:Describe*", "refactor-spaces:GetApplication", "refactor-spaces:GetEnvironment", "refactor-spaces:GetRoute", "refactor-spaces:List*", "rekognition:Describe*", "rekognition:List*", "resiliencehub:Describe*", "resiliencehub:List*", "resource-explorer-2:GetDefaultView", "resource-explorer-2:GetIndex", "resource-explorer-2:GetView", "resource-explorer-2:List*", "resource-explorer-2:Search", "resource-groups:GetGroup", "resource-groups:GetGroupConfiguration", "resource-groups:GetGroupQuery", "resource-groups:GetTags", "resource-groups:List*", "route53-recovery-control-config:Describe*", "route53-recovery-control-config:List*", "route53-recovery-readiness:GetCell", "route53-recovery-readiness:GetReadinessCheck", "route53-recovery-readiness:GetRecoveryGroup", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:List*", "route53:GetDNSSEC", "route53:GetHealthCheck", "route53:GetHealthCheckStatus", "route53:GetHostedZone", "route53:List*", "route53profiles:GetProfile", "route53profiles:GetProfileAssociation", "route53profiles:GetProfileResourceAssociation", "route53profiles:List*", "route53resolver:GetFirewallDomainList", "route53resolver:GetFirewallRuleGroup", "route53resolver:GetFirewallRuleGroupAssociation", "route53resolver:GetOutpostResolver", "route53resolver:GetResolverConfig", "route53resolver:GetResolverQueryLogConfig", "route53resolver:GetResolverQueryLogConfigAssociation", "route53resolver:GetResolverRule", "route53resolver:GetResolverRuleAssociation", "route53resolver:List*", "rum:GetAppMonitor", "rum:List*", "s3-outposts:ListEndpoints", "s3-outposts:ListOutpostsWithS3", "s3:GetAccessGrant", "s3:GetAccessGrantsInstance", "s3:GetAccessGrantsLocation", "s3:GetAccessPoint", "s3:GetAccessPointConfigurationForObjectLambda", "s3:GetAccessPointForObjectLambda", "s3:GetAccessPointPolicy", "s3:GetAccessPointPolicyForObjectLambda", "s3:GetAccessPointPolicyStatusForObjectLambda", "s3:GetBucketAbac", "s3:GetBucketAcl", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketMetadataTableConfiguration", "s3:GetBucketNotification", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketOwnershipControls", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMultiRegionAccessPoint", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:GetReplicationConfiguration", "s3:GetStorageLensConfiguration", "s3:GetStorageLensConfigurationTagging", "s3:GetStorageLensGroup", "s3:ListAllMyBuckets", "sagemaker:Describe*", "sagemaker:List*", "scheduler:GetSchedule", "scheduler:GetScheduleGroup", "scheduler:List*", "schemas:Describe*", "schemas:GetResourcePolicy", "schemas:List*", "secretsmanager:Describe*", "secretsmanager:GetResourcePolicy", "secretsmanager:List*", "securityhub:BatchGetAutomationRules", "securityhub:BatchGetSecurityControls", "securityhub:Describe*", "securityhub:GetConfigurationPolicy", "securityhub:GetConfigurationPolicyAssociation", "securityhub:GetEnabledStandards", "securityhub:GetFindingAggregator", "securityhub:GetInsights", "securityhub:List*", "securitylake:GetSubscriber", "securitylake:List*", "servicecatalog:Describe*", "servicecatalog:GetApplication", "servicecatalog:GetAttributeGroup", "servicecatalog:List*", "servicequotas:GetServiceQuota", "ses:Describe*", "ses:GetAccount", "ses:GetAddonInstance", "ses:GetAddonSubscription", "ses:GetArchive", "ses:GetConfigurationSet", "ses:GetConfigurationSetEventDestinations", "ses:GetContactList", "ses:GetDedicatedIpPool", "ses:GetDedicatedIps", "ses:GetEmailIdentity", "ses:GetEmailTemplate", "ses:GetIngressPoint", "ses:GetRelay", "ses:GetRuleSet", "ses:GetTemplate", "ses:GetTrafficPolicy", "ses:List*", "shield:Describe*", "shield:List*", "signer:GetSigningProfile", "signer:List*", "sns:GetDataProtectionPolicy", "sns:GetSubscriptionAttributes", "sns:GetTopicAttributes", "sns:List*", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:List*", "ssm-contacts:GetContact", "ssm-contacts:GetContactChannel", "ssm-contacts:List*", "ssm-incidents:GetReplicationSet", "ssm-incidents:GetResponsePlan", "ssm-incidents:List*", "ssm-sap:GetApplication", "ssm-sap:List*", "ssm:Describe*", "ssm:GetDefaultPatchBaseline", "ssm:GetDocument", "ssm:GetParameters", "ssm:GetPatchBaseline", "ssm:GetResourcePolicies", "ssm:List*", "sso:GetInlinePolicyForPermissionSet", "sso:GetManagedApplicationInstance", "sso:GetPermissionsBoundaryForPermissionSet", "sso:GetSharedSsoConfiguration", "sso:ListAccountAssignments", "sso:ListApplicationAssignments", "sso:ListApplications", "sso:ListCustomerManagedPolicyReferencesInPermissionSet", "sso:ListInstances", "sso:ListManagedPoliciesInPermissionSet", "sso:ListTagsForResource", "states:GetExecutionHistory", "states:Describe*", "states:List*", "support:CreateCase", "support:DescribeCases", "synthetics:Describe*", "synthetics:GetCanary", "synthetics:GetCanaryRuns", "synthetics:GetGroup", "synthetics:List*", "tag:GetResources", "timestream:Describe*", "timestream:List*", "transfer:Describe*", "transfer:List*", "verifiedpermissions:GetIdentitySource", "verifiedpermissions:GetPolicy", "verifiedpermissions:GetPolicyStore", "verifiedpermissions:GetPolicyTemplate", "verifiedpermissions:GetSchema", "verifiedpermissions:List*", "vpc-lattice:GetAccessLogSubscription", "vpc-lattice:GetAuthPolicy", "vpc-lattice:GetListener", "vpc-lattice:GetResourcePolicy", "vpc-lattice:GetRule", "vpc-lattice:GetService", "vpc-lattice:GetServiceNetwork", "vpc-lattice:GetServiceNetworkServiceAssociation", "vpc-lattice:GetServiceNetworkVpcAssociation", "vpc-lattice:GetTargetGroup", "vpc-lattice:List*", "wafv2:GetIPSet", "wafv2:GetLoggingConfiguration", "wafv2:GetRegexPatternSet", "wafv2:GetRuleGroup", "wafv2:GetWebACL", "wafv2:GetWebACLForResource", "wafv2:List*", "workspaces-web:GetBrowserSettings", "workspaces-web:GetIdentityProvider", "workspaces-web:GetNetworkSettings", "workspaces-web:GetPortal", "workspaces-web:GetPortalServiceProviderMetadata", "workspaces-web:GetTrustStore", "workspaces-web:GetUserAccessLoggingSettings", "workspaces-web:GetUserSettings", "workspaces-web:List*", "workspaces:Describe*", "xray:BatchGetTraces", "xray:GetGroup", "xray:GetGroups", "xray:GetSamplingRules", "xray:GetServiceGraph", "xray:GetTraceSummaries", "xray:List*" ], "Resource": "*" }, { "Sid": "AIOPSAPIGatewayAccess", "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": [ "arn:aws:apigateway:*::/restapis", "arn:aws:apigateway:*::/restapis/*", "arn:aws:apigateway:*::/restapis/*/deployments", "arn:aws:apigateway:*::/restapis/*/deployments/*", "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integrations", "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*/integrations/*", "arn:aws:apigateway:*::/restapis/*/stages", "arn:aws:apigateway:*::/restapis/*/stages/*", "arn:aws:apigateway:*::/apis", "arn:aws:apigateway:*::/apis/*", "arn:aws:apigateway:*::/apis/*/deployments", "arn:aws:apigateway:*::/apis/*/deployments/*", "arn:aws:apigateway:*::/apis/*/integrations", "arn:aws:apigateway:*::/apis/*/integrations/*", "arn:aws:apigateway:*::/apis/*/stages", "arn:aws:apigateway:*::/apis/*/stages/*", "arn:aws:apigateway:*::/domainnames/*" ] } ] }
