
AWS IAM Permissions

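Each version of Fix Inventory programmatically generates the specific IAM permissions it requires to collect (and, optionally, manipulate) AWS resources. The permissions are published as three policies, each reproduced in full below: FixOrgList (listing the organization's accounts, regions and account aliases), FixCollect (collecting resources) and FixMutate (tagging, updating and deleting resources, needed only if Fix Inventory is to manipulate resources). All three policies allow their actions on `"Resource": "*"`.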

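Service Namespace | FixOrgList | FixCollect | FixMutate

(The table's columns are flattened in the list below: under each service namespace the actions appear in column order, so an action granted by more than one policy, such as `ec2:DescribeRegions` or `cloudfront:TagResource`, is listed more than once. The JSON documents further down show which policy grants each action.)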
acm
  • DescribeCertificate
  • ListCertificates
apigateway
  • GET
  • DELETE
  • PATCH
  • POST
  • PUT
athena
  • GetDataCatalog
  • GetWorkGroup
  • ListDataCatalogs
  • ListTagsForResource
  • ListWorkGroups
  • DeleteDataCatalog
  • DeleteWorkGroup
  • TagResource
  • UntagResource
autoscaling
  • DescribeAutoScalingGroups
  • CreateOrUpdateTags
  • DeleteAutoScalingGroup
  • DeleteTags
backup
  • GetBackupVaultAccessPolicy
  • ListBackupJobs
  • ListBackupPlans
  • ListBackupVaults
  • ListCopyJobs
  • ListFrameworks
  • ListLegalHolds
  • ListProtectedResources
  • ListRecoveryPointsByBackupVault
  • ListReportPlans
  • ListRestoreJobs
  • ListRestoreTestingPlans
  • ListTags
  • DeleteBackupPlan
  • DeleteBackupVault
  • DeleteFramework
  • DeleteRecoveryPoint
  • DeleteReportPlan
  • DeleteRestoreTestingPlan
  • TagResource
  • UntagResource
bedrock
  • GetCustomModel
  • GetEvaluationJob
  • GetGuardrail
  • GetModelCustomizationJob
  • ListCustomModels
  • ListEvaluationJobs
  • ListFoundationModels
  • ListGuardrails
  • ListModelCustomizationJobs
  • ListProvisionedModelThroughputs
  • ListTagsForResource
  • DeleteCustomModel
  • DeleteGuardrail
  • DeleteProvisionedModelThroughput
  • TagResource
  • UntagResource
bedrock-agent
  • GetAgent
  • GetFlow
  • GetFlowVersion
  • GetKnowledgeBase
  • GetPrompt
  • ListAgents
  • ListFlows
  • ListKnowledgeBases
  • ListPrompts
  • ListTagsForResource
  • DeleteAgent
  • DeleteFlow
  • DeleteFlowVersion
  • DeleteKnowledgeBase
  • DeletePrompt
  • TagResource
  • UntagResource
cloudformation
  • DescribeStacks
  • ListStackInstances
  • ListStackResources
  • ListStackSets
  • ListStacks
  • DeleteStack
  • DeleteStackSet
  • UpdateStack
  • UpdateStackSet
cloudfront
  • GetDistribution
  • ListCachePolicies
  • ListDistributions
  • ListFieldLevelEncryptionConfigs
  • ListFieldLevelEncryptionProfiles
  • ListFunctions
  • ListOriginAccessControls
  • ListPublicKeys
  • ListRealtimeLogConfigs
  • ListResponseHeadersPolicies
  • ListStreamingDistributions
  • TagResource
  • UntagResource
  • DeleteCachePolicy
  • DeleteDistribution
  • DeleteFieldLevelEncryptionConfig
  • DeleteFieldLevelEncryptionProfile
  • DeleteFunction
  • DeleteOriginAccessControl
  • DeletePublicKey
  • DeleteRealtimeLogConfig
  • DeleteResponseHeadersPolicy
  • DescribeFunction
  • GetCachePolicy
  • GetDistribution
  • GetDistributionConfig
  • GetFieldLevelEncryptionConfig
  • GetFieldLevelEncryptionProfile
  • GetOriginAccessControl
  • GetPublicKey
  • GetResponseHeadersPolicy
  • TagResource
  • UntagResource
  • UpdateDistribution
cloudtrail
  • GetEventSelectors
  • GetInsightSelectors
  • GetTrail
  • GetTrailStatus
  • ListTags
  • ListTrails
  • AddTags
  • DeleteTrail
  • RemoveTags
cloudwatch
  • DescribeAlarms
  • DescribeResourcePolicies
  • GetMetricData
  • DeleteAlarms
  • DeleteMetricFilter
  • TagResource
  • UntagResource
cognito-idp
  • ListGroups
  • ListTagsForResource
  • ListUserPools
  • ListUsers
  • DeleteGroup
  • DeleteUserPool
  • TagResource
  • UntagResource
config
  • DescribeConfigurationRecorderStatus
  • DescribeConfigurationRecorders
  • DeleteConfigurationRecorder
dynamodb
  • DescribeContinuousBackups
  • DescribeGlobalTable
  • DescribeTable
  • GetResourcePolicy
  • ListGlobalTables
  • ListTables
  • ListTagsOfResource
  • DeleteTable
  • TagResource
  • UntagResource
ec2
  • DescribeRegions
  • DescribeAddresses
  • DescribeFlowLogs
  • DescribeHosts
  • DescribeImages
  • DescribeInstanceTypes
  • DescribeInstances
  • DescribeInternetGateways
  • DescribeKeyPairs
  • DescribeLaunchTemplateVersions
  • DescribeNatGateways
  • DescribeNetworkAcls
  • DescribeNetworkInterfaces
  • DescribeRegions
  • DescribeReservedInstances
  • DescribeRouteTables
  • DescribeSecurityGroups
  • DescribeSnapshots
  • DescribeSubnets
  • DescribeVolumes
  • DescribeVpcEndpoints
  • DescribeVpcPeeringConnections
  • DescribeVpcs
  • CreateTags
  • DeleteInternetGateway
  • DeleteKeyPair
  • DeleteNatGateway
  • DeleteNetworkAcl
  • DeleteNetworkInterface
  • DeleteRouteTable
  • DeleteSecurityGroup
  • DeleteSnapshot
  • DeleteSubnet
  • DeleteTags
  • DeleteVolume
  • DeleteVpc
  • DeleteVpcEndpoints
  • DeleteVpcPeeringConnection
  • DescribeInstanceAttribute
  • DetachInternetGateway
  • DisassociateAddress
  • DisassociateRouteTable
  • ReleaseAddress
  • ReleaseHosts
  • RevokeSecurityGroupEgress
  • RevokeSecurityGroupIngress
  • StartInstances
  • StopInstances
  • TerminateInstances
ecr
  • DescribeRepositories
  • GetLifecyclePolicy
  • GetRepositoryPolicy
ecr-public
  • DescribeRepositories
ecs
  • DescribeCapacityProviders
  • DescribeClusters
  • DescribeContainerInstances
  • DescribeServices
  • DescribeTaskDefinition
  • DescribeTasks
  • ListClusters
  • ListContainerInstances
  • ListServices
  • ListTaskDefinitions
  • ListTasks
  • DeleteCapacityProvider
  • DeleteCluster
  • DeleteService
  • DeregisterContainerInstance
  • DeregisterTaskDefinition
  • PutClusterCapacityProviders
  • StopTask
  • TagResource
  • UntagResource
  • UpdateService
eks
  • DescribeCluster
  • DescribeNodegroup
  • ListClusters
  • ListNodegroups
  • DeleteCluster
  • DeleteNodegroup
  • TagResource
  • UntagResource
elasticache
  • DescribeCacheClusters
  • DescribeReplicationGroups
  • ListTagsForResource
  • AddTagsToResource
  • DeleteCacheCluster
  • DeleteReplicationGroup
  • RemoveTagsFromResource
elasticbeanstalk
  • DescribeApplications
  • DescribeEnvironmentResources
  • DescribeEnvironments
  • ListTagsForResource
  • DeleteApplication
  • TerminateEnvironment
  • UpdateTagsForResource
elasticfilesystem
  • DescribeAccessPoints
  • DescribeFileSystemPolicy
  • DescribeFileSystems
  • DescribeMountTargets
  • DeleteFileSystem
elasticloadbalancing
  • DescribeListeners
  • DescribeLoadBalancerAttributes
  • DescribeLoadBalancers
  • DescribeTags
  • DescribeTargetGroups
  • DescribeTargetHealth
  • AddTags
  • DeleteLoadBalancer
  • DeleteTargetGroup
  • RemoveTags
glacier
  • ListJobs
  • ListTagsForVault
  • ListVaults
  • AddTagsToVault
  • DeleteVault
  • RemoveTagsFromVault
iam
  • ListAccountAliases
  • GenerateCredentialReport
  • GetAccessKeyLastUsed
  • GetAccountAuthorizationDetails
  • GetAccountPasswordPolicy
  • GetAccountSummary
  • GetCredentialReport
  • ListAccessKeys
  • ListAccountAliases
  • ListInstanceProfiles
  • ListServerCertificates
  • DeleteGroup
  • DeleteGroupPolicy
  • DeleteInstanceProfile
  • DeletePolicy
  • DeleteRole
  • DeleteRolePolicy
  • DeleteServerCertificate
  • DeleteUser
  • DeleteUserPolicy
  • DetachGroupPolicy
  • DetachRolePolicy
  • DetachUserPolicy
  • RemoveRoleFromInstanceProfile
  • TagInstanceProfile
  • TagPolicy
  • TagRole
  • TagServerCertificate
  • TagUser
  • UntagInstanceProfile
  • UntagPolicy
  • UntagRole
  • UntagServerCertificate
  • UntagUser
inspector2
  • ListFindings
kinesis
  • DescribeStream
  • GetResourcePolicy
  • ListStreams
  • ListTagsForStream
  • AddTagsToStream
  • DeleteStream
  • RemoveTagsFromStream
kms
  • DescribeKey
  • GetKeyPolicy
  • GetKeyRotationStatus
  • ListKeys
  • ListResourceTags
  • DisableKey
  • ScheduleKeyDeletion
  • TagResource
  • UntagResource
lambda
  • GetFunctionUrlConfig
  • GetPolicy
  • ListFunctions
  • ListTags
  • DeleteFunction
  • TagResource
  • UntagResource
logs
  • DescribeLogGroups
  • DescribeMetricFilters
  • DeleteLogGroup
  • TagResource
  • UntagResource
opensearch
  • DescribeDomainNames
  • ListDomainNames
organizations
  • ListAccounts
  • DescribeAccount
  • ListAccounts
pricing
  • GetProducts
qapps
  • ListLibraryItems
  • ListQApps
  • ListTagsForResource
  • DeleteLibraryItem
  • DeleteQApp
  • TagResource
  • UntagResource
qbusiness
  • ListApplications
  • ListConversations
  • ListDataSourceSyncJobs
  • ListDataSources
  • ListDocuments
  • ListIndices
  • ListMessages
  • ListPlugins
  • ListRetrievers
  • ListTagsForResource
  • ListWebExperiences
  • DeleteApplication
  • DeleteDataSource
  • DeleteIndex
  • DeletePlugin
  • DeleteRetriever
  • DeleteWebExperience
  • TagResource
  • UntagResource
rds
  • DescribeDbClusterSnapshots
  • DescribeDbClusters
  • DescribeDbInstances
  • DescribeDbSnapshots
  • ListTagsForResource
  • AddTagsToResource
  • DeleteDbCluster
  • DeleteDbInstance
  • RemoveTagsFromResource
redshift
  • DescribeClusters
  • DescribeLoggingStatus
  • CreateTags
  • DeleteCluster
  • DeleteTags
route53
  • ListHostedZones
  • ListResourceRecordSets
  • ListTagsForResource
  • ChangeTagsForResource
  • DeleteHostedZone
s3
  • GetAccountPublicAccessBlock
  • GetBucketAcl
  • GetBucketLifecycleConfiguration
  • GetBucketLocation
  • GetBucketLogging
  • GetBucketPolicy
  • GetBucketTagging
  • GetBucketVersioning
  • GetEncryptionConfiguration
  • ListAllMyBuckets
  • DeleteBucket
  • DeleteObject
  • PutBucketTagging
sagemaker
  • DescribeAlgorithm
  • DescribeApp
  • DescribeArtifact
  • DescribeAutoMlJob
  • DescribeCompilationJob
  • DescribeDomain
  • DescribeEndpoint
  • DescribeHyperParameterTuningJob
  • DescribeImage
  • DescribeInferenceRecommendationsJob
  • DescribeLabelingJob
  • DescribeModel
  • DescribeNotebookInstance
  • DescribePipeline
  • DescribeProcessingJob
  • DescribeTrainingJob
  • DescribeTransformJob
  • DescribeTrial
  • ListAlgorithms
  • ListApps
  • ListArtifacts
  • ListAutoMlJobs
  • ListCodeRepositories
  • ListCompilationJobs
  • ListDomains
  • ListEndpoints
  • ListExperiments
  • ListHyperParameterTuningJobs
  • ListImages
  • ListInferenceRecommendationsJobs
  • ListLabelingJobs
  • ListModels
  • ListNotebookInstances
  • ListPipelines
  • ListProcessingJobs
  • ListProjects
  • ListTags
  • ListTrainingJobs
  • ListTransformJobs
  • ListTrials
  • ListUserProfiles
  • ListWorkteams
  • AddTags
  • DeleteAlgorithm
  • DeleteApp
  • DeleteArtifact
  • DeleteCodeRepository
  • DeleteDomain
  • DeleteEndpoint
  • DeleteExperiment
  • DeleteImage
  • DeleteModel
  • DeleteNotebookInstance
  • DeletePipeline
  • DeleteProject
  • DeleteTags
  • DeleteTrial
  • DeleteUserProfile
  • DeleteWorkteam
secretsmanager
  • GetResourcePolicy
  • ListSecrets
servicequotas
  • ListServiceQuotas
  • TagResource
  • UntagResource
sns
  • GetPlatformApplicationAttributes
  • GetSubscriptionAttributes
  • GetTopicAttributes
  • ListEndpointsByPlatformApplication
  • ListPlatformApplications
  • ListSubscriptions
  • ListTagsForResource
  • ListTopics
  • DeleteEndpoint
  • DeletePlatformApplication
  • DeleteTopic
  • TagResource
  • Unsubscribe
  • UntagResource
sqs
  • GetQueueAttributes
  • ListQueueTags
  • ListQueues
  • DeleteQueue
  • TagQueue
  • UntagQueue
ssm
  • DescribeDocument
  • DescribeInstanceInformation
  • GetDocument
  • ListComplianceItems
  • ListDocuments
  • ListResourceComplianceSummaries
wafv2
  • GetLoggingConfiguration
  • GetWebAcl
  • ListResourcesForWebAcl
  • ListWebAcls

FixOrgList​

https://cdn.some.engineering/fix/aws/edge/FixOrgList.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"organizations:ListAccounts",
"organizations:DescribeAccount",
"ec2:DescribeRegions",
"iam:ListAccountAliases"
]
}
]
}

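FixCollect

Apart from `cloudfront:TagResource` and `cloudfront:UntagResource`, the actions in this policy are read-type calls. Those two modify tags and are also granted by FixMutate, so a reviewer expecting a strictly read-only collection role should confirm whether they are intended here.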

https://cdn.some.engineering/fix/aws/edge/FixCollect.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"apigateway:GET",
"athena:GetDataCatalog",
"athena:GetWorkGroup",
"athena:ListDataCatalogs",
"athena:ListTagsForResource",
"athena:ListWorkGroups",
"autoscaling:DescribeAutoScalingGroups",
"backup:GetBackupVaultAccessPolicy",
"backup:ListBackupJobs",
"backup:ListBackupPlans",
"backup:ListBackupVaults",
"backup:ListCopyJobs",
"backup:ListFrameworks",
"backup:ListLegalHolds",
"backup:ListProtectedResources",
"backup:ListRecoveryPointsByBackupVault",
"backup:ListReportPlans",
"backup:ListRestoreJobs",
"backup:ListRestoreTestingPlans",
"backup:ListTags",
"bedrock-agent:GetAgent",
"bedrock-agent:GetFlow",
"bedrock-agent:GetFlowVersion",
"bedrock-agent:GetKnowledgeBase",
"bedrock-agent:GetPrompt",
"bedrock-agent:ListAgents",
"bedrock-agent:ListFlows",
"bedrock-agent:ListKnowledgeBases",
"bedrock-agent:ListPrompts",
"bedrock-agent:ListTagsForResource",
"bedrock:GetCustomModel",
"bedrock:GetEvaluationJob",
"bedrock:GetGuardrail",
"bedrock:GetModelCustomizationJob",
"bedrock:ListCustomModels",
"bedrock:ListEvaluationJobs",
"bedrock:ListFoundationModels",
"bedrock:ListGuardrails",
"bedrock:ListModelCustomizationJobs",
"bedrock:ListProvisionedModelThroughputs",
"bedrock:ListTagsForResource",
"cloudformation:DescribeStacks",
"cloudformation:ListStackInstances",
"cloudformation:ListStackResources",
"cloudformation:ListStackSets",
"cloudformation:ListStacks",
"cloudfront:GetDistribution",
"cloudfront:ListCachePolicies",
"cloudfront:ListDistributions",
"cloudfront:ListFieldLevelEncryptionConfigs",
"cloudfront:ListFieldLevelEncryptionProfiles",
"cloudfront:ListFunctions",
"cloudfront:ListOriginAccessControls",
"cloudfront:ListPublicKeys",
"cloudfront:ListRealtimeLogConfigs",
"cloudfront:ListResponseHeadersPolicies",
"cloudfront:ListStreamingDistributions",
"cloudfront:TagResource",
"cloudfront:UntagResource",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetInsightSelectors",
"cloudtrail:GetTrail",
"cloudtrail:GetTrailStatus",
"cloudtrail:ListTags",
"cloudtrail:ListTrails",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeResourcePolicies",
"cloudwatch:GetMetricData",
"cognito-idp:ListGroups",
"cognito-idp:ListTagsForResource",
"cognito-idp:ListUserPools",
"cognito-idp:ListUsers",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigurationRecorders",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeGlobalTable",
"dynamodb:DescribeTable",
"dynamodb:GetResourcePolicy",
"dynamodb:ListGlobalTables",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAddresses",
"ec2:DescribeFlowLogs",
"ec2:DescribeHosts",
"ec2:DescribeImages",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ecr-public:DescribeRepositories",
"ecr:DescribeRepositories",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy",
"ecs:DescribeCapacityProviders",
"ecs:DescribeClusters",
"ecs:DescribeContainerInstances",
"ecs:DescribeServices",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListServices",
"ecs:ListTaskDefinitions",
"ecs:ListTasks",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:ListClusters",
"eks:ListNodegroups",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeReplicationGroups",
"elasticache:ListTagsForResource",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:ListTagsForResource",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"glacier:ListJobs",
"glacier:ListTagsForVault",
"glacier:ListVaults",
"iam:GenerateCredentialReport",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetCredentialReport",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListInstanceProfiles",
"iam:ListServerCertificates",
"inspector2:ListFindings",
"kinesis:DescribeStream",
"kinesis:GetResourcePolicy",
"kinesis:ListStreams",
"kinesis:ListTagsForStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListKeys",
"kms:ListResourceTags",
"lambda:GetFunctionUrlConfig",
"lambda:GetPolicy",
"lambda:ListFunctions",
"lambda:ListTags",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"opensearch:DescribeDomainNames",
"opensearch:ListDomainNames",
"organizations:ListAccounts",
"pricing:GetProducts",
"qapps:ListLibraryItems",
"qapps:ListQApps",
"qapps:ListTagsForResource",
"qbusiness:ListApplications",
"qbusiness:ListConversations",
"qbusiness:ListDataSourceSyncJobs",
"qbusiness:ListDataSources",
"qbusiness:ListDocuments",
"qbusiness:ListIndices",
"qbusiness:ListMessages",
"qbusiness:ListPlugins",
"qbusiness:ListRetrievers",
"qbusiness:ListTagsForResource",
"qbusiness:ListWebExperiences",
"rds:DescribeDbClusterSnapshots",
"rds:DescribeDbClusters",
"rds:DescribeDbInstances",
"rds:DescribeDbSnapshots",
"rds:ListTagsForResource",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLifecycleConfiguration",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetEncryptionConfiguration",
"s3:ListAllMyBuckets",
"sagemaker:DescribeAlgorithm",
"sagemaker:DescribeApp",
"sagemaker:DescribeArtifact",
"sagemaker:DescribeAutoMlJob",
"sagemaker:DescribeCompilationJob",
"sagemaker:DescribeDomain",
"sagemaker:DescribeEndpoint",
"sagemaker:DescribeHyperParameterTuningJob",
"sagemaker:DescribeImage",
"sagemaker:DescribeInferenceRecommendationsJob",
"sagemaker:DescribeLabelingJob",
"sagemaker:DescribeModel",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribePipeline",
"sagemaker:DescribeProcessingJob",
"sagemaker:DescribeTrainingJob",
"sagemaker:DescribeTransformJob",
"sagemaker:DescribeTrial",
"sagemaker:ListAlgorithms",
"sagemaker:ListApps",
"sagemaker:ListArtifacts",
"sagemaker:ListAutoMlJobs",
"sagemaker:ListCodeRepositories",
"sagemaker:ListCompilationJobs",
"sagemaker:ListDomains",
"sagemaker:ListEndpoints",
"sagemaker:ListExperiments",
"sagemaker:ListHyperParameterTuningJobs",
"sagemaker:ListImages",
"sagemaker:ListInferenceRecommendationsJobs",
"sagemaker:ListLabelingJobs",
"sagemaker:ListModels",
"sagemaker:ListNotebookInstances",
"sagemaker:ListPipelines",
"sagemaker:ListProcessingJobs",
"sagemaker:ListProjects",
"sagemaker:ListTags",
"sagemaker:ListTrainingJobs",
"sagemaker:ListTransformJobs",
"sagemaker:ListTrials",
"sagemaker:ListUserProfiles",
"sagemaker:ListWorkteams",
"secretsmanager:GetResourcePolicy",
"secretsmanager:ListSecrets",
"servicequotas:ListServiceQuotas",
"sns:GetPlatformApplicationAttributes",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListEndpointsByPlatformApplication",
"sns:ListPlatformApplications",
"sns:ListSubscriptions",
"sns:ListTagsForResource",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueueTags",
"sqs:ListQueues",
"ssm:DescribeDocument",
"ssm:DescribeInstanceInformation",
"ssm:GetDocument",
"ssm:ListComplianceItems",
"ssm:ListDocuments",
"ssm:ListResourceComplianceSummaries",
"wafv2:GetLoggingConfiguration",
"wafv2:GetWebAcl",
"wafv2:ListResourcesForWebAcl",
"wafv2:ListWebAcls"
]
}
]
}

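FixMutate

This policy is needed only when Fix Inventory is used to manipulate resources. Alongside tagging, it allows deleting identity, key and logging resources (for example `iam:DeleteRole`, `kms:ScheduleKeyDeletion`, `cloudtrail:DeleteTrail`, `config:DeleteConfigurationRecorder` and `logs:DeleteLogGroup`) on `"Resource": "*"`. The role that carries it is therefore a high-privilege principal, and its calls are worth alerting on in CloudTrail.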

https://cdn.some.engineering/fix/aws/edge/FixMutate.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"apigateway:DELETE",
"apigateway:PATCH",
"apigateway:POST",
"apigateway:PUT",
"athena:DeleteDataCatalog",
"athena:DeleteWorkGroup",
"athena:TagResource",
"athena:UntagResource",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteTags",
"backup:DeleteBackupPlan",
"backup:DeleteBackupVault",
"backup:DeleteFramework",
"backup:DeleteRecoveryPoint",
"backup:DeleteReportPlan",
"backup:DeleteRestoreTestingPlan",
"backup:TagResource",
"backup:UntagResource",
"bedrock-agent:DeleteAgent",
"bedrock-agent:DeleteFlow",
"bedrock-agent:DeleteFlowVersion",
"bedrock-agent:DeleteKnowledgeBase",
"bedrock-agent:DeletePrompt",
"bedrock-agent:TagResource",
"bedrock-agent:UntagResource",
"bedrock:DeleteCustomModel",
"bedrock:DeleteGuardrail",
"bedrock:DeleteProvisionedModelThroughput",
"bedrock:TagResource",
"bedrock:UntagResource",
"cloudformation:DeleteStack",
"cloudformation:DeleteStackSet",
"cloudformation:UpdateStack",
"cloudformation:UpdateStackSet",
"cloudfront:DeleteCachePolicy",
"cloudfront:DeleteDistribution",
"cloudfront:DeleteFieldLevelEncryptionConfig",
"cloudfront:DeleteFieldLevelEncryptionProfile",
"cloudfront:DeleteFunction",
"cloudfront:DeleteOriginAccessControl",
"cloudfront:DeletePublicKey",
"cloudfront:DeleteRealtimeLogConfig",
"cloudfront:DeleteResponseHeadersPolicy",
"cloudfront:DescribeFunction",
"cloudfront:GetCachePolicy",
"cloudfront:GetDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:GetFieldLevelEncryptionConfig",
"cloudfront:GetFieldLevelEncryptionProfile",
"cloudfront:GetOriginAccessControl",
"cloudfront:GetPublicKey",
"cloudfront:GetResponseHeadersPolicy",
"cloudfront:TagResource",
"cloudfront:UntagResource",
"cloudfront:UpdateDistribution",
"cloudtrail:AddTags",
"cloudtrail:DeleteTrail",
"cloudtrail:RemoveTags",
"cloudwatch:DeleteAlarms",
"cloudwatch:DeleteMetricFilter",
"cloudwatch:TagResource",
"cloudwatch:UntagResource",
"cognito-idp:DeleteGroup",
"cognito-idp:DeleteUserPool",
"cognito-idp:TagResource",
"cognito-idp:UntagResource",
"config:DeleteConfigurationRecorder",
"dynamodb:DeleteTable",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"ec2:CreateTags",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DeleteVpcPeeringConnection",
"ec2:DescribeInstanceAttribute",
"ec2:DetachInternetGateway",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ReleaseAddress",
"ec2:ReleaseHosts",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ecs:DeleteCapacityProvider",
"ecs:DeleteCluster",
"ecs:DeleteService",
"ecs:DeregisterContainerInstance",
"ecs:DeregisterTaskDefinition",
"ecs:PutClusterCapacityProviders",
"ecs:StopTask",
"ecs:TagResource",
"ecs:UntagResource",
"ecs:UpdateService",
"eks:DeleteCluster",
"eks:DeleteNodegroup",
"eks:TagResource",
"eks:UntagResource",
"elasticache:AddTagsToResource",
"elasticache:DeleteCacheCluster",
"elasticache:DeleteReplicationGroup",
"elasticache:RemoveTagsFromResource",
"elasticbeanstalk:DeleteApplication",
"elasticbeanstalk:TerminateEnvironment",
"elasticbeanstalk:UpdateTagsForResource",
"elasticfilesystem:DeleteFileSystem",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:RemoveTags",
"glacier:AddTagsToVault",
"glacier:DeleteVault",
"glacier:RemoveTagsFromVault",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteInstanceProfile",
"iam:DeletePolicy",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteServerCertificate",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagInstanceProfile",
"iam:TagPolicy",
"iam:TagRole",
"iam:TagServerCertificate",
"iam:TagUser",
"iam:UntagInstanceProfile",
"iam:UntagPolicy",
"iam:UntagRole",
"iam:UntagServerCertificate",
"iam:UntagUser",
"kinesis:AddTagsToStream",
"kinesis:DeleteStream",
"kinesis:RemoveTagsFromStream",
"kms:DisableKey",
"kms:ScheduleKeyDeletion",
"kms:TagResource",
"kms:UntagResource",
"lambda:DeleteFunction",
"lambda:TagResource",
"lambda:UntagResource",
"logs:DeleteLogGroup",
"logs:TagResource",
"logs:UntagResource",
"qapps:DeleteLibraryItem",
"qapps:DeleteQApp",
"qapps:TagResource",
"qapps:UntagResource",
"qbusiness:DeleteApplication",
"qbusiness:DeleteDataSource",
"qbusiness:DeleteIndex",
"qbusiness:DeletePlugin",
"qbusiness:DeleteRetriever",
"qbusiness:DeleteWebExperience",
"qbusiness:TagResource",
"qbusiness:UntagResource",
"rds:AddTagsToResource",
"rds:DeleteDbCluster",
"rds:DeleteDbInstance",
"rds:RemoveTagsFromResource",
"redshift:CreateTags",
"redshift:DeleteCluster",
"redshift:DeleteTags",
"route53:ChangeTagsForResource",
"route53:DeleteHostedZone",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:PutBucketTagging",
"sagemaker:AddTags",
"sagemaker:DeleteAlgorithm",
"sagemaker:DeleteApp",
"sagemaker:DeleteArtifact",
"sagemaker:DeleteCodeRepository",
"sagemaker:DeleteDomain",
"sagemaker:DeleteEndpoint",
"sagemaker:DeleteExperiment",
"sagemaker:DeleteImage",
"sagemaker:DeleteModel",
"sagemaker:DeleteNotebookInstance",
"sagemaker:DeletePipeline",
"sagemaker:DeleteProject",
"sagemaker:DeleteTags",
"sagemaker:DeleteTrial",
"sagemaker:DeleteUserProfile",
"sagemaker:DeleteWorkteam",
"servicequotas:TagResource",
"servicequotas:UntagResource",
"sns:DeleteEndpoint",
"sns:DeletePlatformApplication",
"sns:DeleteTopic",
"sns:TagResource",
"sns:Unsubscribe",
"sns:UntagResource",
"sqs:DeleteQueue",
"sqs:TagQueue",
"sqs:UntagQueue"
]
}
]
}