Parameters: VegaExternalIdParameter: Type: String Description: Vega Cloud's ExternalId for your environments (helps to authenticate role assumption). Please contact Vega Cloud for your ExternalId. Default: "vega:" Resources: VegaDiscoveryReader: Properties: RoleName: VegaDiscoveryReader AssumeRolePolicyDocument: Statement: - Action: "sts:AssumeRole" Condition: StringEquals: "sts:ExternalId": !Ref VegaExternalIdParameter Effect: Allow Principal: # 955075715928 This one of the Vega Data Collection Accounts # 549829454055 This one of the Vega Data Collection Accounts # 933023916684 This is the Vega Saas Platform Account AWS: ["arn:aws:iam::955075715928:root", "arn:aws:iam::549829454055:root", "arn:aws:iam::933023916684:root"] - Action: "sts:AssumeRole" Effect: Allow Principal: Service: ["cloudformation.amazonaws.com"] Version: 2012-10-17 Type: "AWS::IAM::Role" DiscoveryPolicy: DependsOn: VegaDiscoveryReader Type: "AWS::IAM::Policy" Properties: PolicyName: VegaDiscoveryReaderPolicy Roles: - VegaDiscoveryReader PolicyDocument: Statement: # AWS Batch Discovery - Sid: VegaDiscoveryReaderBatchDiscovery Effect: Allow Resource: "*" Action: - "batch:Describe*" - "batch:List*" # CloudWatch Metrics Discovery - Sid: VegaDiscoveryReaderCloudWatchMetricsDiscovery Effect: Allow Resource: "*" Action: - "cloudwatch:GetMetricData" - "cloudwatch:GetMetricStatistics" - "cloudwatch:ListMetrics" - "cloudwatch:ListTagsForResource" # EC2 Resource Discovery - Sid: VegaDiscoveryReaderEC2Discovery Effect: Allow Resource: "*" Action: - "ec2:Describe*" - "ec2:GetCapacityReservationUsage" - "ec2:GetGroupsForCapacityReservation" - "ec2:GetHostReservationPurchasePreview" # RDS Resource Discovery - Sid: VegaDiscoveryReaderRDSDiscovery Effect: Allow Resource: "*" Action: - "rds:DescribeDBClusterSnapshots" - "rds:DescribeDBClusters" - "rds:DescribeRecommendationGroups" - "rds:DescribeRecommendations" - "rds:DescribeReservedDBInstances" - "rds:DescribeReservedDBInstancesOfferings" - "rds:DescribeDBInstances" - "rds:DescribeDBSnapshots" - "rds:ListTagsForResource" # Elastic Container Service (ECS) - Sid: VegaDiscoveryReaderECSDiscovery Effect: Allow Resource: "*" Action: - "ecs:Describe*" - "ecs:List*" # Elastic Kubernetes Service (EKS) - Sid: VegaDiscoveryReaderEKSDiscovery Effect: Allow Resource: "*" Action: - "eks:Describe*" - "eks:List*" # ElastiCache Resource Discovery - Sid: VegaDiscoveryReaderElastiCacheDiscovery Effect: Allow Resource: "*" Action: - "elasticache:Describe*" - "elasticache:List*" # Redshift Resource Discovery - Sid: VegaDiscoveryReaderRedshiftDiscovery Effect: Allow Resource: "*" Action: - "redshift:DescribeReservedNodes" - "redshift:DescribeReservedNodeExchangeStatus" - "redshift:DescribeReservedNodeOfferings" - "redshift:DescribeClusters" - "redshift:DescribeClusterSnapshots" - "redshift:DescribeStorage" - "redshift:DescribeTags" - "redshift:GetReservedNodeExchangeOfferings" - "redshift:GetReservedNodeExchangeConfigurationOptions" # DynamoDB Resource Discovery - Sid: VegaDiscoveryReaderDynamoDBDiscovery Effect: Allow Resource: "*" Action: - "dynamodb:DescribeReservedCapacity" - "dynamodb:DescribeReservedCapacityOfferings" - "dynamodb:ListTagsOfResource" # Opensearch Resource Discovery - Sid: VegaDiscoveryReaderOpensearchDiscovery Effect: Allow Resource: "*" Action: - "es:DescribeReservedElasticsearchInstances" - "es:DescribeReservedElasticsearchInstanceOfferings" - "es:DescribeReservedInstances" - "es:DescribeReservedInstanceOfferings" - "es:ListTags" # Medialive Resource Discovery - Sid: VegaDiscoveryReaderMedialiveDiscovery Effect: Allow Resource: "*" Action: - "medialive:DescribeReservation" - "medialive:ListReservations" - "medialive:ListTagsForResource" # Trusted Advisor Resource Discovery - Sid: VegaDiscoveryReaderTrustedAdvisorDiscovery Effect: Allow Resource: "*" Action: - "support:DescribeTrustedAdvisorCheckRefreshStatuses" - "support:DescribeTrustedAdvisorCheckResult" - "support:DescribeTrustedAdvisorChecks" - "support:DescribeTrustedAdvisorCheckSummaries" - "support:RefreshTrustedAdvisorCheck" - "trustedadvisor:Describe*" # Savings Plan Resource Discovery - Sid: VegaDiscoveryReaderSavingsPlanDiscovery Effect: Allow Resource: "*" Action: - "savingsplans:*" # Compute Optimizer Resource Discovery - Sid: VegaDiscoveryReaderComputeOptimizerDiscovery Effect: Allow Resource: "*" Action: - "compute-optimizer:GetAutoScalingGroupRecommendations" - "compute-optimizer:GetEBSVolumeRecommendations" - "compute-optimizer:GetEC2InstanceRecommendations" - "compute-optimizer:GetEC2RecommendationProjectedMetrics" - "compute-optimizer:GetEffectiveRecommendationPreferences" - "compute-optimizer:GetEnrollmentStatus" - "compute-optimizer:GetEnrollmentStatusesForOrganization" - "compute-optimizer:GetLambdaFunctionRecommendations" - "compute-optimizer:GetRecommendationPreferences" - "compute-optimizer:GetRecommendationSummaries" # S3 Resource Discovery - Sid: VegaDiscoveryReaderS3Discovery Effect: Allow Resource: "*" Action: # Note: Get* is filtered with an explicit deny on GetObject below. - "s3:Get*" - "s3:List*" - Action: - "s3:GetObject" Effect: Deny Resource: "*" VegaOptimizer: # This role and policy are used by the Vega Platform discover, tag resources, and optimize yoour account(s) # Optimize includes minimal permission for such actions as starting/stopping instances, modifying instance types Properties: RoleName: VegaOptimizer AssumeRolePolicyDocument: Statement: - Action: "sts:AssumeRole" Condition: StringEquals: "sts:ExternalId": !Ref VegaExternalIdParameter Effect: Allow Principal: # 955075715928 This one of the Vega Data Collection Accounts # 549829454055 This one of the Vega Data Collection Accounts # 933023916684 This is the Vega Saas Platform Account AWS: ["arn:aws:iam::955075715928:root", "arn:aws:iam::549829454055:root", "arn:aws:iam::933023916684:root"] - Action: "sts:AssumeRole" Effect: Allow Principal: Service: ["cloudformation.amazonaws.com"] Version: 2012-10-17 Type: "AWS::IAM::Role" ParkingPolicy: DependsOn: VegaOptimizer Type: "AWS::IAM::Policy" Properties: PolicyName: VegaParkingPolicy Roles: - VegaOptimizer PolicyDocument: Statement: # General Parking Requirements - Sid: VegaOptimizerGeneralParkingRequirements Effect: Allow Resource: "*" Action: - "autoscaling:DescribeAutoScalingGroups" - "autoscaling:UpdateAutoScalingGroup" - "autoscaling:SuspendProcesses" - "autoscaling:ResumeProcesses" - "autoscaling:DescribeScalingActivities" - "autoscaling:DescribeLaunchConfigurations" - "autoscaling:DescribeAutoScalingInstances" - "autoscaling:Describe*" - "autoscaling:List*" - "iam:PassRole" # CloudWatch Metrics Discovery - Sid: VegaOptimizerCloudWatchMetricsDiscovery Effect: Allow Resource: "*" Action: - "cloudwatch:GetMetricData" - "cloudwatch:GetMetricStatistics" - "cloudwatch:ListMetrics" - "cloudwatch:DescribeAlarms" - "cloudwatch:DescribeAlarmsForMetric" # EC2 Resource Discovery - Effect: Allow Sid: VegaOptimizerEC2Discovery Resource: "*" Action: - "ec2:Describe*" - "ec2:List*" # EC2 Parking - Sid: VegaOptimizerEC2Parking Effect: Allow Resource: "*" Action: - "ec2:RunInstances" - "ec2:StartInstances" - "ec2:StopInstances" # Load Balancer Resource Discovery - Sid: VegaOptimizerLoadBalancerDiscovery Effect: Allow Resource: "*" Action: - "elasticloadbalancing:Describe*" - "elasticloadbalancing:List*" - "ec2:Describe*" - "ec2:List*" # Load Balancer Parking - Sid: VegaOptimizerLoadBalancerParking Effect: Allow Resource: "*" Action: - "elasticloadbalancing:RegisterTargets" - "elasticloadbalancing:DeregisterTargets" - "ec2:StartInstances" - "ec2:StopInstances" # RDS Resource Discovery - Sid: VegaOptimizerRDSDiscovery Effect: Allow Resource: "*" Action: - "rds:DescribeDBClusters" - "rds:DescribeDBInstances" - "rds:List*" # RDS Parking - Sid: VegaOptimizerRDSParking Effect: Allow Resource: "*" Action: - "rds:StartDBCluster" - "rds:StartDBInstance" - "rds:StopDBCluster" - "rds:StopDBInstance" # Redshift Resource Discovery - Sid: VegaOptimizerRedshiftDiscovery Effect: Allow Resource: "*" Action: - "redshift:DescribeReservedNodes" - "redshift:DescribeReservedNodeExchangeStatus" - "redshift:DescribeReservedNodeOfferings" - "redshift:DescribeClusters" - "redshift:DescribeStorage" # Park Redshift - Sid: VegaOptimizerRedshiftParking Effect: Allow Resource: "*" Action: - "redshift:PauseCluster" - "redshift:ResumeCluster" TaggingPolicy: DependsOn: VegaOptimizer Type: "AWS::IAM::Policy" Properties: PolicyName: VegaTaggingPolicy Roles: - VegaOptimizer PolicyDocument: Statement: - Sid: VegaTaggingPolicy Effect: Allow Resource: "*" Action: - "s3:GetObjectTagging" - "s3:PutObjectTagging" - "s3:PutBucketTagging" - "s3-outposts:PutBucketTagging" - "s3:DeleteJobTagging" - "s3:DeleteStorageLensConfigurationTagging" - "s3:GetJobTagging" - "s3:GetStorageLensConfigurationTagging" - "s3:PutJobTagging" - "s3:PutStorageLensConfigurationTagging" - "cognito-identity:ListTagsForResource" - "cognito-identity:TagResource" - "cognito-identity:UntagResource" - "acm:AddTagsToCertificate" - "acm:ListTagsForCertificate" - "acm:RemoveTagsFromCertificate" - "appstream:ListTagsForResource" - "appstream:TagResource" - "appstream:UntagResource" - "autoscaling:CreateOrUpdateTags" - "autoscaling:DeleteTags" - "autoscaling:DescribeTags" - "batch:ListTagsForResource" - "batch:TagResource" - "batch:UntagResource" - "clouddirectory:ListTagsForResource" - "clouddirectory:TagResource" - "clouddirectory:UntagResource" - "cloudfront:CreateDistributionWithTags" - "cloudfront:CreateStreamingDistributionWithTags" - "cloudfront:ListTagsForResource" - "cloudfront:TagResource" - "cloudfront:UntagResource" - "cloudhsm:AddTagsToResource" - "cloudhsm:ListTagsForResource" - "cloudhsm:RemoveTagsFromResource" - "cloudtrail:AddTags" - "cloudtrail:ListTags" - "cloudtrail:RemoveTags" - "cloudwatch:ListTagsForResource" - "cloudwatch:TagResource" - "cloudwatch:UntagResource" - "events:ListTagsForResource" - "events:TagResource" - "events:UntagResource" - "logs:ListTagsLogGroup" - "logs:TagLogGroup" - "logs:UntagLogGroup" - "codecommit:ListTagsForResource" - "codecommit:TagResource" - "codecommit:UntagResource" - "codedeploy:AddTagsToOnPremisesInstances" - "codedeploy:ListTagsForResource" - "codedeploy:RemoveTagsFromOnPremisesInstances" - "codedeploy:TagResource" - "codedeploy:UntagResource" - "codepipeline:ListTagsForResource" - "codepipeline:TagResource" - "codepipeline:UntagResource" - "cognito-idp:ListTagsForResource" - "cognito-idp:TagResource" - "cognito-idp:UntagResource" - "config:BatchGetAggregateResourceConfig" - "config:GetAggregateComplianceDetailsByConfigRule" - "config:GetAggregateConfigRuleComplianceSummary" - "config:GetAggregateDiscoveredResourceCounts" - "config:GetAggregateResourceConfig" - "config:ListAggregateDiscoveredResources" - "config:ListTagsForResource" - "config:PutAggregationAuthorization" - "config:SelectAggregateResourceConfig" - "config:TagResource" - "config:UntagResource" - "datapipeline:AddTags" - "datapipeline:RemoveTags" - "devicefarm:ListTagsForResource" - "devicefarm:TagResource" - "devicefarm:UntagResource" - "directconnect:DescribeTags" - "directconnect:TagResource" - "directconnect:UntagResource" - "ds:AddTagsToResource" - "ec2:CreateTags" - "ds:ListTagsForResource" - "ds:RemoveTagsFromResource" - "ec2:DeleteTags" - "discovery:CreateTags" - "discovery:DeleteTags" - "discovery:DescribeTags" - "dms:AddTagsToResource" - "dms:ListTagsForResource" - "dms:RemoveTagsFromResource" - "dynamodb:ListTagsOfResource" - "dynamodb:TagResource" - "dynamodb:UntagResource" - "ec2:DescribeTags" - "ecr:ListTagsForResource" - "ecr:PutImageTagMutability" - "ecr:TagResource" - "ecr:UntagResource" - "ecs:ListTagsForResource" - "ecs:TagResource" - "ecs:UntagResource" - "elasticfilesystem:CreateTags" - "elasticfilesystem:DeleteTags" - "elasticfilesystem:DescribeTags" - "elasticfilesystem:ListTagsForResource" - "elasticfilesystem:TagResource" - "elasticfilesystem:UntagResource" - "elasticache:AddTagsToResource" - "elasticache:ListTagsForResource" - "elasticache:AddTagsToResource" - "elasticache:RemoveTagsFromResource" - "elasticbeanstalk:ListTagsForResource" - "elasticloadbalancing:AddTags" - "elasticloadbalancing:DescribeTags" - "elasticloadbalancing:RemoveTags" - "elasticmapreduce:AddTags" - "elasticmapreduce:RemoveTags" - "es:AddTags" - "es:ListTags" - "es:RemoveTags" - "firehose:ListTagsForDeliveryStream" - "firehose:TagDeliveryStream" - "firehose:UntagDeliveryStream" - "gamelift:ListTagsForResource" - "gamelift:TagResource" - "gamelift:UntagResource" - "glacier:AddTagsToVault" - "glacier:ListTagsForVault" - "glacier:RemoveTagsFromVault" - "health:DescribeEventAggregates" - "iam:ListRoleTags" - "iam:ListUserTags" - "iam:TagRole" - "iam:TagUser" - "iam:UntagRole" - "iam:UntagUser" - "inspector:ListTagsForResource" - "inspector:SetTagsForResource" - "iot:ListTagsForResource" - "iot:TagResource" - "iot:UntagResource" - "kinesis:AddTagsToStream" - "kinesis:ListTagsForStream" - "kinesis:RemoveTagsFromStream" - "kinesisanalytics:ListTagsForResource" - "kinesisanalytics:TagResource" - "kinesisanalytics:UntagResource" - "kms:ListResourceTags" - "kms:TagResource" - "kms:UntagResource" - "lambda:ListTags" - "lambda:TagResource" - "lambda:UntagResource" - "lightsail:TagResource" - "lightsail:UntagResource" - "machinelearning:AddTags" - "machinelearning:DeleteTags" - "machinelearning:DescribeTags" - "opsworks:ListTags" - "opsworks:TagResource" - "opsworks:UntagResource" - "opsworks-cm:ListTagsForResource" - "opsworks-cm:TagResource" - "opsworks-cm:UntagResource" - "organizations:ListTagsForResource" - "organizations:TagResource" - "organizations:UntagResource" - "mobiletargeting:ListTagsForResource" - "mobiletargeting:TagResource" - "mobiletargeting:UntagResource" - "rds:AddTagsToResource" - "rds:ListTagsForResource" - "rds:RemoveTagsFromResource" - "rds:AddTagsToResource" - "redshift:CreateTags" - "redshift:DeleteTags" - "redshift:DescribeTags" - "tag:DescribeReportCreation" - "tag:GetComplianceSummary" - "tag:GetResources" - "tag:GetTagKeys" - "tag:GetTagValues" - "tag:StartReportCreation" - "tag:TagResources" - "tag:UntagResources" - "route53:ChangeTagsForResource" - "route53:ListTagsForResource" - "route53:ListTagsForResources" - "route53domains:DeleteTagsForDomain" - "route53domains:ListTagsForDomain" - "route53domains:UpdateTagsForDomain" - "s3:DeleteObjectTagging" - "s3:GetBucketTagging" - "s3:GetObjectTagging" - "s3:PutBucketTagging" - "s3:PutObjectTagging" - "s3-outposts:GetBucketTagging" - "s3-outposts:PutBucketTagging" - "servicecatalog:AssociateTagOptionWithResource" - "servicecatalog:CreateTagOption" - "servicecatalog:DeleteTagOption" - "servicecatalog:DescribeTagOption" - "servicecatalog:DisassociateTagOptionFromResource" - "servicecatalog:ListResourcesForTagOption" - "servicecatalog:ListTagOptions" - "servicecatalog:UpdateTagOption" - "sns:ListTagsForResource" - "sns:TagResource" - "sns:UntagResource" - "sqs:TagQueue" - "sqs:ListQueueTags" - "sqs:TagQueue" - "sqs:UntagQueue" - "ssm:AddTagsToResource" - "ssm:ListTagsForResource" - "ssm:RemoveTagsFromResource" - "storagegateway:AddTagsToResource" - "storagegateway:ListTagsForResource" - "storagegateway:RemoveTagsFromResource" - "states:ListTagsForResource" - "states:TagResource" - "states:UntagResource" - "swf:ListTagsForResource" - "swf:TagResource" - "swf:UntagResource" - "xray:ListTagsForResource" - "xray:TagResource" - "xray:UntagResource" - "waf:ListTagsForResource" - "waf:TagResource" - "waf:UntagResource" - "waf-regional:ListTagsForResource" - "waf-regional:TagResource" - "waf-regional:UntagResource" - "workspaces:CreateTags" - "workspaces:DeleteTags" - "workspaces:DescribeTags" - "codestar:ListTagsForProject" - "codestar:TagProject" - "codestar:UntagProject" - "lex:ListTagsForResource" - "lex:TagResource" - "lex:UntagResource" - "athena:ListTagsForResource" - "athena:TagResource" - "athena:UntagResource" - "greengrass:ListTagsForResource" - "greengrass:TagResource" - "greengrass:UntagResource" - "dax:ListTags" - "dax:TagResource" - "dax:UntagResource" - "cloudhsm:ListTags" - "cloudhsm:TagResource" - "cloudhsm:UntagResource" - "glue:GetTags" - "glue:TagResource" - "glue:UntagResource" - "mediaconvert:ListTagsForResource" - "mediaconvert:TagResource" - "mediaconvert:UntagResource" - "medialive:CreateTags" - "medialive:DeleteTags" - "medialive:ListTagsForResource" - "mediapackage:ListTagsForResource" - "mediapackage:TagResource" - "mediapackage:UntagResource" - "mediastore:ListTagsForResource" - "mediastore:TagResource" - "mediastore:UntagResource" - "appsync:ListTagsForResource" - "appsync:TagResource" - "appsync:UntagResource" - "guardduty:ListTagsForResource" - "guardduty:TagResource" - "guardduty:UntagResource" - "mq:CreateTags" - "mq:DeleteTags" - "mq:ListTags" - "comprehend:ListTagsForResource" - "comprehend:TagResource" - "comprehend:UntagResource" - "kinesisvideo:ListTagsForResource" - "kinesisvideo:ListTagsForStream" - "kinesisvideo:TagResource" - "kinesisvideo:TagStream" - "kinesisvideo:UntagResource" - "kinesisvideo:UntagStream" - "sagemaker:AddTags" - "sagemaker:DeleteTags" - "sagemaker:ListTags" - "resource-groups:GetTags" - "resource-groups:Tag" - "resource-groups:Untag" - "a4b:ListTags" - "a4b:TagResource" - "a4b:UntagResource" - "cloud9:ListTagsForResource" - "cloud9:TagResource" - "cloud9:UntagResource" - "servicediscovery:ListTagsForResource" - "servicediscovery:TagResource" - "servicediscovery:UntagResource" - "workmail:ListTagsForResource" - "workmail:TagResource" - "workmail:UntagResource" - "connect:ListTagsForResource" - "connect:TagResource" - "connect:UntagResource" - "acm-pca:ListTags" - "acm-pca:TagCertificateAuthority" - "acm-pca:UntagCertificateAuthority" - "fms:ListTagsForResource" - "fms:TagResource" - "fms:UntagResource" - "secretsmanager:TagResource" - "secretsmanager:UntagResource" - "iotanalytics:ListTagsForResource" - "iotanalytics:TagResource" - "iotanalytics:UntagResource" - "iot1click:ListTagsForResource" - "iot1click:TagResource" - "iot1click:UntagResource" - "iot1click:ListTagsForResource" - "iot1click:TagResource" - "iot1click:UntagResource" - "rds:AddTagsToResource" - "rds:ListTagsForResource" - "rds:RemoveTagsFromResource" - "rds:AddTagsToResource" - "mediatailor:ListTagsForResource" - "mediatailor:TagResource" - "mediatailor:UntagResource" - "eks:ListTagsForResource" - "eks:TagResource" - "eks:UntagResource" - "dlm:ListTagsForResource" - "dlm:TagResource" - "dlm:UntagResource" - "signer:ListTagsForResource" - "signer:TagResource" - "signer:UntagResource" - "chime:ListAttendeeTags" - "chime:ListMeetingTags" - "chime:ListTagsForResource" - "chime:TagAttendee" - "chime:TagMeeting" - "chime:TagResource" - "chime:UntagAttendee" - "chime:UntagMeeting" - "chime:UntagResource" - "ses:ListTagsForResource" - "ses:TagResource" - "ses:UntagResource" - "ram:TagResource" - "ram:UntagResource" - "route53resolver:ListTagsForResource" - "route53resolver:TagResource" - "route53resolver:UntagResource" - "quicksight:ListTagsForResource" - "quicksight:TagResource" - "quicksight:UntagResource" - "amplify:TagResource" - "amplify:UntagResource" - "datasync:ListAgents" - "datasync:ListTagsForResource" - "datasync:TagResource" - "datasync:UntagResource" - "robomaker:ListTagsForResource" - "robomaker:TagResource" - "robomaker:UntagResource" - "transfer:ListTagsForResource" - "transfer:TagResource" - "transfer:UntagResource" - "globalaccelerator:ListTagsForResource" - "globalaccelerator:TagResource" - "globalaccelerator:UntagResource" - "kinesisanalytics:ListTagsForResource" - "kinesisanalytics:TagResource" - "kinesisanalytics:UntagResource" - "fsx:ListTagsForResource" - "fsx:TagResource" - "fsx:UntagResource" - "securityhub:ListTagsForResource" - "securityhub:TagResource" - "securityhub:UntagResource" - "appmesh:ListTagsForResource" - "appmesh:TagResource" - "appmesh:UntagResource" - "license-manager:ListTagsForResource" - "license-manager:TagResource" - "license-manager:UntagResource" - "kafka:ListTagsForResource" - "kafka:TagResource" - "kafka:UntagResource" - "rds:AddTagsToResource" - "rds:ListTagsForResource" - "rds:RemoveTagsFromResource" - "rds:AddTagsToResource" - "backup:ListTags" - "backup:TagResource" - "backup:UntagResource" - "worklink:ListTagsForResource" - "worklink:TagResource" - "worklink:UntagResource" - "managedblockchain:ListTagsForResource" - "managedblockchain:TagResource" - "managedblockchain:UntagResource" - "mediapackage-vod:ListTagsForResource" - "mediapackage-vod:TagResource" - "mediapackage-vod:UntagResource" - "groundstation:ListTagsForResource" - "groundstation:TagResource" - "groundstation:UntagResource" - "iotthingsgraph:ListTagsForResource" - "iotthingsgraph:TagResource" - "iotthingsgraph:UntagResource" - "iotevents:ListTagsForResource" - "iotevents:TagResource" - "iotevents:UntagResource" - "applicationinsights:ListTagsForResource" - "applicationinsights:TagResource" - "applicationinsights:UntagResource" - "servicequotas:ListTagsForResource" - "servicequotas:TagResource" - "servicequotas:UntagResource" - "events:ListTagsForResource" - "events:TagResource" - "events:UntagResource" - "forecast:ListTagsForResource" - "forecast:TagResource" - "forecast:UntagResource" - "qldb:ListTagsForResource" - "qldb:TagResource" - "qldb:UntagResource" - "codestar-notifications:ListTagsForResource" - "codestar-notifications:TagResource" - "codestar-notifications:UntagResource" - "savingsplans:ListTagsForResource" - "savingsplans:TagResource" - "savingsplans:UntagResource" - "dataexchange:ListTagsForResource" - "dataexchange:TagResource" - "dataexchange:UntagResource" - "ses:ListTagsForResource" - "ses:TagResource" - "ses:UntagResource" - "appconfig:ListTagsForResource" - "appconfig:TagResource" - "appconfig:UntagResource" - "iot:ListTagsForResource" - "iot:TagResource" - "iot:UntagResource" - "wafv2:ListTagsForResource" - "wafv2:TagResource" - "wafv2:UntagResource" - "imagebuilder:ListTagsForResource" - "imagebuilder:TagResource" - "imagebuilder:UntagResource" - "schemas:ListTagsForResource" - "schemas:TagResource" - "schemas:UntagResource" - "access-analyzer:ListTagsForResource" - "access-analyzer:TagResource" - "access-analyzer:UntagResource" - "codecommit:UntagResource" - "codeguru-profiler:ListTagsForResource" - "codeguru-profiler:PostAgentProfile" - "codeguru-profiler:TagResource" - "codeguru-profiler:UntagResource" - "frauddetector:ListTagsForResource" - "frauddetector:TagResource" - "frauddetector:UntagResource" - "kendra:ListTagsForResource" - "kendra:TagResource" - "kendra:UntagResource" - "networkmanager:ListTagsForResource" - "networkmanager:TagResource" - "networkmanager:UntagResource" - "outposts:ListTagsForResource" - "outposts:TagResource" - "outposts:UntagResource" - "codestar-connections:ListTagsForResource" - "codestar-connections:TagResource" - "codestar-connections:UntagResource" - "synthetics:ListTagsForResource" - "synthetics:TagResource" - "synthetics:UntagResource" - "iotsitewise:ListTagsForResource" - "iotsitewise:TagResource" - "iotsitewise:UntagResource" - "macie2:ListTagsForResource" - "macie2:TagResource" - "macie2:UntagResource" - "codeartifact:ListTagsForResource" - "codeartifact:TagResource" - "codeartifact:UntagResource" - "ivs:ListTagsForResource" - "ivs:TagResource" - "ivs:UntagResource" - "braket:ListTagsForResource" - "braket:TagResource" - "braket:UntagResource" - "appflow:ListTagsForResource" - "appflow:TagResource" - "appflow:UntagResource" - "sso:ListTagsForResource" - "sso:TagResource" - "sso:UntagResource" - "timestream:ListTagsForResource" - "timestream:TagResource" - "timestream:UntagResource" - "databrew:ListTagsForResource" - "databrew:TagResource" - "databrew:UntagResource" - "servicecatalog:ListTagsForResource" - "servicecatalog:TagResource" - "servicecatalog:UntagResource" - "network-firewall:ListTagsForResource" - "network-firewall:TagResource" - "network-firewall:UntagResource" - "airflow:ListTagsForResource" - "airflow:TagResource" - "airflow:UntagResource" - "app-integrations:ListTagsForResource" - "app-integrations:TagResource" - "app-integrations:UntagResource" - "ecr-public:DescribeImageTags" - "profile:ListTagsForResource" - "profile:TagResource" - "profile:UntagResource" - "auditmanager:ListTagsForResource" - "auditmanager:TagResource" - "auditmanager:UntagResource" - "greengrass:ListTagsForResource" - "greengrass:TagResource" - "greengrass:UntagResource" - "iotdeviceadvisor:ListTagsForResource" - "iotdeviceadvisor:TagResource" - "iotdeviceadvisor:UntagResource" - "iotfleethub:ListTagsForResource" - "iotfleethub:TagResource" - "iotfleethub:UntagResource" - "iotwireless:ListTagsForResource" - "iotwireless:TagResource" - "iotwireless:UntagResource" - "lex:ListTagsForResource" - "lex:TagResource" - "lex:UntagResource" - "iam:ListInstanceProfileTags" - "iam:ListMFADeviceTags" - "iam:ListOpenIDConnectProviderTags" - "iam:ListPolicyTags" - "iam:ListSAMLProviderTags" - "iam:ListServerCertificateTags" - "iam:TagInstanceProfile" - "iam:TagMFADevice" - "iam:TagOpenIDConnectProvider" - "iam:TagPolicy" - "iam:TagSAMLProvider" - "iam:TagServerCertificate" - "iam:UntagInstanceProfile" - "iam:UntagMFADevice" - "iam:UntagOpenIDConnectProvider" - "iam:UntagPolicy" - "iam:UntagSAMLProvider" - "iam:UntagServerCertificate" - "lookoutvision:ListTagsForResource" - "lookoutvision:TagResource" - "lookoutvision:UntagResource" - "wellarchitected:ListTagsForResource" - "wellarchitected:TagResource" - "wellarchitected:UntagResource" - "fis:ListTagsForResource" - "fis:TagResource" - "fis:UntagResource" - "elasticache:AddTagsToResource" - "rekognition:ListTagsForResource" - "rekognition:TagResource" - "rekognition:UntagResource" - "shield:ListTagsForResource" - "shield:TagResource" - "shield:UntagResource" - "fsx:TagResource" - "imagebuilder:TagResource" - "detective:ListTagsForResource" - "detective:TagResource" - "detective:UntagResource" - "lookoutmetrics:ListTagsForResource" - "lookoutmetrics:TagResource" - "lookoutmetrics:UntagResource" - "mgn:ListTagsForResource" - "ec2:CreateTags" - "mgn:ListTagsForResource" - "mgn:ListTagsForResource" - "mgn:TagResource" - "mgn:UntagResource" - "lookoutequipment:ListTagsForResource" - "lookoutequipment:TagResource" - "lookoutequipment:UntagResource" - "workspaces:CreateTags" - "amplify:ListTagsForResource" - "mediaconnect:ListTagsForResource" - "mediaconnect:TagResource" - "mediaconnect:UntagResource" - "imagebuilder:TagResource" - "nimble:ListTagsForResource" - "nimble:TagResource" - "nimble:UntagResource" - "apprunner:ListTagsForResource" - "apprunner:TagResource" - "apprunner:UntagResource" - "cognito-identity:GetPrincipalTagAttributeMap" - "cognito-identity:SetPrincipalTagAttributeMap" - "elastic-inference:ListTagsForResource" - "elastic-inference:TagResource" - "elastic-inference:UntagResource" - "codecommit:TagResource" - "codeguru-reviewer:ListTagsForResource" - "codeguru-reviewer:TagResource" - "codeguru-reviewer:UnTagResource" - "ecr-public:ListTagsForResource" - "ecr-public:TagResource" - "ecr-public:UntagResource" - "emr-containers:ListTagsForResource" - "emr-containers:TagResource" - "emr-containers:UntagResource" - "ssm-incidents:ListTagsForResource" - "ssm-incidents:TagResource" - "ssm-incidents:UntagResource" - "ssm-contacts:ListTagsForResource" - "ssm-contacts:TagResource" - "ssm-contacts:UntagResource" - "finspace:ListTagsForResource" - "finspace:TagResource" - "finspace:UntagResource" - "lakeformation:AddLFTagsToResource" - "lakeformation:CreateLFTag" - "lakeformation:DeleteLFTag" - "lakeformation:GetLFTag" - "lakeformation:GetResourceLFTags" - "lakeformation:ListLFTags" - "lakeformation:RemoveLFTagsFromResource" - "lakeformation:SearchDatabasesByLFTags" - "lakeformation:SearchTablesByLFTags" - "lakeformation:UpdateLFTag" - "proton:ListTagsForResource" - "proton:TagResource" - "proton:UntagResource" - "config:GetAggregateConformancePackComplianceSummary" - "geo:ListTagsForResource" - "geo:TagResource" - "geo:UntagResource" - "rds:AddTagsToResource" - "healthlake:ListTagsForResource" - "healthlake:TagResource" - "healthlake:UntagResource" - "elasticbeanstalk:UpdateTagsForResource" - "ce:GetTags" - "connect:ListAgentStatuses" - "fsx:TagResource" - "memorydb:TagResource" - "memorydb:ListTags" - "memorydb:TagResource" - "memorydb:UntagResource" - "es:AddTags" - "es:ListTags" - "es:RemoveTags" - "aps:ListTagsForResource" - "aps:TagResource" - "aps:UntagResource" - "firehose:TagDeliveryStream" - "wisdom:ListTagsForResource" - "wisdom:TagResource" - "wisdom:UntagResource" - "panorama:ListTagsForResource" - "panorama:TagResource" - "panorama:UntagResource" - "rds:AddTagsToResource" - "fsx:TagResource" - "timestream:ListTagsForResource" - "timestream:TagResource" - "timestream:UntagResource" - "lex:ListAggregatedUtterances" - "resiliencehub:ListTagsForResource" - "resiliencehub:TagResource" - "resiliencehub:UntagResource" - "drs:ListTagsForResource" - "drs:TagResource" - "drs:UntagResource" - "inspector2:ListTagsForResource" - "inspector2:TagResource" - "inspector2:UntagResource" - "rbin:ListTagsForResource" - "rbin:TagResource" - "rbin:UntagResource" - "rum:ListTagsForResource" - "rum:TagResource" - "rum:UntagResource" - "iottwinmaker:ListTagsForResource" - "iottwinmaker:TagResource" - "iottwinmaker:UntagResource" - "evidently:ListTagsForResource" - "evidently:UntagResource" - "route53-recovery-readiness:ListTagsForResources" - "route53-recovery-readiness:TagResource" - "route53-recovery-readiness:UntagResource" - "snow-device-management:ListTagsForResource" - "snow-device-management:TagResource" - "snow-device-management:UntagResource" - "voiceid:ListTagsForResource" - "voiceid:TagResource" - "voiceid:UntagResource" - "backup-gateway:ListTagsForResource" - "backup-gateway:TagResource" - "backup-gateway:UntagResource" - "workspaces-web:ListTagsForResource" - "workspaces-web:TagResource" - "workspaces-web:UntagResource" - "route53-recovery-control-config:ListTagsForResource" - "route53-recovery-control-config:TagResource" - "route53-recovery-control-config:UntagResource" - "honeycode:ListTagsForResource" - "honeycode:TagResource" - "honeycode:UntagResource" - "chime:ListTagsForResource" - "chime:TagResource" - "chime:UntagResource" - "refactor-spaces:ListTagsForResource" - "refactor-spaces:TagResource" - "refactor-spaces:UntagResource" - "evidently:TagResource" - "transcribe:ListTagsForResource" - "transcribe:TagResource" - "transcribe:UntagResource" - "ce:ListTagsForResource" - "ce:TagResource" - "ce:UntagResource" - "grafana:ListTagsForResource" - "grafana:TagResource" - "grafana:UntagResource" - "billingconductor:ListTagsForResource" - "billingconductor:TagResource" - "billingconductor:UntagResource" - "gamesparks:ListTagsForResource" - "gamesparks:TagResource" - "gamesparks:UntagResource" - "ivschat:ListTagsForResource" - "ivschat:TagResource" - "ivschat:UntagResource" - "ce:ListCostAllocationTags" - "ce:UpdateCostAllocationTagsStatus" - "m2:ListTagsForResource" - "m2:TagResource" - "m2:UntagResource" - "connect-campaigns:ListTagsForResource" - "connect-campaigns:TagResource" - "connect-campaigns:UntagResource" - "transfer:ListAgreements" - "rolesanywhere:ListTagsForResource" - "rolesanywhere:TagResource" - "rolesanywhere:UntagResource" - "sagemaker:AddTags" - "personalize:ListTagsForResource" - "personalize:TagResource" - "personalize:UntagResource" - "redshift-serverless:ListTagsForResource" - "redshift-serverless:TagResource" - "redshift-serverless:UntagResource" - "iotfleetwise:ListTagsForResource" - "iotfleetwise:TagResource" - "iotfleetwise:UntagResource" - "migrationhub-orchestrator:ListTagsForResource" - "migrationhub-orchestrator:TagResource" - "migrationhub-orchestrator:UntagResource" - "chime:ListTagsForResource" - "chime:TagResource" - "chime:UntagResource" - "chime:ListTagsForResource" - "chime:TagResource" - "chime:UntagResource" - "cassandra:TagResource" - "cassandra:UntagResource" - "sms-voice:ListTagsForResource" - "sms-voice:TagResource" - "sms-voice:UntagResource" - "chime:ListTagsForResource" - "chime:TagResource" - "chime:UntagResource" - "private-networks:ListTagsForResource" - "private-networks:UntagResource" - "logs:ListTagsForResource" - "logs:TagResource" - "logs:UntagResource" - "sagemaker:AddTags" - "translate:ListTagsForResource" - "translate:TagResource" - "translate:UntagResource" - "fsx:TagResource" - "aws-marketplace:ListTagsForResource" - "aws-marketplace:TagResource" - "aws-marketplace:UntagResource" - "memorydb:TagResource" - "emr-serverless:ListTagsForResource" - "emr-serverless:TagResource" - "emr-serverless:UntagResource" - "private-networks:TagResource" - "scheduler:ListTagsForResource" - "scheduler:TagResource" - "scheduler:UntagResource" - "oam:TagResource" - "oam:ListTagsForResource" - "oam:TagResource" - "oam:UntagResource" - "omics:ListTagsForResource" - "omics:TagResource" - "omics:UntagResource" - "simspaceweaver:ListTagsForResource" - "simspaceweaver:TagResource" - "simspaceweaver:UntagResource" - "pipes:ListTagsForResource" - "pipes:TagResource" - "pipes:UntagResource" - "cloudtrail:AddTags" - "rds:AddTagsToResource" - "application-autoscaling:ListTagsForResource" - "application-autoscaling:TagResource" - "application-autoscaling:UntagResource" - "sagemaker:AddTags" - "ram:TagResource" - "groundstation:GetAgentConfiguration" - "resource-explorer-2:ListTagsForResource" - "resource-explorer-2:TagResource" - "resource-explorer-2:UntagResource" - "ssm-sap:ListTagsForResource" - "ssm-sap:TagResource" - "ssm-sap:UntagResource" - "docdb-elastic:ListTagsForResource" - "docdb-elastic:TagResource" - "docdb-elastic:UntagResource" - "sagemaker-geospatial:ListTagsForResource" - "sagemaker-geospatial:TagResource" - "sagemaker-geospatial:UntagResource" - "kendra-ranking:ListTagsForResource" - "kendra-ranking:TagResource" - "kendra-ranking:UntagResource" - "cleanrooms:ListTagsForResource" - "cleanrooms:TagResource" - "cleanrooms:UntagResource" - "tnb:ListTagsForResource" - "tnb:TagResource" - "tnb:UntagResource" - "internetmonitor:ListTagsForResource" - "internetmonitor:TagResource" - "internetmonitor:UntagResource" - "osis:ListTagsForResource" - "osis:TagResource" - "osis:UntagResource" - "vpc-lattice:ListTagsForResource" - "vpc-lattice:TagResource" - "vpc-lattice:UntagResource" - "connect:SearchResourceTags" - "mediapackagev2:ListTagsForResource" - "mediapackagev2:TagResource" - "mediapackagev2:UntagResource" - "payment-cryptography:TagResource" - "payment-cryptography:ListTagsForResource" - "payment-cryptography:TagResource" - "payment-cryptography:UntagResource" - "codeguru-security:ListTagsForResource" - "codeguru-security:TagResource" - "codeguru-security:UntagResource" - "pi:ListTagsForResource" - "pi:TagResource" - "pi:UntagResource" - "securitylake:ListTagsForResource" - "securitylake:TagResource" - "securitylake:UntagResource" - "appfabric:ListTagsForResource" - "appfabric:TagResource" - "appfabric:UntagResource" - "entityresolution:ListTagsForResource" - "entityresolution:TagResource" - "entityresolution:UntagResource" - "cur:ListTagsForResource" - "cur:TagResource" - "cur:UntagResource" - "elasticache:AddTagsToResource" - "ec2:DescribeTags" - "elasticache:AddTagsToResource" - "ec2:DescribeTags" - "elasticloadbalancing:AddTags" - "s3:ListTagsForResource" - "s3:TagResource" - "s3:UntagResource" - "sagemaker:AddTags" - "textract:ListTagsForResource" - "textract:TagResource" - "textract:UntagResource" - "imagebuilder:TagResource" - "aps:TagResource" - "controltower:TagResource" - "controltower:ListTagsForResource" - "controltower:TagResource" - "controltower:UntagResource" - "bedrock:ListTagsForResource" - "bedrock:TagResource" - "bedrock:UntagResource" - "datazone:ListTagsForResource" - "datazone:TagResource" - "datazone:UntagResource" - "repostspace:ListTagsForResource" - "repostspace:TagResource" - "repostspace:UntagResource" - "b2bi:ListTagsForResource" - "b2bi:TagResource" - "b2bi:UntagResource" - "qbusiness:ListTagsForResource" - "qbusiness:TagResource" - "qbusiness:UntagResource" - "cleanrooms-ml:ListTagsForResource" - "cleanrooms-ml:TagResource" - "cleanrooms-ml:UnTagResource" - "connect:UntagContact"