IAM permissions for the nOps platform

nOps requires safe, secure, and AWS-approved cross account access to your AWS accounts in order to give you the analysis, dashboards, and reports that you need. We only see what you want us to see in order to provide our services, no more, and we need you to give us permission first.

For AWS Payer/Management Account and AWS Linked accounts, nOps uses the following policies:

AWS managed ReadOnlyAccess policy, which is completely managed by AWS and is updated periodically as AWS adds new services.
Since the AWS managed ReadOnlyAccess policy contains some read access to sensitive data, nOps uses an explicit deny list which can be easily update for your own security requires. – Explicit Deny List
Lastly, few other policies that are necessary to create the Cost and Usage Report for Cost Visibility, Well-Architected Review and placeholders to support automating the setup for nOps Commitment Management Program. CUR, S3, Well-Architected, EventBridge, and Organization

IAM Policy JSON – Policy – JSON

What? Why? and How Much?

The following tables describe each permission within the IAM policy:

First column: Permission name.
Second column: What the permission is?
Third column: Why the permission is important for nOps?
Forth column: What kind of access the permission gives to nOps?What? Why? and How Much?The following tables describe each permission within the IAM policy:
- First column: Permission name.
- Second column: What the permission is?
- Third column: Why the permission is important for nOps?
- Forth column: What kind of access the permission gives to nOps?

CUR	What	Why	Access (Full: Read, Limited: Write)
DescribeReportDefinitions	Lists the AWS Cost and Usage Report available to this account.	Used for creating reports in billing bucket setup.	Read: All resource
PutReportDefinition	Creates a new report using the description that you provide.	Used for creating reports in billing bucket setup.	Write: All resource

EventBridge	What	Why	Access(Limited: Write)
CreateEventBus	Creates a new event bus within your account.	Allows nOps to create EventBridge integrations for automation. Required for the Commitment Management program.	Write: All resources

S3	What	Why	Access (Limited: Read)
HeadBucket	Allows you to determine if a bucket exists and you have permission to access it.	This permission allows nOps to see if the bucket for CUR already exists or do we need need to create one.	Read
HeadObject	The HEAD action retrieves metadata from an object without returning the object itself	This permission allows nOps to only see the metadata of a bucket without allowing nOps to see the bucket’s contents.	Read

Support	What	Why	Access (Limited: Read)
DescribeTrustedAdvisorCheckRefreshStatuses	Returns the refresh status of the AWS Trusted Advisor checks that have the specified check IDs.	Not used anymore.	Read: All resources
DescribeTrustedAdvisorCheckResult	Returns the results of the AWS Trusted Advisor check that has the specified check ID.	Not used anymore.	Read: All resources
DescribeTrustedAdvisorChecks	Returns information about all available AWS Trusted Advisor checks, including the name, ID, category, description, and metadata.	Not used anymore.	Read: All resources

Well-Architected	What	Why	Access (Full access)
wellarchitected	Gives full access to Well-Architected.	nOps provides a full functionality dedicated for wellarchitected compliances and it requires full access of this component for managing cloud workloads.	Full access

Explicit Deny

The following is the list of services for which nOps explicitly denies the permission:

ACM (AWS Certificate Manager)
API Gateway
AppConfig
AppFlow
AppStream
AppSync
Athena
Backup
Cassandra
Chime
Cloud9
Cloud Directory
CloudFront
CloudWatch
CodeArtifact
CodeBuild
CodeCommit
CodeDeploy
CodeStar
Cognito
Comprehend
Config
Connect
Data Pipeline
DAX (DynamoDB Accelerator)
DeepComposer
Device Farm
Direct Connect
Discovery
DMS (Database Migration Service)
DS (Directory Service)
DynamoDB
EC2 (Elastic Compute Cloud)
ECR (Elastic Container Registry)
EKS (Elastic Kubernetes Service)
Elastic Beanstalk
ES (Elasticsearch)
FIS (Fault Injection Simulator)
FMS (Firewall Manager)
Fraud Detector
GameLift
GeoLocation
Glue
GuardDuty
Inspector 2
Image Builder
IoT RoboRunner
IoT SiteWise
IVS (Interactive Video Service)
Kafka
Kendra
Kinesis
KMS (Key Management Service)
Lex
Lambda
License Manager
Lightsail
Logs
ML (Machine Learning)
Macie2
Mobile Hub
Nimble
Polly
Proton
QLDB (Quantum Ledger Database)
RDS (Relational Database Service)
Rekognition
Resilience Hub
RoboMaker
S3 (Simple Storage Service)
SageMaker
Schemas
SDB (SimpleDB)
Secrets Manager
Security Hub
SES (Simple Email Service)
Signer
SMS (Server Migration Service)
Snowball
SQS (Simple Queue Service)
S SM (Systems Manager Agent)
SSO (Single Sign-On)
Storage Gateway
Support
TimeStream
Transcribe
Transfer
WAF (Web Application Firewall)
WorkMail

ACM (AWS Certificate Manager)	What
acm-pca:Describe	Denies all Describe permissions in ACM-PCA.
acm-pca:Get	Denies all Get permissions in ACM-PCA.
acm-pca:List	Denies all List permissions in ACM-PCA.
acm:Describe	Denies all Describe permissions in ACM.
acm:Get	Denies all Get permissions in ACM.
acm:List	Denies all List permissions in ACM.

API Gateway	What
GET	Denies all Get permission for API Gateway.

AppConfig	What
GetConfiguration	Denies the permission to view details about a configuration.

AppFlow	What
DescribeConnector	Denies the permission to describe a connector registered in Amazon AppFlow.
ListConnector	Denies the permission to list connectors supported in Amazon AppFlow.

AppStream	What
DescribeDirectoryConfigs	Denies the permission to retrieve a list that describes one or more specified Directory Config objects for AppStream 2.0.
DescribeUsers	Denies the permission to retrieve a list that describes one or more specified users in the user pool.
DescribeSessions	Denies the permission to retrieve a list that describes the streaming sessions for a specified stack and fleet.

AppSync	What
Get	Denies the permission to read resources in this service.
List	Denies the permission to list resources in this service.

Athena	What
Get	Denies the permission to read resources in this service.
List	Denies the permission to list resources in this service.

Backup	What
GetBackupVaultAccessPolicy	Denies the permission to get backup vault access policy.

Cassandra (Keyspaces)	What
Select	Denies the permission to SELECT data from table.

Chime	What
Describe	Denies the permission to read resources in this service.
Get	Denies the permission to read resources in this service.
List	Denies the permission to list resources in this service.

Cloud9	What
Describe	Denies the permission to read resources in this service.
Get	Denies the permission to read resources in this service.
List	Denies the permission to read resources in this service.

Cloud Directory	What
Get	Denies the permission to read resources in this service.
List	Denies the permission to list resources in this service.

CloudFront	What
GetCloudFrontOriginAccessIdentity	Denies the permission to get the information about a cloud front origin access identity.
GetFieldLevelEncryption	Denies the permission to get the field-level encryption configuration information.
GetKeyGroupConfig	Denies the permission to get a key group configuration.

CloudWatch	What
GetMetricData	Denies the permission to retrieve batch amounts of CloudWatch metric data and perform metric math on retrieved data.
GetMetricStream	Denies the permission to return the details of a CloudWatch metric stream.
ListMetricStreams	Denies the permission to return a list of all CloudWatch metric streams in your account.

CodeArtifact	What
GetAuthorizationToken	Denies the permission to generate a temporary authorization token for accessing repositories in a domain.
ReadFromRepository	Denies the permission to return package assets and metadata from a repository endpoint.

CodeBuild	What
BatchGet	Denies the permission to all BatchGet permissions.
ListSourceCredentials	Denies the permission to return a list of SourceCredentialsInfo objects.

CodeCommit	What
BatchGet	Denies the permission to all BatchGet permissions.
Get	Denies the permission to Get permissions.
GitPull	Denies the permission to pull information from an AWS CodeCommit repository to a local repo.

CodeDeploy	What
BatchGet	Denies the permission to all BatchGet permissions.
Get	Denies the permission to Get permissions.

CodeStar	What
DescribeUserProfile	Denies the permission to describe a user in AWS CodeStar and the user attributes across all projects.
ListUserProfiles	Denies the permission to list user profiles in AWS CodeStar.

Cognito	What
cognito-identity (Cognito Identity)	Denies the permission to access any resources in this service.
cognito-idp (Cognito User Pools)	Denies the permission to access any resources in this service.
cognito-sync (Cognito Sync)	Denies the permission to access any resources in this service.

Comprehend	What
Describe	Denies the permission to Describe resources.
List	Denies the permission to List resources.

Config	What
BatchGetAggregateResourceConfig	Denies the permission to return the current configuration items for resources that are present in your AWS Config aggregator.
BatchGetResourceConfig	Denies the permission to return the current configuration for one or more requested resources.
SelectAggregateResourceConfig	Denies the permission to accept a structured query language (SQL) SELECT command and an aggregator to query configuration state of AWS resources across multiple accounts and regions, performs the corresponding search, and returns resource configuration matching the properties.
SelectResourceConfig	Denies the permission to accept a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties.

Connect	What
Describe	Denies the permission to Describe resources
Get	Denies the permission to Get resources.
List	Denies the permission to List resources.

Data Pipeline	What
DescribeObjects	Denies the permission to get the object definitions for a set of objects associated with the pipeline.
EvaluateExpression	Denies the permission to task runners to call EvaluateExpression, to evaluate a string in the context of the object.
QueryObjects	Denies the permission to query the specified pipeline for the names of the objects that match the specified set of conditions.

DAX (DynamoDB Accelerator)	What
BatchGetItem	Denies the permission to return the attributes of one or more items from one or more tables.
GetItem	Denies the permission to the GetItem operation that returns a set of attributes for the item with the given primary key.
Query	Denies the permission to use the primary key of a table or a secondary index to directly access items from that table or index.

DeepComposer	What
Get	Denies all Get permissions in DeepComposer.
List	Denies all List permissions in DeepComposer.

Device Farm	What
GetRemoteAccessSession	Denies the permission to retrieve the link to a currently running remote access session.
ListRemoteAccessSessions	Denies the permission to list the information of currently running remote access sessions.

Direct Connect	What
Describe	Denies all Describe permissions in Direct Connect.
List	Denies all List permissions in Direct Connect.

Discovery	What
Describe	Denies all Describe permissions in Discovery.
Get	Denies all Get permissions in Discovery.
List	Denies all List permissions in List.

DMS (Database Migration Service)	What
Describe	Denies all DEscribe permissions in DMS.
List	Denies the permission to list all tags for AWS DMS resources.

DS (Directory Service)	What
Get	Denies all Get permission in Directory Service.

DynamoDB	What
GetItem	Denies permission to the GetItem operation that returns a set of attributes for the item with the given primary key.
BatchGetItem	Denies permission to return the attributes of one or more items from one or more tables.
Query	Denies permission to use the primary key of a table or a secondary index to directly access items from that table or index.
Scan	Denies the permission to return one or more items and item attributes by accessing every item in a table or a secondary index.

EC2 (Elastic Compute Cloud)	What
GetConsoleScreenshot	Denies the permission to retrieve a JPG-format screenshot of a running instance.

ECR (Elastic Container Registry)	What
ecr:BatchGetImage	Denies the permission to get detailed information for specified images within a specified repository.
ecr:GetAuthorizationToken	Denies the permission to retrieve a token that is valid for a specified registry for 12 hours.
ecr:GetDownloadUrlForLayer	Denies the permission to retrieve that download URL corresponding to an image layer.
ecr-public:GetAuthorizationToken	Denies the permission to retrieve a token that is valid for a specified registry for 12 hours.

EKS (Elastic Kubernetes Service)	What
DescribeIdentityProviderConfig	Denies the permission to retrieve descriptive information about an Idp config associated with a cluster.

Elastic Beanstalk	What
DescribeConfigurationOptions	Denies the permission to retrieve descriptions of environment configuration options.
DescribeConfigurationSettings	Denies the permission to retrieve a description of the settings for a configuration set.

ES (OpenSearch Service)	What
ESHttpGet	Denies the permission to send HTTP GET request to the OpenSearch APIs.

FIS (Fault Injection Simulator)	What
GetExperimentTemplate	Denies the permission to retrieve an AWS FIS Experiment Template.

FMS (Firewall Manager)	What
GetAdminAccount	Denies the permission to retrieve the AWS Organization master account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator.

Fraud Detector	What
BatchGetVariable	Denies the permission to get a batch of variables.
Get	Denies all Get permission in Fraud Detector.

GameLift	What
GetGameSessionLogUrl	Denies the permission to retrieve the location of stored logs for a game session.
GetInstanceAccess	Denies the permission to request remote access to a specified fleet instance.

GeoLocation (Location)	What
ListDevicePositions	Denies the permission to retrieve a list of devices and their latest positions from the given tracker resource.

Glue	What
GetSecurityConfiguration	Denies the permission to retrieve a security configuration.
SearchTables	Denies the permission to retrieve the tables in the catalog.
GetTable	Denies all GetTable permission in Glue.

GuardDuty	What
GetIPSet	Denies the permission to retrieve GuardDuty IPSets
GetMasterAccount	Denies the permission to retrieve details of the GuardDuty administrator account associated with a member account.
GetMembers	Denies the permission to retrieve the member accounts associated with an administrator account.
ListMembers	Denies the permission to retrieve a list of GuardDuty member accounts associated with an administrator account.
ListOrganizationAdminAccounts	Denies the permission to list details about the organization delegated administrator for GuardDuty.

Inspector 2	What
GetConfiguration	Denies the permission to retrieve information about the Amazon Inspector configuration settings for an AWS account.

Image Builder	What
GetImage	Denies the permission to get an EC2 image.

IoT RoboRunner	What
Get	Denies all Get permission in IoT RoboRunner.

IoT SiteWise	What
ListAccessPolicies	Denies the permission to lit all access policies for an identity or a resource.

IVS (Interactive Video Service)	What
GetPlaybackKeyPair	Denies the permission to get the playback keypair information for a specified ARN.
GetStreamSession	Denies the permission to get information about the stream session on a specified channel.

Kafka (MSK)	What
GetBootstrapBrokers	Denies the permission to get connection details for the brokers in an MSK cluster.

Kendra	What
Query	Denies the permission to query documents and faqs.

Kinesis	What
Get	Denies all Get permission in Kinesis.

KMS (Key Management Service)	What
DescribeKey	Denies the control to the permission to view detailed information about an AWS KMS key.
GetPublicKey	Denies the control to the permission to download the public key of an asymmetric AWS KMS Key.

Lex	What
Get	Denies all Get permission in Lex.

Lambda	What
GetFunctionConfiguration	Denies the permission to view details about the version-specific settings of an AWS Lambda function or version.

License Manager	What
GetGrant	Denies the permission to get a grant.
GetLicense	Denies the permission to get a license.
ListTokens	Denies the permission to list tokens.

Lightsail	What
GetBucketAccessKeys	Denies the permission to get the existing access key IDs for the specified Amazon Lightsail bucket.
GetCertificates	Denies the permission to view information about one or more Amazon Lightsail SSL/TLS certificates.
GetContainerImages	Denies the permission to view the container images that are registered to your Amazon Lightsail container service.
GetKeyPair	Denies the permission to get information about a key pair.
GetRelationalDatabaseLogStreams	Denies the permission to get the log streams available for a relational database.

Logs	What
GetLogEvents	Denies the permission to list log events from the specified log stream.
StartQuery	Denies the permission to schedule a query of a log group using CloudWatch Logs Insights.

ML (Machine Learning)	What
GetMLModel	Denies the permission to return an MLModel that includes detailed metadata, and data source information as well as the current status of the MLModel.

Macie2	What
GetAdministratorAccount	Denies the permission to retrieve information about the Amazon Macie administrator account for an account.
GetMember	Denies the permission to retrieve information about an account that’s associated with an Amazon Macie administrator account.
GetMacieSession	Denies the permission to retrieve information about the status and configuration settings for an Amazon Macie account.
SearchResources	Denies the permission to retrieve statistical data and other information about AWS resources that Amazon MAcie monitors and analyzes.
GetSensitiveDataOccurrences	Denies the permission to retrieve occurrences of sensitive data reported by a finding.

Mobile Hub	What
ExportProject	Denies the permission to export the project configuration.

Nimble Studio	What
GetStreamingSession	Denies the permission to get a streaming session.

Polly	What
SynthesizeSpeech	Denies the permission to synthesize speech.

Proton	What
GetEnvironmentTemplate	Denies the permission to describe an environment template.
GetServiceTemplate	Denies the permission to describe a service template.
ListServiceTemplates	Denies the permission to list service templates.
ListEnvironmentTemplates	Denies the permission to list environment templates.

QLDB (Quantum Ledger Database)	What
GetBlock	Denies the permission to retrieve a block from a ledger for a given BlockAddress.
GetDigest	Denies the permission to retrieve a digest from a ledger from a given BlockAddress.

RDS (Relational Database Service)	What
Download	Denies all Download permission for RDS.

Rekognition	What
CompareFaces	Denies the permission to compare faces in the source input images with each face detected in the target input image.
Detect	Denies all Detect permissions in Rekognition.
Search	Denies all Search permission in Rekognition.

Resilience Hub	What
DescribeAppVersionTemplate	Denies the permission to describe the application version template.
ListRecommendationTemplates	Denies the permission to list recommendation templates.

RoboMaker	What
GetWorldTemplateBody	Denies the permission to get the body of a world template.

S3 (S3 Object Lambda)	What
s3-object-lambda:GetObject	Denies the permission to retrieve objects from Amazon S3.

SageMaker	What
Search	Denies the permission to search for SageMaker objects.

Schemas (EventBridgeSchemas)	What
GetDiscoveredSchema	Denies the permission to retrieve a schema for the provided list of sample events.

SDB (SimpleDB)	What
Get	Denies all Get permissions for SDB.
Select	Denies all Select permissions for SDB.

Secrets Manager	What
*	Denies all permission in Secrets Manager.

Security Hub	What
GetFindings	Denies the permission to retrieve a list of findings from Security Hub.
GetMembers	Denies the permission to retrieve the details of Security Hub member accounts.
ListMembers	Denies the permission to retrieve details about Security Hub member accounts associated with the administrator account.

SES (SES v1, SES v2)	What
GetTemplate	Denies the permission to return the template object, which includes the subject line, HTML part, and text part for the template you specify.
GetEmailTemplate	Denies the permission to return the template object, which includes the subject line, HTML part, and text part for the template you specify.
GetContact	Denies the permission to return a contact from a contact list.
GetContactList	Denies the permission to return contact list metadata.
ListTemplates	Denies the permission to list the email templates present in your account.
ListEmailTemplates	Denies the permission to list all of the email templates for your account.
ListVerifiedEmailAddresses	Denies the permission to list all of the email addresses that have been verified.

Signer	What
GetSigningProfile	Denies the permission to return information about a specific Signing Profile.
ListProfilePermissions	Denies the permission to list the cross-account permissions associated with a Signing Profile.
ListSigningProfiles	Denies the permission to list all Signing Profiles in your account.

SMS (Pinpoint SMS Voice V2)	What
sms-voice:DescribeKeywords	Denies the permission to describe the keywords for a pool or origination phone number.
sms-voice:DescribeOptedOutNumbers	Denies the permission to describe the destination phone numbers in an opt-out list.
sms-voice:DescribePhoneNumbers	Denies the permission to describe the origination phone numbers in your account.
sms-voice:DescribePools	Denies the permission to describe the pools in your account.

Snowball	What
Describe	Denies all Describe permission for Snowball.

SQS (Simple Queue Service)	What
Receive	Denies all Receive permission in SQS.

S SM (Systems Manager)	What
ssm-contacts:*
ssm:DescribeParameters	Denies the permission to view details about a specified SSM parameter.
ssm:GetParameter	Denies all GetParameter permission in Systems Manager.

SSO (Single Sign-On)	What
Describe	Denies all Describe permissions in SSO.
Get	Denies all Get permissions in SSO.
List	Denies all List permissions in SSO.

Storage Gateway	What
DescribeChapCredentials	Denies the permission to get an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair.

Support	What
DescribeCommunications	Denies the permission to return the communications and attachments for one or more AWS Support cases.

TimeStream	What
ListDatabases	Denies the permission to list databases in your account.
ListTables	Denies the permission to list tables in your account.

Transcribe	What
Get	Denies all Get permission in Transcribe.
List	Denies all List permission in Transcribe.

Transfer	What
Describe	Denies all Describe permission in Transfer.
List	Denies all List permission in Transfer.

WAF (WAF Regional)	What
waf-regional:GetChangeToken	Denies the permission to retrieve a change token to use in create, update, and delete requests.

WorkMail	What
DescribeUser	Denies the permission to read details for a user.
GetMailUserDetails	Denies the permission to get the details of the user’s mailbox and account.
ListUsers	Denies the permission to list the organization’s users.

IAM policy for nOps Last Updated: 12/17/2022

IAM Policy JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cur:DescribeReportDefinitions",
                "cur:DeleteReportDefinition",
                "cur:PutReportDefinition",
                "ce:ListCostAllocationTags",
                "ce:UpdateCostAllocationTagsStatus",
                "s3:ListBucket",
                "support:DescribeTrustedAdvisorCheckRefreshStatuses",
                "support:DescribeTrustedAdvisorCheckResult",
                "support:DescribeTrustedAdvisorChecks",
                "wellarchitected:*",
                "ce:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "acm-pca:Describe*",
                "acm-pca:Get*",
                "acm-pca:List*",
                "acm:Describe*",
                "acm:Get*",
                "acm:List*",
                "apigateway:GET",
                "appconfig:GetConfiguration*",
                "appflow:DescribeConnector*",
                "appflow:ListConnector*",
                "appstream:DescribeDirectoryConfigs",
                "appstream:DescribeUsers",
                "appstream:DescribeSessions",
                "appsync:Get*",
                "appsync:List*",
                "athena:Get*",
                "athena:List*",
                "backup:GetBackupVaultAccessPolicy",
                "cassandra:Select",
                "chime:Describe*",
                "chime:Get*",
                "chime:List*",
                "cloud9:Describe*",
                "cloud9:Get*",
                "cloud9:List*",
                "clouddirectory:Get*",
                "clouddirectory:List*",
                "cloudfront:GetCloudFrontOriginAccessIdentity",
                "cloudfront:GetFieldLevelEncryption*",
                "cloudfront:GetKeyGroupConfig",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStream",
                "cloudwatch:ListMetricStreams",
                "codeartifact:GetAuthorizationToken",
                "codeartifact:ReadFromRepository",
                "codebuild:BatchGet*",
                "codebuild:ListSourceCredentials",
                "codecommit:BatchGet*",
                "codecommit:Get*",
                "codecommit:GitPull",
                "codedeploy:BatchGet*",
                "codedeploy:Get*",
                "codestar:DescribeUserProfile",
                "codestar:ListUserProfiles",
                "cognito-identity:*",
                "cognito-idp:*",
                "cognito-sync:*",
                "comprehend:Describe*",
                "comprehend:List*",
                "config:BatchGetAggregateResourceConfig",
                "config:BatchGetResourceConfig",
                "config:SelectAggregateResourceConfig",
                "config:SelectResourceConfig",
                "connect:Describe*",
                "connect:Get*",
                "connect:List*",
                "datapipeline:DescribeObjects",
                "datapipeline:EvaluateExpression",
                "datapipeline:QueryObjects",
                "dax:BatchGetItem",
                "dax:GetItem",
                "dax:Query",
                "deepcomposer:Get*",
                "deepcomposer:List*",
                "devicefarm:GetRemoteAccessSession",
                "devicefarm:ListRemoteAccessSessions",
                "directconnect:Describe*",
                "directconnect:List*",
                "discovery:Describe*",
                "discovery:Get*",
                "discovery:List*",
                "dms:Describe*",
                "dms:List*",
                "ds:Get*",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "ec2:GetConsoleScreenshot",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr-public:GetAuthorizationToken",
                "eks:DescribeIdentityProviderConfig",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "es:ESHttpGet*",
                "fis:GetExperimentTemplate",
                "fms:GetAdminAccount",
                "frauddetector:BatchGetVariable",
                "frauddetector:Get*",
                "gamelift:GetGameSessionLogUrl",
                "gamelift:GetInstanceAccess",
                "geo:ListDevicePositions",
                "glue:GetSecurityConfiguration*",
                "glue:SearchTables",
                "glue:GetTable*",
                "guardduty:GetIPSet",
                "guardduty:GetMasterAccount",
                "guardduty:GetMembers",
                "guardduty:ListMembers",
                "guardduty:ListOrganizationAdminAccounts",
                "inspector2:GetConfiguration",
                "imagebuilder:GetImage",
                "iotroborunner:Get*",
                "iotsitewise:ListAccessPolicies",
                "ivs:GetPlaybackKeyPair",
                "ivs:GetStreamSession",
                "kafka:GetBootstrapBrokers",
                "kendra:Query*",
                "kinesis:Get*",
                "kms:DescribeKey",
                "kms:GetPublicKey",
                "lex:Get*",
                "lambda:GetFunctionConfiguration",
                "license-manager:GetGrant",
                "license-manager:GetLicense",
                "license-manager:ListTokens",
                "lightsail:GetBucketAccessKeys",
                "lightsail:GetCertificates",
                "lightsail:GetContainerImages",
                "lightsail:GetKeyPair",
                "lightsail:GetRelationalDatabaseLogStreams",
                "logs:GetLogEvents",
                "logs:StartQuery",
                "machinelearning:GetMLModel",
                "macie2:GetAdministratorAccount",
                "macie2:GetMember",
                "macie2:GetMacieSession",
                "macie2:SearchResources",
                "macie2:GetSensitiveDataOccurrences",
                "nimble:GetStreamingSession",
                "polly:SynthesizeSpeech",
                "proton:GetEnvironmentTemplate",
                "proton:GetServiceTemplate",
                "proton:ListServiceTemplates",
                "proton:ListEnvironmentTemplates",
                "qldb:GetBlock",
                "qldb:GetDigest",
                "rds:Download*",
                "rekognition:CompareFaces",
                "rekognition:Detect*",
                "rekognition:Search*",
                "resiliencehub:DescribeAppVersionTemplate",
                "resiliencehub:ListRecommendationTemplates",
                "robomaker:GetWorldTemplateBody",
                "s3-object-lambda:GetObject",
                "sagemaker:Search",
                "schemas:GetDiscoveredSchema",
                "sdb:Get*",
                "sdb:Select*",
                "secretsmanager:*",
                "securityhub:GetFindings",
                "securityhub:GetMembers",
                "securityhub:ListMembers",
                "ses:GetTemplate",
                "ses:GetEmailTemplate",
                "ses:GetContact",
                "ses:GetContactList",
                "ses:ListTemplates",
                "ses:ListEmailTemplates",
                "ses:ListVerifiedEmailAddresses",
                "signer:GetSigningProfile",
                "signer:ListProfilePermissions",
                "signer:ListSigningProfiles",
                "sms-voice:DescribeKeywords",
                "sms-voice:DescribeOptedOutNumbers",
                "sms-voice:DescribePhoneNumbers",
                "sms-voice:DescribePools",
                "snowball:Describe*",
                "sqs:Receive*",
                "ssm-contacts:*",
                "ssm:DescribeParameters*",
                "ssm:GetParameter*",
                "sso:Describe*",
                "sso:Get*",
                "sso:List*",
                "storagegateway:DescribeChapCredentials",
                "support:DescribeCommunications",
                "timestream:ListDatabases",
                "timestream:ListTables",
                "transcribe:Get*",
                "transcribe:List*",
                "transfer:Describe*",
                "transfer:List*",
                "waf-regional:GetChangeToken",
                "workmail:DescribeUser",
                "workmail:GetMailUserDetails",
                "workmail:ListUsers"
            ],
            "Resource": "*",
            "Effect": "Deny"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::[INSERT CUR S3 BUCKET]",
                "arn:aws:s3:::[INSERT CUR S3 BUCKET]/*"
            ],
            "Effect": "Allow"
        }
    ]
}

What? Why? and How Much?​

Explicit Deny​

IAM Policy JSON​

What? Why? and How Much?

Explicit Deny

IAM Policy JSON