Run:

```
sh ./run.sh
```

Enjoy this generated README.md.

Policy | Description |
---|---|
AWSDirectConnectReadOnlyAccess | Provides read only access to AWS Direct Connect via the AWS Management Console. |
AmazonGlacierReadOnlyAccess | Provides read only access to Amazon Glacier via the AWS Management Console. |
AWSMarketplaceFullAccess | Provides the ability to subscribe and unsubscribe to AWS Marketplace software, allows users to manage Marketplace software instances from the Marketplace 'Your Software' page, and provides administrative access to EC2. |
ClientVPNServiceRolePolicy | Policy to enable AWS Client VPN to manage your Client VPN endpoints. |
AWSSSODirectoryAdministrator | Administrator access for SSO Directory |
AWSIoT1ClickReadOnlyAccess | Provides read only access to AWS IoT 1-Click. |
AutoScalingConsoleReadOnlyAccess | Provides read-only access to Auto Scaling via the AWS Management Console. |
AmazonDMSRedshiftS3Role | Provides access to manage S3 settings for Redshift endpoints for DMS. |
AWSQuickSightListIAM | Allow QuickSight to list IAM entities |
AWSHealthFullAccess | Allows full access to the AWS Health Apis and Notifications and the Personal Health Dashboard |
AlexaForBusinessGatewayExecution | Provide gateway execution access to AlexaForBusiness services |
AmazonElasticTranscoder_ReadOnlyAccess | Grants users read-only access to Elastic Transcoder and list access to related services. |
AmazonRDSFullAccess | Provides full access to Amazon RDS via the AWS Management Console. |
SupportUser | This policy grants permissions to troubleshoot and resolve issues in an AWS account. This policy also enables the user to contact AWS support to create and manage cases. |
AmazonEC2FullAccess | Provides full access to Amazon EC2 via the AWS Management Console. |
SecretsManagerReadWrite | Provides read/write access to AWS Secrets Manager via the AWS Management Console. Note: this excludes IAM actions, so combine with IAMFullAccess if rotation configuration is required. |
AWSIoTThingsRegistration | This policy allows users to register things at bulk using AWS IoT StartThingRegistrationTask API |
AmazonDocDBReadOnlyAccess | Provides read-only access to Amazon DocumentDB with MongoDB compatibility. Note that this policy also grants access to Amazon RDS and Amazon Neptune resources. |
AmazonMQApiFullAccess | Provides full access to AmazonMQ via our API/SDK. |
AWSElementalMediaStoreReadOnly | Provides read-only permissions for MediaStore APIs |
AWSCertificateManagerReadOnly | Provides read only access to AWS Certificate Manager (ACM). |
AWSQuicksightAthenaAccess | Quicksight access to Athena API and S3 buckets used for Athena query results |
AWSCloudMapRegisterInstanceAccess | Provides registrant level access to AWS Cloud Map actions. |
AWSMarketplaceImageBuildFullAccess | Provides full access to AWS Marketplace Private Image Build Feature. In addition to create private images, it also provides permissions to add tags to images, launch and terminate ec2 instances. |
AWSCodeCommitPowerUser | Provides full access to AWS CodeCommit repositories, but does not allow repository deletion. |
AWSCodeCommitFullAccess | Provides full access to AWS CodeCommit via the AWS Management Console. |
IAMSelfManageServiceSpecificCredentials | Allows an IAM user to manage their own Service Specific Credentials. |
AmazonEMRCleanupPolicy | Allows the actions that EMR requires to terminate and delete AWS EC2 resources if the EMR Service role has lost that ability. |
AWSCloud9EnvironmentMember | Provides the ability to be invited into AWS Cloud9 shared development environments. |
AWSApplicationAutoscalingSageMakerEndpointPolicy | Policy granting permissions to Application Auto Scaling to access SageMaker and CloudWatch. |
FMSServiceRolePolicy | Access policy to allow FM service linked role to perform FM-related actions on FM-managed resources within a customer AWS Organization account. |
AmazonSQSFullAccess | Provides full access to Amazon SQS via the AWS Management Console. |
AlexaForBusinessReadOnlyAccess | Provide read only access to AlexaForBusiness services |
AWSLambdaFullAccess | This policy is on a deprecation path. See documentation for guidance: https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html. Provides full access to Lambda, S3, DynamoDB, CloudWatch Metrics and Logs. |
AmazonLexBotPolicy | Policy for AWS Lex Bot use case |
AWSIoTLogging | Allows creation of Amazon CloudWatch Log groups and streaming logs to the groups |
AmazonEC2RoleforSSM | This policy will soon be deprecated. Please use AmazonSSMManagedInstanceCore policy to enable AWS Systems Manager service core functionality on EC2 instances. For more information see https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html |
AlexaForBusinessNetworkProfileServicePolicy | This policy enables Alexa for Business to perform automated tasks scheduled by your network profiles. |
AWSCloudHSMRole | Default policy for the AWS CloudHSM service role. |
AWSEnhancedClassicNetworkingMangementPolicy | Policy to enable enhanced classic networking management feature. |
IAMFullAccess | Provides full access to IAM via the AWS Management Console. |
AmazonInspectorFullAccess | Provides full access to Amazon Inspector. |
AmazonElastiCacheFullAccess | Provides full access to Amazon ElastiCache via the AWS Management Console. |
AWSAgentlessDiscoveryService | Provides access for the Discovery Agentless Connector to register with AWS Application Discovery Service. |
AWSXrayWriteOnlyAccess | AWS X-Ray write only managed policy |
AWSPriceListServiceFullAccess | Provides full access to AWS Price List Service. |
AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy | Enables access to AWS services and resources required for AWS KMS custom key stores |
AutoScalingReadOnlyAccess | Provides read-only access to Auto Scaling. |
AmazonForecastFullAccess | Gives access to all actions for Amazon Forecast |
AmazonWorkLinkReadOnly | Grants read only access to Amazon WorkLink resources |
TranslateFullAccess | Provides full access to Amazon Translate. |
AutoScalingFullAccess | Provides full access to Auto Scaling. |
AmazonEC2RoleforAWSCodeDeploy | Provides EC2 access to S3 bucket to download revision. This role is needed by the CodeDeploy agent on EC2 instances. |
AWSFMMemberReadOnlyAccess | Provides read only access to AWS WAF actions for AWS Firewall Manager member accounts |
AmazonElasticMapReduceEditorsRole | Default policy for the Amazon Elastic MapReduce Editors service role. |
AmazonEKSClusterPolicy | This policy provides Kubernetes the permissions it requires to manage resources on your behalf. Kubernetes requires Ec2:CreateTags permissions to place identifying information on EC2 resources including but not limited to Instances, Security Groups, and Elastic Network Interfaces. |
AmazonEKSWorkerNodePolicy | This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters. |
AWSMobileHub_ReadOnly | This policy may be attached to any User, Role, or Group, in order to grant users permission to list and view projects in AWS Mobile Hub. This also includes permissions to generate and download sample mobile app source code for each Mobile Hub project. It does not allow the user to modify any configuration for any Mobile Hub project. |
CloudWatchEventsBuiltInTargetExecutionAccess | Allows built-in targets in Amazon CloudWatch Events to perform EC2 actions on your behalf. |
AutoScalingServiceRolePolicy | Enables access to AWS Services and Resources used or managed by Auto Scaling |
AmazonElasticTranscoder_FullAccess | Grants users full access to Elastic Transcoder and the access to associated services that is required for full Elastic Transcoder functionality. |
AmazonCloudDirectoryReadOnlyAccess | Provides read only access to Amazon Cloud Directory Service. |
CloudWatchAgentAdminPolicy | Full permissions required to use AmazonCloudWatchAgent. |
AWSOpsWorksCMInstanceProfileRole | Provides S3 access for instances launched by OpsWorks CM. |
AWSBatchServiceEventTargetRole | Policy to enable CloudWatch Event Target for AWS Batch Job Submission |
AWSCodePipelineApproverAccess | Provides access to view and approve manual changes for all pipelines |
AWSApplicationDiscoveryAgentAccess | Provides access for the Discovery Agent to register with AWS Application Discovery Service. |
ViewOnlyAccess | This policy grants permissions to view resources and basic metadata across all AWS services. |
AmazonElasticMapReduceRole | This policy is on a deprecation path. See documentation for guidance: https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html. Default policy for the Amazon Elastic MapReduce service role. |
ElasticLoadBalancingFullAccess | Provides full access to Amazon ElasticLoadBalancing, and limited access to other services necessary to provide ElasticLoadBalancing features. |
AmazonRoute53DomainsReadOnlyAccess | Provides access to Route53 Domains list and actions. |
AmazonSSMAutomationApproverAccess | Provides access to view automation executions and send approval decisions to automation waiting for approval |
AWSSecurityHubReadOnlyAccess | Provides read only access to AWS Security Hub resources |
AWSConfigRoleForOrganizations | Allows AWS Config to call read-only AWS Organizations APIs |
ApplicationAutoScalingForAmazonAppStreamAccess | Policy to enable Application Autoscaling for Amazon AppStream |
AmazonEC2ContainerRegistryFullAccess | Provides administrative access to Amazon ECR resources |
AmazonFSxFullAccess | Provides full access to Amazon FSx and access to related AWS services. |
SimpleWorkflowFullAccess | Provides full access to the Simple Workflow configuration service. |
GreengrassOTAUpdateArtifactAccess | Provides read access to the Greengrass OTA Update artifacts in all Greengrass regions |
AmazonS3FullAccess | Provides full access to all buckets via the AWS Management Console. |
AWSStorageGatewayReadOnlyAccess | Provides access to AWS Storage Gateway via the AWS Management Console. |
Billing | Grants permissions for billing and cost management. This includes viewing account usage and viewing and modifying budgets and payment methods. |
QuickSightAccessForS3StorageManagementAnalyticsReadOnly | Policy used by QuickSight team to access customer data produced by S3 Storage Management Analytics. |
AmazonEC2ContainerRegistryReadOnly | Provides read-only access to Amazon EC2 Container Registry repositories. |
AmazonElasticMapReduceforEC2Role | Default policy for the Amazon Elastic MapReduce for EC2 service role. |
DatabaseAdministrator | Grants full access permissions to AWS services and actions required to set up and configure AWS database services. |
AmazonRedshiftReadOnlyAccess | Provides read only access to Amazon Redshift via the AWS Management Console. |
AmazonEC2ReadOnlyAccess | Provides read only access to Amazon EC2 via the AWS Management Console. |
CloudWatchAgentServerPolicy | Permissions required to use AmazonCloudWatchAgent on servers |
AWSXrayReadOnlyAccess | AWS X-Ray read only managed policy |
AWSElasticBeanstalkEnhancedHealth | AWS Elastic Beanstalk Service policy for Health Monitoring system |
WellArchitectedConsoleFullAccess | Provides full access to AWS Well-Architected Tool via the AWS Management Console |
AmazonElasticMapReduceReadOnlyAccess | Provides read only access to Amazon Elastic MapReduce via the AWS Management Console. |
AWSDirectoryServiceReadOnlyAccess | Provides read only access to AWS Directory Service. |
AWSSSOMasterAccountAdministrator | Provides access within AWS SSO to manage AWS Organizations master and member accounts and cloud application |
AmazonGuardDutyServiceRolePolicy | Enable access to AWS Resources used or managed by Amazon Guard Duty |
AmazonVPCReadOnlyAccess | Provides read only access to Amazon VPC via the AWS Management Console. |
AWSElasticBeanstalkServiceRolePolicy | AWS Elastic Beanstalk Service Linked Role policy which grants permissions to create & manage resources (i.e.: AutoScaling, EC2, S3, CloudFormation, ELB, etc.) on your behalf. |
ServerMigrationServiceLaunchRole | Permissions to allow the AWS Server Migration Service to create and update relevant AWS resources into the customer's AWS account for launching migrated servers and applications. |
AWSCodeDeployRoleForECS | Provides CodeDeploy service wide access to perform an ECS blue/green deployment on your behalf. Grants full access to support services, such as full access to read all S3 objects, invoke all Lambda functions, publish to all SNS topics within the account and update all ECS services. |
CloudWatchEventsReadOnlyAccess | Provides read only access to Amazon CloudWatch Events. |
AWSLambdaReplicator | Grants Lambda Replicator necessary permissions to replicate functions across regions |
AmazonAPIGatewayInvokeFullAccess | Provides full access to invoke APIs in Amazon API Gateway. |
AWSSSOServiceRolePolicy | Grants AWS SSO permissions to manage AWS resources, including IAM roles, policies and SAML IdP on your behalf. |
AWSLicenseManagerMasterAccountRolePolicy | AWS License Manager service master account role policy |
AmazonKinesisAnalyticsReadOnly | Provides read-only access to Amazon Kinesis Analytics via the AWS Management Console. |
AmazonMobileAnalyticsFullAccess | Provides full access to all application resources. |
AWSMobileHub_FullAccess | This policy may be attached to any User, Role, or Group, in order to grant users permission to create, delete, and modify projects (and their associated AWS resources) in AWS Mobile Hub. This also includes permissions to generate and download sample mobile app source code for each Mobile Hub project. |
AmazonAPIGatewayPushToCloudWatchLogs | Allows API Gateway to push logs to user's account. |
AWSDataPipelineRole | This policy is on a deprecation path. See documentation for guidance: https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html. Default policy for the AWS Data Pipeline service role. |
CloudWatchFullAccess | Provides full access to CloudWatch. |
AmazonMQApiReadOnlyAccess | Provides read only access to AmazonMQ via our API/SDK. |
AWSDeepLensLambdaFunctionAccessPolicy | This policy specifies permissions required by DeepLens Administrative lambda functions that run on a DeepLens device |
AmazonGuardDutyFullAccess | Provides full access to use Amazon GuardDuty. |
AmazonRDSDirectoryServiceAccess | Allow RDS to access Directory Service Managed AD on behalf of the customer for domain-joined SQL Server DB instances. |
AWSCodePipelineReadOnlyAccess | Provides read only access to AWS CodePipeline via the AWS Management Console. |
ReadOnlyAccess | Provides read-only access to AWS services and resources. |
AWSAppSyncInvokeFullAccess | Provides full invoking access to the AppSync service - both through the console and independently |
AmazonMachineLearningBatchPredictionsAccess | Grants users permission to request Amazon Machine Learning batch predictions. |
AWSIoTSiteWiseFullAccess | Provides full access to IoT SiteWise. |
AlexaForBusinessFullAccess | Grants full access to AlexaForBusiness resources and access to related AWS Services |
AWSEC2SpotFleetServiceRolePolicy | Allows EC2 Spot Fleet to launch and manage spot fleet instances |
AmazonRekognitionReadOnlyAccess | Access to all Read rekognition APIs |
AWSCodeDeployReadOnlyAccess | Provides read only access to CodeDeploy resources. |
CloudSearchFullAccess | Provides full access to the Amazon CloudSearch configuration service. |
AWSLicenseManagerServiceRolePolicy | AWS License Manager service default role policy |
AWSCloudHSMFullAccess | Provides full access to all CloudHSM resources. |
AmazonEC2SpotFleetAutoscaleRole | Policy to enable Autoscaling for Amazon EC2 Spot Fleet |
AWSElasticLoadBalancingServiceRolePolicy | Service Linked Role Policy for AWS Elastic Load Balancing Control Plane |
AWSCodeBuildDeveloperAccess | Provides access to AWS CodeBuild via the AWS Management Console, but does not allow CodeBuild project administration. Also attach AmazonS3ReadOnlyAccess to provide access to download build artifacts. |
ElastiCacheServiceRolePolicy | This policy allows ElastiCache to manage AWS resources on your behalf as necessary for managing your cache |
AWSGlueServiceNotebookRole | Policy for AWS Glue service role which allows customer to manage notebook server |
AWSDataPipeline_PowerUser | Provides full access to Data Pipeline, list access for S3, DynamoDB, Redshift, RDS, SNS, and IAM roles, and passRole access for default Roles. |
AWSCodeStarServiceRole | DO NOT USE - AWS CodeStar Service Role Policy which grants administrative privileges in order for CodeStar to manage IAM and other service resources on behalf of the customer. |
AmazonTranscribeFullAccess | Provides full access to Amazon Transcribe operations |
AWSDirectoryServiceFullAccess | Provides full access to AWS Directory Service. |
AmazonFreeRTOSOTAUpdate | Allows user to access Amazon FreeRTOS OTA Update |
AmazonWorkLinkServiceRolePolicy | Enables access to AWS Services and Resources used or managed by Amazon WorkLink |
AmazonDynamoDBFullAccess | Provides full access to Amazon DynamoDB via the AWS Management Console. |
AmazonSESReadOnlyAccess | Provides read only access to Amazon SES via the AWS Management Console. |
AmazonRedshiftQueryEditor | Provides full access to the Amazon Redshift Query Editor and to saved queries via the AWS Management Console. |
AWSWAFReadOnlyAccess | Provides read only access to AWS WAF actions. |
AutoScalingNotificationAccessRole | Default policy for the AutoScaling Notification Access service role. |
AmazonMechanicalTurkReadOnly | Provides access to read only APIs in Amazon Mechanical Turk. |
AmazonKinesisReadOnlyAccess | Provides read only access to all streams via the AWS Management Console. |
AWSXRayDaemonWriteAccess | Allow the AWS X-Ray Daemon to relay raw trace segments data to the service's API and retrieve sampling data (rules, targets, etc.) to be used by the X-Ray SDK. |
AWSCloudMapReadOnlyAccess | Provides read-only access to all AWS Cloud Map actions. |
AWSCloudFrontLogger | Grants CloudFront Logger write permissions to CloudWatch Logs. |
AWSCodeDeployFullAccess | Provides full access to CodeDeploy resources. |
AWSBackupServiceRolePolicyForBackup | Provides AWS Backup permission to create backups on your behalf across AWS services |
AWSRoboMakerServiceRolePolicy | RoboMaker service policy |
CloudWatchActionsEC2Access | Provides read-only access to CloudWatch alarms and metrics as well as EC2 metadata. Provides access to Stop, Terminate and Reboot EC2 instances. |
AWSLambdaDynamoDBExecutionRole | Provides list and read access to DynamoDB streams and write permissions to CloudWatch logs. |
AmazonRoute53DomainsFullAccess | Provides full access to all Route53 Domains actions and Create Hosted Zone to allow Hosted Zone creation as part of domain registrations. |
AmazonElastiCacheReadOnlyAccess | Provides read only access to Amazon ElastiCache via the AWS Management Console. |
AmazonRDSServiceRolePolicy | Allows Amazon RDS to manage AWS resources on your behalf. |
AmazonAthenaFullAccess | Provide full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. |
AmazonElasticFileSystemReadOnlyAccess | Provides read only access to Amazon EFS via the AWS Management Console. |
AWSCloudMapDiscoverInstanceAccess | Provides access to AWS Cloud Map discovery API. |
CloudFrontFullAccess | Provides full access to the CloudFront console plus the ability to list Amazon S3 buckets via the AWS Management Console. |
AWSCloud9Administrator | Provides administrator access to AWS Cloud9. |
AWSApplicationAutoscalingEMRInstanceGroupPolicy | Policy granting permissions to Application Auto Scaling to access Elastic Map Reduce and CloudWatch. |
AmazonTextractFullAccess | Access to all Amazon Textract APIs |
AWSOrganizationsServiceTrustPolicy | A policy to allow AWS Organizations to share trust with other approved AWS Services for the purpose of simplifying customer configuration. |
AmazonDocDBFullAccess | Provides full access to Amazon DocumentDB with MongoDB compatibility. Note this policy also grants full access to publish on all SNS topics within the account and full access to Amazon RDS and Amazon Neptune. |
AmazonMobileAnalyticsNon-financialReportAccess | Provides read only access to non financial reports for all application resources. |
AmazonCognitoDeveloperAuthenticatedIdentities | Provides access to Amazon Cognito APIs to support developer authenticated identities from your authentication backend. |
AWSConfigRole | Default policy for AWS Config service role. |
AWSSSOMemberAccountAdministrator | Provides access within AWS SSO to manage AWS Organizations member accounts and cloud application |
AWSApplicationAutoscalingAppStreamFleetPolicy | Policy granting permissions to Application Auto Scaling to access AppStream and CloudWatch. |
AWSCertificateManagerPrivateCAFullAccess | Provides full access to AWS Certificate Manager Private Certificate Authority |
AWSGlueServiceRole | Policy for AWS Glue service role which allows access to related services including EC2, S3, and Cloudwatch Logs |
AmazonAppStreamServiceAccess | Default policy for Amazon AppStream service role. |
AmazonRedshiftFullAccess | Provides full access to Amazon Redshift via the AWS Management Console. |
AWSTransferLoggingAccess | Allows AWS Transfer full access to create log streams and groups and put log events to your account |
AmazonZocaloReadOnlyAccess | Provides read only access to Amazon Zocalo |
AWSCloudHSMReadOnlyAccess | Provides read only access to all CloudHSM resources. |
ComprehendFullAccess | Provides full access to Amazon Comprehend. |
AmazonFSxConsoleFullAccess | Provides full access to Amazon FSx and access to related AWS services via the AWS Management Console. |
SystemAdministrator | Grants full access permissions necessary for resources required for application and development operations. |
AmazonEC2ContainerServiceEventsRole | Policy to enable CloudWatch Events for EC2 Container Service |
AmazonRoute53ReadOnlyAccess | Provides read only access to all Amazon Route 53 via the AWS Management Console. |
AWSMigrationHubDiscoveryAccess | Policy allows AWSMigrationHubService to call AWSApplicationDiscoveryService on behalf of the customer. |
AmazonEC2ContainerServiceAutoscaleRole | Policy to enable Task Autoscaling for Amazon EC2 Container Service |
AWSAppSyncSchemaAuthor | Provides access to create, update, and query the schema. |
AlexaForBusinessDeviceSetup | Provide device setup access to AlexaForBusiness services |
AWSBatchServiceRole | Policy for AWS Batch service role which allows access to related services including EC2, Autoscaling, EC2 Container service and Cloudwatch Logs. |
AWSElasticBeanstalkWebTier | Provide the instances in your web server environment access to upload log files to Amazon S3. |
AmazonSQSReadOnlyAccess | Provides read only access to Amazon SQS via the AWS Management Console. |
AmazonChimeFullAccess | Provides full access to Amazon Chime Admin Console via the AWS Management Console. |
AWSDeepRacerRoboMakerAccessPolicy | Allows RoboMaker to create required resources and call AWS services on your behalf. |
AWSElasticLoadBalancingClassicServiceRolePolicy | Service Linked Role Policy for AWS Elastic Load Balancing Control Plane - Classic |
AWSMigrationHubDMSAccess | Policy for Database Migration Service to assume role in customer's account to call Migration Hub |
WellArchitectedConsoleReadOnlyAccess | Provides read-only access to AWS Well-Architected Tool via the AWS Management Console |
AmazonKinesisFullAccess | Provides full access to all streams via the AWS Management Console. |
AmazonGuardDutyReadOnlyAccess | Provides read only access to Amazon GuardDuty resources |
AmazonFSxServiceRolePolicy | Allows Amazon FSx to manage AWS resources on your behalf |
AmazonECSServiceRolePolicy | Policy to enable Amazon ECS to manage your cluster. |
AmazonConnectReadOnlyAccess | Grants permission to view the Amazon Connect instances in your AWS account. |
AmazonMachineLearningReadOnlyAccess | Provides read only access to Amazon Machine Learning resources. |
AmazonRekognitionFullAccess | Access to all Amazon Rekognition APIs |
RDSCloudHsmAuthorizationRole | Default policy for the Amazon RDS service role. |
AmazonMachineLearningFullAccess | Provides full access to Amazon Machine Learning resources. |
AdministratorAccess | Provides full access to AWS services and resources. |
AmazonMachineLearningRealTimePredictionOnlyAccess | Grants users permission to request Amazon Machine Learning real-time predictions. |
AWSAppSyncPushToCloudWatchLogs | Allows AppSync to push logs to user's CloudWatch account. |
AWSMigrationHubSMSAccess | Policy for Server Migration Service to assume role in customer's account to call Migration Hub |
AWSConfigUserAccess | Provides access to use AWS Config, including searching by tags on resources, and reading all tags. This does not provide permission to configure AWS Config, which requires administrative privileges. |
AWSIoTConfigAccess | This policy gives full access to the AWS IoT configuration actions |
SecurityAudit | The security audit template grants access to read security configuration metadata. It is useful for software that audits the configuration of an AWS account. |
AWSDiscoveryContinuousExportFirehosePolicy | Provides write access to AWS resources required for AWS Discovery Continuous Export |
AmazonCognitoIdpEmailServiceRolePolicy | Allows Amazon Cognito User Pools service to use your SES identities for email sending |
AWSElementalMediaConvertFullAccess | Provides full access to AWS Elemental MediaConvert via the AWS Management Console and SDK. |
AWSRoboMakerReadOnlyAccess | Provides read only access to AWS RoboMaker via the AWS Management Console and SDK |
AWSResourceGroupsReadOnlyAccess | This is the read only policy for AWS Resource Groups |
AWSCodeStarFullAccess | Provides full access to AWS CodeStar via the AWS Management Console. |
AmazonSSMServiceRolePolicy | Provides access to AWS Resources managed or used by Amazon SSM |
AWSDataPipeline_FullAccess | Provides full access to Data Pipeline, list access for S3, DynamoDB, Redshift, RDS, SNS, and IAM roles, and passRole access for default Roles. |
NeptuneFullAccess | Provides full access to Amazon Neptune. Note this policy also grants full access to publish on all SNS topics within the account and full access to Amazon RDS. For more information, see https://aws.amazon.com/neptune/faqs/. |
AmazonSSMManagedInstanceCore | The policy for Amazon EC2 Role to enable AWS Systems Manager service core functionality. |
AWSAutoScalingPlansEC2AutoScalingPolicy | Policy granting permissions to AWS Auto Scaling to periodically forecast capacity and generate scheduled scaling actions for Auto Scaling groups in a scaling plan |
AmazonDynamoDBReadOnlyAccess | Provides read only access to Amazon DynamoDB via the AWS Management Console. |
AutoScalingConsoleFullAccess | Provides full access to Auto Scaling via the AWS Management Console. |
AWSElementalMediaPackageFullAccess | Provides full access to AWS Elemental MediaPackage resources |
AmazonKinesisVideoStreamsFullAccess | Provides full access to Amazon Kinesis Video Streams via the AWS Management Console. |
AmazonSNSReadOnlyAccess | Provides read only access to Amazon SNS via the AWS Management Console. |
AmazonRDSPreviewServiceRolePolicy | Amazon RDS Preview Service Role Policy |
AWSEC2SpotServiceRolePolicy | Allows EC2 Spot to launch and manage spot instances |
AmazonElasticMapReduceFullAccess | This policy is on a deprecation path. See documentation for guidance: https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html. Provides full access to Amazon Elastic MapReduce and underlying services that it requires such as EC2 and S3 |
AWSCloudMapFullAccess | Provides full access to all AWS Cloud Map actions. |
AWSDataLifecycleManagerServiceRole | Provides appropriate permissions to AWS Data Lifecycle Manager to take actions on AWS resources |
AmazonS3ReadOnlyAccess | Provides read only access to all buckets via the AWS Management Console. |
AmazonWorkSpacesAdmin | Provides access to Amazon WorkSpaces administrative actions via AWS SDK and CLI. |
AWSCodeDeployRole | Provides CodeDeploy service access to expand tags and interact with Auto Scaling on your behalf. |
AmazonSESFullAccess | Provides full access to Amazon SES via the AWS Management Console. |
CloudWatchLogsReadOnlyAccess | Provides read only access to CloudWatch Logs |
AmazonRDSBetaServiceRolePolicy | Allows Amazon RDS to manage AWS resources on your behalf. |
AmazonKinesisFirehoseReadOnlyAccess | Provides read only access to all Amazon Kinesis Firehose Delivery Streams. |
GlobalAcceleratorFullAccess | Allow GlobalAccelerator Users full Access to all APIs |
AmazonDynamoDBFullAccesswithDataPipeline | This policy is on a deprecation path. See documentation for guidance: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBPipeline.html. Provides full access to Amazon DynamoDB including Export/Import using AWS Data Pipeline via the AWS Management Console. |
AWSIoTAnalyticsReadOnlyAccess | Provides read only access to IoT Analytics. |
AmazonEC2RoleforDataPipelineRole | Default policy for the Amazon EC2 Role for Data Pipeline service role. |
CloudWatchLogsFullAccess | Provides full access to CloudWatch Logs |
AWSSecurityHubFullAccess | Provides full access to use AWS Security Hub. |
AWSElementalMediaPackageReadOnly | Provides read only access to AWS Elemental MediaPackage resources |
AWSElasticBeanstalkMulticontainerDocker | Provide the instances in your multicontainer Docker environment access to use the Amazon EC2 Container Service to manage container deployment tasks. |
AmazonPersonalizeFullAccess | Provides full access to Amazon Personalize via the AWS Management Console and SDK. Also provides select access to related services (e.g., S3, CloudWatch). |
AWSMigrationHubFullAccess | Managed policy to provide the customer access to the Migration Hub Service |
AmazonFSxReadOnlyAccess | Provides read only access to Amazon FSx. |
IAMUserChangePassword | Provides the ability for an IAM user to change their own password. |
LightsailExportAccess | AWS Lightsail service linked role policy which grants permissions to export resources |
AmazonAPIGatewayAdministrator | Provides full access to create/edit/delete APIs in Amazon API Gateway via the AWS Management Console. |
AmazonVPCCrossAccountNetworkInterfaceOperations | Provides access to create network interfaces and attach them to cross-account resources |
AmazonMacieSetupRole | Provides Macie with access to your AWS account. |
AmazonPollyReadOnlyAccess | Grants read-only access to Amazon Polly resources. |
AmazonRDSDataFullAccess | Allows full access to use the RDS data APIs, secret store APIs for RDS database credentials, and DB console query management APIs to execute SQL statements on Aurora Serverless clusters in the AWS account. |
AmazonMobileAnalyticsWriteOnlyAccess | Provides write only access to put event data for all application resources. (Recommended for SDK integration) |
AmazonEC2SpotFleetTaggingRole | Allows EC2 Spot Fleet to request, terminate and tag Spot Instances on your behalf. |
DataScientist | Grants permissions to AWS data analytics services. |
AWSMarketplaceMeteringFullAccess | Provides full access to AWS Marketplace Metering. |
AWSOpsWorksCMServiceRole | Service Role Policy to be used for Creating OpsWorks CM servers. |
FSxDeleteServiceLinkedRoleAccess | Allows Amazon FSx to delete its Service Linked Roles for Amazon S3 access |
WorkLinkServiceRolePolicy | Enables access to AWS Services and Resources used or managed by Amazon WorkLink |
AmazonConnectServiceLinkedRolePolicy | Allows Amazon Connect to create and manage AWS resources on your behalf. |
AWSPrivateMarketplaceAdminFullAccess | Provides full access to all administrative actions for an AWS Private Marketplace. |
AWSConnector | Enables broad read/write access to ALL EC2 objects, read/write access to S3 buckets starting with 'import-to-ec2-', and the ability to list all S3 buckets, for the AWS Connector to import VMs on your behalf. |
AWSCodeDeployRoleForECSLimited | Provides CodeDeploy service limited access to perform an ECS blue/green deployment on your behalf. |
AmazonElasticTranscoder_JobsSubmitter | Grants users permission to change presets, submit jobs, and view Elastic Transcoder settings. This policy also grants some read-only access to some other services required to use the Elastic Transcoder console, including S3, IAM, and SNS. |
AmazonMacieHandshakeRole | Grants permission to create the service-linked role of Amazon Macie. |
AWSIoTAnalyticsFullAccess | Provides full access to IoT Analytics. |
AWSBatchFullAccess | Provides full access for AWS Batch resources. |
AmazonSSMDirectoryServiceAccess | This policy allows SSM Agent to access Directory Service on behalf of the customer to domain-join the managed instance. |
AmazonECS_FullAccess | Provides administrative access to Amazon ECS resources and enables ECS features through access to other AWS service resources, including VPCs, Auto Scaling groups, and CloudFormation stacks. |
AWSSupportServiceRolePolicy | Allows AWS Support to access AWS resources to provide billing, administrative, and support services. |
AWSApplicationAutoscalingRDSClusterPolicy | Policy granting permissions to Application Auto Scaling to access RDS and CloudWatch. |
AWSServiceRoleForEC2ScheduledInstances | Allows EC2 Scheduled Instances to launch and manage spot instances. |
AWSCodeDeployRoleForLambda | Provides CodeDeploy service access to perform a Lambda deployment on your behalf. |
AWSFMAdminReadOnlyAccess | Read only access for AWS FM Administrator that allows monitoring AWS FM operations |
AmazonSSMFullAccess | Provides full access to Amazon SSM. |
AWSCodeCommitReadOnly | Provides read only access to AWS CodeCommit via the AWS Management Console. |
AmazonFreeRTOSFullAccess | Full Access Policy for Amazon FreeRTOS |
AmazonTextractServiceRole | Allows Textract to call AWS services on your behalf. |
AmazonCognitoReadOnly | Provides read only access to Amazon Cognito resources. |
AmazonDMSCloudWatchLogsRole | Provides access to upload DMS replication logs to CloudWatch Logs in the customer account. |
AWSApplicationDiscoveryServiceFullAccess | Provides full access to view and tag Configuration Items maintained by the AWS Application Discovery Service |
AmazonRoute53AutoNamingReadOnlyAccess | Provides read-only access to all Route 53 Auto Naming actions. |
AWSSSOReadOnly | Provides read only access to AWS SSO configurations. |
AmazonVPCFullAccess | Provides full access to Amazon VPC via the AWS Management Console. |
AWSCertificateManagerPrivateCAUser | Provides certificate user access to AWS Certificate Manager Private Certificate Authority |
AWSAppSyncAdministrator | Provides administrative access to the AppSync service, though not enough to access via the console. |
AWSEC2FleetServiceRolePolicy | Allows EC2 Fleet to launch and manage instances. |
AmazonRoute53AutoNamingFullAccess | Provides full access to all Route 53 Auto Naming actions. |
AWSImportExportFullAccess | Provides read and write access to the jobs created under the AWS account. |
DynamoDBReplicationServiceRolePolicy | Permissions required by DynamoDB for cross-region data replication |
AmazonMechanicalTurkFullAccess | Provides full access to all APIs in Amazon Mechanical Turk. |
AmazonEC2ContainerRegistryPowerUser | Provides full access to Amazon EC2 Container Registry repositories, but does not allow repository deletion or policy changes. |
AWSSSODirectoryReadOnly | ReadOnly access for SSO Directory |
AmazonMachineLearningCreateOnlyAccess | Provides create access for non-prediction Amazon Machine Learning resources. |
AmazonKinesisVideoStreamsReadOnlyAccess | Provides read only access to AWS Kinesis Video Streams via the AWS Management Console. |
AWSCloudTrailReadOnlyAccess | Provides read only access to AWS CloudTrail. |
WAFRegionalLoggingServiceRolePolicy | Creating SLR to write customer's logs to a firehose stream |
AWSLambdaExecute | Provides Put, Get access to S3 and full access to CloudWatch Logs. |
AWSGlueConsoleSageMakerNotebookFullAccess | Provides full access to AWS Glue via the AWS Management Console and access to SageMaker notebook instances. |
AmazonMSKFullAccess | Provide full access to Amazon MSK and other required permissions for its dependencies. |
AWSIoTRuleActions | Allows access to all AWS services supported in AWS IoT Rule Actions |
AmazonEKSServicePolicy | This policy allows Amazon Elastic Container Service for Kubernetes to create and manage the necessary resources to operate EKS Clusters. |
AWSQuickSightDescribeRedshift | Allow QuickSight to describe Redshift resources |
AmazonElasticsearchServiceRolePolicy | Allow Amazon Elasticsearch Service to access other AWS services such as EC2 Networking APIs on your behalf. |
AmazonMQReadOnlyAccess | Provides read only access to AmazonMQ via the AWS Management Console. |
VMImportExportRoleForAWSConnector | Default policy for the VM Import/Export service role, for customers using the AWS Connector. The VM Import/Export service assumes a role with this policy to fulfill virtual machine migration requests from the AWS Connector virtual appliance. (Note that the AWS Connector uses the "AWSConnector" managed policy to issue requests on the customer's behalf to the VM Import/Export service.) Provides the ability to create AMIs and EBS snapshots, modify EBS snapshot attributes, make "Describe*" calls on EC2 objects, and read from S3 buckets starting with 'import-to-ec2-'. |
AWSCodePipelineCustomActionAccess | Provides access for custom actions to poll for jobs details (including temporary credentials) and report status updates to AWS CodePipeline. |
AWSLambdaSQSQueueExecutionRole | Provides receive message, delete message, and read attribute access to SQS queues, and write permissions to CloudWatch logs. |
AWSCloud9ServiceRolePolicy | Service Linked Role Policy for AWS Cloud9 |
AWSApplicationAutoscalingECSServicePolicy | Policy granting permissions to Application Auto Scaling to access EC2 Container Service and CloudWatch. |
AWSOpsWorksInstanceRegistration | Provides access for an Amazon EC2 instance to register with an AWS OpsWorks stack. |
AmazonCloudDirectoryFullAccess | Provides full access to Amazon Cloud Directory Service. |
AmazonECSTaskExecutionRolePolicy | Provides access to other AWS service resources that are required to run Amazon ECS tasks |
AWSStorageGatewayFullAccess | Provides full access to AWS Storage Gateway via the AWS Management Console. |
AWSIoTEventsFullAccess | Provides full access to IoT Events. |
AmazonLexReadOnly | Provides read-only access to Amazon Lex. |
AmazonChimeUserManagement | Provides user management access to Amazon Chime Admin Console via the AWS Management Console. |
AmazonMSKReadOnlyAccess | Provide readonly access to Amazon MSK |
AWSDataSyncFullAccess | Provides full access to AWS DataSync and minimal access to its dependencies |
AWSServiceRoleForIoTSiteWise | Allows AWS IoT SiteWise to provision and manage gateways as well as query data. The policy includes required AWS Greengrass permissions for deploying to groups, AWS Lambda permissions for creating and updating service-prefixed functions, and AWS IoT Analytics permissions for querying data from datastores. |
CloudwatchApplicationInsightsServiceLinkedRolePolicy | Cloudwatch Application Insights Service Linked Role Policy |
AWSTrustedAdvisorServiceRolePolicy | Access for the AWS Trusted Advisor Service to help reduce cost, increase performance, and improve security of your AWS environment. |
AWSIoTConfigReadOnlyAccess | This policy gives read only access to the AWS IoT configuration actions |
AmazonWorkMailReadOnlyAccess | Provides read only access to WorkMail and SES. |
AmazonDMSVPCManagementRole | Provides access to manage VPC settings for AWS managed customer configurations |
AWSLambdaKinesisExecutionRole | Provides list and read access to Kinesis streams and write permissions to CloudWatch logs. |
ComprehendDataAccessRolePolicy | Policy for AWS Comprehend service role which allows access to S3 resources for data access |
AmazonDocDBConsoleFullAccess | Provides full access to manage Amazon DocumentDB with MongoDB compatibility using the AWS Management Console. Note this policy also grants full access to publish on all SNS topics within the account, permissions to create and edit Amazon EC2 instances and VPC configurations, permissions to view and list keys on Amazon KMS, and full access to Amazon RDS and Amazon Neptune. |
ResourceGroupsandTagEditorReadOnlyAccess | Provides access to use Resource Groups and Tag Editor, but does not allow editing of tags via the Tag Editor. |
AmazonRekognitionServiceRole | Allows Rekognition to call AWS services on your behalf. |
AmazonSSMAutomationRole | Provides permissions for EC2 Automation service to execute activities defined within Automation documents |
CloudHSMServiceRolePolicy | Enables access to AWS resources used or managed by CloudHSM |
ComprehendReadOnly | Provides read-only access to Amazon Comprehend. |
AWSStepFunctionsConsoleFullAccess | An access policy for providing a user/role/etc access to the AWS StepFunctions console. For a full console experience, in addition to this policy, a user may need iam:PassRole permission on other IAM roles that can be assumed by the service. |
AWSQuickSightIoTAnalyticsAccess | Give QuickSight read-only access to IoT Analytics datasets |
AWSCodeBuildReadOnlyAccess | Provides read only access to AWS CodeBuild via the AWS Management Console. Also attach AmazonS3ReadOnlyAccess to provide access to download build artifacts. |
LexBotPolicy | Policy for AWS Lex Bot use case |
AmazonMacieFullAccess | Provides full access to Amazon Macie. |
AmazonMachineLearningManageRealTimeEndpointOnlyAccess | Grants users permission to create and delete the real-time endpoint for Amazon Machine Learning models. |
CloudWatchEventsInvocationAccess | Allows Amazon CloudWatch Events to relay events to the streams in AWS Kinesis Streams in your account. |
CloudFrontReadOnlyAccess | Provides access to CloudFront distribution configuration information and list distributions via the AWS Management Console. |
AWSDeepLensServiceRolePolicy | Grants AWS DeepLens access to AWS Services, resources and roles needed by DeepLens and its dependencies including IoT, S3, GreenGrass and AWS Lambda. |
AmazonSNSRole | Default policy for Amazon SNS service role. |
AmazonInspectorServiceRolePolicy | Grants Amazon Inspector access to AWS Services needed to perform security assessments |
AmazonMobileAnalyticsFinancialReportAccess | Provides read only access to all reports including financial data for all application resources. |
AWSElasticBeanstalkService | This policy is on a deprecation path. See documentation for guidance: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-servicerole.html. AWS Elastic Beanstalk Service role policy which grants permissions to create & manage resources (i.e.: AutoScaling, EC2, S3, CloudFormation, ELB, etc.) on your behalf. |
IAMReadOnlyAccess | Provides read only access to IAM via the AWS Management Console. |
AmazonRDSReadOnlyAccess | Provides read only access to Amazon RDS via the AWS Management Console. |
AWSIoTDeviceDefenderAudit | Provides read access for IoT and related resources |
AmazonCognitoPowerUser | Provides administrative access to existing Amazon Cognito resources. You will need AWS account admin privileges to create new Cognito resources. |
AmazonRoute53AutoNamingRegistrantAccess | Provides registrant level access to Route 53 Auto Naming actions. |
AmazonElasticFileSystemFullAccess | Provides full access to Amazon EFS via the AWS Management Console. |
LexChannelPolicy | Policy for AWS Lex Channel use case |
ServerMigrationConnector | Permissions to allow the AWS Server Migration Connector to migrate VMs to EC2. Allows communication with the AWS Server Migration Service, read/write access to S3 buckets starting with 'sms-b-' and 'import-to-ec2-' as well as the buckets used for AWS Server Migration Connector upgrade, AWS Server Migration Connector registration with AWS, and metrics upload to AWS. |
AmazonESCognitoAccess | Provides limited access to the Amazon Cognito configuration service. |
AWSFMAdminFullAccess | Full access for AWS FM Administrator |
AmazonChimeReadOnly | Provides read only access to Amazon Chime Admin Console via the AWS Management Console. |
AmazonZocaloFullAccess | Provides full access to Amazon Zocalo. |
AWSIoTSiteWiseReadOnlyAccess | Provides read only access to IoT SiteWise. |
AWSAccountUsageReportAccess | Allows users to access the Account Usage Report page. |
AWSIoTOTAUpdate | Allows access to create AWS IoT Job and describe the AWS code signer job |
AmazonMQFullAccess | Provides full access to AmazonMQ via the AWS Management Console. |
AWSMarketplaceGetEntitlements | Provides read access to AWS Marketplace Entitlements |
AWSGreengrassReadOnlyAccess | This policy gives read only access to the AWS Greengrass configuration, management and deployment actions |
AmazonEC2ContainerServiceforEC2Role | Default policy for the Amazon EC2 Role for Amazon EC2 Container Service. |
AmazonAppStreamFullAccess | Provides full access to Amazon AppStream via the AWS Management Console. |
AWSIoTDataAccess | This policy gives full access to the AWS IoT messaging actions |
AmazonWorkLinkFullAccess | Grants full access to Amazon WorkLink resources |
AmazonTranscribeReadOnlyAccess | Provides access to read only operation for Amazon Transcribe |
AmazonESFullAccess | Provides full access to the Amazon ES configuration service. |
ApplicationDiscoveryServiceContinuousExportServiceRolePolicy | Enables access to AWS Services and Resources used or managed by Application Discovery Service Continuous Export feature |
AmazonSumerianFullAccess | Provides full access to Amazon Sumerian. |
AWSWAFFullAccess | Provides full access to AWS WAF actions. |
ElasticLoadBalancingReadOnly | Provides read only access to Amazon ElasticLoadBalancing and dependent services |
AWSArtifactAccountSync | Allows AWS Artifact read-only access to operations in AWS Organizations. |
AmazonKinesisFirehoseFullAccess | Provides full access to all Amazon Kinesis Firehose Delivery Streams. |
CloudWatchReadOnlyAccess | Provides read only access to CloudWatch. |
AWSLambdaBasicExecutionRole | Provides write permissions to CloudWatch Logs. |
ResourceGroupsandTagEditorFullAccess | Provides full access to Resource Groups and Tag Editor. |
AWSKeyManagementServicePowerUser | Provides access to AWS Key Management Service (KMS). |
AWSApplicationAutoscalingEC2SpotFleetRequestPolicy | Policy granting permissions to Application Auto Scaling to access EC2 Spot Fleet and CloudWatch. |
AWSImportExportReadOnlyAccess | Provides read only access to the jobs created under the AWS account. |
CloudWatchEventsServiceRolePolicy | Allow AWS CloudWatch to execute actions on your behalf configured through alarms and events. |
AmazonElasticTranscoderRole | Default policy for the Amazon Elastic Transcoder service role. |
AWSGlueConsoleFullAccess | Provides full access to AWS Glue via the AWS Management Console |
AmazonEC2ContainerServiceRole | Default policy for Amazon ECS service role. |
AWSDeviceFarmFullAccess | Provides full access to all AWS Device Farm operations. |
AmazonSSMReadOnlyAccess | Provides read only access to Amazon SSM. |
AWSStepFunctionsReadOnlyAccess | An access policy for providing a user/role/etc read only access to the AWS StepFunctions service. |
AWSMarketplaceRead-only | Provides the ability to review AWS Marketplace subscriptions |
AWSApplicationAutoscalingDynamoDBTablePolicy | Policy granting permissions to Application Auto Scaling to access DynamoDB and CloudWatch. |
AWSCodePipelineFullAccess | Provides full access to AWS CodePipeline via the AWS Management Console. |
AWSCloud9User | Provides permission to create AWS Cloud9 development environments and to manage owned environments. |
AWSGreengrassResourceAccessRolePolicy | Policy for AWS Greengrass service role which allows access to related services including AWS Lambda and AWS IoT thing shadows. |
AmazonMacieServiceRolePolicy | Service linked role for Amazon Macie |
NetworkAdministrator | Grants full access permissions to AWS services and actions required to set up and configure AWS network resources. |
AWSIoT1ClickFullAccess | Provides full access to AWS IoT 1-Click. |
AmazonWorkSpacesApplicationManagerAdminAccess | Provides administrator access for packaging an application in Amazon WorkSpaces Application Manager. |
AmazonDRSVPCManagement | Provides access to manage VPC settings for Amazon managed customer configurations |
AmazonRedshiftServiceLinkedRolePolicy | Allows Amazon Redshift to call AWS services on your behalf |
AWSCertificateManagerPrivateCAReadOnly | Provides read only access to AWS Certificate Manager Private Certificate Authority |
AWSXrayFullAccess | AWS X-Ray full access managed policy |
AWSElasticBeanstalkWorkerTier | Provide the instances in your worker environment access to upload log files to Amazon S3, to use Amazon SQS to monitor your application's job queue, to use Amazon DynamoDB to perform leader election, and to Amazon CloudWatch to publish metrics for health monitoring. |
AWSDirectConnectFullAccess | Provides full access to AWS Direct Connect via the AWS Management Console. |
AWSCodeBuildAdminAccess | Provides full access to AWS CodeBuild via the AWS Management Console. Also attach AmazonS3ReadOnlyAccess to provide access to download build artifacts, and attach IAMFullAccess to create and manage the service role for CodeBuild. |
AmazonKinesisAnalyticsFullAccess | Provides full access to Amazon Kinesis Analytics via the AWS Management Console. |
AWSSecurityHubServiceRolePolicy | A service-linked role required for AWS Security Hub to access your resources. |
AWSElasticBeanstalkMaintenance | AWS Elastic Beanstalk Service Role policy that grants limited permissions to update your resources on your behalf for maintenance purposes. |
APIGatewayServiceRolePolicy | Allows API Gateway to manage associated AWS Resources on behalf of the customer. |
AWSAccountActivityAccess | Allows users to access the Account Activity page. |
AmazonGlacierFullAccess | Provides full access to Amazon Glacier via the AWS Management Console. |
AmazonFSxConsoleReadOnlyAccess | Provides read only access to Amazon FSx and access to related AWS services via the AWS Management Console. |
AmazonWorkMailFullAccess | Provides full access to WorkMail, Directory Service, SES, EC2 and read access to KMS metadata. |
DAXServiceRolePolicy | This policy allows DAX to create and manage Network interface, Security group, Subnet and Vpc on behalf of customer |
ComprehendMedicalFullAccess | Provides full access to Amazon Comprehend Medical |
AWSMarketplaceManageSubscriptions | Provides the ability to subscribe and unsubscribe to AWS Marketplace software |
AWSElasticBeanstalkCustomPlatformforEC2Role | Provide the instance in your custom platform builder environment permission to launch EC2 instance, create EBS snapshot and AMI, stream logs to Amazon CloudWatch Logs, and store artifacts in Amazon S3. |
AWSDataSyncReadOnlyAccess | Provides read-only access to AWS DataSync |
AWSVPCTransitGatewayServiceRolePolicy | Allow VPC Transit Gateway to create and manage necessary resources for your Transit Gateway VPC Attachments. |
NeptuneReadOnlyAccess | Provides read only access to Amazon Neptune. Note that this policy also grants access to Amazon RDS resources. For more information, see https://aws.amazon.com/neptune/faqs/. |
AWSSupportAccess | Allows users to access the AWS Support Center. |
AmazonElasticMapReduceforAutoScalingRole | Amazon Elastic MapReduce for Auto Scaling. Role to allow Auto Scaling to add and remove instances from your EMR cluster. |
AWSElementalMediaConvertReadOnly | Provides read only access to AWS Elemental MediaConvert via the AWS Management Console and SDK. |
AWSLambdaInvocation-DynamoDB | Provides read access to DynamoDB Streams. |
AWSServiceCatalogEndUserFullAccess | Provides full access to service catalog enduser capabilities |
IAMUserSSHKeys | Provides the ability for an IAM user to manage their own SSH keys. |
AWSDeepRacerServiceRolePolicy | Allows DeepRacer to create required resources and call AWS services on your behalf. |
AmazonSageMakerReadOnly | Provides read only access to Amazon SageMaker via the AWS Management Console and SDK. |
AWSIoTFullAccess | This policy gives full access to the AWS IoT configuration and messaging actions |
AWSQuickSightDescribeRDS | Allow QuickSight to describe the RDS resources |
AWSResourceAccessManagerServiceRolePolicy | Policy containing Read-only AWS Resource Access Manager access to customers' Organizations structure. It also contains IAM permissions to self-delete the role. |
AWSConfigRulesExecutionRole | Allows an AWS Lambda function to access the AWS Config API and the configuration snapshots that AWS Config delivers periodically to Amazon S3. This access is required by functions that evaluate configuration changes for custom Config rules. |
AWSConfigServiceRolePolicy | Allows Config to call AWS services and collect resource configurations on your behalf. |
AmazonESReadOnlyAccess | Provides read-only access to the Amazon ES configuration service. |
AWSCodeDeployDeployerAccess | Provides access to register and deploy a revision. |
KafkaServiceRolePolicy | IAM service linked role policy for Kafka. |
AmazonPollyFullAccess | Grants full access to Amazon Polly service and resources. |
AmazonSSMMaintenanceWindowRole | Service Role to be used for EC2 Maintenance Window |
AmazonRDSEnhancedMonitoringRole | Provides access to CloudWatch for RDS Enhanced Monitoring |
AmazonLexFullAccess | Provides full access to Amazon Lex via the AWS Management Console. Also provides access to create Lex Service Linked Roles and grant Lex permissions to invoke a limited set of Lambda functions. |
AWSLambdaVPCAccessExecutionRole | Provides minimum permissions for a Lambda function to execute while accessing a resource within a VPC - create, describe, delete network interfaces and write permissions to CloudWatch Logs. |
AmazonMacieServiceRole | Grants Macie read-only access to resource dependencies in your account in order to enable data analysis. |
AmazonLexRunBotsOnly | Provides access to Amazon Lex conversational APIs. |
AWSCertificateManagerPrivateCAAuditor | Provides auditor access to AWS Certificate Manager Private Certificate Authority |
AmazonSNSFullAccess | Provides full access to Amazon SNS via the AWS Management Console. |
AmazonEKS_CNI_Policy | This policy provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IP address configuration on your EKS worker nodes. This permission set allows the CNI to list, describe, and modify Elastic Network Interfaces on your behalf. More information on the AWS VPC CNI Plugin is available here: https://github.com/aws/amazon-vpc-cni-k8s |
AWSServiceCatalogAdminFullAccess | Provides full access to service catalog admin capabilities |
AWSShieldDRTAccessPolicy | Provides the AWS DDoS Response Team with limited access to your AWS account to assist with DDoS attack mitigation during a high-severity event. |
CloudSearchReadOnlyAccess | Provides read only access to the Amazon CloudSearch configuration service. |
AWSGreengrassFullAccess | This policy gives full access to the AWS Greengrass configuration, management and deployment actions |
NeptuneConsoleFullAccess | Provides full access to manage Amazon Neptune using the AWS Console. Note this policy also grants full access to publish on all SNS topics within the account, permissions to create and edit Amazon EC2 instances and VPC configurations, permissions to view and list keys on Amazon KMS, and full access to Amazon RDS. For more information, see https://aws.amazon.com/neptune/faqs/. |
AWSCloudFormationReadOnlyAccess | Provides access to AWS CloudFormation via the AWS Management Console. |
AmazonRoute53FullAccess | Provides full access to all Amazon Route 53 via the AWS Management Console. |
AWSLambdaRole | Default policy for AWS Lambda service role. |
AWSLambdaENIManagementAccess | Provides minimum permissions for a Lambda function to manage ENIs (create, describe, delete) used by a VPC-enabled Lambda Function. |
AWSOpsWorksCloudWatchLogs | Enables OpsWorks instances with the CWLogs integration enabled to ship logs and create required log groups |
AmazonAppStreamReadOnlyAccess | Provides read only access to Amazon AppStream via the AWS Management Console. |
AWSStepFunctionsFullAccess | An access policy for providing a user/role/etc access to the AWS StepFunctions API. For full access, in addition to this policy, a user MUST have iam:PassRole permission on at least one IAM role that can be assumed by the service. |
CloudTrailServiceRolePolicy | Permission policy for CloudTrail ServiceLinkedRole |
AmazonInspectorReadOnlyAccess | Provides read only access to Amazon Inspector. |
AWSOrganizationsReadOnlyAccess | Provides read-only access to AWS Organizations. |
TranslateReadOnly | Provides read-only access to Amazon Translate. |
AWSCertificateManagerFullAccess | Provides full access to AWS Certificate Manager (ACM) |
AWSDeepRacerCloudFormationAccessPolicy | Allows CloudFormation to create and manage AWS stacks and resources on your behalf. |
AWSIoTEventsReadOnlyAccess | Provides read only access to IoT Events. |
AWSRoboMakerServicePolicy | RoboMaker service policy |
PowerUserAccess | Provides full access to AWS services and resources, but does not allow management of Users and groups. |
AWSApplicationAutoScalingCustomResourcePolicy | Policy granting permissions to Application Auto Scaling to access APIGateway and CloudWatch for custom resource scaling |
GlobalAcceleratorReadOnlyAccess | Allow GlobalAccelerator Users Access to Read Only APIs |
AmazonSageMakerFullAccess | Provides full access to Amazon SageMaker via the AWS Management Console and SDK. Also provides select access to related services (e.g., S3, ECR, CloudWatch Logs). |
WAFLoggingServiceRolePolicy | Creating SLR to write customer's logs to a firehose stream |
AWSBackupServiceRolePolicyForRestores | Provides AWS Backup permission to perform restores on your behalf across AWS services. This policy includes permissions to create and delete AWS resources, such as EBS volumes, RDS instances, and EFS file systems, which are part of the restore process. |
AWSElementalMediaStoreFullAccess | Provides full read and write access to all MediaStore APIs |
CloudWatchEventsFullAccess | Provides full access to Amazon CloudWatch Events. |
AWSLicenseManagerMemberAccountRolePolicy | AWS License Manager service member account role policy |
AWSOrganizationsFullAccess | Provides full access to AWS Organizations. |
AWSCodePipeline_FullAccess | Provides full access to AWS CodePipeline via the AWS Management Console. |
DynamoDBKinesisReplicationServiceRolePolicy | Provide AWS DynamoDB access to KinesisDataStreams |
AmazonAugmentedAIIntegratedAPIAccess | Provides access to perform all operations on Amazon Augmented AI resources, including FlowDefinitions, HumanTaskUis and HumanLoops. Also provides access to those operations of services that are integrated with Amazon Augmented AI. |
AmazonFraudDetectorFullAccessPolicy | Gives access to all actions for Amazon Fraud Detector |
AmazonLaunchWizard_Fullaccess | Full access to AWS Launch Wizard and other required services. |
AmazonChimeSDK | Provides access to Amazon Chime SDK operations |
AwsGlueDataBrewFullAccessPolicy | Provides full access to AWS Glue DataBrew via the AWS Management Console. Also provides select access to related services (e.g., S3, KMS, Glue). |
AmazonElasticContainerRegistryPublicReadOnly | Provides read-only access to Amazon ECR Public repositories. |
AWSIoTDeviceTesterForFreeRTOSFullAccess | Allows AWS IoT Device Tester to run the FreeRTOS qualification suite by allowing access to services including IoT, S3, and IAM |
Route53ResolverServiceRolePolicy | Enables access to AWS Services and Resources used or managed by Route53 Resolver |
WAFV2LoggingServiceRolePolicy | This policy creates a service-linked role that allows AWS WAF to write logs to Amazon Kinesis Data Firehose. |
AWSBudgetsActionsWithAWSResourceControlAccess | Provides full access to AWS Budgets Actions including using Budgets Actions to control states of running AWS resources via AWS Management Console |
AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy | This policy is for the AWS Elastic Beanstalk service role used to perform managed updates of Elastic Beanstalk environments. This policy should not be attached to other users or roles. The policy grants broad permissions to create and manage resources across a number of AWS services including AutoScaling, EC2, ECS, Elastic Load Balancing and CloudFormation. This policy also allows passing of any IAM role usable with those services. |
AdministratorAccess-Amplify | Grants account administrative permissions while explicitly allowing direct access to resources needed by Amplify applications. |
AWSNetworkManagerFullAccess | Provides full access to Amazon NetworkManager via the AWS Management Console. |
AWSMarketplaceAmiIngestion | Allows AWS Marketplace to copy your Amazon Machine Images (AMIs) in order to list them on AWS Marketplace |
AWSPrivateMarketplaceRequests | Provides access to creating requests in an AWS Private Marketplace. |
CloudWatchApplicationInsightsReadOnlyAccess | Provides read only access to CloudWatch Application Insights. |
AdministratorAccess-AWSElasticBeanstalk | Grants account administrative permissions. Explicitly allows developers and administrators to gain direct access to resources they need to manage AWS Elastic Beanstalk applications |
AmazonSageMakerMechanicalTurkAccess | Provides access to create Amazon Augmented AI FlowDefinition resources against any Workteam. |
AmazonTimestreamConsoleFullAccess | Provides full access to manage Amazon Timestream using the AWS Management Console. Note that this policy also grants permissions for certain KMS operations, and operations to manage your saved queries. If using Customer managed CMK, please refer to documentation for additional permissions needed. |
AWSWAFConsoleFullAccess | Provides full access to AWS WAF via the AWS Management Console. Note that this policy also grants permissions to list and update Amazon CloudFront distributions, permissions to view load balancers on AWS Elastic Load Balancing, permissions to view Amazon API Gateway REST APIs and stages, permissions to list and view Amazon CloudWatch metrics, and permissions to view regions enabled within the account. |
AWSGlueSchemaRegistryReadonlyAccess | Provides readonly access to the AWS Glue Schema Registry Service |
AWSNetworkManagerServiceRolePolicy | Allow NetworkManager to access resources associated with your Global Networks |
AWSAppMeshServiceRolePolicy | Enables access to AWS Services and Resources used or managed by AWS AppMesh |
AWSConfigRemediationServiceRolePolicy | Allows AWS Config to remediate noncompliant resources on your behalf. |
ConfigConformsServiceRolePolicy | Policy needed for AWSConfig to create conformance packs |
AmazonEventBridgeReadOnlyAccess | Provides read only access to Amazon EventBridge. |
AWSCodeStarNotificationsServiceRolePolicy | Allows AWS CodeStar Notifications to access Amazon CloudWatch Events on your behalf |
AmazonKendraFullAccess | Provides full access to Amazon Kendra via the AWS Management Console. |
AmazonEMRFullAccessPolicy_v2 | Provides full access to Amazon EMR |
AmazonS3OutpostsFullAccess | Provides full access to Amazon S3 on Outposts via the AWS Management Console. |
AWSQuickSightElasticsearchPolicy | Provides access to Amazon Elasticsearch resources from Amazon QuickSight |
AWSApplicationAutoscalingCassandraTablePolicy | Policy granting permissions to Application Auto Scaling to access Cassandra and CloudWatch. |
AWSSystemsManagerAccountDiscoveryServicePolicy | Grants AWS Systems Manager (SSM) permission to discover AWS account information. |
AmazonDevOpsGuruFullAccess | Provides full access to Amazon DevOps Guru. |
AWSResourceAccessManagerReadOnlyAccess | Provides read only access to AWS Resource Access Manager. |
AmazonEventBridgeFullAccess | Provides full access to Amazon EventBridge. |
AWSThinkboxAWSPortalAdminPolicy | This policy grants AWS Thinkbox's Deadline software full access to multiple AWS services as required for AWS Portal administration. This includes access to create arbitrary tags on several EC2 resource types. |
AWSElasticBeanstalkReadOnly | Grants read-only permissions. Explicitly allows operators to gain direct access to retrieve information about resources related to AWS Elastic Beanstalk applications. |
EC2InstanceProfileForImageBuilderECRContainerBuilds | EC2 Instance profile for building container images with EC2 Image Builder. This policy grants the user broad permissions to upload ECR images. |
AWSCodeDeployRoleForLambdaLimited | Provides CodeDeploy service limited access to perform a Lambda deployment on your behalf. |
AWSAuditManagerServiceRolePolicy | Enables access to AWS Services and Resources used or managed by AWS Audit Manager |
CloudWatchSyntheticsReadOnlyAccess | Provides read only access to CloudWatch Synthetics. |
AmazonNimbleStudio-StudioUser | This policy grants access to Amazon Nimble Studio resources associated with the studio user and related studio resources in other services. Attach this policy to the User role associated with your studio. |
AWSCloudTrail_FullAccess | Provides full access to AWS CloudTrail. |
AccessAnalyzerServiceRolePolicy | Allow Access Analyzer to analyze resource metadata |
AmazonRoute53ResolverReadOnlyAccess | Read only policy for Route 53 Resolver |
AmazonEC2RolePolicyForLaunchWizard | Managed policy for the Amazon LaunchWizard service role for EC2 |
AmazonAppFlowReadOnlyAccess | Provides read only access to Amazon Appflow flows |
AmazonLookoutVisionConsoleReadOnlyAccess | Provides read only access to Amazon Lookout for Vision and scoped access to required service and console dependencies. |
AWSQuickSightTimestreamPolicy | AWS QuickSight access to AWS Timestream APIs. Customers can attach this policy to AWS QuickSight role to allow retrieval of data and metadata. |
AmazonManagedBlockchainFullAccess | Provides full access to Amazon Managed Blockchain. |
ServiceQuotasFullAccess | Provides full access to Service Quotas |
AmazonTimestreamFullAccess | Provides full access to Amazon Timestream. Note that this policy also grants certain KMS operation access. If using Customer managed CMK, please refer to documentation for additional permissions needed. |
ElementalAppliancesSoftwareReadOnlyAccess | Read-only access to view Elemental Appliances and Software quotes and orders |
AmazonLookoutVisionFullAccess | Provides full access to Amazon Lookout for Vision and scoped access to required dependencies. |
AWSCodeDeployRoleForCloudFormation | Provides CodeDeploy service access to invoke Lambda function on your behalf to perform blue/green deployment through CloudFormation. |
BatchServiceRolePolicy | Provides access for the AWS Batch service to manage the required resources, including Amazon EC2 and Amazon ECS resources. |
AmazonHoneycodeServiceRolePolicy | A service-linked role required for Amazon Honeycode to access your resources. |
AmazonSageMakerEdgeDeviceFleetPolicy | Provides permissions necessary for SageMaker Edge to create and manage a device fleet for the customer using the default cloud connection. |
AWSIoTSiteWiseMonitorServiceRolePolicy | This role grants AWS IoT SiteWise monitor permissions to access your AWS IoT SiteWise assets & asset properties, and create AWS IoT Sitewise projects, dashboards & access policies through AWS IoT SiteWise portals. |
AmazonHoneycodeReadOnlyAccess | Provides read only access to Honeycode via the AWS Management Console and the SDK. |
AWSCloudFormationFullAccess | Provides full access to AWS CloudFormation. |
AWSPanoramaApplianceRolePolicy | Allows AWS IoT software on an AWS Panorama Appliance to upload logs to Amazon CloudWatch. |
AmazonLookoutMetricsFullAccess | Gives access to all actions for Amazon Lookout for Metrics |
AWSApplicationMigrationAgentPolicy | This policy allows installing and using the AWS Replication Agent, which is used with AWS Application Migration Service (MGN) to migrate external servers to AWS. Attach this policy to your IAM users or roles whose credentials you provide when installing the AWS Replication Agent. |
AWSOpsWorks_FullAccess | Provides full access to AWS OpsWorks. |
AWSNetworkFirewallServiceRolePolicy | Allow AWSNetworkFirewall to create and manage necessary resources for your Firewalls. |
ElementalAppliancesSoftwareFullAccess | Full access to view and take action on Elemental Appliances and Software quotes and orders |
AmazonMachineLearningRoleforRedshiftDataSourceV3 | Allows Machine Learning to configure and use your Redshift Clusters and S3 Staging Locations for Redshift Data Source. |
AmazonAugmentedAIHumanLoopFullAccess | Provides access to perform all operations on HumanLoops. |
AmazonLookoutEquipmentReadOnlyAccess | Provides read only access to Amazon Lookout for Equipment |
AWSDataExchangeReadOnly | Grants read-only access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. |
AWSMarketplaceSellerProductsFullAccess | Provides sellers full access to AWS Marketplace Management Products page and other AWS services such as AMI management. |
AWSMarketplaceLicenseManagementServiceRolePolicy | Enables access to AWS Services and Resources used or managed by AWS Marketplace for license management. |
AWSProtonReadOnlyAccess | Provides read only access to the AWS Proton APIs and Management Console. |
AmazonLexV2BotPolicy | Provides Lex V2 bots access to call other AWS services on your behalf. |
AWSIQContractServiceRolePolicy | Used by AWS IQ to execute payment requests on behalf of a customer |
AWSStorageGatewayServiceRolePolicy | Service-linked role used by AWS Storage Gateway to enable integration of other AWS services with Storage Gateway. |
AWSBackupOrganizationAdminAccess | This policy is for backup administrators who use cross-account backup management to manage backups for the organization. |
AWSIoTSiteWiseMonitorPortalAccess | This policy grants permissions to access AWS IoT SiteWise assets and asset data, create AWS IoT SiteWise Monitor resources, and list AWS SSO users. |
AWSAuditManagerAdministratorAccess | Provides administrative access to enable or disable AWS Audit Manager, update settings, and manage assessments, controls, and frameworks |
ElementalSupportCenterFullAccess | Full access to view and take action on Elemental Appliance and Software support cases and product support content |
AmazonHoneycodeFullAccess | Provides full access to Honeycode via the AWS Management Console and the SDK. |
AmazonWorkDocsReadOnlyAccess | Provides read only access to Amazon WorkDocs via the AWS Management Console |
CloudWatchLambdaInsightsExecutionRolePolicy | Policy required for the Lambda Insights Extension |
AWSGlobalAcceleratorSLRPolicy | Policy granting permissions to AWS Global Accelerator to manage EC2 Elastic Network Interfaces and Security Groups. |
EC2InstanceProfileForImageBuilder | EC2 Instance profile for Image Builder service. |
AWSServiceRoleForLogDeliveryPolicy | Allows Log Delivery service to deliver logs by calling log destination on your behalf. |
AmazonCodeGuruReviewerFullAccess | Grants full access to Amazon CodeGuru Reviewer and scoped access to required dependencies. |
AWSVPCS2SVpnServiceRolePolicy | Allow Site-to-Site VPN to create and manage resources related to your VPN Connections. |
AWSImageBuilderFullAccess | Provides full access to all AWS Image Builder actions and resource scoped access to related AWS services. |
AWSIncidentManagerResolverAccess | This policy grants permissions to start, view, and update incidents with full access to custom timeline events & related items. Assign this policy to users who will create and resolve incidents. |
AWSCertificateManagerPrivateCAPrivilegedUser | Provides privileged certificate user access to AWS Certificate Manager Private Certificate Authority |
AmazonSSMPatchAssociation | Provide access to child instances for patch association operation. |
AWSBudgetsReadOnlyAccess | Provides read only access to AWS Budgets Console via the AWS Management Console. |
AWSOpsWorksRegisterCLI_OnPremises | Policy to enable registration of On-Premises instances via the OpsWorks CLI |
Health_OrganizationsServiceRolePolicy | AWS Health policy to enable Organizational View feature |
AmazonElasticContainerRegistryPublicFullAccess | Provides administrative access to Amazon ECR Public resources |
AmazonMCSReadOnlyAccess | Provide read only access to Amazon Managed Apache Cassandra Service |
AWSRoboMaker_FullAccess | Provides full access to AWS RoboMaker via the AWS Management Console and SDK. Also provides select access to related services (e.g., S3, IAM). |
AWSAppMeshPreviewServiceRolePolicy | Enables access to AWS Services and Resources used or managed by AWS App Mesh |
ServiceQuotasServiceRolePolicy | Allows Service Quotas to create support cases on your behalf |
AWSLambdaMSKExecutionRole | Provides permissions required to access MSK Cluster within a VPC, manage ENIs (create, describe, delete) in the VPC and write permissions to CloudWatch Logs. |
ComputeOptimizerReadOnlyAccess | Provides read only access to ComputeOptimizer. |
AlexaForBusinessPolyDelegatedAccessPolicy | Provide access to Poly AVS devices |
AWSMarketplaceProcurementSystemAdminFullAccess | Provides full access to all administrative actions for an AWS Marketplace eProcurement integration. |
AmazonEKSFargatePodExecutionRolePolicy | Provides access to other AWS service resources that are required to run Amazon EKS pods on AWS Fargate |
AWSIoTWirelessReadOnlyAccess | Allows the associated identity read only access to AWS IoT wireless. |
AppRunnerServiceRolePolicy | Allows AWS AppRunner to manage related AWS resources on your behalf. |
AWSThinkboxDeadlineResourceTrackerAdminPolicy | Grants permissions required to create, destroy, and administer AWS Thinkbox's Deadline Resource Tracker. |
IAMAccessAdvisorReadOnly | This policy grants access to read all access information provided by IAM access advisor such as service last accessed information. |
AmazonSageMakerFeatureStoreAccess | Provides permissions required to enable the offline store for an Amazon SageMaker FeatureStore feature group. |
AmazonCodeGuruReviewerReadOnlyAccess | Provides read only access to Amazon CodeGuru Reviewer. |
AWSThinkboxAWSPortalGatewayPolicy | This policy grants the AWS Portal Gateway machine the necessary permissions required for normal operation. |
AWSApplicationAutoscalingKafkaClusterPolicy | Policy granting permissions to Application Auto Scaling to access Managed Streaming for Apache Kafka and CloudWatch. |
AWSSystemsManagerOpsDataSyncServiceRolePolicy | IAM role for SSM Explorer to manage OpsData related operations |
AmazonCodeGuruProfilerFullAccess | Provides full access to Amazon CodeGuru Profiler. |
AWSProtonDeveloperAccess | Provides access to the AWS Proton APIs and Management Console, but does not allow administration of Proton templates or environments. |
AmazonElasticFileSystemServiceRolePolicy | Allows Amazon Elastic File System to manage AWS resources on your behalf |
AmazonSageMakerGroundTruthExecution | Provides access to AWS services that are required to run SageMaker GroundTruth Labeling job |
AWSResourceAccessManagerFullAccess | Provides full access to AWS Resource Access Manager |
CertificateManagerServiceRolePolicy | Amazon Certificate Manager Service Role Policy |
AWSIoTDeviceDefenderEnableIoTLoggingMitigationAction | Provides access for enabling IoT logging for execution of ENABLE_IOT_LOGGING mitigation action |
AWSGrafanaWorkspacePermissionManagement | Provides only the ability to update user and group permissions for AWS Grafana workspaces. |
AmazonNimbleStudio-LaunchProfileWorker | This policy grants access to resources needed by Nimble Studio Launch Profile workers. Attach this policy to EC2 instances created by Nimble Studio Builder. |
AWSElasticBeanstalkRoleCWL | (Elastic Beanstalk operations role) Allows an environment to manage Amazon CloudWatch Logs log groups. |
DynamoDBCloudWatchContributorInsightsServiceRolePolicy | Permissions required to support Amazon CloudWatch Contributor Insights for Amazon DynamoDB. |
AWSElasticBeanstalkRoleRDS | (Elastic Beanstalk operations role) Allows an environment to integrate an Amazon RDS instance. |
AWSPanoramaServiceRolePolicy | Allows AWS Panorama to manage resources in Amazon S3, AWS IoT, AWS IoT GreenGrass, AWS Lambda, Amazon SageMaker, and Amazon CloudWatch Logs, and to pass service roles to AWS IoT, AWS IoT GreenGrass, and Amazon SageMaker. |
AmazonEMRReadOnlyAccessPolicy_v2 | Provides read only access to Amazon EMR and the associated CloudWatch Metrics. |
AmazonEventBridgeApiDestinationsServiceRolePolicy | Allows EventBridge to access Secret Manager resources on your behalf. |
AWSServiceRoleForCodeGuru-Profiler | A service-linked role required for Amazon CodeGuru Profiler to send notifications on your behalf. |
AmazonChimeVoiceConnectorServiceLinkedRolePolicy | Managed policy for Service Linked Role for Amazon Chime VoiceConnector |
AmazonPrometheusQueryAccess | Grants access to run queries against AWS Managed Prometheus resources |
AmazonWorkDocsFullAccess | Provides full access to Amazon WorkDocs via the AWS Management Console |
AmazonHoneycodeWorkbookReadOnlyAccess | Provides read only access to Honeycode Workbook via the AWS Management Console and the SDK. |
MediaPackageServiceRolePolicy | Allows MediaPackage to publish logs to CloudWatch |
IAMAccessAnalyzerReadOnlyAccess | Provides read only access to IAM Access Analyzer resources |
AmazonEventBridgeSchemasServiceRolePolicy | Grants permissions to Managed Rules created by Amazon EventBridge schemas. |
AWSIoTDeviceDefenderPublishFindingsToSNSMitigationAction | Provides messages publish access to SNS topic for execution of PUBLISH_FINDING_TO_SNS mitigation action |
AmazonQLDBConsoleFullAccess | Provides full access to Amazon QLDB via the AWS Management Console. |
AWSGlueSchemaRegistryFullAccess | Provides full access to the AWS Glue Schema Registry Service |
AWSServiceCatalogAppRegistryServiceRolePolicy | Allows Service Catalog AppRegistry to manage Resource Groups on your behalf |
AWSIoTFleetHubFederationAccess | Federation access for IoT Fleet Hub applications |
AmazonElasticFileSystemClientReadWriteAccess | Provides read and write client access to an Amazon EFS file system |
AWSApplicationAutoscalingComprehendEndpointPolicy | Policy granting permissions to Application Auto Scaling to access Comprehend and CloudWatch. |
AWSCloudShellFullAccess | Grants using AWS CloudShell with all features |
AWSIoTDeviceDefenderAddThingsToThingGroupMitigationAction | Provides write access to IoT thing groups and read access to IoT Certificates for execution of ADD_THINGS_TO_THING_GROUP mitigation action |
AWSIoTWirelessDataAccess | Allows the associated identity data access to AWS IoT Wireless devices. |
AmazonQLDBFullAccess | Provides full access to Amazon QLDB via the service API. |
AmazonAugmentedAIFullAccess | Provides access to perform all operations on Amazon Augmented AI resources, including FlowDefinitions, HumanTaskUis and HumanLoops. Does not allow access for creating FlowDefinitions against the public-crowd Workteam. |
AmazonKeyspacesFullAccess | Provide full access to Amazon Keyspaces |
AWSIoTDeviceDefenderReplaceDefaultPolicyMitigationAction | Provides write access to IoT policies for execution of REPLACE_DEFAULT_POLICY_VERSION mitigation action |
AWSAppMeshReadOnly | Provides read-only access to the AWS App Mesh APIs and Management Console. |
ComputeOptimizerServiceRolePolicy | Allows ComputeOptimizer to call AWS services and collect workload details on your behalf. |
AWSApplicationMigrationFullAccess | This policy provides permissions to all public APIs of AWS Application Migration Service (MGN), as well as permissions to read KMS key information. Attach this policy to your IAM users or roles. |
AWSLakeFormationCrossAccountManager | Provides cross account access to Glue resources via Lake Formation. Also grants read access to other required services such as organizations and resource access manager |
AWSGlueDataBrewServiceRole | This policy grants permission to Glue to perform actions on the user's Glue data catalog. This policy also provides permission to EC2 actions to allow Glue to create ENI to connect to resources in the VPC, allows Glue to access registered data in Lake Formation, and grants permission to access the user's CloudWatch. |
AmazonBraketFullAccess | Provides full access to Amazon Braket via the AWS Management Console and SDK. Also provides access to related services (e.g., S3, logs). |
AWSElasticBeanstalkManagedUpdatesServiceRolePolicy | AWS Elastic Beanstalk Service Role policy that grants limited permissions to managed updates. |
AmazonLexChannelsAccess | This policy allows customers to call Lex runtime from channels |
AlexaForBusinessLifesizeDelegatedAccessPolicy | Provide access to Lifesize AVS devices |
AmazonTimestreamReadOnlyAccess | Provides read only access to Amazon Timestream. Policy also provides permission to cancel any running query. If using Customer managed CMK, please refer to documentation for additional permissions needed. |
AWSPanoramaFullAccess | Provides full access to AWS Panorama |
AmazonQLDBReadOnly | Provides read only access to Amazon QLDB. |
AWSChatbotServiceLinkedRolePolicy | The Service Linked Role used by AWS Chatbot. |
AWSLambda_ReadOnlyAccess | Grants read-only access to AWS Lambda service, AWS Lambda console features, and other related AWS services. |
AWSCodePipeline_ReadOnlyAccess | Provides read only access to AWS CodePipeline via the AWS Management Console. |
S3StorageLensServiceRolePolicy | Enables access to AWS Services and Resources used or managed by S3 Storage Lens |
ServerMigrationServiceConsoleFullAccess | Required permissions to use all features of the Server Migration Service Console |
AWSAppSyncServiceRolePolicy | Enables access to AWS services and resources used or managed by AppSync |
AWSAppMeshFullAccess | Provides full access to the AWS App Mesh APIs and Management Console. |
AWSIncidentManagerServiceRolePolicy | This policy grants Incident Manager permission to manage incident records and related resources on your behalf. |
AWSProtonFullAccess | Provides full access to the AWS Proton APIs and Management Console. In addition to these permissions, access to Amazon S3 is also needed to register template bundles from your S3 buckets, as well as access to Amazon IAM to create and manage the service roles for Proton. |
AWSCloud9SSMInstanceProfile | This policy will be used to attach a role on an InstanceProfile which will allow Cloud9 to use the SSM Session Manager to connect to the instance |
ElementalActivationsDownloadSoftwareAccess | Access to view purchased assets and download related software and kickstart files |
AWSPanoramaGreengrassGroupRolePolicy | Allows an AWS Lambda function on an AWS Panorama Appliance to manage resources in Panorama, upload logs and metrics to Amazon CloudWatch, and to manage objects in buckets created for use with Panorama. |
AmazonDetectiveFullAccess | Provides full access to Amazon Detective service and scoped access to the console UI dependencies |
AWSTransferReadOnlyAccess | Provide readonly access to AWS Transfer services. |
ServiceQuotasReadOnlyAccess | Provides read only access to Service Quotas |
EC2FleetTimeShiftableServiceRolePolicy | Policy granting permissions to EC2 Fleet to launch instances in the future. |
MigrationHubDMSAccessServiceRolePolicy | Policy for Database Migration Service to assume role in customer's account to call Migration Hub |
AWSServiceCatalogEndUserReadOnlyAccess | Provides read-only access to Service Catalog end-user capabilities |
ElementalActivationsFullAccess | Full access to view and take action on Elemental Appliances and Software purchased assets |
AWSIQPermissionServiceRolePolicy | Allows AWS IQ to manage the role assumed by AWS IQ experts. |
AmazonEKSForFargateServiceRolePolicy | This policy grants necessary permissions to Amazon EKS to run fargate tasks |
ElementalActivationsReadOnlyAccess | Read-only access to the detailed list of purchased assets associated to the AWS account of the user |
MigrationHubSMSAccessServiceRolePolicy | Policy for Server Migration Service to assume role in customer's account to call Migration Hub |
CloudFormationStackSetsOrgAdminServiceRolePolicy | Service Role for CloudFormation StackSets (Organization Master Account) |
AmazonEventBridgeSchemasFullAccess | Provides full access to Amazon EventBridge Schemas. |
AWSMarketplaceSellerFullAccess | Provides full access to all seller operations on the AWS Marketplace and other AWS services such as AMI management. |
CloudWatchAutomaticDashboardsAccess | Provides access to the non-CloudWatch APIs used to display CloudWatch Automatic Dashboards, including the contents of objects such as Lambda functions |
AWSDeepRacerFullAccess | Provides full access to AWS DeepRacer. Also provides select access to related services (e.g., S3). |
AmazonWorkMailEventsServiceRolePolicy | Enables access to AWS Services and Resources used or managed by Amazon WorkMail Events |
AmazonHoneycodeTeamAssociationFullAccess | Provides full access to Honeycode Team Association via the AWS Management Console and the SDK. |
AmazonPrometheusRemoteWriteAccess | Grants write only access to AWS Managed Prometheus workspaces |
AmazonDevOpsGuruReadOnlyAccess | Provides read only access to Amazon DevOps Guru Console. |
AmazonEventBridgeSchemasReadOnlyAccess | Provides read only access to Amazon EventBridge Schemas. |
AmazonFISServiceRolePolicy | Policy to enable AWS FIS to manage monitoring and resource selection for experiments. |
AWSThinkboxDeadlineSpotEventPluginWorkerPolicy | Grant permissions required for an EC2 instance running AWS Thinkbox Deadline Spot Event Plugin Worker software. |
AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy | This policy is used by the service-linked role named AWSServiceRoleForCloudWatchAlarms_ActionSSMIncidents. CloudWatch uses this service-linked role to perform AWS System Manager Incident Manager actions when a CloudWatch alarm goes into ALARM state. This policy grants permission to start incidents on your behalf. |
AWSIoTWirelessFullPublishAccess | Provides IoT Wireless full access to publish to IoT Rules Engine on your behalf. |
GameLiftGameServerGroupPolicy | Policy to allow Gamelift GameServerGroups to manage customer resources |
AmazonMWAAServiceRolePolicy | The Service Linked Role used by Amazon Managed Workflows for Apache Airflow. |
AmazonConnect_FullAccess | The purpose of this policy is to grant permissions to AWS Connect users required to use Connect resources. This policy provides full access to AWS Connect resources via the Connect Console and public APIs |
AWSElementalMediaLiveFullAccess | Provides full access to AWS Elemental MediaLive resources |
AWSMarketplaceSellerProductsReadOnly | Provide sellers read-only access to AWS Marketplace Management Products page. |
AmazonMCSFullAccess | Provide full access to Amazon Managed Apache Cassandra Service |
AWSIoTSiteWiseConsoleFullAccess | Provides full access to manage AWS IoT SiteWise using the AWS Management Console. Note this policy also grants access to create and list data stores used with AWS IoT SiteWise (e.g. AWS IoT Analytics), access to list and view AWS IoT Greengrass resources, list and modify AWS Secrets Manager secrets, retrieve AWS IoT thing shadows, list resources with specific tags, and create and use a service-linked role for AWS IoT SiteWise. |
AmazonElasticFileSystemClientFullAccess | Provides root client access to an Amazon EFS file system |
AWSIoTDeviceDefenderUpdateDeviceCertMitigationAction | Provides write access to IoT certificates for execution of UPDATE_DEVICE_CERTIFICATE mitigation action |
AWSThinkboxAssetServerPolicy | This policy grants the AWS Portal Asset Server the necessary permissions required for normal operation. |
AWSForWordPressPluginPolicy | Managed policy for AWS For Wordpress Plugin |
AWSTransferFullAccess | Provides full access to AWS Transfer Service. |
AWSServiceRoleForAmazonEKSNodegroup | Permissions required for managing nodegroups in the customer's account. These policies relate to management of the following resources: AutoscalingGroups, SecurityGroups, LaunchTemplates and InstanceProfiles. |
AWSGrafanaAccountAdministrator | Provides access within Amazon Grafana to create and manage workspaces for the entire organization. |
AWSBackupOperatorAccess | This policy grants users permissions to assign AWS resources to backup plans, create on-demand backups, and restore backups. This policy does not allow the user to create or edit backup plans or to delete scheduled backups after they are created. |
AWSApplicationAutoscalingLambdaConcurrencyPolicy | Policy granting permissions to Application Auto Scaling to access Lambda and CloudWatch. |
AWSBudgetsActionsRolePolicyForResourceAdministrationWithSSM | This policy gives AWS Budgets broad permission to control AWS resources. For example, to start and stop EC2 or RDS instances by executing AWS Systems Manager (SSM) scripts. |
AWSIoTDeviceDefenderUpdateCACertMitigationAction | Provides write access to IoT CA certificates for execution of UPDATE_CA_CERTIFICATE mitigation action |
AWSBackupServiceLinkedRolePolicyForBackupTest | Provides AWS Backup permission to create backups on your behalf across AWS services |
AWSApplicationMigrationMGHAccess | This policy allows AWS Application Migration Service (MGN) to send meta-data about the progress of servers being migrated using MGN to AWS Migration Hub (MGH). MGN automatically creates an IAM role with this policy attached, and assumes this role. We do not recommend that you attach this policy to your IAM users or roles. |
AWSDeviceFarmTestGridServiceRolePolicy | Grant permissions to AWS Device Farm to call EC2 APIs on your behalf. |
AmazonLookoutEquipmentFullAccess | Provides full access to Amazon Lookout for Equipment operations |
AWSPurchaseOrdersServiceRolePolicy | Grants permissions to view and modify purchase orders on billing console |
AmazonHoneycodeTeamAssociationReadOnlyAccess | Provides read only access to Honeycode Team Association via the AWS Management Console and the SDK. |
AmazonWorkSpacesServiceAccess | Provides customer account access to AWS WorkSpaces service for launching a Workspace. |
AWSSecurityHubOrganizationsAccess | Grants permission to enable and manage AWS Security Hub within an organization. Includes enabling the service across the organization, and determining the delegated administrator account for the service. |
AmazonElasticFileSystemsUtils | Allows customers to use AWS Systems Manager to automatically manage Amazon EFS utilities (amazon-efs-utils) package on their EC2 instances, and use CloudWatchLog to get EFS file system mount success/failure notifications. |
AWSTransferConsoleFullAccess | Provides full access to AWS Transfer via the AWS Management Console |
AmazonEKSServiceRolePolicy | A Service-Linked Role required for Amazon EKS to call AWS services on your behalf. |
AWSIoTWirelessLogging | Allows the associated identity to create Amazon CloudWatch Logs groups and stream logs to the groups. |
AWSConfigMultiAccountSetupPolicy | Allows Config to call AWS services and deploy config resources across organization |
AWSIoTWirelessFullAccess | Allows the associated identity full access to all AWS IoT Wireless operations. |
AWSElementalMediaLiveReadOnly | Provides read only access to AWS Elemental MediaLive resources |
AmazonElasticFileSystemClientReadOnlyAccess | Provides read only client access to an Amazon EFS file system |
AmazonElasticMapReducePlacementGroupPolicy | Policy to allow EMR to create, describe and delete EC2 placement groups. |
AmazonCognitoIdpServiceRolePolicy | Enables access to AWS Services and Resources used or managed by Amazon Cognito User Pools |
AmazonMQServiceRolePolicy | Service Linked Role Policy for AWS Amazon MQ |
AWSApplicationMigrationServiceRolePolicy | Allows AWS Application Migration Service to create and manage AWS resources on your behalf. |
AmazonKeyspacesReadOnlyAccess | Provide read only access to Amazon Keyspaces |
CloudFormationStackSetsOrgMemberServiceRolePolicy | Service Role for CloudFormation StackSets (Organization Member Account) |
AWSResourceAccessManagerResourceShareParticipantAccess | Provides access to AWS Resource Access Manager APIs needed by a resource share participant. |
AWSBillingReadOnlyAccess | Allows users to view bills on the Billing Console. |
ServerMigrationServiceRoleForInstanceValidation | Permissions to allow the AWS SMS to run used data validation script and send script success/failure back to SMS |
AWSBackupFullAccess | This policy is for backup administrators, granting full access to AWS Backup operations, including creating or editing backup plans, assigning AWS resources to backup plans, deleting backups, and restoring backups. |
AmazonDevOpsGuruServiceRolePolicy | A service-linked role required for Amazon DevOpsGuru to access your resources. |
AWSElasticBeanstalkRoleWorkerTier | (Elastic Beanstalk operations role) Allows a worker environment tier to create an Amazon DynamoDB table and an Amazon SQS queue. |
AmazonCodeGuruProfilerReadOnlyAccess | Provides read only access to Amazon CodeGuru Profiler. |
ElementalActivationsGenerateLicenses | Access to view purchased assets and generate software licenses for pending activations |
AWSAppRunnerServicePolicyForECRAccess | AWS App Runner service policy that grants read permissions to Amazon ECR resources in the customer's account. Use it in a role that is passed to App Runner when creating or updating an App Runner service. |
AWSNetworkManagerReadOnlyAccess | Provides read only access to Amazon NetworkManager via the AWS Management Console. |
AmazonEMRServicePolicy_v2 | This policy is used for the Amazon EMR Service Role and should NOT be used for any other IAM users or roles in your account. The policy grants permissions to create and manage resources associated with EMR and related services necessary for the operation of your EMR cluster. |
AWSApplicationMigrationReadOnlyAccess | This policy provides permissions to all read-only public APIs of Application Migration Service (MGN), as well as some read-only APIs of other AWS services that are required in order to make full read-only use of the MGN console. Attach this policy to your IAM users or roles. |
AWSServiceCatalogAppRegistryReadOnlyAccess | Provides read-only access to Service Catalog App Registry capabilities |
AWSServiceRoleForCloudWatchAlarmsActionSSMServiceRolePolicy | Provides access to Systems Manager resources used by CloudWatch Alarms |
IVSRecordToS3 | Service Linked Role to perform S3 PutObject to recording IVS live streams |
AmazonWorkMailMessageFlowReadOnlyAccess | Read only access to WorkMail messages for the GetRawMessageContent API |
CloudWatchSyntheticsFullAccess | Provides full access to CloudWatch Synthetics. |
AWSDataExchangeSubscriberFullAccess | Grants data subscriber access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to related services needed to take full advantage of AWS Data Exchange. |
IAMAccessAnalyzerFullAccess | Provides full access to IAM Access Analyzer |
AWSCodeArtifactAdminAccess | Provides full access to AWS CodeArtifact via the AWS Management Console. |
AWSServiceCatalogAdminReadOnlyAccess | Provides read-only access to Service Catalog admin capabilities |
AWSQuickSightSageMakerPolicy | Provides access to Amazon SageMaker resources from Amazon QuickSight |
AWSDataLifecycleManagerServiceRoleForAMIManagement | Provides appropriate permissions to AWS Data Lifecycle Manager to take actions on AWS resources for AMI Management |
AmazonMonitronFullAccess | Provides full access to manage Amazon Monitron |
AmazonHealthLakeReadOnlyAccess | Provides read only access to Amazon HealthLake service. |
AmazonWorkSpacesSelfServiceAccess | Provides access to Amazon WorkSpaces backend service to perform Workspace Self Service actions |
AmazonManagedBlockchainServiceRolePolicy | Enables access to AWS Services and Resources used or managed by Amazon Managed Blockchain |
AmazonSageMakerCoreServiceRolePolicy | Managed policy for Service Linked Role for Amazon SageMaker Core Services |
AWSThinkboxDeadlineSpotEventPluginAdminPolicy | Grants permissions required for AWS Thinkbox's Deadline Spot Event Plugin. This includes permission to request, modify, and cancel a spot fleet, as well as limited PassRole permission. |
AmazonLookoutMetricsReadOnlyAccess | Gives access to all read-only actions for Amazon Lookout for Metrics |
AWSDataExchangeFullAccess | Grants full access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to related services needed to take full advantage of AWS Data Exchange. |
AWSDataExchangeProviderFullAccess | Grants data provider access to AWS Data Exchange and AWS Marketplace actions using the AWS Management Console and SDK. It also provides select access to related services needed to take full advantage of AWS Data Exchange. |
CloudWatchApplicationInsightsFullAccess | Provides full access to CloudWatch Application Insights and required dependencies. |
AWSControlTowerServiceRolePolicy | Provides access to AWS Resources managed or used by AWS Control Tower |
AmazonSageMakerNotebooksServiceRolePolicy | Managed policy for Service Linked Role for Amazon SageMaker Notebooks |
AmazonRoute53ResolverFullAccess | Full access policy for Route 53 Resolver |
AWSSystemsManagerChangeManagementServicePolicy | Provides access to AWS resources managed or used by the AWS Systems Manager change management framework. |
AWSServiceCatalogAppRegistryFullAccess | Provides full access to Service Catalog App Registry capabilities |
LakeFormationDataAccessServiceRolePolicy | Policy to grant temporary data access to Lake Formation resources |
AmazonChimeServiceRolePolicy | Enables access to AWS Resources used or managed by Amazon Chime |
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy | Service role policy used by the AWS Service Catalog service to provision products from Amazon SageMaker portfolio of products. Grants permissions to a set of related services including CodePipeline, CodeBuild, CodeCommit, Glue, CloudFormation, etc. |
AWSTrustedAdvisorReportingServiceRolePolicy | Service Policy for Trusted Advisor Multi-account Reporting |
AWSOpsWorksRegisterCLI_EC2 | Policy to enable registration of EC2 instances via the OpsWorks CLI |
AWSWAFConsoleReadOnlyAccess | Provides read-only access to AWS WAF via the AWS Management Console. Note that this policy also grants permissions to list Amazon CloudFront distributions, permissions to view load balancers on AWS Elastic Load Balancing, permissions to view Amazon API Gateway REST APIs and stages, permissions to list and view Amazon CloudWatch metrics, and permissions to view regions enabled within the account. |
AWSSavingsPlansFullAccess | Provides full access to Savings Plans service |
AWSServiceRoleForImageBuilder | Allows EC2ImageBuilder to call AWS services on your behalf. |
AmazonBraketServiceRolePolicy | Allows Amazon Braket to create and manage AWS resources on your behalf |
AmazonCodeGuruProfilerAgentAccess | Provides access required by Amazon CodeGuru Profiler agent. |
AmazonLookoutVisionConsoleFullAccess | Provides full access to Amazon Lookout for Vision and scoped access to required service and console dependencies. |
AmazonCodeGuruReviewerServiceRolePolicy | A service-linked role required for Amazon CodeGuru Reviewer to access resources on your behalf. |
ServerMigration_ServiceRole | Permissions to allow the AWS Server Migration Service to migrate VMs to EC2: allows the Server Migration Service to place the migrated resources into the customer's EC2 account. |
AWSAppMeshPreviewEnvoyAccess | App Mesh Preview Envoy policy for accessing Virtual Node configuration. |
AWSOutpostsServiceRolePolicy | Service Linked Role policy to enable access to AWS resources managed by AWS Outposts |
AmazonLambdaRolePolicyForLaunchWizardSAP | Managed policy to support SAP provisioning using Amazon LaunchWizard service role for Lambda |
AmazonEC2RoleforAWSCodeDeployLimited | Provides EC2 limited access to S3 bucket to download revision. This role is needed by the CodeDeploy agent on EC2 instances. |
ECRReplicationServiceRolePolicy | Enables access to AWS Services and Resources used or managed by ECR Replication |
MigrationHubServiceRolePolicy | Allows Migration Hub to call Application Discovery Service on your behalf |
AWSServiceRoleForMonitronPolicy | Grants Amazon Monitron permissions to manage AWS resources, including AWS SSO user assignment on your behalf. |
AWSPanoramaSageMakerRolePolicy | Allows Amazon SageMaker to manage objects in buckets created for use with AWS Panorama. |
AWSIoTWirelessGatewayCertManager | Allows the associated identity access to create, list and describe IoT Certificates |
AWSDirectConnectServiceRolePolicy | Provides AWS Direct Connect permission to create and manage AWS resources on your behalf. |
AWSApplicationMigrationEC2Access | This policy provides Amazon EC2 operations required to use Application Migration Service (MGN) to launch the migrated servers as EC2 instances. Attach this policy to your IAM users or roles. |
AWSImageBuilderReadOnlyAccess | Provides read only access to all AWS Image Builder actions. |
AWSGrafanaConsoleReadOnlyAccess | Access to read only operations in Amazon Grafana. |
AWSMarketplaceMeteringRegisterUsage | Provides permissions to register a resource and track usage through AWS Marketplace Metering Service. |
AmazonManagedBlockchainReadOnlyAccess | Provides read-only access to Amazon Managed Blockchain. |
AmazonLookoutVisionReadOnlyAccess | Provides read only access to Amazon Lookout for Vision and scoped access to required dependencies. |
AmazonRekognitionCustomLabelsFullAccess | This policy specifies Rekognition and S3 permissions required by the Amazon Rekognition Custom Labels feature. |
AmazonHealthLakeFullAccess | Provides full access to Amazon HealthLake service. |
AWSBackupServiceLinkedRolePolicyForBackup | Provides AWS Backup permission to create backups on your behalf across AWS services |
AmazonManagedBlockchainConsoleFullAccess | Provides full access to Amazon Managed Blockchain via the AWS Management Console |
AWSApplicationMigrationConversionServerPolicy | This policy allows the Application Migration Service (MGN) Conversion Servers, which are EC2 instances launched by Application Migration Service, to communicate with the MGN service. An IAM role with this policy is attached (as an EC2 Instance Profile) by MGN to the MGN Conversion Servers, which are automatically launched and terminated by MGN, when needed. We do not recommend that you attach this policy to your IAM users or roles. MGN Conversion Servers are used by Application Migration Service when users choose to launch Test or Cutover instances using the MGN console, CLI, or API. |
AWSSavingsPlansReadOnlyAccess | Provides read only access to Savings Plans service |
AmazonHoneycodeWorkbookFullAccess | Provides full access to Honeycode Workbook via the AWS Management Console and the SDK. |
AWSIoTDeviceTesterForGreengrassFullAccess | Allows AWS IoT Device Tester to run the AWS Greengrass qualification suite by allowing access to related services including Lambda, IoT, API Gateway, IAM |
AWSElasticBeanstalkRoleECS | (Elastic Beanstalk operations role) Allows a multicontainer Docker environment to manage Amazon ECS clusters. |
AmazonWorkMailMessageFlowFullAccess | Full access to the WorkMail Message Flow APIs |
AWSServiceRoleForSMS | Provides access to AWS services and resources necessary to migrate service instances into AWS including EC2, S3 and CloudFormation. |
AWSThinkboxDeadlineResourceTrackerAccessPolicy | Grants permissions required for the operation of AWS Thinkbox's Deadline Resource Tracker. This includes full access to some EC2 actions, including DeleteFleets and CancelSpotFleetRequests. |
CloudWatch-CrossAccountAccess | Allows CloudWatch to assume CloudWatch-CrossAccountSharing roles in remote accounts on behalf of the current account in order to display data cross-account, cross-region |
AWSLakeFormationDataAdmin | Grants administrative access to AWS Lake Formation and related services, such as AWS Glue, to manage data lakes |
AWSElasticBeanstalkRoleCore | (Elastic Beanstalk operations role) Allows core operation of a web service environment. |
AWSLambda_FullAccess | Grants full access to AWS Lambda service, AWS Lambda console features, and other related AWS services. |
AmazonEMRContainersServiceRolePolicy | Allows access to other AWS service resources that are required to run Amazon EMR |
AWSDenyAll | Deny all access. |
AWSIQFullAccess | Provides full access to AWS IQ |
AmazonElasticContainerRegistryPublicPowerUser | Provides full access to Amazon ECR Public repositories, but does not allow repository deletion or policy changes. |
AmazonPrometheusConsoleFullAccess | Grants full access to AWS Managed Prometheus resources in the AWS console |
AWSElasticBeanstalkRoleSNS | (Elastic Beanstalk operations role) Allows an environment to enable Amazon SNS topic integration. |
AmazonEKSVPCResourceController | Policy used by VPC Resource Controller to manage ENI and IPs for worker nodes. |
EC2InstanceConnect | Allows customers to call EC2 Instance Connect to publish ephemeral keys to their EC2 instances and connect via ssh or the EC2 Instance Connect CLI. |
AWSCompromisedKeyQuarantineV2 | Denies access to certain actions, applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly. Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event. |
ClientVPNServiceConnectionsRolePolicy | Policy to enable AWS Client VPN to manage your Client VPN endpoint connections. |
AmazonAppFlowFullAccess | Provides full access to Amazon AppFlow and access to AWS services supported as flow source or destination (S3 and Redshift). Also provides access to KMS for encryption |
Ec2ImageBuilderCrossAccountDistributionAccess | Permissions needed by EC2 Image Builder to perform a cross account distribution. |
AWSThinkboxAWSPortalWorkerPolicy | This policy grants the Deadline Workers in AWS Portal the necessary permissions required for normal operation. |
AmazonS3OutpostsReadOnlyAccess | Provides read only access to Amazon S3 on Outposts via the AWS Management Console. |
AWSCompromisedKeyQuarantine | Denies access to certain actions, applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly. Do NOT remove this policy. Instead, please follow the instructions specified in the email sent to you regarding this event. |
AWSAppMeshEnvoyAccess | App Mesh Envoy policy for accessing Virtual Node configuration. |
AmazonKendraReadOnlyAccess | Provides read only access to Amazon Kendra via the AWS Management Console. |
AmazonPrometheusFullAccess | Grants full access to AWS Managed Prometheus resources |
AWS_ConfigRole | Default policy for AWS Config service role. Provides permissions required for AWS Config to track changes to your AWS resources. |
AmazonNimbleStudio-StudioAdmin | This policy grants access to Amazon Nimble Studio resources associated with the studio admin and related studio resources in other services. Attach this policy to the Admin role associated with your studio. |
AWSCodeArtifactReadOnlyAccess | Provides read only access to AWS CodeArtifact via the AWS Management Console. |
AmazonRedshiftDataFullAccess | This policy provides full access to Amazon Redshift Data APIs. This policy also grants scoped access to other required services. |
AWSApplicationMigrationReplicationServerPolicy | This policy allows the Application Migration Service (MGN) Replication Servers, which are EC2 instances launched by Application Migration Service, to communicate with the MGN service, and to create EBS snapshots in your AWS account. An IAM role with this policy is attached (as an EC2 Instance Profile) by Application Migration Service to the MGN Replication Servers, which are automatically launched and terminated by MGN, as needed. MGN Replication Servers are used to facilitate data replication from your external servers to AWS, as part of the migration process managed using MGN. We do not recommend that you attach this policy to your IAM users or roles. |