CredentialExposure:
  Actions:
    - appsync:ListApiKeys:
        access_level: List
        description: Grants permission to list the API keys for a given API
        risk_category:
          - CredentialExposure
        service_name: AWS AppSync
    - athena:GetSession:
        access_level: Read
        description: Grants permission to get a session
        risk_category:
          - CredentialExposure
        service_name: Amazon Athena
    - chatbot:GetMicrosoftTeamsOauthParameters:
        access_level: Read
        description: Grants permission to generate OAuth parameters to request Microsoft Teams OAuth code to be used by the AWS Chatbot service
        risk_category:
          - CredentialExposure
        service_name: AWS Chatbot
    - chatbot:GetSlackOauthParameters:
        access_level: Read
        description: Grants permission to generate OAuth parameters to request Slack OAuth code to be used by the AWS Chatbot service
        risk_category:
          - CredentialExposure
        service_name: AWS Chatbot
    - chime:CreateApiKey:
        access_level: Write
        description: Grants permission to create a new SCIM access key for your Amazon Chime account and Okta configuration
        risk_category:
          - CredentialExposure
        service_name: Amazon Chime
    - cloud9:CreateEnvironmentSSH:
        access_level: Write
        description: Grants permission to create an AWS Cloud9 SSH development environment
        risk_category:
          - CredentialExposure
        service_name: AWS Cloud9
    - cloud9:CreateEnvironmentToken:
        access_level: Read
        description: Grants permission to create an authentication token that allows a connection between the AWS Cloud9 IDE and the user's environment
        risk_category:
          - CredentialExposure
        service_name: AWS Cloud9
    - codeartifact:GetAuthorizationToken:
        access_level: Read
        description: Grants permission to generate a temporary authentication token for accessing repositories in a domain
        risk_category:
          - CredentialExposure
        service_name: AWS CodeArtifact
    - codepipeline:PollForJobs:
        access_level: Write
        description: Grants permission to view information about any jobs for CodePipeline to act on
        risk_category:
          - CredentialExposure
        service_name: AWS CodePipeline
    - cognito-identity:GetCredentialsForIdentity:
        access_level: Read
        description: Grants permission to return credentials for the provided identity ID
        risk_category:
          - CredentialExposure
        service_name: Amazon Cognito Identity
    - cognito-identity:GetOpenIdToken:
        access_level: Read
        description: Grants permission to get an OpenID token, using a known Cognito ID
        risk_category:
          - CredentialExposure
        service_name: Amazon Cognito Identity
    - cognito-identity:GetOpenIdTokenForDeveloperIdentity:
        access_level: Read
        description: Grants permission to register (or retrieve) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process
        risk_category:
          - CredentialExposure
        service_name: Amazon Cognito Identity
    - cognito-idp:DescribeUserPoolClient:
        access_level: Read
        description: Grants permission to describe any user pool app client
        risk_category:
          - CredentialExposure
        service_name: Amazon Cognito User Pools
    - cognito-idp:GetUserAttributeVerificationCode:
        access_level: Read
        description: Grants permission to get the user attribute verification code for the specified attribute name
        risk_category:
          - CredentialExposure
        service_name: Amazon Cognito User Pools
    - connect:GetFederationToken:
        access_level: Read
        description: Grants permission to federate into an Amazon Connect instance when using SAML-based authentication for identity management
        risk_category:
          - CredentialExposure
        service_name: Amazon Connect
    - connect:ListSecurityKeys:
        access_level: List
        description: Grants permission to view the security keys of an existing Amazon Connect instance
        risk_category:
          - CredentialExposure
        service_name: Amazon Connect
    - ec2:GetPasswordData:
        access_level: Read
        description: Grants permission to retrieve the encrypted administrator password for a running Windows instance
        risk_category:
          - CredentialExposure
        service_name: Amazon EC2
    - ec2-instance-connect:SendSSHPublicKey:
        access_level: Write
        description: Grants permission to push an SSH public key to the specified EC2 instance to be used for standard SSH
        risk_category:
          - CredentialExposure
          - PrivEsc
        service_name: Amazon EC2 Instance Connect
    - ecr-public:GetAuthorizationToken:
        access_level: Read
        description: Grants permission to retrieve a token that is valid for a specified registry for 12 hours
        risk_category:
          - CredentialExposure
        service_name: Amazon Elastic Container Registry Public
    - ecr:GetAuthorizationToken:
        access_level: Read
        description: Grants permission to retrieve a token that is valid for a specified registry for 12 hours
        risk_category:
          - CredentialExposure
        service_name: Amazon Elastic Container Registry
    - gamelift:GetComputeAuthToken:
        access_level: Read
        description: Grants permission to retrieve an authorization token for a compute and fleet to use in game server processes
        risk_category:
          - CredentialExposure
        service_name: Amazon GameLift
    - gamelift:GetGameSessionLogUrl:
        access_level: Read
        description: Grants permission to retrieve the location of stored logs for a game session
        risk_category:
          - CredentialExposure
        service_name: Amazon GameLift
    - gamelift:GetInstanceAccess:
        access_level: Read
        description: Grants permission to request remote access to a specified fleet instance
        risk_category:
          - CredentialExposure
          - DataAccess
        service_name: Amazon GameLift
    - gamelift:RequestUploadCredentials:
        access_level: Read
        description: Grants permission to retrieve fresh upload credentials to use when uploading a new game build
        risk_category:
          - CredentialExposure
        service_name: Amazon GameLift
    - iam:CreateAccessKey:
        access_level: Write
        description: Grants permission to create access key and secret access key for the specified IAM user
        risk_category:
          - CredentialExposure
          - PrivEsc
          - ResourceExposure
        service_name: AWS Identity and Access Management (IAM)
    - iam:CreateLoginProfile:
        access_level: Write
        description: Grants permission to create a password for the specified IAM user
        risk_category:
          - CredentialExposure
          - PrivEsc
          - ResourceExposure
        service_name: AWS Identity and Access Management (IAM)
    - iam:CreateServiceSpecificCredential:
        access_level: Write
        description: Grants permission to create a new service-specific credential for an IAM user
        risk_category:
          - CredentialExposure
          - ResourceExposure
        service_name: AWS Identity and Access Management (IAM)
    - iam:ResetServiceSpecificCredential:
        access_level: Write
        description: Grants permission to reset the password for an existing service-specific credential for an IAM user
        risk_category:
          - CredentialExposure
          - ResourceExposure
        service_name: AWS Identity and Access Management (IAM)
    - iam:UpdateAccessKey:
        access_level: Write
        description: Grants permission to update the status of the specified access key as Active or Inactive
        risk_category:
          - CredentialExposure
          - ResourceExposure
        service_name: AWS Identity and Access Management (IAM)
    - lightsail:DownloadDefaultKeyPair:
        access_level: Write
        description: Grants permission to download the default key pair used to authenticate and connect to instances in a specific AWS Region
        risk_category:
          - CredentialExposure
        service_name: Amazon Lightsail
    - lightsail:GetBucketAccessKeys:
        access_level: Read
        description: Grants permission to get the existing access key IDs for the specified Amazon Lightsail bucket
        risk_category:
          - CredentialExposure
        service_name: Amazon Lightsail
    - lightsail:GetKeyPair:
        access_level: Read
        description: Grants permission to get information about a key pair
        risk_category:
          - CredentialExposure
        service_name: Amazon Lightsail
    - lightsail:GetKeyPairs:
        access_level: Read
        description: Grants permission to get information about all key pairs
        risk_category:
          - CredentialExposure
        service_name: Amazon Lightsail
    - lightsail:GetRelationalDatabaseMasterUserPassword:
        access_level: Write
        description: Grants permission to get the master user password of a relational database
        risk_category:
          - CredentialExposure
          - ResourceExposure
        service_name: Amazon Lightsail
    - mediapackage:RotateChannelCredentials:
        access_level: Write
        description: Grants permission to rotate credentials for the first IngestEndpoint of a Channel in AWS Elemental MediaPackage
        risk_category:
          - CredentialExposure
        service_name: AWS Elemental MediaPackage
    - mediapackage:RotateIngestEndpointCredentials:
        access_level: Write
        description: Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage
        risk_category:
          - CredentialExposure
          - ResourceExposure
        service_name: AWS Elemental MediaPackage
    - rds-db:connect:
        access_level: Permissions management
        description: Allows IAM role or user to connect to RDS database
        risk_category:
          - CredentialExposure
          - ResourceExposure
        service_name: Amazon RDS IAM Authentication
    - redshift:GetClusterCredentials:
        access_level: Write
        description: Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account
        risk_category:
          - CredentialExposure
        service_name: Amazon Redshift
    - snowball:GetJobUnlockCode:
        access_level: Read
        description: Grants permission to get the UnlockCode code value for the specified job
        risk_category:
          - CredentialExposure
        service_name: AWS Snowball
    - sso-directory:ListBearerTokens:
        access_level: Read
        description: Grants permission to list bearer tokens for a given provisioning tenant
        risk_category:
          - CredentialExposure
        service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory
    - storagegateway:DescribeChapCredentials:
        access_level: Read
        description: Grants permission to get an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair
        risk_category:
          - CredentialExposure
        service_name: AWS Storage Gateway
    - sts:AssumeRole:
        access_level: Write
        description: Grants permission to obtain a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to
        risk_category:
          - CredentialExposure
        service_name: AWS Security Token Service
    - sts:AssumeRoleWithSAML:
        access_level: Write
        description: Grants permission to obtain a set of temporary security credentials for users who have been authenticated via a SAML authentication response
        risk_category:
          - CredentialExposure
        service_name: AWS Security Token Service
    - sts:AssumeRoleWithWebIdentity:
        access_level: Write
        description: Grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider
        risk_category:
          - CredentialExposure
        service_name: AWS Security Token Service
    - sts:GetFederationToken:
        access_level: Read
        description: Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user
        risk_category:
          - CredentialExposure
        service_name: AWS Security Token Service
    - sts:GetSessionToken:
        access_level: Read
        description: Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an AWS account or IAM user
        risk_category:
          - CredentialExposure
        service_name: AWS Security Token Service
    - waf-regional:GetChangeToken:
        access_level: Read
        description: Grants permission to retrieve a change token to use in create, update, and delete requests
        risk_category:
          - CredentialExposure
        service_name: AWS WAF Regional
    - waf:GetChangeToken:
        access_level: Read
        description: Grants permission to retrieve a change token to use in create, update, and delete requests
        risk_category:
          - CredentialExposure
        service_name: AWS WAF
DataAccess:
  Actions:
    - aoss:APIAccessAll:
        access_level: Write
        description: Grant permission to all the supported Opensearch APIs
        risk_category:
          - DataAccess
        service_name: Amazon OpenSearch Serverless
    - aoss:DashboardsAccessAll:
        access_level: Write
        description: Grants permission to Opensearch Serverless Dashboards
        risk_category:
          - DataAccess
        service_name: Amazon OpenSearch Serverless
    - appsync:GetDataSource:
        access_level: Read
        description: Grants permission to retrieve a data source
        risk_category:
          - DataAccess
        service_name: AWS AppSync
    - appsync:GetFunction:
        access_level: Read
        description: Grants permission to retrieve a function
        risk_category:
          - DataAccess
        service_name: AWS AppSync
    - athena:GetQueryExecution:
        access_level: Read
        description: Grants permission to get information about the specified query execution
        risk_category:
          - DataAccess
        service_name: Amazon Athena
    - athena:GetQueryResults:
        access_level: Read
        description: Grants permission to get the query results
        risk_category:
          - DataAccess
        service_name: Amazon Athena
    - athena:GetQueryResultsStream:
        access_level: Read
        description: Grants permission to get the query results stream
        risk_category:
          - DataAccess
        service_name: Amazon Athena
    - cassandra:Select:
        access_level: Read
        description: Grants permission to SELECT data from a table
        risk_category:
          - DataAccess
        service_name: Amazon Keyspaces (for Apache Cassandra)
    - chatbot:DescribeSlackChannels:
        access_level: Read
        description: Grants permission to list all public Slack channels in the Slack workspace connected to the AWS Account onboarded with AWS Chatbot service
        risk_category:
          - DataAccess
        service_name: AWS Chatbot
    - chatbot:DescribeSlackUserIdentities:
        access_level: Read
        description: Grants permission to describe AWS Chatbot Slack User Identities
        risk_category:
          - DataAccess
        service_name: AWS Chatbot
    - chatbot:ListMicrosoftTeamsConfiguredTeams:
        access_level: Read
        description: Grants permission to list all Microsoft Teams connected to the AWS Account onboarded with AWS Chatbot service
        risk_category:
          - DataAccess
        service_name: AWS Chatbot
    - chatbot:ListMicrosoftTeamsUserIdentities:
        access_level: Read
        description: Grants permission to describe AWS Chatbot Microsoft Teams User Identities
        risk_category:
          - DataAccess
        service_name: AWS Chatbot
    - chime:GetAttendee:
        access_level: Read
        description: Grants permission to get attendee details for a specified meeting ID and attendee ID
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:GetChannelMessage:
        access_level: Read
        description: Grants permission to get the full details of a channel message
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:GetMeeting:
        access_level: Read
        description: Grants permission to get the meeting record for a specified meeting ID
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:GetMeetingDetail:
        access_level: Read
        description: Grants permission to get attendee, connection, and other details for a meeting
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:GetRoom:
        access_level: Read
        description: Grants permission to retrieve a room
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:GetUser:
        access_level: Read
        description: Grants permission to get details for the specified user ID
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:GetUserActivityReportData:
        access_level: Read
        description: Grants permission to get a summary of user activity on the user details page
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:GetUserByEmail:
        access_level: Read
        description: Grants permission to get user details for an Amazon Chime user based on the email address in an Amazon Chime Enterprise or Team account
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:GetUserSettings:
        access_level: Read
        description: Grants permission to get user settings related to the specified Amazon Chime user
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:ListAttendees:
        access_level: List
        description: Grants permission to list up to 100 attendees for a specified Amazon Chime SDK meeting
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:ListMeetingEvents:
        access_level: List
        description: Grants permission to list all events that occurred for a specified meeting
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:ListMeetings:
        access_level: List
        description: Grants permission to list up to 100 active Amazon Chime SDK meetings
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - chime:ListUsers:
        access_level: List
        description: Grants permission to list the users that belong to the specified Amazon Chime account
        risk_category:
          - DataAccess
        service_name: Amazon Chime
    - cleanrooms:GetProtectedQuery:
        access_level: Read
        description: Grants permission to view a protected query
        risk_category:
          - DataAccess
        service_name: AWS Clean Rooms
    - cloudformation:GetTemplate:
        access_level: Read
        description: Grants permission to return the template body for a specified stack
        risk_category:
          - DataAccess
        service_name: AWS CloudFormation & Cloud Control API
    - cloudfront:GetFunction:
        access_level: Read
        description: Grants permission to get a CloudFront function's code
        risk_category:
          - DataAccess
        service_name: Amazon CloudFront
    - cloudtrail:GetQueryResults:
        access_level: Read
        description: Grants permission to fetch results of a complete query
        risk_category:
          - DataAccess
        service_name: AWS CloudTrail
    - cloudtrail:LookupEvents:
        access_level: Read
        description: Grants permission to look up API activity events captured by CloudTrail that create, update, or delete resources in your account
        risk_category:
          - DataAccess
        service_name: AWS CloudTrail
    - codeartifact:GetPackageVersionAsset:
        access_level: Read
        description: Grants permission to return an asset (or file) that is part of a package version
        risk_category:
          - DataAccess
        service_name: AWS CodeArtifact
    - codeartifact:GetPackageVersionReadme:
        access_level: Read
        description: Grants permission to return a package version's readme file
        risk_category:
          - DataAccess
        service_name: AWS CodeArtifact
    - codeartifact:ReadFromRepository:
        access_level: Read
        description: Grants permission to return package assets and metadata from a repository endpoint
        risk_category:
          - DataAccess
        service_name: AWS CodeArtifact
    - codebuild:BatchGetReportGroups:
        access_level: Read
        description: Grants permission to return an array of ReportGroup objects that are specified by the input reportGroupArns parameter
        risk_category:
          - DataAccess
        service_name: AWS CodeBuild
    - codebuild:BatchGetReports:
        access_level: Read
        description: Grants permission to return an array of the Report objects specified by the input reportArns parameter
        risk_category:
          - DataAccess
        service_name: AWS CodeBuild
    - codecommit:BatchGetCommits:
        access_level: Read
        description: Grants permission to get return information about one or more commits in an AWS CodeCommit repository
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:BatchGetPullRequests:
        access_level: Read
        description: Grants permission to return information about one or more pull requests in an AWS CodeCommit repository
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:BatchGetRepositories:
        access_level: Read
        description: Grants permission to get information about multiple repositories
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:DescribeMergeConflicts:
        access_level: Read
        description: Grants permission to get information about specific merge conflicts when attempting to merge two commits using either the three-way or the squash merge option
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:DescribePullRequestEvents:
        access_level: Read
        description: Grants permission to return information about one or more pull request events
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetApprovalRuleTemplate:
        access_level: Read
        description: Grants permission to return information about an approval rule template
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetBlob:
        access_level: Read
        description: Grants permission to view the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetBranch:
        access_level: Read
        description: Grants permission to get details about a branch in an AWS CodeCommit repository with this API; does not control Git branch actions
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetComment:
        access_level: Read
        description: Grants permission to get the content of a comment made on a change, file, or commit in a repository
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetCommentReactions:
        access_level: Read
        description: Grants permission to get the reactions on a comment
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetCommentsForComparedCommit:
        access_level: Read
        description: Grants permission to get information about comments made on the comparison between two commits
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetCommentsForPullRequest:
        access_level: Read
        description: Grants permission to get comments made on a pull request
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetCommit:
        access_level: Read
        description: Grants permission to return information about a commit, including commit message and committer information, with this API; does not control Git log actions
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetCommitHistory:
        access_level: Read
        description: Grants permission to get information about the history of commits in a repository
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetCommitsFromMergeBase:
        access_level: Read
        description: Grants permission to get information about the difference between commits in the context of a potential merge
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetDifferences:
        access_level: Read
        description: Grants permission to view information about the differences between valid commit specifiers such as a branch, tag, HEAD, commit ID, or other fully qualified reference
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetFile:
        access_level: Read
        description: Grants permission to return the base-64 encoded contents of a specified file and its metadata
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetFolder:
        access_level: Read
        description: Grants permission to return the contents of a specified folder in a repository
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetMergeCommit:
        access_level: Read
        description: Grants permission to get information about a merge commit created by one of the merge options for pull requests that creates merge commits. Not all merge options create merge commits. This permission does not control Git merge actions
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetMergeConflicts:
        access_level: Read
        description: Grants permission to get information about merge conflicts between the before and after commit IDs for a pull request in a repository
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetMergeOptions:
        access_level: Read
        description: Grants permission to get information about merge options for pull requests that can be used to merge two commits; does not control Git merge actions
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetObjectIdentifier:
        access_level: Read
        description: Grants permission to resolve blobs, trees, and commits to their identifier
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetPullRequest:
        access_level: Read
        description: Grants permission to get information about a pull request in a specified repository
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetPullRequestApprovalStates:
        access_level: Read
        description: Grants permission to retrieve the current approvals on an inputted pull request
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetPullRequestOverrideState:
        access_level: Read
        description: Grants permission to retrieve the current override state of a given pull request
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetReferences:
        access_level: Read
        description: Grants permission to get details about references in an AWS CodeCommit repository; does not control Git reference actions
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GetTree:
        access_level: Read
        description: Grants permission to view the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codecommit:GitPull:
        access_level: Read
        description: Grants permission to pull information from an AWS CodeCommit repository to a local repo
        risk_category:
          - DataAccess
        service_name: AWS CodeCommit
    - codeguru-profiler:GetRecommendations:
        access_level: Read
        description: Grants permission to get recommendations
        risk_category:
          - DataAccess
        service_name: Amazon CodeGuru Profiler
    - codeguru-reviewer:DescribeCodeReview:
        access_level: Read
        description: Grants permission to describe a code review
        risk_category:
          - DataAccess
        service_name: Amazon CodeGuru Reviewer
    - codeguru-reviewer:DescribeRecommendationFeedback:
        access_level: Read
        description: Grants permission to describe a recommendation feedback on a code review
        risk_category:
          - DataAccess
        service_name: Amazon CodeGuru Reviewer
    - codepipeline:GetPipelineExecution:
        access_level: Read
        description: Grants permission to view information about an execution of a pipeline, including details about artifacts, the pipeline execution ID, and the name, version, and status of the pipeline
        risk_category:
          - DataAccess
        service_name: AWS CodePipeline
    - cognito-identity:LookupDeveloperIdentity:
        access_level: Read
        description: Grants permission to retrieve the IdentityId associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifiers associated with an IdentityId for an existing identity
        risk_category:
          - DataAccess
        service_name: Amazon Cognito Identity
    - cognito-idp:AdminGetDevice:
        access_level: Read
        description: Grants permission to get information about any user's devices
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:AdminGetUser:
        access_level: Read
        description: Grants permission to look up any user by user name
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:AdminListDevices:
        access_level: List
        description: Grants permission to list any user's remembered devices
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:AdminListGroupsForUser:
        access_level: List
        description: Grants permission to list the groups that any user belongs to
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:AdminListUserAuthEvents:
        access_level: Read
        description: Grants permission to lists sign-in events for any user
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:GetDevice:
        access_level: Read
        description: Grants permission to get the device
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:GetGroup:
        access_level: Read
        description: Grants permission to describe a user pool group
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:GetUser:
        access_level: Read
        description: Grants permission to get the user attributes and metadata for a user
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:ListUsers:
        access_level: List
        description: Grants permission to list all user pool users
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:ListDevices:
        access_level: List
        description: Grants permission to list the devices
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-idp:ListGroups:
        access_level: List
        description: Grants permission to list all groups in user pools
        risk_category:
          - DataAccess
        service_name: Amazon Cognito User Pools
    - cognito-sync:ListRecords:
        access_level: Read
        description: Grants permission to get paginated records, optionally changed after a particular sync count for a dataset and identity
        risk_category:
          - DataAccess
        service_name: Amazon Cognito Sync
    - cognito-sync:QueryRecords:
        access_level: Read
        description: Grants permission to query records
        risk_category:
          - DataAccess
        service_name: Amazon Cognito Sync
    - connect:ListUsers:
        access_level: List
        description: Grants permission to list user resources in an Amazon Connect instance
        risk_category:
          - DataAccess
        service_name: Amazon Connect
    - datapipeline:QueryObjects:
        access_level: Read
        description: Grants permission to query the specified pipeline for the names of objects that match the specified set of conditions
        risk_category:
          - DataAccess
        service_name: AWS Data Pipeline
    - dax:BatchGetItem:
        access_level: Read
        description: Grants permission to return the attributes of one or more items from one or more tables
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB Accelerator (DAX)
    - dax:GetItem:
        access_level: Read
        description: Grants permission to the GetItem operation that returns a set of attributes for the item with the given primary key
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB Accelerator (DAX)
    - dax:Query:
        access_level: Read
        description: Grants permission to use the primary key of a table or a secondary index to directly access items from that table or index
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB Accelerator (DAX)
    - dax:Scan:
        access_level: Read
        description: Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB Accelerator (DAX)
    - dynamodb:BatchGetItem:
        access_level: Read
        description: Grants permission to return the attributes of one or more items from one or more tables
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB
    - dynamodb:GetItem:
        access_level: Read
        description: Grants permission to the GetItem operation that returns a set of attributes for the item with the given primary key
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB
    - dynamodb:GetRecords:
        access_level: Read
        description: Grants permission to retrieve the stream records from a given shard
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB
    - dynamodb:Query:
        access_level: Read
        description: Grants permission to use the primary key of a table or a secondary index to directly access items from that table or index
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB
    - dynamodb:Scan:
        access_level: Read
        description: Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index
        risk_category:
          - DataAccess
        service_name: Amazon DynamoDB
    - ecr:GetDownloadUrlForLayer:
        access_level: Read
        description: Grants permission to retrieve the download URL corresponding to an image layer
        risk_category:
          - DataAccess
        service_name: Amazon Elastic Container Registry
    - es:ESHttpDelete:
        access_level: Write
        description: Grants permission to send HTTP DELETE requests to the OpenSearch APIs
        risk_category:
          - DataAccess
        service_name: Amazon OpenSearch Service
    - es:ESHttpGet:
        access_level: Read
        description: Grants permission to send HTTP GET requests to the OpenSearch APIs
        risk_category:
          - DataAccess
        service_name: Amazon OpenSearch Service
    - es:ESHttpHead:
        access_level: Read
        description: Grants permission to send HTTP HEAD requests to the OpenSearch APIs
        risk_category:
          - DataAccess
        service_name: Amazon OpenSearch Service
    - es:ESHttpPatch:
        access_level: Write
        description: Grants permission to send HTTP PATCH requests to the OpenSearch APIs
        risk_category:
          - DataAccess
        service_name: Amazon OpenSearch Service
    - es:ESHttpPost:
        access_level: Write
        description: Grants permission to send HTTP POST requests to the OpenSearch APIs
        risk_category:
          - DataAccess
        service_name: Amazon OpenSearch Service
    - es:ESHttpPut:
        access_level: Write
        description: Grants permission to send HTTP PUT requests to the OpenSearch APIs
        risk_category:
          - DataAccess
        service_name: Amazon OpenSearch Service
    - gamelift:GetInstanceAccess:
        access_level: Read
        description: Grants permission to request remote access to a specified fleet instance
        risk_category:
          - CredentialExposure
          - DataAccess
        service_name: Amazon GameLift
    - healthlake:ReadResource:
        access_level: Read
        description: Grants permission to read resource
        risk_category:
          - DataAccess
        service_name: AWS HealthLake
    - healthlake:SearchWithGet:
        access_level: Read
        description: Grants permission to search resources with GET method
        risk_category:
          - DataAccess
        service_name: AWS HealthLake
    - healthlake:SearchWithPost:
        access_level: Read
        description: Grants permission to search resources with POST method
        risk_category:
          - DataAccess
        service_name: AWS HealthLake
    - kendra:Query:
        access_level: Read
        description: Grants permission to query documents and faqs
        risk_category:
          - DataAccess
        service_name: Amazon Kendra
    - kinesis:GetRecords:
        access_level: Read
        description: Grants permission to get data records from a shard
        risk_category:
          - DataAccess
        service_name: Amazon Kinesis Data Streams
    - kinesisvideo:GetImages:
        access_level: Read
        description: Grants permission to get generated images from your Kinesis video stream
        risk_category:
          - DataAccess
        service_name: Amazon Kinesis Video Streams
    - kinesisvideo:GetMedia:
        access_level: Read
        description: Grants permission to return media content of a Kinesis video stream
        risk_category:
          - DataAccess
        service_name: Amazon Kinesis Video Streams
    - lambda:GetFunction:
        access_level: Read
        description: Grants permission to view details about an AWS Lambda function
        risk_category:
          - DataAccess
        service_name: AWS Lambda
    - lambda:GetLayerVersion:
        access_level: Read
        description: Grants permission to view details about a version of an AWS Lambda layer. Note this action also supports GetLayerVersionByArn API
        risk_category:
          - DataAccess
        service_name: AWS Lambda
    - lightsail:GetContainerImages:
        access_level: Read
        description: Grants permission to view the container images that are registered to your Amazon Lightsail container service
        risk_category:
          - DataAccess
        service_name: Amazon Lightsail
    - logs:GetLogEvents:
        access_level: Read
        description: Grants permission to retrieve log events from the specified log stream
        risk_category:
          - DataAccess
        service_name: Amazon CloudWatch Logs
    - logs:GetLogRecord:
        access_level: Read
        description: Grants permission to retrieve all the fields and values of a single log event
        risk_category:
          - DataAccess
        service_name: Amazon CloudWatch Logs
    - logs:GetQueryResults:
        access_level: Read
        description: Grants permission to return the results from the specified query
        risk_category:
          - DataAccess
        service_name: Amazon CloudWatch Logs
    - logs:Unmask:
        access_level: Read
        description: Grants permission to fetch unmasked log events that have been redacted with a data protection policy
        risk_category:
          - DataAccess
        service_name: Amazon CloudWatch Logs
    - macie2:GetFindings:
        access_level: Read
        description: Grants permission to retrieve the details of one or more findings
        risk_category:
          - DataAccess
        service_name: Amazon Macie
    - mediastore:GetObject:
        access_level: Read
        description: Grants permission to retrieve an object
        risk_category:
          - DataAccess
        service_name: AWS Elemental MediaStore
    - qldb:GetBlock:
        access_level: Read
        description: Grants permission to retrieve a block from a ledger for a given BlockAddress
        risk_category:
          - DataAccess
        service_name: Amazon QLDB
    - rds:DownloadCompleteDBLogFile:
        access_level: Read
        description: Grants permission to download specified log file
        risk_category:
          - DataAccess
        service_name: Amazon RDS, Neptune & DocumentDB
    - rds:DownloadDBLogFilePortion:
        access_level: Read
        description: Grants permission to download all or a portion of the specified log file, up to 1 MB in size
        risk_category:
          - DataAccess
        service_name: Amazon RDS, Neptune & DocumentDB
    - robomaker:GetWorldTemplateBody:
        access_level: Read
        description: Get the body of a world template
        risk_category:
          - DataAccess
        service_name: AWS RoboMaker
    - s3-object-lambda:GetObject:
        access_level: Read
        description: Grants permission to retrieve objects from Amazon S3
        risk_category:
          - DataAccess
        service_name: Amazon S3 Object Lambda
    - s3-object-lambda:GetObjectVersion:
        access_level: Read
        description: Grants permission to retrieve a specific version of an object
        risk_category:
          - DataAccess
        service_name: Amazon S3 Object Lambda
    - s3-object-lambda:ListBucket:
        access_level: List
        description: Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)
        risk_category:
          - DataAccess
        service_name: Amazon S3 Object Lambda
    - s3:GetObject:
        access_level: Read
        description: Grants permission to retrieve objects from Amazon S3
        risk_category:
          - DataAccess
        service_name: Amazon S3
    - s3:GetObjectVersion:
        access_level: Read
        description: Grants permission to retrieve a specific version of an object
        risk_category:
          - DataAccess
        service_name: Amazon S3
    - sagemaker:Search:
        access_level: Read
        description: Grants permission to search for SageMaker objects
        risk_category:
          - DataAccess
        service_name: Amazon SageMaker
    - sdb:Select:
        access_level: Read
        description: Description for Select
        risk_category:
          - DataAccess
        service_name: Amazon SimpleDB
    - serverlessrepo:GetApplication:
        access_level: Read
        description: Grants permission to get the specified application
        risk_category:
          - DataAccess
        service_name: AWS Serverless Application Repository
    - serverlessrepo:GetCloudFormationTemplate:
        access_level: Read
        description: Grants permission to get the specified AWS CloudFormation template
        risk_category:
          - DataAccess
        service_name: AWS Serverless Application Repository
    - sqs:ReceiveMessage:
        access_level: Read
        description: Grants permission to retrieve one or more messages, with a maximum limit of 10 messages,
from the specified queue risk_category: - DataAccess service_name: Amazon SQS - ssm:GetDocument: access_level: Read description: Grants permission to view the contents of a specified SSM document risk_category: - DataAccess service_name: AWS Systems Manager - ssm:GetParameter: access_level: Read description: Grants permission to view information about a specified parameter risk_category: - DataAccess service_name: AWS Systems Manager - ssm:GetParameterHistory: access_level: Read description: Grants permission to view details and changes for a specified parameter risk_category: - DataAccess service_name: AWS Systems Manager - ssm:GetParameters: access_level: Read description: Grants permission to view information about multiple specified parameters risk_category: - DataAccess service_name: AWS Systems Manager - ssm:GetParametersByPath: access_level: Read description: Grants permission to view information about parameters in a specified hierarchy risk_category: - DataAccess service_name: AWS Systems Manager - sso-directory:DescribeGroup: access_level: Read description: Grants permission to query the group data, not including user and group members risk_category: - DataAccess service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:DescribeUser: access_level: Read description: Grants permission to retrieve information about a user from the directory that AWS IAM Identity Center provides by default risk_category: - DataAccess service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:SearchGroups: access_level: Read description: Grants permission to search for groups within the associated directory risk_category: - DataAccess service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:SearchUsers: access_level: Read description: Grants permission to search for users within the associated directory risk_category: - DataAccess service_name: AWS IAM 
Identity Center (successor to AWS Single Sign-On) directory - sso:SearchGroups: access_level: Read description: Grants permission to search for groups within the associated directory risk_category: - DataAccess service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:SearchUsers: access_level: Read description: Grants permission to search for users within the associated directory risk_category: - DataAccess service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - support:DescribeAttachment: access_level: Read description: Grants permission to describe attachment detail risk_category: - DataAccess service_name: AWS Support - support:DescribeCommunications: access_level: Read description: Grants permission to list the communications and attachments for one or more AWS Support cases risk_category: - DataAccess service_name: AWS Support - workdocs:GetDocument: access_level: Read description: Grants permission to retrieve the specified document object risk_category: - DataAccess service_name: Amazon WorkDocs - workdocs:GetDocumentPath: access_level: Read description: Grants permission to retrieve the path information (the hierarchy from the root folder) for the requested document risk_category: - DataAccess service_name: Amazon WorkDocs - workdocs:GetDocumentVersion: access_level: Read description: Grants permission to retrieve version metadata for the specified document risk_category: - DataAccess service_name: Amazon WorkDocs - workmail:ListGroupMembers: access_level: List description: Grants permission to read an overview of the members of a group. 
Users and groups can be members of a group risk_category: - DataAccess service_name: Amazon WorkMail - workmail:ListGroups: access_level: List description: Grants permission to list summaries of the organization's groups risk_category: - DataAccess service_name: Amazon WorkMail - workmail:ListUsers: access_level: List description: Grants permission to list the organization's users risk_category: - DataAccess service_name: Amazon WorkMail PrivEsc: Actions: - codestar:AssociateTeamMember: access_level: Permissions management description: Grants permission to add a user to the team for an AWS CodeStar project risk_category: - PrivEsc - ResourceExposure service_name: AWS CodeStar - codestar:CreateProject: access_level: Permissions management description: Grants permission to create a project with minimal structure, customer policies, and no resources risk_category: - PrivEsc - ResourceExposure service_name: AWS CodeStar - ec2-instance-connect:SendSSHPublicKey: access_level: Write description: Grants permission to push an SSH public key to the specified EC2 instance to be used for standard SSH risk_category: - CredentialExposure - PrivEsc service_name: Amazon EC2 Instance Connect - glue:UpdateDevEndpoint: access_level: Write description: Grants permission to update a development endpoint risk_category: - PrivEsc service_name: AWS Glue - iam:AddUserToGroup: access_level: Write description: Grants permission to add an IAM user to the specified IAM group risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:AttachGroupPolicy: access_level: Permissions management description: Grants permission to attach a managed policy to the specified IAM group risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:AttachRolePolicy: access_level: Permissions management description: Grants permission to attach a managed policy to the specified IAM role risk_category: - PrivEsc - 
ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:AttachUserPolicy: access_level: Permissions management description: Grants permission to attach a managed policy to the specified IAM user risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateAccessKey: access_level: Write description: Grants permission to create access key and secret access key for the specified IAM user risk_category: - CredentialExposure - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateLoginProfile: access_level: Write description: Grants permission to create a password for the specified IAM user risk_category: - CredentialExposure - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreatePolicyVersion: access_level: Permissions management description: Grants permission to create a new version of the specified managed policy risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateServiceLinkedRole: access_level: Write description: Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateVirtualMFADevice: access_level: Write description: Grants permission to create a new virtual MFA device risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:EnableMFADevice: access_level: Write description: Grants permission to enable an MFA device and associate it with the specified IAM user risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PassRole: access_level: Write description: Grants permission to pass a role to a service risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - 
iam:PutGroupPolicy: access_level: Permissions management description: Grants permission to create or update an inline policy document that is embedded in the specified IAM group risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PutRolePolicy: access_level: Permissions management description: Grants permission to create or update an inline policy document that is embedded in the specified IAM role risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PutUserPolicy: access_level: Permissions management description: Grants permission to create or update an inline policy document that is embedded in the specified IAM user risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:ResyncMFADevice: access_level: Write description: Grants permission to synchronize the specified MFA device with its IAM entity (user or role) risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:SetDefaultPolicyVersion: access_level: Permissions management description: Grants permission to set the version of the specified policy as the policy's default version risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateAssumeRolePolicy: access_level: Permissions management description: Grants permission to update the policy that grants an IAM entity permission to assume a role risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateLoginProfile: access_level: Write description: Grants permission to change the password for the specified IAM user risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) ResourceExposure: Actions: - acm-pca:CreatePermission: access_level: Permissions management description: Grants permission to create a permission for 
an AWS Private CA risk_category: - ResourceExposure service_name: AWS Private Certificate Authority - acm-pca:DeletePermission: access_level: Permissions management description: Grants permission to delete a permission for an AWS Private CA risk_category: - ResourceExposure service_name: AWS Private Certificate Authority - acm-pca:DeletePolicy: access_level: Permissions management description: Grants permission to delete the policy for an AWS Private CA risk_category: - ResourceExposure service_name: AWS Private Certificate Authority - acm-pca:PutPolicy: access_level: Permissions management description: Grants permission to put a policy on an AWS Private CA risk_category: - ResourceExposure service_name: AWS Private Certificate Authority - apigateway:UpdateRestApiPolicy: access_level: Permissions management description: Grants permission to manage the IAM resource policy for an API. This is an additional authorization control for managing an API due to the sensitive nature of the resource policy risk_category: - ResourceExposure service_name: Amazon API Gateway Management - backup:DeleteBackupVaultAccessPolicy: access_level: Permissions management description: Grants permission to delete backup vault access policy risk_category: - ResourceExposure service_name: AWS Backup - backup:PutBackupVaultAccessPolicy: access_level: Permissions management description: Grants permission to add an access policy to the backup vault risk_category: - ResourceExposure service_name: AWS Backup - chime:DeleteVoiceConnectorTerminationCredentials: access_level: Write description: Grants permission to delete SIP termination credentials for the specified Amazon Chime Voice Connector risk_category: - ResourceExposure service_name: Amazon Chime - chime:PutVoiceConnectorTerminationCredentials: access_level: Write description: Grants permission to add SIP termination credentials for the specified Amazon Chime Voice Connector risk_category: - ResourceExposure service_name: Amazon Chime - 
cloudformation:SetStackPolicy: access_level: Permissions management description: Grants permission to set a stack policy for a specified stack risk_category: - ResourceExposure service_name: AWS CloudFormation & Cloud Control API - cloudsearch:UpdateServiceAccessPolicies: access_level: Permissions management description: Configures the access rules that control access to the domain's document and search endpoints risk_category: - ResourceExposure service_name: Amazon CloudSearch - codeartifact:DeleteDomainPermissionsPolicy: access_level: Permissions management description: Grants permission to delete the resource policy set on a domain risk_category: - ResourceExposure service_name: AWS CodeArtifact - codeartifact:DeleteRepositoryPermissionsPolicy: access_level: Permissions management description: Grants permission to delete the resource policy set on a repository risk_category: - ResourceExposure service_name: AWS CodeArtifact - codebuild:DeleteResourcePolicy: access_level: Permissions management description: Grants permission to delete a resource policy for the associated project or report group risk_category: - ResourceExposure service_name: AWS CodeBuild - codebuild:DeleteSourceCredentials: access_level: Write description: Grants permission to delete a set of GitHub, GitHub Enterprise, or Bitbucket source credentials risk_category: - ResourceExposure service_name: AWS CodeBuild - codebuild:ImportSourceCredentials: access_level: Write description: Grants permission to import the source repository credentials for an AWS CodeBuild project that has its source code stored in a GitHub, GitHub Enterprise, or Bitbucket repository risk_category: - ResourceExposure service_name: AWS CodeBuild - codebuild:PutResourcePolicy: access_level: Permissions management description: Grants permission to create a resource policy for the associated project or report group risk_category: - ResourceExposure service_name: AWS CodeBuild - codeguru-profiler:PutPermission: access_level: 
Permissions management description: Grants permission to update the list of principals allowed for an action group in the resource policy associated with the specified Profiling Group risk_category: - ResourceExposure service_name: Amazon CodeGuru Profiler - codeguru-profiler:RemovePermission: access_level: Permissions management description: Grants permission to remove the permission of specified Action Group from the resource policy associated with the specified Profiling Group risk_category: - ResourceExposure service_name: Amazon CodeGuru Profiler - codestar:AssociateTeamMember: access_level: Permissions management description: Grants permission to add a user to the team for an AWS CodeStar project risk_category: - PrivEsc - ResourceExposure service_name: AWS CodeStar - codestar:CreateProject: access_level: Permissions management description: Grants permission to create a project with minimal structure, customer policies, and no resources risk_category: - PrivEsc - ResourceExposure service_name: AWS CodeStar - codestar:DeleteProject: access_level: Permissions management description: Grants permission to delete a project, including project resources. Does not delete users associated with the project, but does delete the IAM roles that allowed access to the project risk_category: - ResourceExposure service_name: AWS CodeStar - codestar:DisassociateTeamMember: access_level: Permissions management description: Grants permission to remove a user from a project. 
Removing a user from a project also removes the IAM policies from that user that allowed access to the project and its resources risk_category: - ResourceExposure service_name: AWS CodeStar - codestar:UpdateTeamMember: access_level: Permissions management description: Grants permission to update team member attributes within a CodeStar project risk_category: - ResourceExposure service_name: AWS CodeStar - cognito-identity:CreateIdentityPool: access_level: Write description: Grants permission to create a new identity pool risk_category: - ResourceExposure service_name: Amazon Cognito Identity - cognito-identity:DeleteIdentities: access_level: Write description: Grants permission to delete identities from an identity pool. You can specify a list of 1-60 identities that you want to delete risk_category: - ResourceExposure service_name: Amazon Cognito Identity - cognito-identity:DeleteIdentityPool: access_level: Write description: Grants permission to delete a user pool. Once a pool is deleted, users will not be able to authenticate with the pool risk_category: - ResourceExposure service_name: Amazon Cognito Identity - cognito-identity:GetId: access_level: Write description: Grants permission to generate (or retrieve) a Cognito ID. Supplying multiple logins will create an implicit linked account risk_category: - ResourceExposure service_name: Amazon Cognito Identity - cognito-identity:MergeDeveloperIdentities: access_level: Write description: Grants permission to merge two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider risk_category: - ResourceExposure service_name: Amazon Cognito Identity - cognito-identity:SetIdentityPoolRoles: access_level: Write description: Grants permission to set the roles for an identity pool. 
These roles are used when making calls to GetCredentialsForIdentity action risk_category: - ResourceExposure service_name: Amazon Cognito Identity - cognito-identity:UnlinkDeveloperIdentity: access_level: Write description: Grants permission to unlink a DeveloperUserIdentifier from an existing identity risk_category: - ResourceExposure service_name: Amazon Cognito Identity - cognito-identity:UnlinkIdentity: access_level: Write description: Grants permission to unlink a federated identity from an existing account risk_category: - ResourceExposure service_name: Amazon Cognito Identity - cognito-identity:UpdateIdentityPool: access_level: Write description: Grants permission to update an identity pool risk_category: - ResourceExposure service_name: Amazon Cognito Identity - deeplens:AssociateServiceRoleToAccount: access_level: Permissions management description: Associates the user's account with IAM roles controlling various permissions needed by AWS DeepLens for proper functionality. risk_category: - ResourceExposure service_name: AWS DeepLens - ds:CreateConditionalForwarder: access_level: Write description: Grants permission to create a conditional forwarder associated with your AWS directory risk_category: - ResourceExposure service_name: AWS Directory Service - ds:CreateDirectory: access_level: Write description: Grants permission to create a Simple AD directory risk_category: - ResourceExposure service_name: AWS Directory Service - ds:CreateMicrosoftAD: access_level: Write description: Grants permission to create a Microsoft AD in the AWS cloud risk_category: - ResourceExposure service_name: AWS Directory Service - ds:CreateTrust: access_level: Write description: Grants permission to initiate the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain risk_category: - ResourceExposure service_name: AWS Directory Service - ds:ShareDirectory: access_level: Write description: Grants permission to share a 
specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region risk_category: - ResourceExposure service_name: AWS Directory Service - ec2:CreateNetworkInterfacePermission: access_level: Permissions management description: Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface risk_category: - ResourceExposure service_name: Amazon EC2 - ec2:DeleteNetworkInterfacePermission: access_level: Permissions management description: Grants permission to delete a permission that is associated with a network interface risk_category: - ResourceExposure service_name: Amazon EC2 - ec2:ModifySnapshotAttribute: access_level: Permissions management description: Grants permission to add or remove permission settings for a snapshot risk_category: - ResourceExposure service_name: Amazon EC2 - ec2:ModifyVpcEndpointServicePermissions: access_level: Permissions management description: Grants permission to modify the permissions for a VPC endpoint service risk_category: - ResourceExposure service_name: Amazon EC2 - ec2:ResetSnapshotAttribute: access_level: Permissions management description: Grants permission to reset permission settings for a snapshot risk_category: - ResourceExposure service_name: Amazon EC2 - ecr:DeleteRepositoryPolicy: access_level: Permissions management description: Grants permission to delete the repository policy from a specified repository risk_category: - ResourceExposure service_name: Amazon Elastic Container Registry - ecr:SetRepositoryPolicy: access_level: Permissions management description: Grants permission to apply a repository policy on a specified repository to control access permissions risk_category: - ResourceExposure service_name: Amazon Elastic Container Registry - elasticfilesystem:DeleteFileSystemPolicy: access_level: Permissions 
management description: Grants permission to delete the resource-level policy for a file system risk_category: - ResourceExposure service_name: Amazon Elastic File System - elasticfilesystem:PutFileSystemPolicy: access_level: Permissions management description: Grants permission to apply a resource-level policy that defines the actions allowed or denied from given actors for the specified file system risk_category: - ResourceExposure service_name: Amazon Elastic File System - elasticmapreduce:PutBlockPublicAccessConfiguration: access_level: Permissions management description: Grants permission to create or update the EMR block public access configuration for the AWS account in the Region risk_category: - ResourceExposure service_name: Amazon Elastic MapReduce - es:CreateElasticsearchDomain: access_level: Write description: Grants permission to create an OpenSearch Service domain. This permission is deprecated. Use CreateDomain instead risk_category: - ResourceExposure service_name: Amazon OpenSearch Service - es:UpdateElasticsearchDomainConfig: access_level: Write description: Grants permission to modify the configuration of an OpenSearch Service domain, such as the instance type or number of instances. This permission is deprecated. 
Use UpdateDomainConfig instead risk_category: - ResourceExposure service_name: Amazon OpenSearch Service - glacier:AbortVaultLock: access_level: Permissions management description: Grants permission to abort the vault locking process if the vault lock is not in the Locked state risk_category: - ResourceExposure service_name: Amazon S3 Glacier - glacier:CompleteVaultLock: access_level: Permissions management description: Grants permission to complete the vault locking process risk_category: - ResourceExposure service_name: Amazon S3 Glacier - glacier:DeleteVaultAccessPolicy: access_level: Permissions management description: Grants permission to delete the access policy associated with the specified vault risk_category: - ResourceExposure service_name: Amazon S3 Glacier - glacier:InitiateVaultLock: access_level: Permissions management description: Grants permission to initiate the vault locking process risk_category: - ResourceExposure service_name: Amazon S3 Glacier - glacier:SetDataRetrievalPolicy: access_level: Permissions management description: Grants permission to set and then enacts a data retrieval policy in the region specified in the PUT request risk_category: - ResourceExposure service_name: Amazon S3 Glacier - glacier:SetVaultAccessPolicy: access_level: Permissions management description: Grants permission to configure an access policy for a vault; will overwrite an existing policy risk_category: - ResourceExposure service_name: Amazon S3 Glacier - glue:DeleteResourcePolicy: access_level: Permissions management description: Grants permission to delete a resource policy risk_category: - ResourceExposure service_name: AWS Glue - glue:PutResourcePolicy: access_level: Permissions management description: Grants permission to update a resource policy risk_category: - ResourceExposure service_name: AWS Glue - greengrass:AssociateServiceRoleToAccount: access_level: Permissions management description: Grants permission to associate a role with your account. 
AWS IoT Greengrass uses this role to access your Lambda functions and AWS IoT resources risk_category: - ResourceExposure service_name: AWS IoT Greengrass - health:DisableHealthServiceAccessForOrganization: access_level: Permissions management description: Grants permission to disable the Organizational View feature risk_category: - ResourceExposure service_name: AWS Health APIs and Notifications - health:EnableHealthServiceAccessForOrganization: access_level: Permissions management description: Grants permission to enable the Organizational View feature risk_category: - ResourceExposure service_name: AWS Health APIs and Notifications - iam:AddClientIDToOpenIDConnectProvider: access_level: Write description: Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:AddRoleToInstanceProfile: access_level: Write description: Grants permission to add an IAM role to the specified instance profile risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:AddUserToGroup: access_level: Write description: Grants permission to add an IAM user to the specified IAM group risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:AttachGroupPolicy: access_level: Permissions management description: Grants permission to attach a managed policy to the specified IAM group risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:AttachRolePolicy: access_level: Permissions management description: Grants permission to attach a managed policy to the specified IAM role risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:AttachUserPolicy: access_level: Permissions management description: Grants permission to attach a managed 
policy to the specified IAM user risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:ChangePassword: access_level: Write description: Grants permission to an IAM user to change their own password risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateAccessKey: access_level: Write description: Grants permission to create access key and secret access key for the specified IAM user risk_category: - CredentialExposure - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateAccountAlias: access_level: Write description: Grants permission to create an alias for your AWS account risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateGroup: access_level: Write description: Grants permission to create a new group risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateInstanceProfile: access_level: Write description: Grants permission to create a new instance profile risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateLoginProfile: access_level: Write description: Grants permission to create a password for the specified IAM user risk_category: - CredentialExposure - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateOpenIDConnectProvider: access_level: Write description: Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC) risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreatePolicy: access_level: Permissions management description: Grants permission to create a new managed policy risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreatePolicyVersion: access_level: Permissions management description: 
Grants permission to create a new version of the specified managed policy risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateRole: access_level: Write description: Grants permission to create a new role risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateSAMLProvider: access_level: Write description: Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0 risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateServiceLinkedRole: access_level: Write description: Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateServiceSpecificCredential: access_level: Write description: Grants permission to create a new service-specific credential for an IAM user risk_category: - CredentialExposure - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateUser: access_level: Write description: Grants permission to create a new IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:CreateVirtualMFADevice: access_level: Write description: Grants permission to create a new virtual MFA device risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeactivateMFADevice: access_level: Write description: Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteAccessKey: access_level: Write description: Grants permission to delete the access key pair that is associated with the specified IAM user risk_category: - 
ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteAccountAlias: access_level: Write description: Grants permission to delete the specified AWS account alias risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteAccountPasswordPolicy: access_level: Permissions management description: Grants permission to delete the password policy for the AWS account risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteGroup: access_level: Write description: Grants permission to delete the specified IAM group risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteGroupPolicy: access_level: Permissions management description: Grants permission to delete the specified inline policy from its group risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteInstanceProfile: access_level: Write description: Grants permission to delete the specified instance profile risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteLoginProfile: access_level: Write description: Grants permission to delete the password for the specified IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteOpenIDConnectProvider: access_level: Write description: Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeletePolicy: access_level: Permissions management description: Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeletePolicyVersion: access_level: Permissions management 
description: Grants permission to delete a version from the specified managed policy risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteRole: access_level: Write description: Grants permission to delete the specified role risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteRolePermissionsBoundary: access_level: Permissions management description: Grants permission to remove the permissions boundary from a role risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteRolePolicy: access_level: Permissions management description: Grants permission to delete the specified inline policy from the specified role risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteSAMLProvider: access_level: Write description: Grants permission to delete a SAML provider resource in IAM risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteServerCertificate: access_level: Write description: Grants permission to delete the specified server certificate risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteServiceLinkedRole: access_level: Write description: Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteServiceSpecificCredential: access_level: Write description: Grants permission to delete the specified service-specific credential for an IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteSigningCertificate: access_level: Write description: Grants permission to delete a signing certificate that is associated with the specified IAM user risk_category: - ResourceExposure service_name: AWS 
Identity and Access Management (IAM) - iam:DeleteSSHPublicKey: access_level: Write description: Grants permission to delete the specified SSH public key risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteUser: access_level: Write description: Grants permission to delete the specified IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteUserPermissionsBoundary: access_level: Permissions management description: Grants permission to remove the permissions boundary from the specified IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteUserPolicy: access_level: Permissions management description: Grants permission to delete the specified inline policy from an IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DeleteVirtualMFADevice: access_level: Write description: Grants permission to delete a virtual MFA device risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DetachGroupPolicy: access_level: Permissions management description: Grants permission to detach a managed policy from the specified IAM group risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DetachRolePolicy: access_level: Permissions management description: Grants permission to detach a managed policy from the specified role risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:DetachUserPolicy: access_level: Permissions management description: Grants permission to detach a managed policy from the specified IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:EnableMFADevice: access_level: Write description: Grants permission to enable an MFA device and associate it with the specified IAM user risk_category: - 
PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PassRole: access_level: Write description: Grants permission to pass a role to a service risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PutGroupPolicy: access_level: Permissions management description: Grants permission to create or update an inline policy document that is embedded in the specified IAM group risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PutRolePermissionsBoundary: access_level: Permissions management description: Grants permission to set a managed policy as a permissions boundary for a role risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PutRolePolicy: access_level: Permissions management description: Grants permission to create or update an inline policy document that is embedded in the specified IAM role risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PutUserPermissionsBoundary: access_level: Permissions management description: Grants permission to set a managed policy as a permissions boundary for an IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:PutUserPolicy: access_level: Permissions management description: Grants permission to create or update an inline policy document that is embedded in the specified IAM user risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:RemoveClientIDFromOpenIDConnectProvider: access_level: Write description: Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:RemoveRoleFromInstanceProfile: access_level: Write description: 
Grants permission to remove an IAM role from the specified EC2 instance profile risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:RemoveUserFromGroup: access_level: Write description: Grants permission to remove an IAM user from the specified group risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:ResetServiceSpecificCredential: access_level: Write description: Grants permission to reset the password for an existing service-specific credential for an IAM user risk_category: - CredentialExposure - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:ResyncMFADevice: access_level: Write description: Grants permission to synchronize the specified MFA device with its IAM entity (user or role) risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:SetDefaultPolicyVersion: access_level: Permissions management description: Grants permission to set the version of the specified policy as the policy's default version risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:SetSecurityTokenServicePreferences: access_level: Write description: Grants permission to set the STS global endpoint token version risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateAccessKey: access_level: Write description: Grants permission to update the status of the specified access key as Active or Inactive risk_category: - CredentialExposure - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateAccountPasswordPolicy: access_level: Write description: Grants permission to update the password policy settings for the AWS account risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateAssumeRolePolicy: access_level: Permissions management description: Grants permission 
to update the policy that grants an IAM entity permission to assume a role risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateGroup: access_level: Write description: Grants permission to update the name or path of the specified IAM group risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateLoginProfile: access_level: Write description: Grants permission to change the password for the specified IAM user risk_category: - PrivEsc - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateOpenIDConnectProviderThumbprint: access_level: Write description: Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateRole: access_level: Write description: Grants permission to update the description or maximum session duration setting of a role risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateRoleDescription: access_level: Write description: Grants permission to update only the description of a role risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateSAMLProvider: access_level: Write description: Grants permission to update the metadata document for an existing SAML provider resource risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateServerCertificate: access_level: Write description: Grants permission to update the name or the path of the specified server certificate stored in IAM risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateServiceSpecificCredential: access_level: Write description: Grants permission to update the status of a service-specific credential 
to active or inactive for an IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateSigningCertificate: access_level: Write description: Grants permission to update the status of the specified user signing certificate to active or disabled risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateSSHPublicKey: access_level: Write description: Grants permission to update the status of an IAM user's SSH public key to active or inactive risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UpdateUser: access_level: Write description: Grants permission to update the name or the path of the specified IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UploadServerCertificate: access_level: Write description: Grants permission to upload a server certificate entity for the AWS account risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UploadSigningCertificate: access_level: Write description: Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - iam:UploadSSHPublicKey: access_level: Write description: Grants permission to upload an SSH public key and associate it with the specified IAM user risk_category: - ResourceExposure service_name: AWS Identity and Access Management (IAM) - imagebuilder:PutComponentPolicy: access_level: Permissions management description: Grants permission to set the resource policy associated with a component risk_category: - ResourceExposure service_name: Amazon EC2 Image Builder - imagebuilder:PutImagePolicy: access_level: Permissions management description: Grants permission to set the resource policy associated with an image risk_category: - ResourceExposure service_name: 
Amazon EC2 Image Builder - imagebuilder:PutImageRecipePolicy: access_level: Permissions management description: Grants permission to set the resource policy associated with an image recipe risk_category: - ResourceExposure service_name: Amazon EC2 Image Builder - iot:AttachPolicy: access_level: Permissions management description: Grants permission to attach a policy to the specified target risk_category: - ResourceExposure service_name: AWS IoT - iot:AttachPrincipalPolicy: access_level: Permissions management description: Grants permission to attach the specified policy to the specified principal (certificate or other credential) risk_category: - ResourceExposure service_name: AWS IoT - iot:DetachPolicy: access_level: Permissions management description: Grants permission to detach a policy from the specified target risk_category: - ResourceExposure service_name: AWS IoT - iot:DetachPrincipalPolicy: access_level: Permissions management description: Grants permission to remove the specified policy from the specified certificate risk_category: - ResourceExposure service_name: AWS IoT - iot:SetDefaultAuthorizer: access_level: Permissions management description: Grants permission to set the default authorizer. 
This will be used if a websocket connection is made without specifying an authorizer risk_category: - ResourceExposure service_name: AWS IoT - iot:SetDefaultPolicyVersion: access_level: Permissions management description: Grants permission to set the specified version of the specified policy as the policy's default (operative) version risk_category: - ResourceExposure service_name: AWS IoT - iotsitewise:CreateAccessPolicy: access_level: Write description: Grants permission to create an access policy for a portal or a project risk_category: - ResourceExposure service_name: AWS IoT SiteWise - iotsitewise:DeleteAccessPolicy: access_level: Write description: Grants permission to delete an access policy risk_category: - ResourceExposure service_name: AWS IoT SiteWise - iotsitewise:UpdateAccessPolicy: access_level: Write description: Grants permission to update an access policy risk_category: - ResourceExposure service_name: AWS IoT SiteWise - kms:CreateGrant: access_level: Permissions management description: Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy risk_category: - ResourceExposure service_name: AWS Key Management Service - kms:PutKeyPolicy: access_level: Permissions management description: Controls permission to replace the key policy for the specified AWS KMS key risk_category: - ResourceExposure service_name: AWS Key Management Service - kms:RetireGrant: access_level: Permissions management description: Controls permission to retire a grant. 
The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform risk_category: - ResourceExposure service_name: AWS Key Management Service - kms:RevokeGrant: access_level: Permissions management description: Controls permission to revoke a grant, which denies permission for all operations that depend on the grant risk_category: - ResourceExposure service_name: AWS Key Management Service - lakeformation:BatchGrantPermissions: access_level: Permissions management description: Grants permission to grant data lake permissions to one or more principals in a batch risk_category: - ResourceExposure service_name: AWS Lake Formation - lakeformation:BatchRevokePermissions: access_level: Permissions management description: Grants permission to revoke data lake permissions from one or more principals in a batch risk_category: - ResourceExposure service_name: AWS Lake Formation - lakeformation:GrantPermissions: access_level: Permissions management description: Grants permission to grant data lake permissions to a principal risk_category: - ResourceExposure service_name: AWS Lake Formation - lakeformation:PutDataLakeSettings: access_level: Permissions management description: Grants permission to overwrite data lake settings such as the list of data lake administrators and database and table default permissions risk_category: - ResourceExposure service_name: AWS Lake Formation - lakeformation:RevokePermissions: access_level: Permissions management description: Grants permission to revoke data lake permissions from a principal risk_category: - ResourceExposure service_name: AWS Lake Formation - lambda:AddLayerVersionPermission: access_level: Permissions management description: Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer risk_category: - ResourceExposure service_name: AWS Lambda - lambda:AddPermission: access_level: Permissions management description: Grants permission 
to give an AWS service or another account permission to use an AWS Lambda function risk_category: - ResourceExposure service_name: AWS Lambda - lambda:DisableReplication: access_level: Permissions management description: Grants permission to disable replication for a Lambda@Edge function risk_category: - ResourceExposure service_name: AWS Lambda - lambda:EnableReplication: access_level: Permissions management description: Grants permission to enable replication for a Lambda@Edge function risk_category: - ResourceExposure service_name: AWS Lambda - lambda:RemoveLayerVersionPermission: access_level: Permissions management description: Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer risk_category: - ResourceExposure service_name: AWS Lambda - lambda:RemovePermission: access_level: Permissions management description: Grants permission to revoke function-use permission from an AWS service or another account risk_category: - ResourceExposure service_name: AWS Lambda - license-manager:UpdateServiceSettings: access_level: Permissions management description: Grants permission to update service settings risk_category: - ResourceExposure service_name: AWS License Manager - lightsail:GetRelationalDatabaseMasterUserPassword: access_level: Write description: Grants permission to get the master user password of a relational database risk_category: - CredentialExposure - ResourceExposure service_name: Amazon Lightsail - logs:DeleteResourcePolicy: access_level: Permissions management description: Grants permission to delete a resource policy from this account risk_category: - ResourceExposure service_name: Amazon CloudWatch Logs - logs:PutResourcePolicy: access_level: Permissions management description: Grants permission to create or update a resource policy allowing other AWS services to put log events to this account risk_category: - ResourceExposure service_name: Amazon CloudWatch Logs - 
mediapackage:RotateIngestEndpointCredentials: access_level: Write description: Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage risk_category: - CredentialExposure - ResourceExposure service_name: AWS Elemental MediaPackage - mediastore:DeleteContainerPolicy: access_level: Permissions management description: Grants permission to delete the access policy of a container risk_category: - ResourceExposure service_name: AWS Elemental MediaStore - mediastore:PutContainerPolicy: access_level: Permissions management description: Grants permission to create or replace the access policy of a container risk_category: - ResourceExposure service_name: AWS Elemental MediaStore - opsworks:SetPermission: access_level: Permissions management description: Grants permission to specify a user's permissions risk_category: - ResourceExposure service_name: AWS OpsWorks - opsworks:UpdateUserProfile: access_level: Permissions management description: Grants permission to update a specified user profile risk_category: - ResourceExposure service_name: AWS OpsWorks - quicksight:CreateAdmin: access_level: Write description: Grants permission to provision Amazon QuickSight administrators, authors, and readers risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:CreateGroup: access_level: Write description: Grants permission to create a QuickSight group risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:CreateGroupMembership: access_level: Write description: Grants permission to add a QuickSight user to a QuickSight group risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:CreateIAMPolicyAssignment: access_level: Write description: Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:CreateUser: 
access_level: Write description: Grants permission to provision Amazon QuickSight authors and readers risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:DeleteGroup: access_level: Write description: Grants permission to remove a user group from QuickSight risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:DeleteGroupMembership: access_level: Write description: Grants permission to remove a user from a group so that he/she is no longer a member of the group risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:DeleteIAMPolicyAssignment: access_level: Write description: Grants permission to delete an existing assignment risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:DeleteUser: access_level: Write description: Grants permission to delete a QuickSight user, given the user name risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:DeleteUserByPrincipalId: access_level: Write description: Grants permission to delete a user identified by its principal ID risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:RegisterUser: access_level: Write description: Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:UpdateDashboardPermissions: access_level: Permissions management description: Grants permission to update permissions for a QuickSight Dashboard risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:UpdateGroup: access_level: Write description: Grants permission to change group description risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:UpdateIAMPolicyAssignment: access_level: Write description: Grants permission to update an existing assignment risk_category: - ResourceExposure service_name: Amazon 
QuickSight - quicksight:UpdateTemplatePermissions: access_level: Permissions management description: Grants permission to update permissions for a template risk_category: - ResourceExposure service_name: Amazon QuickSight - quicksight:UpdateUser: access_level: Write description: Grants permission to update an Amazon QuickSight user risk_category: - ResourceExposure service_name: Amazon QuickSight - ram:AcceptResourceShareInvitation: access_level: Write description: Grants permission to accept the specified resource share invitation risk_category: - ResourceExposure service_name: AWS Resource Access Manager (RAM) - ram:AssociateResourceShare: access_level: Write description: Grants permission to associate resource(s) and/or principal(s) to a resource share risk_category: - ResourceExposure service_name: AWS Resource Access Manager (RAM) - ram:CreateResourceShare: access_level: Write description: Grants permission to create a resource share with provided resource(s) and/or principal(s) risk_category: - ResourceExposure service_name: AWS Resource Access Manager (RAM) - ram:DeleteResourceShare: access_level: Write description: Grants permission to delete resource share risk_category: - ResourceExposure service_name: AWS Resource Access Manager (RAM) - ram:DisassociateResourceShare: access_level: Write description: Grants permission to disassociate resource(s) and/or principal(s) from a resource share risk_category: - ResourceExposure service_name: AWS Resource Access Manager (RAM) - ram:EnableSharingWithAwsOrganization: access_level: Permissions management description: Grants permission to access customer's organization and create a SLR in the customer's account risk_category: - ResourceExposure service_name: AWS Resource Access Manager (RAM) - ram:RejectResourceShareInvitation: access_level: Write description: Grants permission to reject the specified resource share invitation risk_category: - ResourceExposure service_name: AWS Resource Access Manager (RAM) - 
ram:UpdateResourceShare: access_level: Write description: Grants permission to update attributes of the resource share risk_category: - ResourceExposure service_name: AWS Resource Access Manager (RAM) - rds-db:connect: access_level: Permissions management description: Allows IAM role or user to connect to RDS database risk_category: - CredentialExposure - ResourceExposure service_name: Amazon RDS IAM Authentication - rds:AuthorizeDBSecurityGroupIngress: access_level: Permissions management description: Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization risk_category: - ResourceExposure service_name: Amazon RDS, Neptune & DocumentDB - redshift:AuthorizeSnapshotAccess: access_level: Permissions management description: Grants permission to the specified AWS account to restore a snapshot risk_category: - ResourceExposure service_name: Amazon Redshift - redshift:CreateClusterUser: access_level: Permissions management description: Grants permission to automatically create the specified Amazon Redshift user if it does not exist risk_category: - ResourceExposure service_name: Amazon Redshift - redshift:CreateSnapshotCopyGrant: access_level: Permissions management description: Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region risk_category: - ResourceExposure service_name: Amazon Redshift - redshift:JoinGroup: access_level: Permissions management description: Grants permission to join the specified Amazon Redshift group risk_category: - ResourceExposure service_name: Amazon Redshift - redshift:ModifyClusterIamRoles: access_level: Permissions management description: Grants permission to modify the list of AWS Identity and Access Management (IAM) roles that can be used by a cluster to access other AWS services risk_category: - ResourceExposure service_name: Amazon Redshift - redshift:RevokeSnapshotAccess: access_level: Permissions management description: Grants permission to 
revoke access from the specified AWS account to restore a snapshot risk_category: - ResourceExposure service_name: Amazon Redshift - route53resolver:PutResolverRulePolicy: access_level: Permissions management description: Grants permission to specify an AWS account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules risk_category: - ResourceExposure service_name: Amazon Route 53 Resolver - s3:BypassGovernanceRetention: access_level: Permissions management description: Grants permission to allow circumvention of governance-mode object retention settings risk_category: - ResourceExposure service_name: Amazon S3 - s3:DeleteAccessPointPolicy: access_level: Permissions management description: Grants permission to delete the policy on a specified access point risk_category: - ResourceExposure service_name: Amazon S3 - s3:DeleteBucketPolicy: access_level: Permissions management description: Grants permission to delete the policy on a specified bucket risk_category: - ResourceExposure service_name: Amazon S3 - s3:ObjectOwnerOverrideToBucketOwner: access_level: Permissions management description: Grants permission to change replica ownership risk_category: - ResourceExposure service_name: Amazon S3 - s3:PutAccessPointPolicy: access_level: Permissions management description: Grants permission to associate an access policy with a specified access point risk_category: - ResourceExposure service_name: Amazon S3 - s3:PutAccountPublicAccessBlock: access_level: Permissions management description: Grants permission to create or modify the PublicAccessBlock configuration for an AWS account risk_category: - ResourceExposure service_name: Amazon S3 - s3:PutBucketAcl: access_level: Permissions management description: Grants permission to set the permissions on an existing bucket using access control lists (ACLs) risk_category: - ResourceExposure service_name: Amazon S3 - 
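The catalogue above is only useful once it is applied to real policy documents, and the part that trips people up is that a policy rarely names these actions literally: `iam:Create*` silently grants iam:CreatePolicyVersion and iam:CreateLoginProfile, `s3:Put*` grants s3:PutBucketPolicy, and IAM matches action names case-insensitively. The following is an added example (not the page's own file or tooling) that expands a policy's Action/NotAction patterns against an excerpt of the catalogue, applies unconditional Deny statements, and reports the surviving actions by risk category. The CATALOG dict is a hand-copied subset of the entries listed on this page; the policy document and its Sids are constructed test input; the treatment of Deny (an unconditional Deny on Resource "*" removes the action, a conditional Deny is ignored so the action stays flagged) is this example's own conservative approximation, not an IAM evaluation engine.

```python
"""Audit an IAM policy document against a risk-categorised action catalogue.

Added example, not the page's own file or tooling. CATALOG is a hand-copied
excerpt of the entries on this page; the policy below is constructed test
input. Standard library only, runs offline.
"""
import re
from typing import Dict, List, Set

PE, CE, RE = "PrivEsc", "CredentialExposure", "ResourceExposure"
PM = "Permissions management"
# Excerpt of the page's catalogue: (action, access_level, risk categories).
_ROWS = [
    ("iam:CreateAccessKey", "Write", (CE, PE, RE)),
    ("iam:CreateLoginProfile", "Write", (CE, PE, RE)),
    ("iam:CreatePolicyVersion", PM, (PE, RE)),
    ("iam:CreateRole", "Write", (RE,)),
    ("iam:CreateServiceLinkedRole", "Write", (PE, RE)),
    ("iam:CreateUser", "Write", (RE,)),
    ("iam:PassRole", "Write", (PE, RE)),
    ("kms:PutKeyPolicy", PM, (RE,)),
    ("lambda:AddPermission", PM, (RE,)),
    ("lightsail:GetRelationalDatabaseMasterUserPassword", "Write", (CE, RE)),
    ("rds-db:connect", PM, (CE, RE)),
    ("s3:PutAccountPublicAccessBlock", PM, (RE,)),
    ("s3:PutBucketAcl", PM, (RE,)),
    ("s3:PutBucketPolicy", PM, (RE,)),
    ("secretsmanager:PutResourcePolicy", PM, (RE,)),
]
CATALOG: Dict[str, dict] = {a: {"access_level": lvl, "risk_category": list(cats)} for a, lvl, cats in _ROWS}
SEVERITY = {PE: 0, CE: 1, RE: 2}  # report ordering, most severe first

def iam_pattern(pattern: str) -> "re.Pattern[str]":
    """IAM action matching: '*' is any run, '?' one character, comparison is case-insensitive."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)

def expand(patterns: List[str], catalog: Dict[str, dict]) -> Set[str]:
    """Catalogued actions matched by any pattern (actions outside the catalogue are not reported)."""
    compiled = [iam_pattern(p) for p in patterns]
    return {a for a in catalog if any(rx.match(a) for rx in compiled)}

def _as_list(value) -> list:
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)

def effective_actions(policy: dict, catalog: Dict[str, dict]) -> Dict[str, dict]:
    """Catalogued actions the policy grants, with granting Sids, resource scope and Condition status.
    Allow+NotAction grants every catalogued action except those listed. An unconditional Deny on
    Resource "*" removes what it names; a conditional Deny cannot be decided statically, so its
    actions stay flagged (this is the example's own approximation, not IAM's evaluation logic)."""
    statements = _as_list(policy.get("Statement"))
    granted: Dict[str, dict] = {}
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if "Action" in st:
            actions = expand(_as_list(st["Action"]), catalog)
        elif "NotAction" in st:
            actions = set(catalog) - expand(_as_list(st["NotAction"]), catalog)
        else:
            continue
        wildcard = "*" in _as_list(st.get("Resource")) or "NotResource" in st
        for action in actions:
            entry = granted.setdefault(action, {"sids": [], "resource_wildcard": False, "conditional": True})
            entry["sids"].append(st.get("Sid", "<no Sid>"))
            entry["resource_wildcard"] = entry["resource_wildcard"] or wildcard
            entry["conditional"] = entry["conditional"] and "Condition" in st  # True only if every grant is conditional
    for st in statements:
        if st.get("Effect") == "Deny" and "Condition" not in st and "*" in _as_list(st.get("Resource")):
            for action in expand(_as_list(st.get("Action")), catalog):
                granted.pop(action, None)
    return granted

def audit(policy: dict, catalog: Dict[str, dict]) -> List[dict]:
    """Findings ordered PrivEsc > CredentialExposure > ResourceExposure, Resource "*" grants first."""
    findings = [{"action": a, **catalog[a], **grant} for a, grant in effective_actions(policy, catalog).items()]
    findings.sort(key=lambda f: (min(SEVERITY[c] for c in f["risk_category"]), not f["resource_wildcard"], f["action"]))
    return findings

def summarize(findings: List[dict]) -> Dict[str, int]:
    """Number of flagged actions carrying each risk category."""
    return {cat: sum(cat in f["risk_category"] for f in findings) for cat in SEVERITY}

# Constructed policy: a deploy role with iam:Create* plus PassRole on "*", and one Deny carve-out.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployRoles", "Effect": "Allow", "Action": ["iam:Create*", "iam:PassRole"], "Resource": "*"},
        {"Sid": "BucketSetup", "Effect": "Allow", "Action": "s3:PutBucket*", "Resource": "arn:aws:s3:::app-artifacts"},
        {"Sid": "NoKeys", "Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    report = audit(WEAK_POLICY, CATALOG)
    for f in report:
        scope = "Resource=*" if f["resource_wildcard"] else "scoped resource"
        print(f'{f["action"]:<34} {f["access_level"]:<22} {",".join(f["risk_category"]):<42} {scope}  Sid={",".join(f["sids"])}')
    print(summarize(report))
```

Run stand-alone it prints the eight actions the constructed policy really grants (the Deny strips iam:CreateAccessKey, but iam:CreateLoginProfile and iam:CreatePolicyVersion survive the `iam:Create*` wildcard and are PrivEsc), with the two s3 actions flagged as scoped to one bucket rather than to "*". Feed the full catalogue in place of the excerpt to cover every service on this page.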
s3:PutBucketPolicy: access_level: Permissions management description: Grants permission to add or replace a bucket policy on a bucket risk_category: - ResourceExposure service_name: Amazon S3 - s3:PutBucketPublicAccessBlock: access_level: Permissions management description: Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket risk_category: - ResourceExposure service_name: Amazon S3 - s3:PutObjectAcl: access_level: Permissions management description: Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket risk_category: - ResourceExposure service_name: Amazon S3 - s3:PutObjectVersionAcl: access_level: Permissions management description: Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket risk_category: - ResourceExposure service_name: Amazon S3 - secretsmanager:DeleteResourcePolicy: access_level: Permissions management description: Grants permission to delete the resource policy attached to a secret risk_category: - ResourceExposure service_name: AWS Secrets Manager - secretsmanager:PutResourcePolicy: access_level: Permissions management description: Grants permission to attach a resource policy to a secret risk_category: - ResourceExposure service_name: AWS Secrets Manager - secretsmanager:ValidateResourcePolicy: access_level: Permissions management description: Grants permission to validate a resource policy before attaching policy risk_category: - ResourceExposure service_name: AWS Secrets Manager - servicecatalog:CreatePortfolioShare: access_level: Permissions management description: Grants permission to share a portfolio you own with another AWS account risk_category: - ResourceExposure service_name: AWS Service Catalog - servicecatalog:DeletePortfolioShare: access_level: Permissions management description: Grants permission to unshare a portfolio you own from an AWS 
account you previously shared the portfolio with risk_category: - ResourceExposure service_name: AWS Service Catalog - sns:AddPermission: access_level: Permissions management description: Grants permission to add a statement to a topic's access control policy, granting access for the specified AWS accounts to the specified actions risk_category: - ResourceExposure service_name: Amazon SNS - sns:CreateTopic: access_level: Write description: Grants permission to create a topic to which notifications can be published risk_category: - ResourceExposure service_name: Amazon SNS - sns:RemovePermission: access_level: Permissions management description: Grants permission to remove a statement from a topic's access control policy risk_category: - ResourceExposure service_name: Amazon SNS - sns:SetTopicAttributes: access_level: Permissions management description: Grants permission to allow a topic owner to set an attribute of the topic to a new value risk_category: - ResourceExposure service_name: Amazon SNS - sqs:AddPermission: access_level: Permissions management description: Grants permission to a queue for a specific principal risk_category: - ResourceExposure service_name: Amazon SQS - sqs:CreateQueue: access_level: Write description: Grants permission to create a new queue, or returns the URL of an existing one risk_category: - ResourceExposure service_name: Amazon SQS - sqs:RemovePermission: access_level: Permissions management description: Grants permission to revoke any permissions in the queue policy that matches the specified Label parameter risk_category: - ResourceExposure service_name: Amazon SQS - sqs:SetQueueAttributes: access_level: Write description: Grants permission to set the value of one or more queue attributes risk_category: - ResourceExposure service_name: Amazon SQS - ssm:ModifyDocumentPermission: access_level: Permissions management description: Grants permission to share a custom SSM document publicly or privately with specified AWS accounts 
risk_category: - ResourceExposure service_name: AWS Systems Manager - sso-directory:AddMemberToGroup: access_level: Write description: Grants permission to add a member to a group in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:CreateAlias: access_level: Write description: Grants permission to create an alias for the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:CreateGroup: access_level: Write description: Grants permission to create a group in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:CreateUser: access_level: Write description: Grants permission to create a user in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:DeleteGroup: access_level: Write description: Grants permission to delete a group from the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:DeleteUser: access_level: Write description: Grants permission to delete a user from the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:DisableUser: access_level: Write description: Grants permission to deactivate a user in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity 
Center (successor to AWS Single Sign-On) directory - sso-directory:EnableUser: access_level: Write description: Grants permission to activate user in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:RemoveMemberFromGroup: access_level: Write description: Grants permission to remove a member that is part of a group in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:UpdateGroup: access_level: Write description: Grants permission to update information about a group in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:UpdatePassword: access_level: Write description: Grants permission to update a password by sending password reset link via email or generating one time password for a user in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:UpdateUser: access_level: Write description: Grants permission to update user information in the directory that AWS IAM Identity Center provides by default risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso-directory:VerifyEmail: access_level: Write description: Grants permission to verify an email address of an User risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) directory - sso:AssociateDirectory: access_level: Write description: Grants permission to connect a directory to be used by AWS IAM Identity Center risk_category: - 
ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:AssociateProfile: access_level: Write description: Grants permission to create an association between a directory user or group and a profile risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:CreateApplicationInstance: access_level: Write description: Grants permission to add an application instance to AWS IAM Identity Center risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:CreateApplicationInstanceCertificate: access_level: Write description: Grants permission to add a new certificate for an application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:CreatePermissionSet: access_level: Write description: Grants permission to create a permission set risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:CreateProfile: access_level: Write description: Grants permission to create a profile for an application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:CreateTrust: access_level: Write description: Grants permission to create a federation trust in a target account risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:DeleteApplicationInstance: access_level: Write description: Grants permission to delete the application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:DeleteApplicationInstanceCertificate: access_level: Write description: Grants permission to delete an inactive or expired certificate from the application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single 
Sign-On) - sso:DeletePermissionSet: access_level: Write description: Grants permission to delete a permission set risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:DeletePermissionsPolicy: access_level: Permissions management description: Grants permission to delete the permission policy associated with a permission set risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:DeleteProfile: access_level: Write description: Grants permission to delete the profile for an application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:DisassociateDirectory: access_level: Write description: Grants permission to disassociate a directory to be used by AWS IAM Identity Center risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:DisassociateProfile: access_level: Write description: Grants permission to disassociate a directory user or group from a profile risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:ImportApplicationInstanceServiceProviderMetadata: access_level: Write description: Grants permission to update the application instance by uploading an application SAML metadata file provided by the service provider risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:PutPermissionsPolicy: access_level: Permissions management description: Grants permission to add a policy to a permission set risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:StartSSO: access_level: Write description: Grants permission to initialize AWS IAM Identity Center risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - 
sso:UpdateApplicationInstanceActiveCertificate: access_level: Write description: Grants permission to set a certificate as the active one for this application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateApplicationInstanceDisplayData: access_level: Write description: Grants permission to update display data of an application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateApplicationInstanceResponseConfiguration: access_level: Write description: Grants permission to update federation response configuration for the application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateApplicationInstanceResponseSchemaConfiguration: access_level: Write description: Grants permission to update federation response schema configuration for the application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateApplicationInstanceSecurityConfiguration: access_level: Write description: Grants permission to update security details for the application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateApplicationInstanceServiceProviderConfiguration: access_level: Write description: Grants permission to update service provider related configuration for the application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateApplicationInstanceStatus: access_level: Write description: Grants permission to update the status of an application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateDirectoryAssociation: access_level: Write description: Grants permission 
to update the user attribute mappings for your connected directory risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdatePermissionSet: access_level: Permissions management description: Grants permission to update the permission set risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateProfile: access_level: Write description: Grants permission to update the profile for an application instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateSSOConfiguration: access_level: Write description: Grants permission to update the configuration for the current SSO instance risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - sso:UpdateTrust: access_level: Write description: Grants permission to update the federation trust in a target account risk_category: - ResourceExposure service_name: AWS IAM Identity Center (successor to AWS Single Sign-On) - storagegateway:DeleteChapCredentials: access_level: Write description: Grants permission to delete Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target and initiator pair risk_category: - ResourceExposure service_name: AWS Storage Gateway - storagegateway:SetLocalConsolePassword: access_level: Write description: Grants permission to set the password for your VM local console risk_category: - ResourceExposure service_name: AWS Storage Gateway - storagegateway:SetSMBGuestPassword: access_level: Write description: Grants permission to set the password for SMB Guest user risk_category: - ResourceExposure service_name: AWS Storage Gateway - storagegateway:UpdateChapCredentials: access_level: Write description: Grants permission to update the Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target risk_category: - 
ResourceExposure service_name: AWS Storage Gateway - waf-regional:DeletePermissionPolicy: access_level: Permissions management description: Grants permission to delete an IAM policy from a rule group risk_category: - ResourceExposure service_name: AWS WAF Regional - waf-regional:PutPermissionPolicy: access_level: Permissions management description: Grants permission to attach an IAM policy to a specified rule group, to support rule group sharing between accounts risk_category: - ResourceExposure service_name: AWS WAF Regional - waf:DeletePermissionPolicy: access_level: Permissions management description: Grants permission to delete an IAM policy from a rule group risk_category: - ResourceExposure service_name: AWS WAF - waf:PutPermissionPolicy: access_level: Permissions management description: Grants permission to attach an IAM policy to a rule group, to share the rule group between accounts risk_category: - ResourceExposure service_name: AWS WAF - wafv2:CreateWebACL: access_level: Write description: Grants permission to create a WebACL risk_category: - ResourceExposure service_name: AWS WAF V2 - wafv2:DeletePermissionPolicy: access_level: Permissions management description: Grants permission to delete the PermissionPolicy on a RuleGroup risk_category: - ResourceExposure service_name: AWS WAF V2 - wafv2:DeleteWebACL: access_level: Write description: Grants permission to delete a WebACL risk_category: - ResourceExposure service_name: AWS WAF V2 - wafv2:PutPermissionPolicy: access_level: Permissions management description: Grants permission to attach an IAM policy to a resource, used to share rule groups between accounts risk_category: - ResourceExposure service_name: AWS WAF V2 - wafv2:UpdateWebACL: access_level: Write description: Grants permission to update a WebACL risk_category: - ResourceExposure service_name: AWS WAF V2 - worklink:UpdateDevicePolicyConfiguration: access_level: Write description: Grants permission to update the device policy configuration for 
an Amazon WorkLink fleet risk_category: - ResourceExposure service_name: Amazon WorkLink - workmail:ResetPassword: access_level: Write description: Grants permission to allow the administrator to reset the password for a user risk_category: - ResourceExposure service_name: Amazon WorkMail - workmail:ResetUserPassword: access_level: Write description: Grants permission to reset the password for a user's account risk_category: - ResourceExposure service_name: Amazon WorkMail - xray:PutEncryptionConfig: access_level: Permissions management description: Grants permission to update the encryption configuration for X-Ray data risk_category: - ResourceExposure service_name: AWS X-Ray
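# Added example, not part of this catalogue file or of any tool that ships it:
# a scanner that reads an IAM policy document and reports every Allow statement
# that grants an action tagged ResourceExposure above. It expands IAM's
# wildcard action patterns ("s3:*", "sso:Put*"), treats NotAction statements as
# granting everything they do not exclude, and deliberately skips Deny
# statements (see the docstring for why). The embedded catalogue subset is
# hand-copied from the entries above and the sample policy is constructed for
# the example.

```python
"""Scan an IAM policy document for actions the catalogue tags ResourceExposure.

Added example, not part of the catalogue file. RESOURCE_EXPOSURE_ACTIONS is a
hand-copied subset of the file's ResourceExposure entries, embedded so the
script runs offline; SAMPLE_POLICY is a constructed test input.
"""
import fnmatch
import json

# Constructed subset of the catalogue: action -> access_level.
RESOURCE_EXPOSURE_ACTIONS = {
    "s3:PutBucketPolicy": "Permissions management",
    "s3:PutBucketAcl": "Permissions management",
    "s3:PutAccountPublicAccessBlock": "Permissions management",
    "s3:DeleteBucketPolicy": "Permissions management",
    "sns:AddPermission": "Permissions management",
    "sns:CreateTopic": "Write",
    "sqs:AddPermission": "Permissions management",
    "secretsmanager:PutResourcePolicy": "Permissions management",
    "sso:PutPermissionsPolicy": "Permissions management",
    "sso-directory:CreateUser": "Write",
    "wafv2:PutPermissionPolicy": "Permissions management",
    "rds-db:connect": "Permissions management",
}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def action_matches(action, pattern):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_resource_exposure(policy):
    """Return one finding per (Allow statement, catalogue action) the statement grants.

    Deny statements are skipped: whether a Deny overrides an Allow depends on
    resource and condition scope, which this action-level check does not model,
    so the result is an over-approximation for triage, not an authorisation
    decision. A NotAction statement grants everything not listed, so every
    catalogue action outside its patterns is flagged.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "Statement[%d]" % idx)
        granted = {}  # catalogue action -> the pattern that granted it
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            for action in RESOURCE_EXPOSURE_ACTIONS:
                if not any(action_matches(action, p) for p in excluded):
                    granted[action] = "NotAction"
        else:
            for pattern in _as_list(stmt.get("Action")):
                for action in RESOURCE_EXPOSURE_ACTIONS:
                    if action_matches(action, pattern):
                        granted.setdefault(action, pattern)
        for action in sorted(granted):
            findings.append({
                "sid": sid,
                "pattern": granted[action],
                "action": action,
                "access_level": RESOURCE_EXPOSURE_ACTIONS[action],
                "resource": _as_list(stmt.get("Resource")),
            })
    return findings


# Constructed policy: a broad service wildcard, an exact match hidden in a
# harmless-looking list, a Deny (ignored), and a NotAction "read-only" statement.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BucketAdmin", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "Notify", "Effect": "Allow", "Action": ["sns:Publish", "sns:CreateTopic"],
     "Resource": "*"},
    {"Sid": "NoSecrets", "Effect": "Deny", "Action": "secretsmanager:*", "Resource": "*"},
    {"Sid": "ReadOnly", "Effect": "Allow", "NotAction": ["iam:*", "s3:*"], "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for f in find_resource_exposure(SAMPLE_POLICY):
        print("%-12s %-12s %-36s %s" % (f["sid"], f["pattern"], f["action"], f["access_level"]))
```

# The "ReadOnly" statement is the one to notice: NotAction with a short
# exclusion list grants every ResourceExposure action outside iam:* and s3:*,
# which is the usual way a "read-only" policy silently carries
# permissions-management rights. To run this against the full catalogue,
# replace the embedded dict with the ResourceExposure entries loaded from this
# file and key them by action name.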