# Catalogue of AWS IAM action names grouped under four risk categories
# (CredentialExposure, DataAccess, PrivEsc, ResourceExposure). Each category
# holds an "Actions" list of literal "service:Action" strings.
#
# Notes for anyone matching policies against this list:
#   * Entries are exact names with no wildcards. A policy statement granting
#     "iam:*" or "s3:Get*" covers listed actions without naming them, so expand
#     wildcards in the policy before comparing.
#   * Categories are not disjoint. For example iam:CreateAccessKey appears
#     under CredentialExposure, PrivEsc and ResourceExposure, and
#     gamelift:GetInstanceAccess under CredentialExposure and DataAccess, so
#     de-duplicate when counting findings.
#   * This is a static list; presumably it has to be refreshed as AWS adds or
#     renames actions. TODO confirm how it is maintained.
#   * The category descriptions below are inferred from the key names and the
#     listed members. Confirm them against the project's documentation.

# CredentialExposure: actions that appear to return, create or reset a secret,
# key, token or temporary credential.
# NOTE(review): no secretsmanager read action (e.g. secretsmanager:GetSecretValue)
# is listed here or under DataAccess on this page, although ssm:GetParameter* is
# listed under DataAccess. Confirm whether the omission is deliberate.
CredentialExposure:
  Actions:
    - appsync:ListApiKeys
    - athena:GetSession
    - chatbot:GetMicrosoftTeamsOauthParameters
    - chatbot:GetSlackOauthParameters
    - chime:CreateApiKey
    - cloud9:CreateEnvironmentSSH
    - cloud9:CreateEnvironmentToken
    - codeartifact:GetAuthorizationToken
    - codepipeline:PollForJobs
    - cognito-identity:GetCredentialsForIdentity
    - cognito-identity:GetOpenIdToken
    - cognito-identity:GetOpenIdTokenForDeveloperIdentity
    - cognito-idp:DescribeUserPoolClient
    - cognito-idp:GetUserAttributeVerificationCode
    - connect:GetFederationToken
    - connect:ListSecurityKeys
    - ec2:GetPasswordData
    - ec2-instance-connect:SendSSHPublicKey
    - ecr-public:GetAuthorizationToken
    - ecr:GetAuthorizationToken
    - gamelift:GetComputeAuthToken
    - gamelift:GetGameSessionLogUrl
    - gamelift:GetInstanceAccess
    - gamelift:RequestUploadCredentials
    - iam:CreateAccessKey
    - iam:CreateLoginProfile
    - iam:CreateServiceSpecificCredential
    - iam:ResetServiceSpecificCredential
    - iam:UpdateAccessKey
    - lightsail:DownloadDefaultKeyPair
    - lightsail:GetBucketAccessKeys
    - lightsail:GetKeyPair
    - lightsail:GetKeyPairs
    - lightsail:GetRelationalDatabaseMasterUserPassword
    - mediapackage:RotateChannelCredentials
    - mediapackage:RotateIngestEndpointCredentials
    - rds-db:connect
    - redshift:GetClusterCredentials
    - snowball:GetJobUnlockCode
    - sso-directory:ListBearerTokens
    - storagegateway:DescribeChapCredentials
    - sts:AssumeRole
    - sts:AssumeRoleWithSAML
    - sts:AssumeRoleWithWebIdentity
    - sts:GetFederationToken
    - sts:GetSessionToken
    # NOTE(review): a WAF change token sequences configuration changes rather
    # than authenticating a caller. These two entries may have been matched on
    # the word "Token". Confirm they belong in this category.
    - waf-regional:GetChangeToken
    - waf:GetChangeToken

# DataAccess: actions that appear to read stored content (objects, records,
# query results, source code, logs, directory and user data).
DataAccess:
  Actions:
    - aoss:APIAccessAll
    - aoss:DashboardsAccessAll
    - appsync:GetDataSource
    - appsync:GetFunction
    - athena:GetQueryExecution
    - athena:GetQueryResults
    - athena:GetQueryResultsStream
    - cassandra:Select
    - chatbot:DescribeSlackChannels
    - chatbot:DescribeSlackUserIdentities
    - chatbot:ListMicrosoftTeamsConfiguredTeams
    - chatbot:ListMicrosoftTeamsUserIdentities
    - chime:GetAttendee
    - chime:GetChannelMessage
    - chime:GetMeeting
    - chime:GetMeetingDetail
    - chime:GetRoom
    - chime:GetUser
    - chime:GetUserActivityReportData
    - chime:GetUserByEmail
    - chime:GetUserSettings
    - chime:ListAttendees
    - chime:ListMeetingEvents
    - chime:ListMeetings
    - chime:ListUsers
    - cleanrooms:GetProtectedQuery
    - cloudformation:GetTemplate
    - cloudfront:GetFunction
    - cloudtrail:GetQueryResults
    - cloudtrail:LookupEvents
    - codeartifact:GetPackageVersionAsset
    - codeartifact:GetPackageVersionReadme
    - codeartifact:ReadFromRepository
    - codebuild:BatchGetReportGroups
    - codebuild:BatchGetReports
    - codecommit:BatchGetCommits
    - codecommit:BatchGetPullRequests
    - codecommit:BatchGetRepositories
    - codecommit:DescribeMergeConflicts
    - codecommit:DescribePullRequestEvents
    - codecommit:GetApprovalRuleTemplate
    - codecommit:GetBlob
    - codecommit:GetBranch
    - codecommit:GetComment
    - codecommit:GetCommentReactions
    - codecommit:GetCommentsForComparedCommit
    - codecommit:GetCommentsForPullRequest
    - codecommit:GetCommit
    - codecommit:GetCommitHistory
    - codecommit:GetCommitsFromMergeBase
    - codecommit:GetDifferences
    - codecommit:GetFile
    - codecommit:GetFolder
    - codecommit:GetMergeCommit
    - codecommit:GetMergeConflicts
    - codecommit:GetMergeOptions
    - codecommit:GetObjectIdentifier
    - codecommit:GetPullRequest
    - codecommit:GetPullRequestApprovalStates
    - codecommit:GetPullRequestOverrideState
    - codecommit:GetReferences
    - codecommit:GetTree
    - codecommit:GitPull
    - codeguru-profiler:GetRecommendations
    - codeguru-reviewer:DescribeCodeReview
    - codeguru-reviewer:DescribeRecommendationFeedback
    - codepipeline:GetPipelineExecution
    - cognito-identity:LookupDeveloperIdentity
    - cognito-idp:AdminGetDevice
    - cognito-idp:AdminGetUser
    - cognito-idp:AdminListDevices
    - cognito-idp:AdminListGroupsForUser
    - cognito-idp:AdminListUserAuthEvents
    - cognito-idp:GetDevice
    - cognito-idp:GetGroup
    - cognito-idp:GetUser
    - cognito-idp:ListUsers
    - cognito-idp:ListDevices
    - cognito-idp:ListGroups
    - cognito-sync:ListRecords
    - cognito-sync:QueryRecords
    - connect:ListUsers
    - datapipeline:QueryObjects
    - dax:BatchGetItem
    - dax:GetItem
    - dax:Query
    - dax:Scan
    - dynamodb:BatchGetItem
    - dynamodb:GetItem
    - dynamodb:GetRecords
    - dynamodb:Query
    - dynamodb:Scan
    - ecr:GetDownloadUrlForLayer
    # NOTE(review): the es:ESHttp* entries name HTTP verbs, including mutating
    # ones (Delete, Patch, Post, Put), in a category that otherwise lists read
    # actions. Confirm that listing every verb is intentional.
    - es:ESHttpDelete
    - es:ESHttpGet
    - es:ESHttpHead
    - es:ESHttpPatch
    - es:ESHttpPost
    - es:ESHttpPut
    - gamelift:GetInstanceAccess
    - healthlake:ReadResource
    - healthlake:SearchWithGet
    - healthlake:SearchWithPost
    - kendra:Query
    - kinesis:GetRecords
    - kinesisvideo:GetImages
    - kinesisvideo:GetMedia
    - lambda:GetFunction
    - lambda:GetLayerVersion
    - lightsail:GetContainerImages
    - logs:GetLogEvents
    - logs:GetLogRecord
    - logs:GetQueryResults
    # logs:Unmask lets a caller view log data that a CloudWatch Logs data
    # protection policy would otherwise mask.
    - logs:Unmask
    - macie2:GetFindings
    - mediastore:GetObject
    - qldb:GetBlock
    - rds:DownloadCompleteDBLogFile
    - rds:DownloadDBLogFilePortion
    - robomaker:GetWorldTemplateBody
    - s3-object-lambda:GetObject
    - s3-object-lambda:GetObjectVersion
    - s3-object-lambda:ListBucket
    - s3:GetObject
    - s3:GetObjectVersion
    - sagemaker:Search
    - sdb:Select
    - serverlessrepo:GetApplication
    - serverlessrepo:GetCloudFormationTemplate
    - sqs:ReceiveMessage
    - ssm:GetDocument
    - ssm:GetParameter
    - ssm:GetParameterHistory
    - ssm:GetParameters
    - ssm:GetParametersByPath
    - sso-directory:DescribeGroup
    - sso-directory:DescribeUser
    - sso-directory:SearchGroups
    - sso-directory:SearchUsers
    - sso:SearchGroups
    - sso:SearchUsers
    - support:DescribeAttachment
    - support:DescribeCommunications
    - workdocs:GetDocument
    - workdocs:GetDocumentPath
    - workdocs:GetDocumentVersion
    - workmail:ListGroupMembers
    - workmail:ListGroups
    - workmail:ListUsers

# PrivEsc: mostly IAM actions that appear able to change what a principal is
# allowed to do (policy attachment, policy versions, trust policy, login
# profiles, access keys, MFA devices).
PrivEsc:
  Actions:
    - codestar:AssociateTeamMember
    - codestar:CreateProject
    - ec2-instance-connect:SendSSHPublicKey
    - glue:UpdateDevEndpoint
    - iam:AddUserToGroup
    - iam:AttachGroupPolicy
    - iam:AttachRolePolicy
    - iam:AttachUserPolicy
    - iam:CreateAccessKey
    - iam:CreateLoginProfile
    - iam:CreatePolicyVersion
    - iam:CreateServiceLinkedRole
    - iam:CreateVirtualMFADevice
    - iam:EnableMFADevice
    # The weight of an iam:PassRole grant depends on its Resource scope and on
    # which role-accepting service actions the same principal holds, so review
    # it in the context of the whole policy rather than as a lone match.
    - iam:PassRole
    - iam:PutGroupPolicy
    - iam:PutRolePolicy
    - iam:PutUserPolicy
    - iam:ResyncMFADevice
    - iam:SetDefaultPolicyVersion
    - iam:UpdateAssumeRolePolicy
    - iam:UpdateLoginProfile

# ResourceExposure: actions that appear to change who can reach a resource:
# resource policies, permissions, grants, shares, and identity or directory
# objects. The list includes Delete*/Remove*/Revoke* actions as well as
# Put*/Create*, so a match means the access boundary can be modified in either
# direction, not only widened.
ResourceExposure:
  Actions:
    - acm-pca:CreatePermission
    - acm-pca:DeletePermission
    - acm-pca:DeletePolicy
    - acm-pca:PutPolicy
    - apigateway:UpdateRestApiPolicy
    - backup:DeleteBackupVaultAccessPolicy
    - backup:PutBackupVaultAccessPolicy
    - chime:DeleteVoiceConnectorTerminationCredentials
    - chime:PutVoiceConnectorTerminationCredentials
    - cloudformation:SetStackPolicy
    - cloudsearch:UpdateServiceAccessPolicies
    - codeartifact:DeleteDomainPermissionsPolicy
    - codeartifact:DeleteRepositoryPermissionsPolicy
    - codebuild:DeleteResourcePolicy
    - codebuild:DeleteSourceCredentials
    - codebuild:ImportSourceCredentials
    - codebuild:PutResourcePolicy
    - codeguru-profiler:PutPermission
    - codeguru-profiler:RemovePermission
    - codestar:AssociateTeamMember
    - codestar:CreateProject
    - codestar:DeleteProject
    - codestar:DisassociateTeamMember
    - codestar:UpdateTeamMember
    - cognito-identity:CreateIdentityPool
    - cognito-identity:DeleteIdentities
    - cognito-identity:DeleteIdentityPool
    - cognito-identity:GetId
    - cognito-identity:MergeDeveloperIdentities
    - cognito-identity:SetIdentityPoolRoles
    - cognito-identity:UnlinkDeveloperIdentity
    - cognito-identity:UnlinkIdentity
    - cognito-identity:UpdateIdentityPool
    - deeplens:AssociateServiceRoleToAccount
    - ds:CreateConditionalForwarder
    - ds:CreateDirectory
    - ds:CreateMicrosoftAD
    - ds:CreateTrust
    - ds:ShareDirectory
    - ec2:CreateNetworkInterfacePermission
    - ec2:DeleteNetworkInterfacePermission
    # Block-public-access settings are guardrails (see also the
    # elasticmapreduce and s3 *PublicAccessBlock entries below). Changes to
    # them are worth reviewing in audit logs.
    - ec2:DisableImageBlockPublicAccess
    - ec2:ModifySnapshotAttribute
    - ec2:ModifyVpcEndpointServicePermissions
    - ec2:ResetSnapshotAttribute
    - ecr:DeleteRepositoryPolicy
    - ecr:SetRepositoryPolicy
    - elasticfilesystem:DeleteFileSystemPolicy
    - elasticfilesystem:PutFileSystemPolicy
    - elasticmapreduce:PutBlockPublicAccessConfiguration
    - es:CreateElasticsearchDomain
    - es:UpdateElasticsearchDomainConfig
    - glacier:AbortVaultLock
    - glacier:CompleteVaultLock
    - glacier:DeleteVaultAccessPolicy
    - glacier:InitiateVaultLock
    - glacier:SetDataRetrievalPolicy
    - glacier:SetVaultAccessPolicy
    - glue:DeleteResourcePolicy
    - glue:PutResourcePolicy
    - greengrass:AssociateServiceRoleToAccount
    - health:DisableHealthServiceAccessForOrganization
    - health:EnableHealthServiceAccessForOrganization
    - iam:AddClientIDToOpenIDConnectProvider
    - iam:AddRoleToInstanceProfile
    - iam:AddUserToGroup
    - iam:AttachGroupPolicy
    - iam:AttachRolePolicy
    - iam:AttachUserPolicy
    - iam:ChangePassword
    - iam:CreateAccessKey
    - iam:CreateAccountAlias
    - iam:CreateGroup
    - iam:CreateInstanceProfile
    - iam:CreateLoginProfile
    - iam:CreateOpenIDConnectProvider
    - iam:CreatePolicy
    - iam:CreatePolicyVersion
    - iam:CreateRole
    - iam:CreateSAMLProvider
    - iam:CreateServiceLinkedRole
    - iam:CreateServiceSpecificCredential
    - iam:CreateUser
    - iam:CreateVirtualMFADevice
    - iam:DeactivateMFADevice
    - iam:DeleteAccessKey
    - iam:DeleteAccountAlias
    - iam:DeleteAccountPasswordPolicy
    - iam:DeleteGroup
    - iam:DeleteGroupPolicy
    - iam:DeleteInstanceProfile
    - iam:DeleteLoginProfile
    - iam:DeleteOpenIDConnectProvider
    - iam:DeletePolicy
    - iam:DeletePolicyVersion
    - iam:DeleteRole
    - iam:DeleteRolePermissionsBoundary
    - iam:DeleteRolePolicy
    - iam:DeleteSAMLProvider
    - iam:DeleteServerCertificate
    - iam:DeleteServiceLinkedRole
    - iam:DeleteServiceSpecificCredential
    - iam:DeleteSigningCertificate
    - iam:DeleteSSHPublicKey
    - iam:DeleteUser
    - iam:DeleteUserPermissionsBoundary
    - iam:DeleteUserPolicy
    - iam:DeleteVirtualMFADevice
    - iam:DetachGroupPolicy
    - iam:DetachRolePolicy
    - iam:DetachUserPolicy
    - iam:EnableMFADevice
    - iam:PassRole
    - iam:PutGroupPolicy
    - iam:PutRolePermissionsBoundary
    - iam:PutRolePolicy
    - iam:PutUserPermissionsBoundary
    - iam:PutUserPolicy
    - iam:RemoveClientIDFromOpenIDConnectProvider
    - iam:RemoveRoleFromInstanceProfile
    - iam:RemoveUserFromGroup
    - iam:ResetServiceSpecificCredential
    - iam:ResyncMFADevice
    - iam:SetDefaultPolicyVersion
    - iam:SetSecurityTokenServicePreferences
    - iam:UpdateAccessKey
    - iam:UpdateAccountPasswordPolicy
    - iam:UpdateAssumeRolePolicy
    - iam:UpdateGroup
    - iam:UpdateLoginProfile
    - iam:UpdateOpenIDConnectProviderThumbprint
    - iam:UpdateRole
    - iam:UpdateRoleDescription
    - iam:UpdateSAMLProvider
    - iam:UpdateServerCertificate
    - iam:UpdateServiceSpecificCredential
    - iam:UpdateSigningCertificate
    - iam:UpdateSSHPublicKey
    - iam:UpdateUser
    - iam:UploadServerCertificate
    - iam:UploadSigningCertificate
    - iam:UploadSSHPublicKey
    - imagebuilder:PutComponentPolicy
    - imagebuilder:PutImagePolicy
    - imagebuilder:PutImageRecipePolicy
    - iot:AttachPolicy
    - iot:AttachPrincipalPolicy
    - iot:DetachPolicy
    - iot:DetachPrincipalPolicy
    - iot:SetDefaultAuthorizer
    - iot:SetDefaultPolicyVersion
    - iotsitewise:CreateAccessPolicy
    - iotsitewise:DeleteAccessPolicy
    - iotsitewise:UpdateAccessPolicy
    - kms:CreateGrant
    - kms:PutKeyPolicy
    - kms:RetireGrant
    - kms:RevokeGrant
    - lakeformation:BatchGrantPermissions
    - lakeformation:BatchRevokePermissions
    - lakeformation:GrantPermissions
    - lakeformation:PutDataLakeSettings
    - lakeformation:RevokePermissions
    - lambda:AddLayerVersionPermission
    - lambda:AddPermission
    - lambda:DisableReplication
    - lambda:EnableReplication
    - lambda:RemoveLayerVersionPermission
    - lambda:RemovePermission
    - license-manager:UpdateServiceSettings
    - lightsail:GetRelationalDatabaseMasterUserPassword
    - logs:DeleteResourcePolicy
    - logs:PutResourcePolicy
    - mediapackage:RotateIngestEndpointCredentials
    - mediastore:DeleteContainerPolicy
    - mediastore:PutContainerPolicy
    - opsworks:SetPermission
    - opsworks:UpdateUserProfile
    - quicksight:CreateAdmin
    - quicksight:CreateGroup
    - quicksight:CreateGroupMembership
    - quicksight:CreateIAMPolicyAssignment
    - quicksight:CreateUser
    - quicksight:DeleteGroup
    - quicksight:DeleteGroupMembership
    - quicksight:DeleteIAMPolicyAssignment
    - quicksight:DeleteUser
    - quicksight:DeleteUserByPrincipalId
    - quicksight:RegisterUser
    - quicksight:UpdateDashboardPermissions
    - quicksight:UpdateGroup
    - quicksight:UpdateIAMPolicyAssignment
    - quicksight:UpdateTemplatePermissions
    - quicksight:UpdateUser
    - ram:AcceptResourceShareInvitation
    - ram:AssociateResourceShare
    - ram:CreateResourceShare
    - ram:DeleteResourceShare
    - ram:DisassociateResourceShare
    - ram:EnableSharingWithAwsOrganization
    - ram:RejectResourceShareInvitation
    - ram:UpdateResourceShare
    - rds-db:connect
    - rds:AuthorizeDBSecurityGroupIngress
    - redshift:AuthorizeSnapshotAccess
    - redshift:CreateClusterUser
    - redshift:CreateSnapshotCopyGrant
    - redshift:JoinGroup
    - redshift:ModifyClusterIamRoles
    - redshift:RevokeSnapshotAccess
    - route53resolver:PutResolverRulePolicy
    - s3:BypassGovernanceRetention
    - s3:DeleteAccessPointPolicy
    - s3:DeleteBucketPolicy
    - s3:ObjectOwnerOverrideToBucketOwner
    - s3:PutAccessPointPolicy
    - s3:PutAccountPublicAccessBlock
    - s3:PutBucketAcl
    - s3:PutBucketPolicy
    - s3:PutBucketPublicAccessBlock
    - s3:PutObjectAcl
    - s3:PutObjectVersionAcl
    - secretsmanager:DeleteResourcePolicy
    - secretsmanager:PutResourcePolicy
    - secretsmanager:ValidateResourcePolicy
    - servicecatalog:CreatePortfolioShare
    - servicecatalog:DeletePortfolioShare
    - sns:AddPermission
    - sns:CreateTopic
    - sns:RemovePermission
    - sns:SetTopicAttributes
    - sqs:AddPermission
    - sqs:CreateQueue
    - sqs:RemovePermission
    - sqs:SetQueueAttributes
    - ssm:ModifyDocumentPermission
    - sso-directory:AddMemberToGroup
    - sso-directory:CreateAlias
    - sso-directory:CreateGroup
    - sso-directory:CreateUser
    - sso-directory:DeleteGroup
    - sso-directory:DeleteUser
    - sso-directory:DisableUser
    - sso-directory:EnableUser
    - sso-directory:RemoveMemberFromGroup
    - sso-directory:UpdateGroup
    - sso-directory:UpdatePassword
    - sso-directory:UpdateUser
    - sso-directory:VerifyEmail
    - sso:AssociateDirectory
    - sso:AssociateProfile
    - sso:CreateApplicationInstance
    - sso:CreateApplicationInstanceCertificate
    - sso:CreatePermissionSet
    - sso:CreateProfile
    - sso:CreateTrust
    - sso:DeleteApplicationInstance
    - sso:DeleteApplicationInstanceCertificate
    - sso:DeletePermissionSet
    - sso:DeletePermissionsPolicy
    - sso:DeleteProfile
    - sso:DisassociateDirectory
    - sso:DisassociateProfile
    - sso:ImportApplicationInstanceServiceProviderMetadata
    - sso:PutPermissionsPolicy
    - sso:StartSSO
    - sso:UpdateApplicationInstanceActiveCertificate
    - sso:UpdateApplicationInstanceDisplayData
    - sso:UpdateApplicationInstanceResponseConfiguration
    - sso:UpdateApplicationInstanceResponseSchemaConfiguration
    - sso:UpdateApplicationInstanceSecurityConfiguration
    - sso:UpdateApplicationInstanceServiceProviderConfiguration
    - sso:UpdateApplicationInstanceStatus
    - sso:UpdateDirectoryAssociation
    - sso:UpdatePermissionSet
    - sso:UpdateProfile
    - sso:UpdateSSOConfiguration
    - sso:UpdateTrust
    - storagegateway:DeleteChapCredentials
    - storagegateway:SetLocalConsolePassword
    - storagegateway:SetSMBGuestPassword
    - storagegateway:UpdateChapCredentials
    - waf-regional:DeletePermissionPolicy
    - waf-regional:PutPermissionPolicy
    - waf:DeletePermissionPolicy
    - waf:PutPermissionPolicy
    - wafv2:CreateWebACL
    - wafv2:DeletePermissionPolicy
    - wafv2:DeleteWebACL
    - wafv2:PutPermissionPolicy
    - wafv2:UpdateWebACL
    - worklink:UpdateDevicePolicyConfiguration
    - workmail:ResetPassword
    - workmail:ResetUserPassword
    - xray:PutEncryptionConfig