
Cloudaware AWS CloudFormation Template

This document stores the Cloudaware-provided CloudFormation template for the AWS cross-account integration role. The JSON file is also available here.

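The template contains placeholders for buckets. Before deploying, replace each placeholder (e.g., YOUR-CLOUDTRAIL-BUCKET, YOUR-BILLING-BUCKET or YOUR-BUCKET) with the values for your own buckets. The role's trust policy lets the Cloudaware collector principal assume the role only when `sts:ExternalId` equals the `AccessExternalId` parameter, and the template sets no minimum length on that parameter, so make sure the External ID is actually filled in when you create the stack.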

JSON
{
 "AWSTemplateFormatVersion": "2010-09-09",
 "Description": "CloudAware IAM Role Stack Template",
 "Metadata": {
  "AWS::CloudFormation::Interface": {
   "ParameterGroups": [
    {
     "Label": {
      "default": "Access"
     },
     "Parameters": [
      "AccessRoleArn",
      "AccessRoleName",
      "AccessExternalId"
     ]
    },
    {
     "Label": {
      "default": "Policies"
     },
     "Parameters": [
      "PolicyCloudTrailStatus",
      "PolicyBillingStatus",
      "PolicyCloudAwareMonitoringStatus",
      "PolicyBackupsStatus",
      "PolicyTaggingStatus",
      "PolicyInstanceSchedulerStatus",
      "PolicyConfluxStatus"
     ]
    },
    {
     "Label": {
      "default": "Parameters"
     },
     "Parameters": [
      "S3BackupDestinationBucket"
     ]
    }
   ],
   "ParameterLabels": {
    "AccessRoleArn": {
     "default": "CloudAware Role ARN"
    },
    "AccessRoleName": {
     "default": "CloudAware Role Name"
    },
    "AccessExternalId": {
     "default": "External ID"
    },
    "S3BackupDestinationBucket": {
     "default": "S3 Backup Destination Bucket Name"
    },
    "PolicyCloudTrailStatus": {
     "default": "CloudTrail"
    },
    "PolicyBillingStatus": {
     "default": "Billing"
    },
    "PolicyCloudAwareMonitoringStatus": {
     "default": "CloudAware Monitoring"
    },
    "PolicyBackupsStatus": {
     "default": "Backups"
    },
    "PolicyTaggingStatus": {
     "default": "Tagging"
    },
    "PolicyInstanceSchedulerStatus": {
     "default": "Instance Scheduler"
    },
    "PolicyConfluxStatus": {
     "default": "Conflux"
    }
   }
  }
 },
 "Parameters": {
  "AccessRoleArn": {
   "Type": "String",
   "Default": "CloudAware.aws",
   "MinLength": "1",
   "AllowedValues": [
    "CloudAware.aws",
    "CloudAware.aws-us-gov"
   ],
   "Description": "CloudAware trusted role ARN"
  },
  "AccessRoleName": {
   "Type": "String",
   "Default": "auto-generate",
   "Description": "Role name inside this account"
  },
  "AccessExternalId": {
   "Type": "String"
  },
  "S3BackupDestinationBucket": {
   "Type": "String"
  },
  "PolicyCloudTrailStatus": {
   "Type": "String",
   "Default": "Not Available",
   "MinLength": "1",
   "AllowedValues": [
    "Not Available"
   ]
  },
  "PolicyBillingStatus": {
   "Type": "String",
   "Default": "Not Available",
   "MinLength": "1",
   "AllowedValues": [
    "Not Available"
   ]
  },
  "PolicyCloudAwareMonitoringStatus": {
   "Type": "String",
   "Default": "Disabled",
   "MinLength": "1",
   "AllowedValues": [
    "Enabled",
    "Disabled"
   ]
  },
  "PolicyBackupsStatus": {
   "Type": "String",
   "Default": "Disabled",
   "MinLength": "1",
   "AllowedValues": [
    "Enabled",
    "Disabled"
   ]
  },
  "PolicyTaggingStatus": {
   "Type": "String",
   "Default": "Disabled",
   "MinLength": "1",
   "AllowedValues": [
    "Enabled",
    "Disabled"
   ]
  },
  "PolicyInstanceSchedulerStatus": {
   "Type": "String",
   "Default": "Disabled",
   "MinLength": "1",
   "AllowedValues": [
    "Enabled",
    "Disabled"
   ]
  },
  "PolicyConfluxStatus": {
   "Type": "String",
   "Default": "Not Available",
   "MinLength": "1",
   "AllowedValues": [
    "Not Available"
   ]
  }
 },
 "Conditions": {
  "AccessRoleNameProvided": {
   "Fn::Not": [
    {
     "Fn::Equals": [
      {
       "Ref": "AccessRoleName"
      },
      "auto-generate"
     ]
    }
   ]
  },
  "PartitionAws": {
   "Fn::Equals": [
    {
     "Ref": "AWS::Partition"
    },
    "aws"
   ]
  },
  "PartitionAwsUsGov": {
   "Fn::Equals": [
    {
     "Ref": "AWS::Partition"
    },
    "aws-us-gov"
   ]
  },
  "PartitionAwsCn": {
   "Fn::Equals": [
    {
     "Ref": "AWS::Partition"
    },
    "aws-cn"
   ]
  },
  "PolicyCloudTrailEnabled": {
   "Fn::Equals": [
    {
     "Ref": "PolicyCloudTrailStatus"
    },
    "Enabled"
   ]
  },
  "PolicyBillingEnabled": {
   "Fn::Equals": [
    {
     "Ref": "PolicyBillingStatus"
    },
    "Enabled"
   ]
  },
  "PolicyCloudAwareMonitoringEnabled": {
   "Fn::Equals": [
    {
     "Ref": "PolicyCloudAwareMonitoringStatus"
    },
    "Enabled"
   ]
  },
  "PolicyBackupsEnabled": {
   "Fn::Equals": [
    {
     "Ref": "PolicyBackupsStatus"
    },
    "Enabled"
   ]
  },
  "PolicyTaggingEnabled": {
   "Fn::Equals": [
    {
     "Ref": "PolicyTaggingStatus"
    },
    "Enabled"
   ]
  },
  "PolicyInstanceSchedulerEnabled": {
   "Fn::Equals": [
    {
     "Ref": "PolicyInstanceSchedulerStatus"
    },
    "Enabled"
   ]
  },
  "PolicyConfluxEnabled": {
   "Fn::Equals": [
    {
     "Ref": "PolicyConfluxStatus"
    },
    "Enabled"
   ]
  }
 },
 "Mappings": {
  "AccessRoleArnMap": {
   "CloudAware.aws": {
    "Arn": "arn:aws:iam::814021343637:user/ca-collector"
   },
   "CloudAware.aws-us-gov": {
    "Arn": "arn:aws-us-gov:iam::321683528484:user/cloudaware-collector"
   }
  }
 },
 "Resources": {
  "CloudAwareIamRole": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "RoleName": {
     "Fn::If": [
      "AccessRoleNameProvided",
      {
       "Ref": "AccessRoleName"
      },
      {
       "Ref": "AWS::NoValue"
      }
     ]
    },
    "AssumeRolePolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Principal": {
        "AWS": {
         "Fn::FindInMap": [
          "AccessRoleArnMap",
          {
           "Ref": "AccessRoleArn"
          },
          "Arn"
         ]
        }
       },
       "Condition": {
        "StringEquals": {
         "sts:ExternalId": {
          "Ref": "AccessExternalId"
         }
        }
       },
       "Action": "sts:AssumeRole"
      }
     ]
    }
   }
  },
  "CollectorPolicy1": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "CloudAwareCollectorPolicy1",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "ec2:Des*",
        "ec2:GetA*",
        "ec2:GetC*",
        "ec2:GetD*",
        "ec2:GetE*",
        "ec2:GetFlowLogsIntegrationTemplate",
        "ec2:GetGroupsForCapacityReservation",
        "ec2:GetHostReservationPurchasePreview",
        "ec2:GetI*",
        "ec2:GetLaunchTemplateData",
        "ec2:GetM*",
        "ec2:GetN*",
        "ec2:GetR*",
        "ec2:GetS*",
        "ec2:GetT*",
        "ec2:GetV*",
        "ec2:Li*",
        "rds:Des*",
        "rds:ListTagsForResource",
        "iam:GenerateCredentialReport",
        "iam:Get*",
        "iam:L*",
        "s3:Des*",
        "s3:GetA*",
        "s3:GetB*",
        "s3:GetEncryptionConfiguration",
        "s3:GetI*",
        "s3:GetJobTagging",
        "s3:GetLifecycleConfiguration",
        "s3:GetM*",
        "s3:GetObjectA*",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging",
        "s3:GetObjectVersionA*",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTagging",
        "s3:GetReplicationConfiguration",
        "s3:GetS*",
        "s3:L*",
        "sqs:G*",
        "sqs:L*",
        "cloudfront:Des*",
        "cloudfront:G*",
        "cloudfront:L*",
        "elasticmapreduce:Des*",
        "elasticmapreduce:GetAutoTerminationPolicy",
        "elasticmapreduce:GetBlockPublicAccessConfiguration",
        "elasticmapreduce:GetManagedScalingPolicy",
        "elasticmapreduce:GetStudioSessionMapping",
        "elasticmapreduce:Lis*",
        "elasticmapreduce:ViewEventsFromAllClustersInConsole",
        "elasticloadbalancing:Des*",
        "elasticloadbalancing:G*",
        "snowball:D*",
        "snowball:GetJobManifest",
        "snowball:GetS*",
        "snowball:L*",
        "sns:G*",
        "sns:L*",
        "cloudformation:Des*",
        "cloudformation:G*",
        "cloudformation:L*",
        "route53:G*",
        "route53:L*",
        "elasticbeanstalk:Des*",
        "elasticbeanstalk:L*",
        "cloudwatch:B*",
        "cloudwatch:Des*",
        "cloudwatch:Get*",
        "cloudwatch:Lis*",
        "autoscaling:Des*",
        "autoscaling:GetPredictiveScalingForecast",
        "ses:BatchGetMetricData",
        "ses:Des*",
        "ses:G*",
        "ses:L*",
        "sts:GetAccessKeyInfo",
        "sts:GetCallerIdentity",
        "sts:GetServiceBearerToken",
        "dynamodb:Des*",
        "dynamodb:G*",
        "dynamodb:L*",
        "dynamodb:ReadDataForReplication",
        "glacier:Des*",
        "glacier:G*",
        "glacier:L*",
        "redshift:Des*",
        "redshift:GetIdentityCenterAuthToken",
        "redshift:GetR*",
        "redshift:L*",
        "redshift:V*",
        "cloudtrail:Des*",
        "cloudtrail:Get*",
        "cloudtrail:L*",
        "kinesis:Des*",
        "kinesis:G*",
        "kinesis:L*",
        "kinesisanalytics:Des*",
        "kinesisanalytics:GetApplicationState",
        "kinesisanalytics:L*",
        "kinesisvideo:Des*",
        "kinesisvideo:G*",
        "kinesisvideo:L*",
        "ecs:Des*",
        "ecs:GetTaskProtection",
        "ecs:L*",
        "lambda:G*",
        "lambda:L*",
        "machinelearning:Des*",
        "machinelearning:G*",
        "kms:Des*",
        "kms:Get*",
        "kms:L*",
        "elasticache:Des*",
        "elasticache:L*",
        "iot:Des*",
        "iot:G*",
        "iot:L*",
        "storagegateway:DescribeAvailabilityMonitorTest",
        "storagegateway:DescribeB*",
        "storagegateway:DescribeCa*",
        "storagegateway:DescribeFileSystemAssociations",
        "storagegateway:DescribeGatewayInformation",
        "storagegateway:DescribeMaintenanceStartTime",
        "storagegateway:DescribeNFSFileShares",
        "storagegateway:DescribeS*",
        "storagegateway:DescribeT*",
        "storagegateway:DescribeUploadBuffer",
        "storagegateway:DescribeVTLDevices",
        "storagegateway:DescribeWorkingStorage",
        "storagegateway:L*",
        "workspaces:Des*",
        "workspaces:GetAccountLink",
        "workspaces:L*",
        "support:*",
        "opsworks:Des*",
        "opsworks:GetHostnameSuggestion",
        "opsworks:ListTags",
        "glue:BatchGetBlueprints",
        "glue:BatchGetC*",
        "glue:BatchGetDevEndpoints",
        "glue:BatchGetJobs",
        "glue:BatchGetPartition",
        "glue:BatchGetT*",
        "glue:BatchGetWorkflows",
        "glue:DescribeI*",
        "glue:GetB*",
        "glue:GetC*",
        "glue:GetDashboardUrl",
        "glue:GetDataCatalogEncryptionSettings",
        "glue:GetDataQ*",
        "glue:GetDatab*",
        "glue:GetDataflowGraph",
        "glue:GetDe*",
        "glue:GetEntityRecords",
        "glue:GetG*",
        "glue:GetI*",
        "glue:GetJ*",
        "glue:GetM*",
        "glue:GetP*",
        "glue:GetRegistry",
        "glue:GetRes*",
        "glue:GetSc*",
        "glue:GetSe*",
        "glue:GetStatement",
        "glue:GetT*",
        "glue:GetU*",
        "glue:GetW*",
        "glue:ListBlueprints",
        "glue:ListColumnStatisticsTaskRuns",
        "glue:ListCr*",
        "glue:ListCustomEntityTypes",
        "glue:ListD*",
        "glue:ListIntegrationResourceProperties",
        "glue:ListJ*",
        "glue:ListMLTransforms",
        "glue:ListRegistries",
        "glue:ListS*",
        "glue:ListT*",
        "glue:ListUsageProfiles",
        "glue:ListWorkflows",
        "application-autoscaling:Des*",
        "application-autoscaling:GetPredictiveScalingForecast",
        "application-autoscaling:ListTagsForResource",
        "apigateway:G*",
        "apigateway:L*",
        "clouddirectory:G*",
        "clouddirectory:L*",
        "pricing:*",
        "organizations:Des*",
        "organizations:Li*",
        "elasticfilesystem:Des*",
        "elasticfilesystem:ListTagsForResource",
        "ecr:BatchG*",
        "ecr:Des*",
        "ecr:GetAccountSetting",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetImageCopyStatus",
        "ecr:GetL*",
        "ecr:GetR*",
        "ecr:GetSigningConfiguration",
        "ecr:L*",
        "comprehend:Des*",
        "comprehend:L*",
        "mobileanalytics:G*",
        "dms:Des*",
        "dms:GetTargetSelectionRules",
        "dms:L*",
        "ssm:Des*",
        "ssm:GetA*",
        "ssm:GetC*",
        "ssm:GetD*",
        "ssm:GetExecutionPreview",
        "ssm:GetI*",
        "ssm:GetM*",
        "ssm:GetO*",
        "ssm:GetPat*",
        "ssm:GetResourcePolicies",
        "ssm:GetServiceSetting",
        "ssm:Li*",
        "sso:Des*",
        "sso:G*",
        "sso:L*",
        "mgh:Des*",
        "mgh:G*",
        "mgh:L*",
        "artifact:G*",
        "artifact:L*",
        "transcribe:DescribeLanguageModel",
        "transcribe:G*",
        "transcribe:L*",
        "devicefarm:G*",
        "devicefarm:L*",
        "guardduty:Des*",
        "guardduty:G*",
        "guardduty:L*",
        "events:Des*",
        "events:L*",
        "lex:Des*",
        "lex:Get*",
        "lex:L*",
        "ram:G*",
        "ram:L*",
        "signer:DescribeSigningJob",
        "signer:G*",
        "signer:L*",
        "mediaconnect:Des*",
        "mediaconnect:Ge*",
        "mediaconnect:L*",
        "sagemaker:BatchG*",
        "sagemaker:Des*",
        "sagemaker:G*",
        "sagemaker:L*",
        "resource-groups:Ge*",
        "resource-groups:L*",
        "globalaccelerator:Des*",
        "globalaccelerator:L*",
        "serverlessrepo:G*",
        "serverlessrepo:L*",
        "sdb:G*",
        "sdb:L*",
        "mediapackage:Des*",
        "mediapackage:L*",
        "kafka:Des*",
        "kafka:G*",
        "kafka:L*",
        "sms-voice:Des*",
        "sms-voice:G*",
        "sms-voice:L*",
        "athena:B*",
        "athena:GetC*",
        "athena:GetD*",
        "athena:GetE*",
        "athena:GetN*",
        "athena:GetPreparedStatement",
        "athena:GetQ*",
        "athena:GetResourceDashboard",
        "athena:GetSessionStatus",
        "athena:GetT*",
        "athena:GetWorkGroup",
        "athena:L*",
        "aws-marketplace:Des*",
        "aws-marketplace:G*",
        "aws-marketplace:L*",
        "aws-marketplace:ViewSubscriptions",
        "mobiletargeting:G*",
        "mobiletargeting:L*"
       ],
       "Resource": [
        "*"
       ]
      }
     ]
    }
   }
  },
  "CollectorPolicy2": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "CloudAwareCollectorPolicy2",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "autoscaling-plans:Des*",
        "autoscaling-plans:GetScalingPlanResourceForecastData",
        "cur:DescribeReportDefinitions",
        "cur:G*",
        "cur:ListTagsForResource",
        "shield:Des*",
        "shield:G*",
        "shield:L*",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetR*",
        "secretsmanager:L*",
        "route53domains:G*",
        "route53domains:L*",
        "route53domains:ViewBilling",
        "fsx:Des*",
        "fsx:ListTagsForResource",
        "amplify:Get*",
        "amplify:L*",
        "freertos:Des*",
        "freertos:G*",
        "freertos:L*",
        "medialive:Des*",
        "medialive:G*",
        "medialive:L*",
        "cloudhsm:Des*",
        "cloudhsm:GetResourcePolicy",
        "cloudhsm:ListTags",
        "codedeploy:B*",
        "codedeploy:G*",
        "codedeploy:L*",
        "route53resolver:G*",
        "route53resolver:L*",
        "importexport:G*",
        "importexport:ListJobs",
        "workmail:Des*",
        "workmail:G*",
        "workmail:L*",
        "datapipeline:Des*",
        "datapipeline:G*",
        "datapipeline:ListPipelines",
        "sms:Get*",
        "sms:ListApps",
        "codebuild:BatchG*",
        "codebuild:Des*",
        "codebuild:G*",
        "codebuild:L*",
        "iotanalytics:Des*",
        "iotanalytics:GetDatasetContent",
        "iotanalytics:L*",
        "connect:BatchG*",
        "connect:Des*",
        "connect:GetAttachedFile",
        "connect:GetC*",
        "connect:GetEffectiveHoursOfOperations",
        "connect:GetFlowAssociation",
        "connect:GetM*",
        "connect:GetPromptFile",
        "connect:GetT*",
        "connect:ListA*",
        "connect:ListBots",
        "connect:ListC*",
        "connect:ListD*",
        "connect:ListE*",
        "connect:ListFlowAssociations",
        "connect:ListH*",
        "connect:ListI*",
        "connect:ListL*",
        "connect:ListNotifications",
        "connect:ListP*",
        "connect:ListQ*",
        "connect:ListR*",
        "connect:ListSecurityP*",
        "connect:ListT*",
        "connect:ListU*",
        "connect:ListV*",
        "connect:ListW*",
        "ce:Des*",
        "ce:G*",
        "ce:L*",
        "health:De*",
        "gamelift:Des*",
        "gamelift:GetComputeAccess",
        "gamelift:GetPlayerConnectionDetails",
        "gamelift:L*",
        "opsworks-cm:Des*",
        "opsworks-cm:ListTagsForResource",
        "sso-directory:Des*",
        "sso-directory:G*",
        "sso-directory:ListE*",
        "sso-directory:ListG*",
        "sso-directory:ListM*",
        "sso-directory:ListProvisioningTenants",
        "sso-directory:ListUsers",
        "discovery:Des*",
        "discovery:G*",
        "discovery:L*",
        "codecommit:BatchG*",
        "codecommit:Des*",
        "codecommit:Ge*",
        "codecommit:L*",
        "trustedadvisor:Des*",
        "trustedadvisor:Get*",
        "trustedadvisor:L*",
        "cognito-idp:DescribeIdentityProvider",
        "cognito-idp:DescribeM*",
        "cognito-idp:DescribeR*",
        "cognito-idp:DescribeTerms",
        "cognito-idp:DescribeUserImportJob",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolDomain",
        "cognito-idp:GetCSVHeader",
        "cognito-idp:GetDevice",
        "cognito-idp:GetGroup",
        "cognito-idp:GetIdentityProviderByIdentifier",
        "cognito-idp:GetLogDeliveryConfiguration",
        "cognito-idp:GetSigningCertificate",
        "cognito-idp:GetUICustomization",
        "cognito-idp:GetUser",
        "cognito-idp:GetUserPoolMfaConfig",
        "cognito-idp:GetWebACLForResource",
        "cognito-idp:L*",
        "config:B*",
        "config:Des*",
        "config:G*",
        "config:L*",
        "swf:CountClosedWorkflowExecutions",
        "swf:CountOpenWorkflowExecutions",
        "swf:Des*",
        "swf:GetWorkflowExecutionHistory",
        "swf:L*",
        "appsync:Ge*",
        "appsync:ListApis",
        "appsync:ListChannelNamespaces",
        "appsync:ListD*",
        "appsync:ListFunctions",
        "appsync:ListGraphqlApis",
        "appsync:ListR*",
        "appsync:ListSourceApiAssociations",
        "appsync:ListT*",
        "acm:DescribeCertificate",
        "acm:G*",
        "acm:L*",
        "xray:B*",
        "xray:G*",
        "xray:Lis*",
        "eks:Des*",
        "eks:L*",
        "fms:G*",
        "fms:L*",
        "translate:DescribeTextTranslationJob",
        "translate:G*",
        "translate:L*",
        "ds:Des*",
        "ds:G*",
        "ds:L*",
        "waf-regional:GetByteMatchSet",
        "waf-regional:GetChangeTokenStatus",
        "waf-regional:GetGeoMatchSet",
        "waf-regional:GetIPSet",
        "waf-regional:GetLoggingConfiguration",
        "waf-regional:GetPermissionPolicy",
        "waf-regional:GetR*",
        "waf-regional:GetS*",
        "waf-regional:GetW*",
        "waf-regional:GetXssMatchSet",
        "waf-regional:L*",
        "dax:Des*",
        "dax:GetItem",
        "dax:ListTags",
        "tag:DescribeReportCreation",
        "tag:G*",
        "tag:ListRequiredTags",
        "logs:Des*",
        "logs:G*",
        "logs:Lis*",
        "chime:Des*",
        "chime:G*",
        "chime:Li*",
        "firehose:DescribeDeliveryStream",
        "firehose:L*",
        "servicecatalog:Des*",
        "servicecatalog:G*",
        "servicecatalog:L*",
        "servicecatalog:Se*",
        "mechanicalturk:G*",
        "mechanicalturk:L*",
        "mq:Des*",
        "mq:L*",
        "batch:Des*",
        "batch:GetJobQueueSnapshot",
        "batch:L*",
        "iotevents:Des*",
        "iotevents:GetDetectorModelAnalysisResults",
        "iotevents:L*",
        "es:Des*",
        "es:G*",
        "es:L*",
        "cloud9:Des*",
        "cloud9:G*",
        "cloud9:L*",
        "transfer:Des*",
        "transfer:L*",
        "budgets:Des*",
        "budgets:ListTagsForResource",
        "budgets:ViewBudget",
        "textract:G*",
        "textract:L*",
        "groundtruthlabeling:DescribeConsoleJob",
        "groundtruthlabeling:Get*",
        "groundtruthlabeling:L*",
        "cognito-identity:Des*",
        "cognito-identity:GetIde*",
        "cognito-identity:GetPrincipalTagAttributeMap",
        "cognito-identity:L*",
        "mediastore:Des*",
        "mediastore:G*",
        "mediastore:L*",
        "polly:DescribeVoices",
        "polly:G*",
        "polly:L*",
        "license-manager:G*",
        "license-manager:L*",
        "a4b:G*",
        "a4b:L*",
        "acm-pca:Des*",
        "acm-pca:G*",
        "acm-pca:L*",
        "iot1click:Des*",
        "iot1click:G*",
        "iot1click:L*",
        "states:Des*",
        "states:GetExecutionHistory",
        "states:L*",
        "codepipeline:G*",
        "codepipeline:L*",
        "securityhub:BatchG*",
        "securityhub:Des*",
        "securityhub:G*",
        "securityhub:L*",
        "ec2messages:G*"
       ],
       "Resource": [
        "*"
       ]
      }
     ]
    }
   }
  },
  "CollectorPolicy3": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "CloudAwareCollectorPolicy3",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "greengrass:DescribeComponent",
        "greengrass:G*",
        "greengrass:L*",
        "servicediscovery:G*",
        "servicediscovery:L*",
        "workdocs:Des*",
        "workdocs:G*",
        "aws-marketplace-management:G*",
        "aws-marketplace-management:v*",
        "comprehendmedical:Des*",
        "comprehendmedical:L*",
        "rekognition:Des*",
        "rekognition:G*",
        "rekognition:L*",
        "waf:GetByteMatchSet",
        "waf:GetChangeTokenStatus",
        "waf:GetGeoMatchSet",
        "waf:GetIPSet",
        "waf:GetLoggingConfiguration",
        "waf:GetPermissionPolicy",
        "waf:GetR*",
        "waf:GetS*",
        "waf:GetWebACL",
        "waf:GetXssMatchSet",
        "waf:L*",
        "appstream:Des*",
        "appstream:GetExportImageTask",
        "appstream:L*",
        "quicksight:BatchGetPreferences",
        "quicksight:DescribeA*",
        "quicksight:DescribeB*",
        "quicksight:DescribeC*",
        "quicksight:DescribeDas*",
        "quicksight:DescribeDataSet",
        "quicksight:DescribeDataSetRefreshProperties",
        "quicksight:DescribeDataSource",
        "quicksight:DescribeDefaultQBusinessApplication",
        "quicksight:DescribeE*",
        "quicksight:DescribeF*",
        "quicksight:DescribeG*",
        "quicksight:DescribeI*",
        "quicksight:DescribeKeyRegistration",
        "quicksight:DescribeNamespace",
        "quicksight:DescribeQ*",
        "quicksight:DescribeR*",
        "quicksight:DescribeSelfUpgradeConfiguration",
        "quicksight:DescribeTe*",
        "quicksight:DescribeTh*",
        "quicksight:DescribeTopic",
        "quicksight:DescribeTopicR*",
        "quicksight:DescribeUser",
        "quicksight:DescribeVPCConnection",
        "quicksight:Get*",
        "quicksight:L*",
        "dlm:G*",
        "dlm:ListTagsForResource",
        "wellarchitected:G*",
        "wellarchitected:L*",
        "mediaconvert:DescribeEndpoints",
        "mediaconvert:G*",
        "mediaconvert:L*",
        "inspector:Des*",
        "inspector:G*",
        "inspector:L*",
        "lightsail:GetA*",
        "lightsail:GetBlueprints",
        "lightsail:GetBucketBundles",
        "lightsail:GetBucketMetricData",
        "lightsail:GetBuckets",
        "lightsail:GetBundles",
        "lightsail:GetC*",
        "lightsail:GetD*",
        "lightsail:GetExportSnapshotRecords",
        "lightsail:GetInstance",
        "lightsail:GetInstanceMetricData",
        "lightsail:GetInstancePortStates",
        "lightsail:GetInstanceS*",
        "lightsail:GetInstances",
        "lightsail:GetL*",
        "lightsail:GetO*",
        "lightsail:GetRegions",
        "lightsail:GetRelationalDatabase",
        "lightsail:GetRelationalDatabaseB*",
        "lightsail:GetRelationalDatabaseEvents",
        "lightsail:GetRelationalDatabaseL*",
        "lightsail:GetRelationalDatabaseMetricData",
        "lightsail:GetRelationalDatabaseParameters",
        "lightsail:GetRelationalDatabaseS*",
        "lightsail:GetRelationalDatabases",
        "lightsail:GetS*",
        "robomaker:Des*",
        "robomaker:GetWorldTemplateBody",
        "robomaker:L*",
        "codestar:Des*",
        "codestar:GetExtendedAccess",
        "codestar:L*",
        "cognito-sync:Des*",
        "cognito-sync:G*",
        "cognito-sync:L*",
        "cloudsearch:Des*",
        "cloudsearch:L*",
        "directconnect:Des*",
        "directconnect:ListVirtualInterfaceTestHistory",
        "neptune-db:G*",
        "neptune-db:L*",
        "neptune-db:ReadDataViaQuery",
        "elastictranscoder:L*",
        "elastictranscoder:R*",
        "pi:DescribeDimensionKeys",
        "pi:G*",
        "pi:L*",
        "activate:G*",
        "backup:Des*",
        "backup:G*",
        "backup:ListB*",
        "backup:ListC*",
        "backup:ListFrameworks",
        "backup:ListIndexedRecoveryPoints",
        "backup:ListLegalHolds",
        "backup:ListP*",
        "backup:ListR*",
        "backup:ListS*",
        "backup:ListT*",
        "worklink:Des*",
        "worklink:L*",
        "datasync:Des*",
        "datasync:L*",
        "iotsitewise:BatchG*",
        "iotsitewise:Des*",
        "iotsitewise:G*",
        "iotsitewise:L*",
        "mediatailor:Des*",
        "mediatailor:G*",
        "mediatailor:L*",
        "account:G*",
        "account:ListRegions",
        "appmesh:Des*",
        "appmesh:GetMeshPolicy",
        "appmesh:L*",
        "managedblockchain:Ge*",
        "managedblockchain:L*",
        "groundstation:Des*",
        "groundstation:G*",
        "groundstation:L*",
        "personalize:Des*",
        "personalize:G*",
        "personalize:L*",
        "applicationinsights:Des*",
        "applicationinsights:Lis*",
        "servicequotas:G*",
        "servicequotas:L*",
        "chatbot:Des*",
        "chatbot:GetAccountPreferences",
        "chatbot:GetCustomAction",
        "chatbot:GetMicrosoftTeamsChannelConfiguration",
        "chatbot:L*",
        "qldb:Des*",
        "qldb:G*",
        "qldb:L*",
        "mediapackage-vod:Des*",
        "mediapackage-vod:L*",
        "lakeformation:Des*",
        "lakeformation:GetDataCellsFilter",
        "lakeformation:GetDataL*",
        "lakeformation:GetEffectivePermissionsForPath",
        "lakeformation:GetL*",
        "lakeformation:GetQ*",
        "lakeformation:GetResourceLFTags",
        "lakeformation:GetT*",
        "lakeformation:GetW*",
        "lakeformation:L*",
        "forecast:Des*",
        "forecast:G*",
        "forecast:L*",
        "dbqms:Des*",
        "dbqms:GetQueryString",
        "workmailmessageflow:GetRawMessageContent",
        "deepracer:G*",
        "deepracer:L*",
        "codestar-notifications:DescribeNotificationRule",
        "codestar-notifications:L*",
        "savingsplans:Des*",
        "savingsplans:ListTagsForResource",
        "dataexchange:G*",
        "dataexchange:L*",
        "launchwizard:Des*",
        "launchwizard:G*",
        "launchwizard:L*",
        "appmesh-preview:Des*",
        "appmesh-preview:GetMeshPolicy",
        "appmesh-preview:L*",
        "synthetics:Des*",
        "synthetics:G*",
        "synthetics:L*",
        "schemas:Des*",
        "schemas:G*",
        "schemas:L*",
        "access-analyzer:Get*",
        "access-analyzer:L*",
        "imagebuilder:G*",
        "imagebuilder:L*",
        "cassandra:G*",
        "cassandra:ListStreams",
        "networkmanager:DescribeGlobalNetworks",
        "networkmanager:G*",
        "networkmanager:L*",
        "kendra:BatchGetDocumentStatus",
        "kendra:Des*",
        "kendra:G*",
        "kendra:L*",
        "compute-optimizer:DescribeRecommendationExportJobs",
        "compute-optimizer:G*",
        "frauddetector:BatchGetVariable",
        "frauddetector:Des*",
        "frauddetector:G*",
        "frauddetector:L*",
        "detective:B*",
        "detective:DescribeOrganizationConfiguration",
        "detective:G*",
        "detective:L*",
        "outposts:G*",
        "outposts:L*",
        "ebs:GetSnapshotBlock",
        "ebs:L*",
        "wafv2:Des*",
        "wafv2:Get*",
        "wafv2:L*",
        "codeguru-reviewer:De*",
        "codeguru-reviewer:GetMetricsData",
        "codeguru-reviewer:L*",
        "codeguru-profiler:BatchGetFrameMetricData",
        "codeguru-profiler:DescribeProfilingGroup",
        "codeguru-profiler:G*",
        "codeguru-profiler:L*",
        "appconfig:G*",
        "appconfig:L*",
        "awsconnector:GetConnectorHealth",
        "deepcomposer:G*",
        "deepcomposer:L*",
        "codeguru:GetCodeGuruFreeTrialSummary",
        "iq-permission:GetPermissionRequest",
        "iq-permission:ListPermissionRequests",
        "iq:G*",
        "iq:Lis*",
        "appflow:Des*",
        "appflow:L*"
       ],
       "Resource": [
        "*"
       ]
      }
     ]
    }
   }
  },
  "CollectorPolicy4": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "CloudAwareCollectorPolicy4",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "purchase-orders:G*",
        "purchase-orders:L*",
        "codestar-connections:G*",
        "codestar-connections:L*",
        "macie2:BatchGetCustomDataIdentifiers",
        "macie2:Des*",
        "macie2:G*",
        "macie2:L*",
        "resource-explorer:*",
        "codeartifact:Des*",
        "codeartifact:GetAssociatedPackageGroup",
        "codeartifact:GetDomainPermissionsPolicy",
        "codeartifact:GetP*",
        "codeartifact:GetR*",
        "codeartifact:L*",
        "codeartifact:ReadFromRepository",
        "honeycode:Des*",
        "honeycode:GetScreenData",
        "honeycode:ListDomains",
        "honeycode:ListGroups",
        "honeycode:ListTab*",
        "honeycode:ListTe*",
        "ivs:BatchG*",
        "ivs:G*",
        "ivs:L*",
        "identitystore:Des*",
        "identitystore:G*",
        "identitystore:L*",
        "elemental-appliances-software:G*",
        "elemental-appliances-software:ListQuotes",
        "elemental-activations:Get*",
        "braket:G*",
        "braket:ListTagsForResource",
        "redshift-data:D*",
        "redshift-data:G*",
        "redshift-data:L*",
        "timestream:Des*",
        "timestream:G*",
        "timestream:L*",
        "s3-outposts:G*",
        "s3-outposts:L*",
        "databrew:Des*",
        "databrew:L*",
        "network-firewall:Des*",
        "network-firewall:GetAnalysisReportResults",
        "network-firewall:L*",
        "elemental-support-cases:G*",
        "elemental-support-cases:ListTagsForCase",
        "airflow:GetEnvironment",
        "airflow:L*",
        "amplifybackend:Get*",
        "amplifybackend:L*",
        "proton:G*",
        "proton:L*",
        "profile:B*",
        "profile:G*",
        "profile:L*",
        "devops-guru:Des*",
        "devops-guru:G*",
        "devops-guru:L*",
        "ecr-public:Des*",
        "ecr-public:GetR*",
        "ecr-public:ListTagsForResource",
        "panorama:Des*",
        "panorama:GetWebSocketURL",
        "panorama:L*",
        "lookoutvision:Des*",
        "lookoutvision:L*",
        "monitron:G*",
        "monitron:ListProjectUserAssociations",
        "monitron:ListProjects",
        "monitron:ListTagsForResource",
        "monitron:ListUserAccessRoleAssociations",
        "auditmanager:G*",
        "auditmanager:L*",
        "emr-containers:Des*",
        "emr-containers:L*",
        "iotfleethub:DescribeApplication",
        "iotfleethub:L*",
        "aps:Des*",
        "aps:G*",
        "aps:L*",
        "iotwireless:G*",
        "iotwireless:L*",
        "cloudshell:DescribeEnvironments",
        "cloudshell:GetEnvironmentStatus",
        "iotdeviceadvisor:G*",
        "iotdeviceadvisor:L*",
        "geo:BatchGetDevicePosition",
        "geo:Des*",
        "geo:G*",
        "geo:L*",
        "grafana:Des*",
        "grafana:L*",
        "app-integrations:G*",
        "app-integrations:L*",
        "lookoutequipment:Des*",
        "lookoutequipment:L*",
        "tiros:G*",
        "lookoutmetrics:Des*",
        "lookoutmetrics:G*",
        "lookoutmetrics:L*",
        "fis:G*",
        "fis:L*",
        "s3-object-lambda:G*",
        "s3-object-lambda:L*",
        "healthlake:Des*",
        "healthlake:Get*",
        "healthlake:L*",
        "healthlake:ReadResource",
        "mgn:Des*",
        "mgn:G*",
        "mgn:L*",
        "ssm-incidents:BatchGetIncidentFindings",
        "ssm-incidents:G*",
        "ssm-incidents:L*",
        "controltower:Des*",
        "controltower:G*",
        "controltower:L*",
        "nimble:G*",
        "nimble:L*",
        "kafka-cluster:Des*",
        "kafka-cluster:ReadData",
        "ssm-contacts:Des*",
        "ssm-contacts:G*",
        "ssm-contacts:L*",
        "application-cost-profiler:GetReportDefinition",
        "application-cost-profiler:ListReportDefinitions",
        "apprunner:Des*",
        "apprunner:L*",
        "bugbust:G*",
        "bugbust:L*",
        "route53-recovery-readiness:G*",
        "route53-recovery-readiness:L*",
        "route53-recovery-cluster:GetRoutingControlState",
        "route53-recovery-cluster:ListRoutingControls",
        "route53-recovery-control-config:Des*",
        "route53-recovery-control-config:GetResourcePolicy",
        "route53-recovery-control-config:L*",
        "snow-device-management:D*",
        "snow-device-management:L*",
        "memorydb:Des*",
        "memorydb:L*",
        "sqlworkbench:BatchGetNotebookCell",
        "sqlworkbench:Get*",
        "sqlworkbench:L*",
        "connect-campaigns:DescribeCampaign",
        "connect-campaigns:G*",
        "connect-campaigns:L*",
        "voiceid:Des*",
        "voiceid:L*",
        "wisdom:G*",
        "wisdom:L*",
        "migrationhub-strategy:G*",
        "migrationhub-strategy:L*",
        "finspace:G*",
        "finspace:Li*",
        "kafkaconnect:Des*",
        "kafkaconnect:L*",
        "resiliencehub:Des*",
        "resiliencehub:L*",
        "inspector2:BatchG*",
        "inspector2:DescribeOrganizationConfiguration",
        "inspector2:G*",
        "inspector2:L*",
        "drs:Des*",
        "drs:G*",
        "drs:L*",
        "ssm-guiconnect:G*",
        "ssm-guiconnect:ListConnections",
        "backup-gateway:G*",
        "backup-gateway:L*",
        "evidently:G*",
        "evidently:L*",
        "refactor-spaces:G*",
        "refactor-spaces:L*",
        "rum:BatchGetRumMetricDefinitions",
        "rum:G*",
        "rum:L*",
        "rbin:GetRule",
        "rbin:Li*",
        "iotfleetwise:Get*",
        "iotfleetwise:L*",
        "workspaces-web:G*",
        "workspaces-web:L*",
        "iottwinmaker:G*",
        "iottwinmaker:L*",
        "serviceextract:GetConfig",
        "amplifyuibuilder:G*",
        "amplifyuibuilder:L*",
        "codedeploy-commands-secure:GetDeploymentSpecification",
        "sustainability:*",
        "rhelkb:GetRhelURL",
        "tax:G*",
        "tax:L*",
        "billingconductor:GetBillingGroupCostReport",
        "billingconductor:L*",
        "identity-sync:G*",
        "identity-sync:ListSyncFilters",
        "migrationhub-orchestrator:G*",
        "migrationhub-orchestrator:L*",
        "iotjobsdata:DescribeJobExecution",
        "iotjobsdata:GetPendingJobExecutions",
        "ivschat:G*",
        "ivschat:L*",
        "emr-serverless:G*",
        "emr-serverless:L*",
        "m2:G*",
        "m2:L*",
        "rolesanywhere:G*",
        "rolesanywhere:L*",
        "redshift-serverless:DescribeOneTimeCredit",
        "redshift-serverless:GetCustomDomainAssociation",
        "redshift-serverless:GetEndpointAccess",
        "redshift-serverless:GetIdentityCenterAuthToken",
        "redshift-serverless:GetManagedWorkgroup",
        "redshift-serverless:GetNamespace",
        "redshift-serverless:GetR*",
        "redshift-serverless:GetS*",
        "redshift-serverless:GetT*",
        "redshift-serverless:GetUsageLimit",
        "redshift-serverless:GetWorkgroup",
        "redshift-serverless:L*",
        "vendor-insights:G*",
        "vendor-insights:L*",
        "license-manager-user-subscriptions:L*",
        "private-networks:G*",
        "private-networks:L*",
        "cases:BatchG*",
        "cases:G*",
        "cases:L*",
        "billing:GetB*",
        "billing:GetC*",
        "billing:GetIAMAccessPreference",
        "billing:GetSellerOfRecord",
        "billing:L*",
        "supportplans:G*",
        "supportplans:ListSupportPlanModifiers",
        "supportapp:DescribeSlackChannels",
        "supportapp:G*",
        "supportapp:L*",
        "identitystore-auth:BatchGetSession",
        "identitystore-auth:ListSessions",
        "a2c:G*",
        "resource-explorer-2:BatchGetView",
        "resource-explorer-2:G*",
        "resource-explorer-2:L*",
        "scheduler:G*",
        "scheduler:L*",
        "ssm-sap:GetApplication",
        "ssm-sap:GetC*",
        "ssm-sap:GetDatabase",
        "ssm-sap:GetOperation",
        "ssm-sap:L*",
        "wickr:G*",
        "wickr:L*"
       ],
       "Resource": [
        "*"
       ]
      }
     ]
    }
   }
  },
  "CollectorPolicy5": {
   "Type": "AWS::IAM::ManagedPolicy",
   "Properties": {
    "ManagedPolicyName": "CloudAwareCollectorPolicy5",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "oam:G*",
        "oam:L*",
        "internetmonitor:G*",
        "internetmonitor:Lis*",
        "arc-zonal-shift:G*",
        "arc-zonal-shift:L*",
        "securitylake:G*",
        "securitylake:L*",
        "aoss:B*",
        "aoss:G*",
        "aoss:L*",
        "simspaceweaver:Des*",
        "simspaceweaver:L*",
        "omics:G*",
        "omics:L*",
        "docdb-elastic:G*",
        "docdb-elastic:L*",
        "sagemaker-geospatial:G*",
        "sagemaker-geospatial:L*",
        "vpc-lattice:G*",
        "vpc-lattice:L*",
        "pipes:DescribePipe",
        "pipes:L*",
        "codewhisperer:GetCustomization",
        "codewhisperer:L*",
        "license-manager-linux-subscriptions:G*",
        "license-manager-linux-subscriptions:L*",
        "codecatalyst:G*",
        "codecatalyst:L*",
        "invoicing:BatchGetInvoiceProfile",
        "invoicing:G*",
        "invoicing:L*",
        "payments:G*",
        "payments:L*",
        "kendra-ranking:DescribeRescoreExecutionPlan",
        "kendra-ranking:L*",
        "freetier:G*",
        "freetier:ListAccountActivities",
        "consolidatedbilling:*",
        "cleanrooms:B*",
        "cleanrooms:G*",
        "cleanrooms:L*",
        "finspace-api:GetProgrammaticAccessCredentials",
        "scn:DescribeInstance",
        "scn:G*",
        "scn:L*",
        "tnb:G*",
        "tnb:L*",
        "codeguru-security:BatchGetFindings",
        "codeguru-security:G*",
        "codeguru-security:L*",
        "datazone:BatchG*",
        "datazone:GetA*",
        "datazone:GetC*",
        "datazone:GetD*",
        "datazone:GetE*",
        "datazone:GetFormType",
        "datazone:GetG*",
        "datazone:GetJobRun",
        "datazone:GetL*",
        "datazone:GetMetadataGenerationRun",
        "datazone:GetN*",
        "datazone:GetP*",
        "datazone:GetRule",
        "datazone:GetS*",
        "datazone:GetTimeSeriesDataPoint",
        "datazone:GetU*",
        "datazone:L*",
        "notifications-contacts:GetEmailContact",
        "notifications-contacts:L*",
        "consoleapp:*",
        "notifications:G*",
        "notifications:L*",
        "osis:G*",
        "osis:L*",
        "customer-verification:G*",
        "mediapackagev2:G*",
        "mediapackagev2:L*",
        "verifiedpermissions:G*",
        "verifiedpermissions:L*",
        "payment-cryptography:Get*",
        "payment-cryptography:L*",
        "appfabric:G*",
        "appfabric:L*",
        "bedrock:Get*",
        "bedrock:L*",
        "medical-imaging:G*",
        "medical-imaging:L*",
        "entityresolution:Get*",
        "entityresolution:L*",
        "managedblockchain-query:*",
        "mapcredits:*",
        "pca-connector-ad:G*",
        "pca-connector-ad:L*",
        "application-transformation:G*",
        "cloudfront-keyvaluestore:DescribeKeyValueStore",
        "cloudfront-keyvaluestore:GetKey",
        "cloudfront-keyvaluestore:ListKeys",
        "bcm-data-exports:G*",
        "bcm-data-exports:L*",
        "cost-optimization-hub:G*",
        "cost-optimization-hub:L*",
        "thinclient:G*",
        "thinclient:L*",
        "b2bi:Get*",
        "b2bi:L*",
        "ts:G*",
        "ts:L*",
        "repostspace:G*",
        "repostspace:L*",
        "networkmanager-chat:L*",
        "one:G*",
        "one:L*",
        "q:Get*",
        "q:L*",
        "qbusiness:G*",
        "qbusiness:L*",
        "s3express:G*",
        "s3express:L*",
        "cleanrooms-ml:G*",
        "cleanrooms-ml:L*",
        "neptune-graph:G*",
        "neptune-graph:L*",
        "neptune-graph:ReadDataViaQuery",
        "networkmonitor:G*",
        "networkmonitor:L*",
        "timestream-influxdb:G*",
        "timestream-influxdb:L*",
        "codeconnections:G*",
        "codeconnections:L*",
        "deadline:BatchGetJobEntity",
        "deadline:G*",
        "deadline:L*",
        "controlcatalog:*",
        "route53profiles:G*",
        "route53profiles:L*",
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "qapps:DescribeQAppPermissions",
        "qapps:G*",
        "qapps:L*",
        "user-subscriptions:L*",
        "application-signals:BatchGetServiceLevelObjectiveBudgetReport",
        "application-signals:G*",
        "application-signals:Lis*",
        "pca-connector-scep:G*",
        "pca-connector-scep:L*",
        "apptest:G*",
        "apptest:L*",
        "sagemaker-mlflow:G*",
        "sagemaker-mlflow:Li*",
        "ssm-quicksetup:G*",
        "ssm-quicksetup:L*",
        "appstudio:G*",
        "pcs:G*",
        "pcs:L*",
        "ds-data:Des*",
        "ds-data:L*",
        "social-messaging:GetL*",
        "social-messaging:GetWhatsAppMessageTemplate",
        "social-messaging:L*",
        "geo-maps:*",
        "geo-places:GetPlace",
        "opensearch:G*",
        "opensearch:ListAutoOptimizeJobs",
        "partnercentral:G*",
        "partnercentral:L*",
        "bcm-pricing-calculator:G*",
        "bcm-pricing-calculator:ListB*",
        "bcm-pricing-calculator:ListW*",
        "observabilityadmin:G*",
        "observabilityadmin:L*",
        "security-ir:BatchGetMemberAccountDetails",
        "security-ir:GetCase",
        "security-ir:GetCaseAttachmentDownloadUrl",
        "security-ir:GetMembership",
        "security-ir:L*",
        "networkflowmonitor:G*",
        "networkflowmonitor:L*",
        "aiops:Get*",
        "aiops:L*",
        "dsql:G*",
        "dsql:L*",
        "s3tables:G*",
        "s3tables:L*",
        "backup-search:G*",
        "backup-search:L*",
        "qdeveloper:ListTagsForResource",
        "iotmanagedintegrations:G*",
        "iotmanagedintegrations:L*",
        "gameliftstreams:G*",
        "gameliftstreams:L*",
        "transform:G*",
        "transform:L*",
        "workspaces-instances:GetWorkspaceInstance",
        "workspaces-instances:L*",
        "evs:G*",
        "evs:L*",
        "support-console:DescribeDynamicHelp",
        "support-console:G*",
        "mpa:G*",
        "mpa:L*",
        "odb:G*",
        "odb:L*",
        "network-security-director:G*",
        "network-security-director:L*",
        "s3vectors:G*",
        "s3vectors:L*",
        "bedrock-agentcore:GetA*",
        "bedrock-agentcore:GetB*",
        "bedrock-agentcore:GetC*",
        "bedrock-agentcore:GetE*",
        "bedrock-agentcore:GetG*",
        "bedrock-agentcore:GetM*",
        "bedrock-agentcore:GetO*",
        "bedrock-agentcore:GetP*",
        "bedrock-agentcore:GetR*",
        "bedrock-agentcore:GetTokenVault",
        "bedrock-agentcore:GetWorkloadIdentity",
        "bedrock-agentcore:L*",
        "arc-region-switch:GetP*",
        "arc-region-switch:L*",
        "awsbillingconsole-deprecated:V*",
        "diode:Des*",
        "diode:GetAccountMappingPin",
        "diode:ListAccountMappings",
        "diode:ListT*",
        "diode-messaging:G*",
        "diode-messaging:L*",
        "bcm-recommended-actions:ListRecommendedActions",
        "uxc:G*",
        "uxc:ListServices",
        "bcm-dashboards:G*",
        "bcm-dashboards:L*",
        "action-recommendations:ListRecommendedActions",
        "rtbfabric:G*",
        "rtbfabric:L*",
        "airflow-serverless:G*",
        "airflow-serverless:L*",
        "pricingplanmanager:GetSubscription",
        "pricingplanmanager:ListSubscriptions",
        "route53globalresolver:G*",
        "route53globalresolver:ListA*",
        "route53globalresolver:ListDNSViews",
        "route53globalresolver:ListF*",
        "route53globalresolver:ListGlobalResolvers",
        "route53globalresolver:ListHostedZoneAssociations",
        "route53globalresolver:ListManagedFirewallDomainLists",
        "transform-custom:G*",
        "transform-custom:L*",
        "aidevops:G*",
        "aidevops:L*",
        "securityagent:BatchG*",
        "securityagent:DescribeFindings",
        "securityagent:G*",
        "securityagent:L*",
        "bedrock-mantle:G*",
        "bedrock-mantle:L*",
        "aco-automation:G*",
        "aco-automation:L*",
        "nova-act:G*",
        "nova-act:L*",
        "elemental-inference:G*",
        "elemental-inference:L*",
        "health-agent:G*",
        "health-agent:L*",
        "interconnect:DescribeConnectionProposal",
        "interconnect:G*",
        "interconnect:L*",
        "aws-external-anthropic:G*",
        "aws-external-anthropic:L*"
       ],
       "Resource": [
        "*"
       ]
      }
     ]
    }
   }
  },
  "CloudTrailPolicy": {
   "Type": "AWS::IAM::Policy",
   "Condition": "PolicyCloudTrailEnabled",
   "Properties": {
    "PolicyName": "CloudTrailPolicy",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents",
        "kms:ListAliases",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
       ],
       "Resource": [
        "*"
       ]
      },
      {
       "Effect": "Allow",
       "Action": [
        "s3:ListBucket"
       ],
       "Resource": {
        "Fn::If": [
         "PartitionAws",
         [
          "arn:aws:s3:::YOUR-CLOUDTRAIL-BUCKET"
         ],
         {
          "Fn::If": [
           "PartitionAwsUsGov",
           [
            "arn:aws-us-gov:s3:::YOUR-CLOUDTRAIL-BUCKET"
           ],
           {
            "Fn::If": [
             "PartitionAwsCn",
             [
              "arn:aws-cn:s3:::YOUR-CLOUDTRAIL-BUCKET"
             ],
             {
              "Ref": "AWS::NoValue"
             }
            ]
           }
          ]
         }
        ]
       }
      },
      {
       "Effect": "Allow",
       "Action": [
        "s3:GetObject"
       ],
       "Resource": {
        "Fn::If": [
         "PartitionAws",
         [
          "arn:aws:s3:::YOUR-CLOUDTRAIL-BUCKET/LOG-PREFIX/*"
         ],
         {
          "Fn::If": [
           "PartitionAwsUsGov",
           [
            "arn:aws-us-gov:s3:::YOUR-CLOUDTRAIL-BUCKET/LOG-PREFIX/*"
           ],
           {
            "Fn::If": [
             "PartitionAwsCn",
             [
              "arn:aws-cn:s3:::YOUR-CLOUDTRAIL-BUCKET/LOG-PREFIX/*"
             ],
             {
              "Ref": "AWS::NoValue"
             }
            ]
           }
          ]
         }
        ]
       }
      }
     ]
    }
   }
  },
  "BillingPolicy": {
   "Type": "AWS::IAM::Policy",
   "Condition": "PolicyBillingEnabled",
   "Properties": {
    "PolicyName": "BillingPolicy",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
       ],
       "Resource": [
        "arn:aws:s3:::*"
       ]
      },
      {
       "Effect": "Allow",
       "Action": [
        "s3:ListBucket"
       ],
       "Resource": [
        "arn:aws:s3:::YOUR-BILLING-BUCKET"
       ]
      },
      {
       "Effect": "Allow",
       "Action": [
        "s3:GetObject"
       ],
       "Resource": [
        "arn:aws:s3:::YOUR-BILLING-BUCKET/*"
       ]
      }
     ]
    }
   }
  },
  "CloudAwareMonitoringPolicy": {
   "Type": "AWS::IAM::Policy",
   "Condition": "PolicyCloudAwareMonitoringEnabled",
   "Properties": {
    "PolicyName": "CloudAwareMonitoringPolicy",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Sid": "CaMonitoring",
       "Effect": "Allow",
       "Action": [
        "ec2:DescribeInstances",
        "cloudwatch:List*",
        "cloudwatch:Get*"
       ],
       "Resource": [
        "*"
       ]
      }
     ]
    }
   }
  },
  "BackupsPolicy": {
   "Type": "AWS::IAM::Policy",
   "Condition": "PolicyBackupsEnabled",
   "Properties": {
    "PolicyName": "BackupsPolicy",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Sid": "Ec2Backup",
       "Effect": "Allow",
       "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:CreateImage",
        "ec2:DeregisterImage",
        "ec2:CopyImage",
        "ec2:DescribeSnapshots",
        "ec2:DeleteSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteTags"
       ],
       "Resource": [
        "*"
       ]
      },
      {
       "Sid": "RdsBackup",
       "Effect": "Allow",
       "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBSnapshots",
        "rds:CreateDBSnapshot",
        "rds:DeleteDBSnapshot",
        "rds:ListTagsForResource",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "rds:CreateDBClusterSnapshot",
        "rds:DeleteDBClusterSnapshot",
        "rds:DescribeDBClusterSnapshots"
       ],
       "Resource": [
        "*"
       ]
      },
      {
       "Sid": "S3Backup",
       "Effect": "Allow",
       "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucketTagging",
        "s3:PutBucketTagging"
       ],
       "Resource": [
        "*"
       ]
      },
      {
       "Sid": "S3BackupWrite",
       "Effect": "Allow",
       "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
       ],
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":s3:::",
          {
           "Ref": "S3BackupDestinationBucket"
          },
          "/*"
         ]
        ]
       }
      }
     ]
    }
   }
  },
  "TaggingPolicy1": {
   "Type": "AWS::IAM::Policy",
   "Condition": "PolicyTaggingEnabled",
   "Properties": {
    "PolicyName": "TaggingPolicy1",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "iam:Tag*",
        "iam:Untag*",
        "s3:DeleteJobTagging",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersionTagging",
        "s3:DeleteStorageLensConfigurationTagging",
        "s3:PutBucketTagging",
        "s3:PutJobTagging",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:PutStorageLensConfigurationTagging",
        "s3:ReplicateTags",
        "s3:TagResource",
        "s3:UntagResource",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "cloudfront:TagResource",
        "cloudfront:UntagResource",
        "elasticmapreduce:AddTags",
        "elasticmapreduce:RemoveTags",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags",
        "sns:TagResource",
        "sns:UntagResource",
        "route53:ChangeTagsForResource",
        "cloudwatch:TagResource",
        "cloudwatch:UntagResource",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteTags",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "redshift:CreateTags",
        "redshift:DeleteTags",
        "cloudtrail:AddTags",
        "cloudtrail:RemoveTags",
        "kinesis:AddTagsToStream",
        "kinesis:RemoveTagsFromStream",
        "kinesis:TagResource",
        "kinesis:UntagResource",
        "ecs:TagResource",
        "ecs:UntagResource",
        "lambda:TagResource",
        "lambda:UntagResource",
        "kms:TagResource",
        "kms:UntagResource",
        "elasticache:AddTagsToResource",
        "elasticache:RemoveTagsFromResource",
        "workspaces:CreateTags",
        "workspaces:DeleteTags",
        "opsworks:TagResource",
        "opsworks:UntagResource",
        "glue:TagResource",
        "glue:UntagResource",
        "organizations:TagResource",
        "organizations:UntagResource",
        "elasticfilesystem:CreateTags",
        "elasticfilesystem:DeleteTags",
        "elasticfilesystem:TagResource",
        "elasticfilesystem:UntagResource",
        "ecr:TagResource",
        "ecr:UntagResource",
        "dms:AddTagsToResource",
        "dms:RemoveTagsFromResource",
        "ssm:AddTagsToResource",
        "ssm:RemoveTagsFromResource",
        "transcribe:TagResource",
        "transcribe:UntagResource",
        "guardduty:TagResource",
        "guardduty:UntagResource",
        "events:TagResource",
        "events:UntagResource",
        "ram:TagResource",
        "ram:UntagResource",
        "sagemaker:AddTags",
        "sagemaker:DeleteTags",
        "kafka:TagResource",
        "kafka:UntagResource",
        "athena:TagResource",
        "athena:UntagResource",
        "shield:TagResource",
        "shield:UntagResource",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource",
        "route53domains:DeleteTagsForDomain",
        "route53domains:UpdateTagsForDomain",
        "fsx:TagResource",
        "fsx:UntagResource",
        "cloudhsm:TagResource",
        "cloudhsm:UntagResource",
        "codedeploy:AddTagsToOnPremisesInstances",
        "codedeploy:RemoveTagsFromOnPremisesInstances",
        "codedeploy:TagResource",
        "codedeploy:UntagResource",
        "datapipeline:AddTags",
        "datapipeline:RemoveTags",
        "cognito-idp:TagResource",
        "cognito-idp:UntagResource",
        "swf:TagResource",
        "swf:UntagResource",
        "acm:AddTagsToCertificate",
        "acm:RemoveTagsFromCertificate",
        "xray:TagResource",
        "xray:UntagResource",
        "eks:TagResource",
        "eks:UntagResource",
        "fms:TagResource",
        "fms:UntagResource",
        "ds:AddTagsToResource",
        "ds:RemoveTagsFromResource",
        "dax:TagResource",
        "dax:UntagResource",
        "logs:Tag*",
        "logs:Untag*",
        "firehose:TagDeliveryStream",
        "firehose:UntagDeliveryStream",
        "mq:CreateTags",
        "mq:DeleteTags",
        "es:AddTags",
        "es:RemoveTags",
        "cognito-identity:TagResource",
        "cognito-identity:UntagResource",
        "codepipeline:TagResource",
        "codepipeline:UntagResource",
        "servicediscovery:TagResource",
        "servicediscovery:UntagResource",
        "waf:TagResource",
        "waf:UntagResource",
        "appstream:TagResource",
        "appstream:UntagResource",
        "quicksight:TagResource",
        "quicksight:UntagResource",
        "wellarchitected:TagResource",
        "wellarchitected:UntagResource",
        "mediaconvert:TagResource",
        "mediaconvert:UntagResource",
        "directconnect:TagResource",
        "directconnect:UntagResource",
        "backup:TagResource",
        "backup:UntagResource",
        "appmesh:TagResource",
        "appmesh:UntagResource",
        "savingsplans:TagResource",
        "savingsplans:UntagResource",
        "access-analyzer:TagResource",
        "access-analyzer:UntagResource",
        "kendra:TagResource",
        "kendra:UntagResource",
        "wafv2:TagResource",
        "wafv2:UntagResource",
        "profile:TagResource",
        "profile:UntagResource",
        "bedrock:TagResource",
        "bedrock:UntagResource",
        "workspaces-instances:TagResource",
        "workspaces-instances:UntagResource"
       ],
       "Resource": [
        "*"
       ]
      }
     ]
    }
   }
  },
  "InstanceSchedulerPolicy": {
   "Type": "AWS::IAM::Policy",
   "Condition": "PolicyInstanceSchedulerEnabled",
   "Properties": {
    "PolicyName": "InstanceSchedulerPolicy",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Sid": "CaInstanceScheduler",
       "Effect": "Allow",
       "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "rds:DescribeDBInstances",
        "rds:ListTagsForResource",
        "rds:StartDBInstance",
        "rds:StopDBInstance"
       ],
       "Resource": [
        "*"
       ]
      }
     ]
    }
   }
  },
  "ConfluxPolicy": {
   "Type": "AWS::IAM::Policy",
   "Condition": "PolicyConfluxEnabled",
   "Properties": {
    "PolicyName": "ConfluxPolicy",
    "Roles": [
     {
      "Ref": "CloudAwareIamRole"
     }
    ],
    "PolicyDocument": {
     "Version": "2012-10-17",
     "Statement": [
      {
       "Effect": "Allow",
       "Action": [
        "config:Describe*",
        "config:List*",
        "elasticloadbalancing:Describe*",
        "firehose:Describe*",
        "firehose:List*",
        "cloudfront:Describe*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "cloudtrail:Describe*",
        "cloudtrail:List*",
        "cloudtrail:GetTrailStatus",
        "eks:Describe*",
        "eks:List*",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "rds:Describe*",
        "rds:DownloadDBLogFilePortion",
        "rds:DownloadCompleteDBLogFile"
       ],
       "Resource": [
        "*"
       ]
      },
      {
       "Effect": "Allow",
       "Action": [
        "s3:ListBucket"
       ],
       "Resource": {
        "Fn::If": [
         "PartitionAws",
         [
          "arn:aws:s3:::YOUR-BUCKET"
         ],
         {
          "Fn::If": [
           "PartitionAwsUsGov",
           [
            "arn:aws-us-gov:s3:::YOUR-BUCKET"
           ],
           {
            "Fn::If": [
             "PartitionAwsCn",
             [
              "arn:aws-cn:s3:::YOUR-BUCKET"
             ],
             {
              "Ref": "AWS::NoValue"
             }
            ]
           }
          ]
         }
        ]
       }
      },
      {
       "Effect": "Allow",
       "Action": [
        "s3:GetObject"
       ],
       "Resource": {
        "Fn::If": [
         "PartitionAws",
         [
          "arn:aws:s3:::YOUR-BUCKET/*"
         ],
         {
          "Fn::If": [
           "PartitionAwsUsGov",
           [
            "arn:aws-us-gov:s3:::YOUR-BUCKET/*"
           ],
           {
            "Fn::If": [
             "PartitionAwsCn",
             [
              "arn:aws-cn:s3:::YOUR-BUCKET/*"
             ],
             {
              "Ref": "AWS::NoValue"
             }
            ]
           }
          ]
         }
        ]
       }
      }
     ]
    }
   }
  }
 },
 "Outputs": {
  "IamRoleArn": {
   "Value": {
    "Fn::GetAtt": [
     "CloudAwareIamRole",
     "Arn"
    ]
   }
  }
 }
}
