{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:*",
                "ec2:*",
                "elasticloadbalancing:*",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreateOpenIDConnectProvider",
                "iam:DeleteOpenIDConnectProvider",
                "iam:ListOpenIDConnectProviderTags",
                "iam:TagOpenIDConnectProvider",
                "iam:UntagOpenIDConnectProvider",
                "iam:ListOpenIDConnectProviders",
                "iam:GetOpenIDConnectProvider",
                "iam:UpdateOpenIDConnectProviderThumbprint",
                "iam:RemoveClientIDFromOpenIDConnectProvider",
                "iam:AddClientIDToOpenIDConnectProvider",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateServiceLinkedRole",
                "iam:DeleteInstanceProfile",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:GetAccount*",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:TagRole",
                "iam:ListRoleTags",
                "iam:UntagRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRoleDescription",
                "kms:*",
                "logs:*",
                "route53:*",
                "route53resolver:*",
                "sts:AssumeRole",
                "sts:DecodeAuthorizationMessage",
                "sts:GetFederationToken",
                "servicequotas:*",
                "support:*",
                "trustedadvisor:*",
                "ssm:GetParameter"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": "${arn_prefix}:sqs:*:${account_id}:*-g8s-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:*"
            ],
            "Resource": "${arn_prefix}:events:*:${account_id}:*-g8s-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:GetBucketLogging",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutBucketAcl",
                "s3:PutBucketLogging",
                "s3:PutBucketTagging",
                "s3:PutObjectAcl",
                "s3:PutObject",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketOwnershipControls"
            ],
            "Resource": "${arn_prefix}:s3:::*-g8s-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateRoleDescription"
            ],
            "Resource": [
                "${arn_prefix}:iam::${account_id}:role/*-EC2-K8S-Role",
                "${arn_prefix}:iam::${account_id}:role/*-IAMManager-Role",
                "${arn_prefix}:iam::${account_id}:role/*-Route53Manager-Role",
                "${arn_prefix}:iam::${account_id}:role/*-vpc-peer-access",
                "${arn_prefix}:iam::${account_id}:role/gs-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "${arn_prefix}:iam::${account_id}:instance-profile/*-EC2-K8S-Role",
                "${arn_prefix}:iam::${account_id}:instance-profile/gs-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:TagRole"
            ],
            "Resource": [
                "${arn_prefix}:iam::${account_id}:role/gs-*",
                "${arn_prefix}:iam::${account_id}:role/*-IAMManager-Role",
                "${arn_prefix}:iam::${account_id}:role/*-Route53Manager-Role"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "${arn_prefix}:iam::${account_id}:role/aws-service-role/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:TagResource",
                "cloudfront:UntagResource",
                "cloudfront:GetCloudFrontOriginAccessIdentity",
                "cloudfront:CreateCloudFrontOriginAccessIdentity",
                "cloudfront:DeleteCloudFrontOriginAccessIdentity",
                "cloudfront:GetDistribution",
                "cloudfront:CreateDistribution",
                "cloudfront:UpdateDistribution",
                "cloudfront:DeleteDistribution",
                "cloudfront:ListDistributions",
                "cloudfront:ListTagsForResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "acm:RequestCertificate",
                "acm:AddTagsToCertificate",
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:DeleteCertificate"
            ],
            "Resource": "*"
        }
    ]
}