{
	"Version": "2012-10-17",
	"Statement": [{
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": [
				"arn:aws:iam::*:role/dms-vpc-role",
				"arn:aws:iam::*:role/DataClassificationPipelineGlueJobRole",
				"arn:aws:iam::*:role/DataClassificationPipelineStartGlueWorkflowLambdaRole",
				"arn:aws:iam::*:role/DataClassificationPipelineCreateGlueScriptLambdaRole",
				"arn:aws:iam::*:role/DataClassificationPipelineKinesisRole",
				"arn:aws:iam::*:role/DataClassificationPipelineCloudWatchRole",
				"arn:aws:iam::*:role/DataClassificationPipelineRDSLoaderRole"
			]
		},
		{
				"Effect": "Allow",
				"Action": "iam:CreateServiceLinkedRole",
				"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS"
		},
		{
				"Effect": "Allow",
				"Action": "ssm:GetParameters",
				"Resource": "arn:aws:ssm:*:*:parameter/*"
		},
		{
			"Effect": "Allow",
			"Resource": "*",
			"Action": [
				"cloudformation:*Stack*",
				"cloudformation:*ChangeSet*",
				"cloudformation:*Template*",
				"cloudformation:CreateUploadBucket",
				"dms:*Endpoint*",
				"dms:*ReplicationInstance*",
				"dms:*ReplicationSubnetGroup*",
				"dms:*ReplicationTask*",
				"dms:*Certificate*",
				"dms:*TableStatistics*",
				"dynamodb:*Table*",
				"dynamodb:*Limits*",
				"ec2:DescribeImages",
				"ec2:DescribeAvailabilityZones",
				"ec2:*Address*",
				"ec2:*Instance*",
				"ec2:*InternetGateway*",
				"ec2:*Route*",
				"ec2:*SecurityGroup*",
				"ec2:*Subnet*",
				"ec2:*Tags*",
				"ec2:*Volume*",
				"ec2:*Vpc*",
				"ec2:*AccountAttributes*",
				"events:ListEventBuses",
				"events:DescribeEventBus",
				"events:*Rule*",
				"events:*Targets*",
				"firehose:*DeliveryStream*",
				"glue:*Crawler*",
				"glue:*Database*",
				"glue:*Job*",
				"glue:*Trigger*",
				"glue:*Table*",
				"glue:*Workflow*",
				"glue:GetCatalogImportStatus",
				"glue:GetTags",
				"iam:CreateRole",
				"iam:DeleteRole",
				"iam:GetRole",
				"iam:ListRoles",
				"iam:*Policy",
				"iam:*Policies",
				"iam:*InstanceProfile",
				"iam:DeleteServiceLinkedRole",
				"iam:GetServiceLinkedRoleDeletionStatus",
				"kms:*Alias*",
				"kms:*Grant*",
				"kms:*Key*",
				"kms:Decrypt*",
				"kms:Encrypt*",
				"kms:*ResourceTags*",
				"kms:ReEncryptFrom*",
				"kms:ReEncryptTo*",
				"kms:TagResource*",
				"kms:UntagResource*",
				"lambda:*Permission*",
				"lambda:*Function*",
				"lambda:*Tags*",
				"lambda:GetAccountSettings",
				"rds:*DBInstance*",
				"rds:*DBSubnetGroup*",
				"rds:*DBSecurityGroup*",
				"rds:*DBParameterGroup",
				"rds:DescribeEngineDefaultParameters",
				"logs:Describe*",
				"logs:Get*",
				"logs:List*",
				"logs:StartQuery",
				"logs:StopQuery",
				"logs:TestMetricFilter",
				"logs:FilterLogEvents",
				"s3:*Bucket*",
				"s3:*Object*",
				"s3:*EncryptionConfiguration*",
				"tag:*",
				"secretsmanager:GetSecretValue",
				"secretsmanager:DescribeSecret",
				"secretsmanager:ListSecrets",
				"secretsmanager:CreateSecret",
				"secretsmanager:DeleteSecret",
				"secretsmanager:GetRandomPassword",
				"ssm:StartSession",
				"macie2:GetMacieSession",
				"macie2:GetFindings",
				"macie2:GetClassificationExportConfiguration",
				"macie2:Get*Statistics",
				"macie2:ListFindings",
				"macie2:ListFindingsFilters",
				"macie2:ListClassificationJobs",
				"macie2:ListCustomDataIdentifiers",
				"macie2:ListMembers",
				"macie2:DescribeBuckets",
				"macie2:DescribeClassificationJob",
				"macie2:CreateClassificationJob",
				"macie2:UpdateClassificationJob",
				"macie2:EnableMacie",
				"macie2:DisableMacie",
				"athena:Get*",
				"athena:List*",
				"athena:Tag*",
				"athena:BatchGetNamedQuery",
				"athena:BatchGetQueryExecution",
				"athena:CreateDataCatalog",
				"athena:UpdateDataCatalog",
				"athena:CreatePreparedStatement",
				"athena:StartQueryExecution",
				"athena:CreateNamedQuery",
				"athena:UpdatePreparedStatement",
				"athena:StopQueryExecution",
				"athena:DeleteDataCatalog",
				"athena:DeleteNamedQuery",
				"athena:DeletePreparedStatement"
			]
		}
	]
}