annotated.yaml

CredentialExposure:
  Actions:

  - appsync:ListApiKeys:
      access_level: List
      description: Grants permission to list the API keys for a given API
      risk_category:
      - CredentialExposure
      service_name: AWS AppSync

  - athena:GetSession:
      access_level: Read
      description: Grants permission to get a session
      risk_category:
      - CredentialExposure
      service_name: Amazon Athena

  - chatbot:GetMicrosoftTeamsOauthParameters:
      access_level: Read
      description: Grants permission to generate OAuth parameters to request Microsoft Teams OAuth code to be used by the AWS Chatbot service
      risk_category:
      - CredentialExposure
      service_name: AWS Chatbot

  - chatbot:GetSlackOauthParameters:
      access_level: Read
      description: Grants permission to generate OAuth parameters to request Slack OAuth code to be used by the AWS Chatbot service
      risk_category:
      - CredentialExposure
      service_name: AWS Chatbot

  - chime:CreateApiKey:
      access_level: Write
      description: Grants permission to create a new SCIM access key for your Amazon Chime account and Okta configuration
      risk_category:
      - CredentialExposure
      service_name: Amazon Chime

  - cloud9:CreateEnvironmentSSH:
      access_level: Write
      description: Grants permission to create an AWS Cloud9 SSH development environment
      risk_category:
      - CredentialExposure
      service_name: AWS Cloud9

  - cloud9:CreateEnvironmentToken:
      access_level: Read
      description: Grants permission to create an authentication token that allows a connection between the AWS Cloud9 IDE and the user's environment
      risk_category:
      - CredentialExposure
      service_name: AWS Cloud9

  - codeartifact:GetAuthorizationToken:
      access_level: Read
      description: Grants permission to generate a temporary authentication token for accessing repositories in a domain
      risk_category:
      - CredentialExposure
      service_name: AWS CodeArtifact

  - codepipeline:PollForJobs:
      access_level: Write
      description: Grants permission to view information about any jobs for CodePipeline to act on
      risk_category:
      - CredentialExposure
      service_name: AWS CodePipeline

  - cognito-identity:GetCredentialsForIdentity:
      access_level: Read
      description: Grants permission to return credentials for the provided identity ID
      risk_category:
      - CredentialExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:GetOpenIdToken:
      access_level: Read
      description: Grants permission to get an OpenID token, using a known Cognito ID
      risk_category:
      - CredentialExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:GetOpenIdTokenForDeveloperIdentity:
      access_level: Read
      description: Grants permission to register (or retrieve) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process
      risk_category:
      - CredentialExposure
      service_name: Amazon Cognito Identity

  - cognito-idp:DescribeUserPoolClient:
      access_level: Read
      description: Grants permission to describe any user pool app client
      risk_category:
      - CredentialExposure
      service_name: Amazon Cognito User Pools

  - cognito-idp:GetUserAttributeVerificationCode:
      access_level: Read
      description: Grants permission to get the user attribute verification code for the specified attribute name
      risk_category:
      - CredentialExposure
      service_name: Amazon Cognito User Pools

  - connect:GetFederationToken:
      access_level: Read
      description: Grants permission to federate into an Amazon Connect instance when using SAML-based authentication for identity management
      risk_category:
      - CredentialExposure
      service_name: Amazon Connect

  - connect:ListSecurityKeys:
      access_level: List
      description: Grants permission to view the security keys of an existing Amazon Connect instance
      risk_category:
      - CredentialExposure
      service_name: Amazon Connect

  - ec2:GetPasswordData:
      access_level: Read
      description: Grants permission to retrieve the encrypted administrator password for a running Windows instance
      risk_category:
      - CredentialExposure
      service_name: Amazon EC2

  - ec2-instance-connect:SendSSHPublicKey:
      access_level: Write
      description: Grants permission to push an SSH public key to the specified EC2 instance to be used for standard SSH
      risk_category:
      - CredentialExposure
      - PrivEsc
      service_name: Amazon EC2 Instance Connect

  - ecr-public:GetAuthorizationToken:
      access_level: Read
      description: Grants permission to retrieve a token that is valid for a specified registry for 12 hours
      risk_category:
      - CredentialExposure
      service_name: Amazon Elastic Container Registry Public

  - ecr:GetAuthorizationToken:
      access_level: Read
      description: Grants permission to retrieve a token that is valid for a specified registry for 12 hours
      risk_category:
      - CredentialExposure
      service_name: Amazon Elastic Container Registry

  - gamelift:GetComputeAuthToken:
      access_level: Read
      description: Grants permission to retrieve an authorization token for a compute and fleet to use in game server processes
      risk_category:
      - CredentialExposure
      service_name: Amazon GameLift

  - gamelift:GetGameSessionLogUrl:
      access_level: Read
      description: Grants permission to retrieve the location of stored logs for a game session
      risk_category:
      - CredentialExposure
      service_name: Amazon GameLift

  - gamelift:GetInstanceAccess:
      access_level: Read
      description: Grants permission to request remote access to a specified fleet instance
      risk_category:
      - CredentialExposure
      - DataAccess
      service_name: Amazon GameLift

  - gamelift:RequestUploadCredentials:
      access_level: Read
      description: Grants permission to retrieve fresh upload credentials to use when uploading a new game build
      risk_category:
      - CredentialExposure
      service_name: Amazon GameLift

  - iam:CreateAccessKey:
      access_level: Write
      description: Grants permission to create access key and secret access key for the specified IAM user
      risk_category:
      - CredentialExposure
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateLoginProfile:
      access_level: Write
      description: Grants permission to create a password for the specified IAM user
      risk_category:
      - CredentialExposure
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateServiceSpecificCredential:
      access_level: Write
      description: Grants permission to create a new service-specific credential for an IAM user
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:ResetServiceSpecificCredential:
      access_level: Write
      description: Grants permission to reset the password for an existing service-specific credential for an IAM user
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateAccessKey:
      access_level: Write
      description: Grants permission to update the status of the specified access key as Active or Inactive
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - lightsail:DownloadDefaultKeyPair:
      access_level: Write
      description: Grants permission to download the default key pair used to authenticate and connect to instances in a specific AWS Region
      risk_category:
      - CredentialExposure
      service_name: Amazon Lightsail

  - lightsail:GetBucketAccessKeys:
      access_level: Read
      description: Grants permission to get the existing access key IDs for the specified Amazon Lightsail bucket
      risk_category:
      - CredentialExposure
      service_name: Amazon Lightsail

  - lightsail:GetKeyPair:
      access_level: Read
      description: Grants permission to get information about a key pair
      risk_category:
      - CredentialExposure
      service_name: Amazon Lightsail

  - lightsail:GetKeyPairs:
      access_level: Read
      description: Grants permission to get information about all key pairs
      risk_category:
      - CredentialExposure
      service_name: Amazon Lightsail

  - lightsail:GetRelationalDatabaseMasterUserPassword:
      access_level: Write
      description: Grants permission to get the master user password of a relational database
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: Amazon Lightsail

  - mediapackage:RotateChannelCredentials:
      access_level: Write
      description: Grants permission to rotate credentials for the first IngestEndpoint of a Channel in AWS Elemental MediaPackage
      risk_category:
      - CredentialExposure
      service_name: AWS Elemental MediaPackage

  - mediapackage:RotateIngestEndpointCredentials:
      access_level: Write
      description: Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: AWS Elemental MediaPackage

  - rds-db:connect:
      access_level: Permissions management
      description: Allows IAM role or user to connect to RDS database
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: Amazon RDS IAM Authentication

  - redshift:GetClusterCredentials:
      access_level: Write
      description: Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account
      risk_category:
      - CredentialExposure
      service_name: Amazon Redshift

  - s3:GetDataAccess:
      access_level: Read
      description: Grants permission to get Access
      risk_category:
      - CredentialExposure
      service_name: Amazon S3

  - snowball:GetJobUnlockCode:
      access_level: Read
      description: Grants permission to get the UnlockCode code value for the specified job
      risk_category:
      - CredentialExposure
      service_name: AWS Snowball

  - sso-directory:ListBearerTokens:
      access_level: Read
      description: Grants permission to list bearer tokens for a given provisioning tenant
      risk_category:
      - CredentialExposure
      service_name: AWS IAM Identity Center Directory

  - storagegateway:DescribeChapCredentials:
      access_level: Read
      description: Grants permission to get an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair
      risk_category:
      - CredentialExposure
      service_name: AWS Storage Gateway

  - sts:AssumeRole:
      access_level: Write
      description: Grants permission to obtain a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to
      risk_category:
      - CredentialExposure
      service_name: AWS Security Token Service

  - sts:AssumeRoleWithSAML:
      access_level: Write
      description: Grants permission to obtain a set of temporary security credentials for users who have been authenticated via a SAML authentication response
      risk_category:
      - CredentialExposure
      service_name: AWS Security Token Service

  - sts:AssumeRoleWithWebIdentity:
      access_level: Write
      description: Grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider
      risk_category:
      - CredentialExposure
      service_name: AWS Security Token Service

  - sts:GetFederationToken:
      access_level: Read
      description: Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user
      risk_category:
      - CredentialExposure
      service_name: AWS Security Token Service

  - sts:GetSessionToken:
      access_level: Read
      description: Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an AWS account or IAM user
      risk_category:
      - CredentialExposure
      service_name: AWS Security Token Service

  - waf-regional:GetChangeToken:
      access_level: Read
      description: Grants permission to retrieve a change token to use in create, update, and delete requests
      risk_category:
      - CredentialExposure
      service_name: AWS WAF Regional

  - waf:GetChangeToken:
      access_level: Read
      description: Grants permission to retrieve a change token to use in create, update, and delete requests
      risk_category:
      - CredentialExposure
      service_name: AWS WAF

DataAccess:
  Actions:

  - aoss:APIAccessAll:
      access_level: Write
      description: Grant permission to all the supported Opensearch APIs
      risk_category:
      - DataAccess
      service_name: Amazon OpenSearch Serverless

  - aoss:DashboardsAccessAll:
      access_level: Write
      description: Grants permission to Opensearch Serverless Dashboards
      risk_category:
      - DataAccess
      service_name: Amazon OpenSearch Serverless

  - appsync:GetDataSource:
      access_level: Read
      description: Grants permission to retrieve a data source
      risk_category:
      - DataAccess
      service_name: AWS AppSync

  - appsync:GetFunction:
      access_level: Read
      description: Grants permission to retrieve a function
      risk_category:
      - DataAccess
      service_name: AWS AppSync

  - athena:GetQueryExecution:
      access_level: Read
      description: Grants permission to get information about the specified query execution
      risk_category:
      - DataAccess
      service_name: Amazon Athena

  - athena:GetQueryResults:
      access_level: Read
      description: Grants permission to get the query results
      risk_category:
      - DataAccess
      service_name: Amazon Athena

  - athena:GetQueryResultsStream:
      access_level: Read
      description: Grants permission to get the query results stream
      risk_category:
      - DataAccess
      service_name: Amazon Athena

  - cassandra:Select:
      access_level: Read
      description: Grants permission to SELECT data from a table
      risk_category:
      - DataAccess
      service_name: Amazon Keyspaces (for Apache Cassandra)

  - chatbot:DescribeSlackChannels:
      access_level: Read
      description: Grants permission to list all public Slack channels in the Slack workspace connected to the AWS Account onboarded with AWS Chatbot service
      risk_category:
      - DataAccess
      service_name: AWS Chatbot

  - chatbot:DescribeSlackUserIdentities:
      access_level: Read
      description: Grants permission to describe AWS Chatbot Slack User Identities
      risk_category:
      - DataAccess
      service_name: AWS Chatbot

  - chatbot:ListMicrosoftTeamsConfiguredTeams:
      access_level: Read
      description: Grants permission to list all Microsoft Teams connected to the AWS Account onboarded with AWS Chatbot service
      risk_category:
      - DataAccess
      service_name: AWS Chatbot

  - chatbot:ListMicrosoftTeamsUserIdentities:
      access_level: Read
      description: Grants permission to describe AWS Chatbot Microsoft Teams User Identities
      risk_category:
      - DataAccess
      service_name: AWS Chatbot

  - chime:GetAttendee:
      access_level: Read
      description: Grants permission to get attendee details for a specified meeting ID and attendee ID
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:GetChannelMessage:
      access_level: Read
      description: Grants permission to get the full details of a channel message
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:GetMeeting:
      access_level: Read
      description: Grants permission to get the meeting record for a specified meeting ID
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:GetMeetingDetail:
      access_level: Read
      description: Grants permission to get attendee, connection, and other details for a meeting
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:GetRoom:
      access_level: Read
      description: Grants permission to retrieve a room
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:GetUser:
      access_level: Read
      description: Grants permission to get details for the specified user ID
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:GetUserActivityReportData:
      access_level: Read
      description: Grants permission to get a summary of user activity on the user details page
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:GetUserByEmail:
      access_level: Read
      description: Grants permission to get user details for an Amazon Chime user based on the email address in an Amazon Chime Enterprise or Team account
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:GetUserSettings:
      access_level: Read
      description: Grants permission to get user settings related to the specified Amazon Chime user
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:ListAttendees:
      access_level: List
      description: Grants permission to list up to 100 attendees for a specified Amazon Chime SDK meeting
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:ListMeetingEvents:
      access_level: List
      description: Grants permission to list all events that occurred for a specified meeting
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:ListMeetings:
      access_level: List
      description: Grants permission to list up to 100 active Amazon Chime SDK meetings
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - chime:ListUsers:
      access_level: List
      description: Grants permission to list the users that belong to the specified Amazon Chime account
      risk_category:
      - DataAccess
      service_name: Amazon Chime

  - cleanrooms:GetProtectedQuery:
      access_level: Read
      description: Grants permission to view a protected query
      risk_category:
      - DataAccess
      service_name: AWS Clean Rooms

  - cloudformation:GetTemplate:
      access_level: Read
      description: Grants permission to return the template body for a specified stack
      risk_category:
      - DataAccess
      service_name: AWS CloudFormation & Cloud Control API

  - cloudfront:GetFunction:
      access_level: Read
      description: Grants permission to get a CloudFront function's code
      risk_category:
      - DataAccess
      service_name: Amazon CloudFront

  - cloudtrail:GetQueryResults:
      access_level: Read
      description: Grants permission to fetch results of a complete query
      risk_category:
      - DataAccess
      service_name: AWS CloudTrail

  - cloudtrail:LookupEvents:
      access_level: Read
      description: Grants permission to look up and retrieve metric data for API activity events captured by CloudTrail that create, update, or delete resources in your account
      risk_category:
      - DataAccess
      service_name: AWS CloudTrail

  - codeartifact:GetPackageVersionAsset:
      access_level: Read
      description: Grants permission to return an asset (or file) that is part of a package version
      risk_category:
      - DataAccess
      service_name: AWS CodeArtifact

  - codeartifact:GetPackageVersionReadme:
      access_level: Read
      description: Grants permission to return a package version's readme file
      risk_category:
      - DataAccess
      service_name: AWS CodeArtifact

  - codeartifact:ReadFromRepository:
      access_level: Read
      description: Grants permission to return package assets and metadata from a repository endpoint
      risk_category:
      - DataAccess
      service_name: AWS CodeArtifact

  - codebuild:BatchGetReportGroups:
      access_level: Read
      description: Grants permission to return an array of ReportGroup objects that are specified by the input reportGroupArns parameter
      risk_category:
      - DataAccess
      service_name: AWS CodeBuild

  - codebuild:BatchGetReports:
      access_level: Read
      description: Grants permission to return an array of the Report objects specified by the input reportArns parameter
      risk_category:
      - DataAccess
      service_name: AWS CodeBuild

  - codecommit:BatchGetCommits:
      access_level: Read
      description: Grants permission to return information about one or more commits in an AWS CodeCommit repository
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:BatchGetPullRequests:
      access_level: Read
      description: Grants permission to return information about one or more pull requests in an AWS CodeCommit repository
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:BatchGetRepositories:
      access_level: Read
      description: Grants permission to get information about multiple repositories
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:DescribeMergeConflicts:
      access_level: Read
      description: Grants permission to get information about specific merge conflicts when attempting to merge two commits using either the three-way or the squash merge option
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:DescribePullRequestEvents:
      access_level: Read
      description: Grants permission to return information about one or more pull request events
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetApprovalRuleTemplate:
      access_level: Read
      description: Grants permission to return information about an approval rule template
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetBlob:
      access_level: Read
      description: Grants permission to view the encoded content of an individual file in an AWS CodeCommit repository from the AWS CodeCommit console
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetBranch:
      access_level: Read
      description: Grants permission to get details about a branch in an AWS CodeCommit repository with this API; does not control Git branch actions
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetComment:
      access_level: Read
      description: Grants permission to get the content of a comment made on a change, file, or commit in a repository
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetCommentReactions:
      access_level: Read
      description: Grants permission to get the reactions on a comment
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetCommentsForComparedCommit:
      access_level: Read
      description: Grants permission to get information about comments made on the comparison between two commits
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetCommentsForPullRequest:
      access_level: Read
      description: Grants permission to get comments made on a pull request
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetCommit:
      access_level: Read
      description: Grants permission to return information about a commit, including commit message and committer information, with this API; does not control Git log actions
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetCommitHistory:
      access_level: Read
      description: Grants permission to get information about the history of commits in a repository
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetCommitsFromMergeBase:
      access_level: Read
      description: Grants permission to get information about the difference between commits in the context of a potential merge
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetDifferences:
      access_level: Read
      description: Grants permission to view information about the differences between valid commit specifiers such as a branch, tag, HEAD, commit ID, or other fully qualified reference
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetFile:
      access_level: Read
      description: Grants permission to return the base-64 encoded contents of a specified file and its metadata
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetFolder:
      access_level: Read
      description: Grants permission to return the contents of a specified folder in a repository
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetMergeCommit:
      access_level: Read
      description: Grants permission to get information about a merge commit created by one of the merge options for pull requests that creates merge commits. Not all merge options create merge commits. This permission does not control Git merge actions
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetMergeConflicts:
      access_level: Read
      description: Grants permission to get information about merge conflicts between the before and after commit IDs for a pull request in a repository
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetMergeOptions:
      access_level: Read
      description: Grants permission to get information about merge options for pull requests that can be used to merge two commits; does not control Git merge actions
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetObjectIdentifier:
      access_level: Read
      description: Grants permission to resolve blobs, trees, and commits to their identifier
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetPullRequest:
      access_level: Read
      description: Grants permission to get information about a pull request in a specified repository
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetPullRequestApprovalStates:
      access_level: Read
      description: Grants permission to retrieve the current approvals on an inputted pull request
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetPullRequestOverrideState:
      access_level: Read
      description: Grants permission to retrieve the current override state of a given pull request
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetReferences:
      access_level: Read
      description: Grants permission to get details about references in an AWS CodeCommit repository; does not control Git reference actions
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GetTree:
      access_level: Read
      description: Grants permission to view the contents of a specified tree in an AWS CodeCommit repository from the AWS CodeCommit console
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codecommit:GitPull:
      access_level: Read
      description: Grants permission to pull information from an AWS CodeCommit repository to a local repo
      risk_category:
      - DataAccess
      service_name: AWS CodeCommit

  - codeguru-profiler:GetRecommendations:
      access_level: Read
      description: Grants permission to get recommendations
      risk_category:
      - DataAccess
      service_name: Amazon CodeGuru Profiler

  - codeguru-reviewer:DescribeCodeReview:
      access_level: Read
      description: Grants permission to describe a code review
      risk_category:
      - DataAccess
      service_name: Amazon CodeGuru Reviewer

  - codeguru-reviewer:DescribeRecommendationFeedback:
      access_level: Read
      description: Grants permission to describe a recommendation feedback on a code review
      risk_category:
      - DataAccess
      service_name: Amazon CodeGuru Reviewer

  - codepipeline:GetPipelineExecution:
      access_level: Read
      description: Grants permission to view information about an execution of a pipeline, including details about artifacts, the pipeline execution ID, and the name, version, and status of the pipeline
      risk_category:
      - DataAccess
      service_name: AWS CodePipeline

  - cognito-identity:LookupDeveloperIdentity:
      access_level: Read
      description: Grants permission to retrieve the IdentityId associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifiers associated with an IdentityId for an existing identity
      risk_category:
      - DataAccess
      service_name: Amazon Cognito Identity

  - cognito-idp:AdminGetDevice:
      access_level: Read
      description: Grants permission to get information about any user's devices
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:AdminGetUser:
      access_level: Read
      description: Grants permission to look up any user by user name
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:AdminListDevices:
      access_level: List
      description: Grants permission to list any user's remembered devices
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:AdminListGroupsForUser:
      access_level: List
      description: Grants permission to list the groups that any user belongs to
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:AdminListUserAuthEvents:
      access_level: Read
      description: Grants permission to lists sign-in events for any user
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:GetDevice:
      access_level: Read
      description: Grants permission to get the device
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:GetGroup:
      access_level: Read
      description: Grants permission to describe a user pool group
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:GetUser:
      access_level: Read
      description: Grants permission to get the user attributes and metadata for a user
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:ListUsers:
      access_level: List
      description: Grants permission to list all user pool users
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:ListDevices:
      access_level: List
      description: Grants permission to list the devices
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-idp:ListGroups:
      access_level: List
      description: Grants permission to list all groups in user pools
      risk_category:
      - DataAccess
      service_name: Amazon Cognito User Pools

  - cognito-sync:ListRecords:
      access_level: Read
      description: Grants permission to get paginated records, optionally changed after a particular sync count for a dataset and identity
      risk_category:
      - DataAccess
      service_name: Amazon Cognito Sync

  - cognito-sync:QueryRecords:
      access_level: Read
      description: Grants permission to query records
      risk_category:
      - DataAccess
      service_name: Amazon Cognito Sync

  - connect:ListUsers:
      access_level: List
      description: Grants permission to list user resources in an Amazon Connect instance
      risk_category:
      - DataAccess
      service_name: Amazon Connect

  - datapipeline:QueryObjects:
      access_level: Read
      description: Grants permission to query the specified pipeline for the names of objects that match the specified set of conditions
      risk_category:
      - DataAccess
      service_name: AWS Data Pipeline

  - dax:BatchGetItem:
      access_level: Read
      description: Grants permission to return the attributes of one or more items from one or more tables
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB Accelerator (DAX)

  - dax:GetItem:
      access_level: Read
      description: Grants permission to the GetItem operation that returns a set of attributes for the item with the given primary key
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB Accelerator (DAX)

  - dax:Query:
      access_level: Read
      description: Grants permission to use the primary key of a table or a secondary index to directly access items from that table or index
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB Accelerator (DAX)

  - dax:Scan:
      access_level: Read
      description: Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB Accelerator (DAX)

  - dynamodb:BatchGetItem:
      access_level: Read
      description: Grants permission to return the attributes of one or more items from one or more tables
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB

  - dynamodb:GetItem:
      access_level: Read
      description: Grants permission to the GetItem operation that returns a set of attributes for the item with the given primary key
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB

  - dynamodb:GetRecords:
      access_level: Read
      description: Grants permission to retrieve the stream records from a given shard
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB

  - dynamodb:Query:
      access_level: Read
      description: Grants permission to use the primary key of a table or a secondary index to directly access items from that table or index
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB

  - dynamodb:Scan:
      access_level: Read
      description: Grants permission to return one or more items and item attributes by accessing every item in a table or a secondary index
      risk_category:
      - DataAccess
      service_name: Amazon DynamoDB

  - ecr:GetDownloadUrlForLayer:
      access_level: Read
      description: Grants permission to retrieve the download URL corresponding to an image layer
      risk_category:
      - DataAccess
      service_name: Amazon Elastic Container Registry

  - es:ESHttpDelete:
      access_level: Write
      description: Grants permission to send HTTP DELETE requests to the OpenSearch APIs
      risk_category:
      - DataAccess
      service_name: Amazon OpenSearch Service

  - es:ESHttpGet:
      access_level: Read
      description: Grants permission to send HTTP GET requests to the OpenSearch APIs
      risk_category:
      - DataAccess
      service_name: Amazon OpenSearch Service

  - es:ESHttpHead:
      access_level: Read
      description: Grants permission to send HTTP HEAD requests to the OpenSearch APIs
      risk_category:
      - DataAccess
      service_name: Amazon OpenSearch Service

  - es:ESHttpPatch:
      access_level: Write
      description: Grants permission to send HTTP PATCH requests to the OpenSearch APIs
      risk_category:
      - DataAccess
      service_name: Amazon OpenSearch Service

  - es:ESHttpPost:
      access_level: Write
      description: Grants permission to send HTTP POST requests to the OpenSearch APIs
      risk_category:
      - DataAccess
      service_name: Amazon OpenSearch Service

  - es:ESHttpPut:
      access_level: Write
      description: Grants permission to send HTTP PUT requests to the OpenSearch APIs
      risk_category:
      - DataAccess
      service_name: Amazon OpenSearch Service

  - gamelift:GetInstanceAccess:
      access_level: Read
      description: Grants permission to request remote access to a specified fleet instance
      risk_category:
      - CredentialExposure
      - DataAccess
      service_name: Amazon GameLift

  - healthlake:ReadResource:
      access_level: Read
      description: Grants permission to read resource
      risk_category:
      - DataAccess
      service_name: AWS HealthLake

  - healthlake:SearchWithGet:
      access_level: Read
      description: Grants permission to search resources with GET method
      risk_category:
      - DataAccess
      service_name: AWS HealthLake

  - healthlake:SearchWithPost:
      access_level: Read
      description: Grants permission to search resources with POST method
      risk_category:
      - DataAccess
      service_name: AWS HealthLake

  - kendra:Query:
      access_level: Read
      description: Grants permission to query documents and faqs
      risk_category:
      - DataAccess
      service_name: Amazon Kendra

  - kinesis:GetRecords:
      access_level: Read
      description: Grants permission to get data records from a shard
      risk_category:
      - DataAccess
      service_name: Amazon Kinesis Data Streams

  - kinesisvideo:GetImages:
      access_level: Read
      description: Grants permission to get generated images from your Kinesis video stream
      risk_category:
      - DataAccess
      service_name: Amazon Kinesis Video Streams

  - kinesisvideo:GetMedia:
      access_level: Read
      description: Grants permission to return media content of a Kinesis video stream
      risk_category:
      - DataAccess
      service_name: Amazon Kinesis Video Streams

  - kms:CreateGrant:
      access_level: Permissions management
      description: Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy
      risk_category:
      - DataAccess
      - PrivEsc
      - ResourceExposure
      service_name: AWS Key Management Service

  - lambda:GetFunction:
      access_level: Read
      description: Grants permission to view details about an AWS Lambda function
      risk_category:
      - DataAccess
      service_name: AWS Lambda

  - lambda:GetLayerVersion:
      access_level: Read
      description: Grants permission to view details about a version of an AWS Lambda layer. Note this action also supports GetLayerVersionByArn API
      risk_category:
      - DataAccess
      service_name: AWS Lambda

  - lightsail:GetContainerImages:
      access_level: Read
      description: Grants permission to view the container images that are registered to your Amazon Lightsail container service
      risk_category:
      - DataAccess
      service_name: Amazon Lightsail

  - logs:GetLogEvents:
      access_level: Read
      description: Grants permission to retrieve log events from the specified log stream
      risk_category:
      - DataAccess
      service_name: Amazon CloudWatch Logs

  - logs:GetLogRecord:
      access_level: Read
      description: Grants permission to retrieve all the fields and values of a single log event
      risk_category:
      - DataAccess
      service_name: Amazon CloudWatch Logs

  - logs:GetQueryResults:
      access_level: Read
      description: Grants permission to return the results from the specified query
      risk_category:
      - DataAccess
      service_name: Amazon CloudWatch Logs

  - logs:Unmask:
      access_level: Read
      description: Grants permission to fetch unmasked log events that have been redacted with a data protection policy
      risk_category:
      - DataAccess
      service_name: Amazon CloudWatch Logs

  - macie2:GetFindings:
      access_level: Read
      description: Grants permission to retrieve the details of one or more findings
      risk_category:
      - DataAccess
      service_name: Amazon Macie

  - mediastore:GetObject:
      access_level: Read
      description: Grants permission to retrieve an object
      risk_category:
      - DataAccess
      service_name: AWS Elemental MediaStore

  - qldb:GetBlock:
      access_level: Read
      description: Grants permission to retrieve a block from a ledger for a given BlockAddress
      risk_category:
      - DataAccess
      service_name: Amazon QLDB

  - rds:DownloadCompleteDBLogFile:
      access_level: Read
      description: Grants permission to download specified log file
      risk_category:
      - DataAccess
      service_name: Amazon RDS, Neptune & DocumentDB

  - rds:DownloadDBLogFilePortion:
      access_level: Read
      description: Grants permission to download all or a portion of the specified log file, up to 1 MB in size
      risk_category:
      - DataAccess
      service_name: Amazon RDS, Neptune & DocumentDB

  - robomaker:GetWorldTemplateBody:
      access_level: Read
      description: Get the body of a world template
      risk_category:
      - DataAccess
      service_name: AWS RoboMaker

  - s3-object-lambda:GetObject:
      access_level: Read
      description: Grants permission to retrieve objects from Amazon S3
      risk_category:
      - DataAccess
      service_name: Amazon S3 Object Lambda

  - s3-object-lambda:GetObjectVersion:
      access_level: Read
      description: Grants permission to retrieve a specific version of an object
      risk_category:
      - DataAccess
      service_name: Amazon S3 Object Lambda

  - s3-object-lambda:ListBucket:
      access_level: List
      description: Grants permission to list some or all of the objects in an Amazon S3 bucket (up to 1000)
      risk_category:
      - DataAccess
      service_name: Amazon S3 Object Lambda

  - s3:GetObject:
      access_level: Read
      description: Grants permission to retrieve objects from Amazon S3
      risk_category:
      - DataAccess
      service_name: Amazon S3

  - s3:GetObjectVersion:
      access_level: Read
      description: Grants permission to retrieve a specific version of an object
      risk_category:
      - DataAccess
      service_name: Amazon S3

  - sagemaker:Search:
      access_level: Read
      description: Grants permission to search for SageMaker objects
      risk_category:
      - DataAccess
      service_name: Amazon SageMaker

  - sdb:Select:
      access_level: Read
      description: Description for Select
      risk_category:
      - DataAccess
      service_name: Amazon SimpleDB

  - serverlessrepo:GetApplication:
      access_level: Read
      description: Grants permission to get the specified application
      risk_category:
      - DataAccess
      service_name: AWS Serverless Application Repository

  - serverlessrepo:GetCloudFormationTemplate:
      access_level: Read
      description: Grants permission to get the specified AWS CloudFormation template
      risk_category:
      - DataAccess
      service_name: AWS Serverless Application Repository

  - sqs:ReceiveMessage:
      access_level: Read
      description: Grants permission to retrieve one or more messages, with a maximum limit of 10 messages, from the specified queue
      risk_category:
      - DataAccess
      service_name: Amazon SQS

  - ssm:GetDocument:
      access_level: Read
      description: Grants permission to view the contents of a specified SSM document
      risk_category:
      - DataAccess
      service_name: AWS Systems Manager

  - ssm:GetParameter:
      access_level: Read
      description: Grants permission to view information about a specified parameter
      risk_category:
      - DataAccess
      service_name: AWS Systems Manager

  - ssm:GetParameterHistory:
      access_level: Read
      description: Grants permission to view details and changes for a specified parameter
      risk_category:
      - DataAccess
      service_name: AWS Systems Manager

  - ssm:GetParameters:
      access_level: Read
      description: Grants permission to view information about multiple specified parameters
      risk_category:
      - DataAccess
      service_name: AWS Systems Manager

  - ssm:GetParametersByPath:
      access_level: Read
      description: Grants permission to view information about parameters in a specified hierarchy
      risk_category:
      - DataAccess
      service_name: AWS Systems Manager

  - sso-directory:DescribeGroup:
      access_level: Read
      description: Grants permission to query the group data, not including user and group members
      risk_category:
      - DataAccess
      service_name: AWS IAM Identity Center Directory

  - sso-directory:DescribeUser:
      access_level: Read
      description: Grants permission to retrieve information about a user from the directory that AWS IAM Identity Center provides by default
      risk_category:
      - DataAccess
      service_name: AWS IAM Identity Center Directory

  - sso-directory:SearchGroups:
      access_level: Read
      description: Grants permission to search for groups within the associated directory
      risk_category:
      - DataAccess
      service_name: AWS IAM Identity Center Directory

  - sso-directory:SearchUsers:
      access_level: Read
      description: Grants permission to search for users within the associated directory
      risk_category:
      - DataAccess
      service_name: AWS IAM Identity Center Directory

  - sso:SearchGroups:
      access_level: Read
      description: Grants permission to search for groups within the associated directory
      risk_category:
      - DataAccess
      service_name: AWS IAM Identity Center

  - sso:SearchUsers:
      access_level: Read
      description: Grants permission to search for users within the associated directory
      risk_category:
      - DataAccess
      service_name: AWS IAM Identity Center

  - support:DescribeAttachment:
      access_level: Read
      description: Grants permission to describe attachment detail
      risk_category:
      - DataAccess
      service_name: AWS Support

  - support:DescribeCommunications:
      access_level: Read
      description: Grants permission to list the communications and attachments for one or more AWS Support cases
      risk_category:
      - DataAccess
      service_name: AWS Support

  - wafv2:GetSampledRequests:
      access_level: Read
      description: Grants permission to retrieve detailed information about a sampling of web requests
      risk_category:
      - DataAccess
      service_name: AWS WAF V2

  - workdocs:GetDocument:
      access_level: Read
      description: Grants permission to retrieve the specified document object
      risk_category:
      - DataAccess
      service_name: Amazon WorkDocs

  - workdocs:GetDocumentPath:
      access_level: Read
      description: Grants permission to retrieve the path information (the hierarchy from the root folder) for the requested document
      risk_category:
      - DataAccess
      service_name: Amazon WorkDocs

  - workdocs:GetDocumentVersion:
      access_level: Read
      description: Grants permission to retrieve version metadata for the specified document
      risk_category:
      - DataAccess
      service_name: Amazon WorkDocs

  - workmail:ListGroupMembers:
      access_level: List
      description: Grants permission to read an overview of the members of a group. Users and groups can be members of a group
      risk_category:
      - DataAccess
      service_name: Amazon WorkMail

  - workmail:ListGroups:
      access_level: List
      description: Grants permission to list summaries of the organization's groups
      risk_category:
      - DataAccess
      service_name: Amazon WorkMail

  - workmail:ListUsers:
      access_level: List
      description: Grants permission to list the organization's users
      risk_category:
      - DataAccess
      service_name: Amazon WorkMail

PrivEsc:
  Actions:

  - codestar:AssociateTeamMember:
      access_level: Permissions management
      description: Grants permission to add a user to the team for an AWS CodeStar project
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS CodeStar

  - codestar:CreateProject:
      access_level: Permissions management
      description: Grants permission to create a project with minimal structure, customer policies, and no resources
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS CodeStar

  - ec2-instance-connect:SendSSHPublicKey:
      access_level: Write
      description: Grants permission to push an SSH public key to the specified EC2 instance to be used for standard SSH
      risk_category:
      - CredentialExposure
      - PrivEsc
      service_name: Amazon EC2 Instance Connect

  - glue:UpdateDevEndpoint:
      access_level: Write
      description: Grants permission to update a development endpoint
      risk_category:
      - PrivEsc
      service_name: AWS Glue

  - iam:AddUserToGroup:
      access_level: Write
      description: Grants permission to add an IAM user to the specified IAM group
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:AttachGroupPolicy:
      access_level: Permissions management
      description: Grants permission to attach a managed policy to the specified IAM group
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:AttachRolePolicy:
      access_level: Permissions management
      description: Grants permission to attach a managed policy to the specified IAM role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:AttachUserPolicy:
      access_level: Permissions management
      description: Grants permission to attach a managed policy to the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateAccessKey:
      access_level: Write
      description: Grants permission to create access key and secret access key for the specified IAM user
      risk_category:
      - CredentialExposure
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateLoginProfile:
      access_level: Write
      description: Grants permission to create a password for the specified IAM user
      risk_category:
      - CredentialExposure
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreatePolicyVersion:
      access_level: Permissions management
      description: Grants permission to create a new version of the specified managed policy
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateServiceLinkedRole:
      access_level: Write
      description: Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateVirtualMFADevice:
      access_level: Write
      description: Grants permission to create a new virtual MFA device
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteRolePermissionsBoundary:
      access_level: Permissions management
      description: Grants permission to remove the permissions boundary from a role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteUserPermissionsBoundary:
      access_level: Permissions management
      description: Grants permission to remove the permissions boundary from the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:EnableMFADevice:
      access_level: Write
      description: Grants permission to enable an MFA device and associate it with the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PassRole:
      access_level: Write
      description: Grants permission to pass a role to a service
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutGroupPolicy:
      access_level: Permissions management
      description: Grants permission to create or update an inline policy document that is embedded in the specified IAM group
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutRolePermissionsBoundary:
      access_level: Permissions management
      description: Grants permission to set a managed policy as a permissions boundary for a role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutRolePolicy:
      access_level: Permissions management
      description: Grants permission to create or update an inline policy document that is embedded in the specified IAM role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutUserPermissionsBoundary:
      access_level: Permissions management
      description: Grants permission to set a managed policy as a permissions boundary for an IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutUserPolicy:
      access_level: Permissions management
      description: Grants permission to create or update an inline policy document that is embedded in the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:ResyncMFADevice:
      access_level: Write
      description: Grants permission to synchronize the specified MFA device with its IAM entity (user or role)
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:SetDefaultPolicyVersion:
      access_level: Permissions management
      description: Grants permission to set the version of the specified policy as the policy's default version
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateAssumeRolePolicy:
      access_level: Permissions management
      description: Grants permission to update the policy that grants an IAM entity permission to assume a role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateLoginProfile:
      access_level: Write
      description: Grants permission to change the password for the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - kms:CreateGrant:
      access_level: Permissions management
      description: Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy
      risk_category:
      - DataAccess
      - PrivEsc
      - ResourceExposure
      service_name: AWS Key Management Service

ResourceExposure:
  Actions:

  - acm-pca:CreatePermission:
      access_level: Permissions management
      description: Grants permission to create a permission for an AWS Private CA
      risk_category:
      - ResourceExposure
      service_name: AWS Private Certificate Authority

  - acm-pca:DeletePermission:
      access_level: Permissions management
      description: Grants permission to delete a permission for an AWS Private CA
      risk_category:
      - ResourceExposure
      service_name: AWS Private Certificate Authority

  - acm-pca:DeletePolicy:
      access_level: Permissions management
      description: Grants permission to delete the policy for an AWS Private CA
      risk_category:
      - ResourceExposure
      service_name: AWS Private Certificate Authority

  - acm-pca:PutPolicy:
      access_level: Permissions management
      description: Grants permission to put a policy on an AWS Private CA
      risk_category:
      - ResourceExposure
      service_name: AWS Private Certificate Authority

  - apigateway:UpdateRestApiPolicy:
      access_level: Permissions management
      description: Grants permission to manage the IAM resource policy for an API. This is an additional authorization control for managing an API due to the sensitive nature of the resource policy
      risk_category:
      - ResourceExposure
      service_name: Amazon API Gateway Management

  - backup:DeleteBackupVaultAccessPolicy:
      access_level: Permissions management
      description: Grants permission to delete backup vault access policy
      risk_category:
      - ResourceExposure
      service_name: AWS Backup

  - backup:PutBackupVaultAccessPolicy:
      access_level: Permissions management
      description: Grants permission to add an access policy to the backup vault
      risk_category:
      - ResourceExposure
      service_name: AWS Backup

  - chime:DeleteVoiceConnectorTerminationCredentials:
      access_level: Write
      description: Grants permission to delete SIP termination credentials for the specified Amazon Chime Voice Connector
      risk_category:
      - ResourceExposure
      service_name: Amazon Chime

  - chime:PutVoiceConnectorTerminationCredentials:
      access_level: Write
      description: Grants permission to add SIP termination credentials for the specified Amazon Chime Voice Connector
      risk_category:
      - ResourceExposure
      service_name: Amazon Chime

  - cloudformation:SetStackPolicy:
      access_level: Permissions management
      description: Grants permission to set a stack policy for a specified stack
      risk_category:
      - ResourceExposure
      service_name: AWS CloudFormation & Cloud Control API

  - cloudsearch:UpdateServiceAccessPolicies:
      access_level: Permissions management
      description: Configures the access rules that control access to the domain's document and search endpoints
      risk_category:
      - ResourceExposure
      service_name: Amazon CloudSearch

  - codeartifact:DeleteDomainPermissionsPolicy:
      access_level: Permissions management
      description: Grants permission to delete the resource policy set on a domain
      risk_category:
      - ResourceExposure
      service_name: AWS CodeArtifact

  - codeartifact:DeleteRepositoryPermissionsPolicy:
      access_level: Permissions management
      description: Grants permission to delete the resource policy set on a repository
      risk_category:
      - ResourceExposure
      service_name: AWS CodeArtifact

  - codebuild:DeleteResourcePolicy:
      access_level: Permissions management
      description: Grants permission to delete a resource policy for the associated project or report group
      risk_category:
      - ResourceExposure
      service_name: AWS CodeBuild

  - codebuild:DeleteSourceCredentials:
      access_level: Write
      description: Grants permission to delete a set of GitHub, GitHub Enterprise, or Bitbucket source credentials
      risk_category:
      - ResourceExposure
      service_name: AWS CodeBuild

  - codebuild:ImportSourceCredentials:
      access_level: Write
      description: Grants permission to import the source repository credentials for an AWS CodeBuild project that has its source code stored in a GitHub, GitHub Enterprise, or Bitbucket repository
      risk_category:
      - ResourceExposure
      service_name: AWS CodeBuild

  - codebuild:PutResourcePolicy:
      access_level: Permissions management
      description: Grants permission to create a resource policy for the associated project or report group
      risk_category:
      - ResourceExposure
      service_name: AWS CodeBuild

  - codeguru-profiler:PutPermission:
      access_level: Permissions management
      description: Grants permission to update the list of principals allowed for an action group in the resource policy associated with the specified Profiling Group
      risk_category:
      - ResourceExposure
      service_name: Amazon CodeGuru Profiler

  - codeguru-profiler:RemovePermission:
      access_level: Permissions management
      description: Grants permission to remove the permission of specified Action Group from the resource policy associated with the specified Profiling Group
      risk_category:
      - ResourceExposure
      service_name: Amazon CodeGuru Profiler

  - codestar:AssociateTeamMember:
      access_level: Permissions management
      description: Grants permission to add a user to the team for an AWS CodeStar project
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS CodeStar

  - codestar:CreateProject:
      access_level: Permissions management
      description: Grants permission to create a project with minimal structure, customer policies, and no resources
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS CodeStar

  - codestar:DeleteProject:
      access_level: Permissions management
      description: Grants permission to delete a project, including project resources. Does not delete users associated with the project, but does delete the IAM roles that allowed access to the project
      risk_category:
      - ResourceExposure
      service_name: AWS CodeStar

  - codestar:DisassociateTeamMember:
      access_level: Permissions management
      description: Grants permission to remove a user from a project. Removing a user from a project also removes the IAM policies from that user that allowed access to the project and its resources
      risk_category:
      - ResourceExposure
      service_name: AWS CodeStar

  - codestar:UpdateTeamMember:
      access_level: Permissions management
      description: Grants permission to update team member attributes within a CodeStar project
      risk_category:
      - ResourceExposure
      service_name: AWS CodeStar

  - cognito-identity:CreateIdentityPool:
      access_level: Write
      description: Grants permission to create a new identity pool
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:DeleteIdentities:
      access_level: Write
      description: Grants permission to delete identities from an identity pool. You can specify a list of 1-60 identities that you want to delete
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:DeleteIdentityPool:
      access_level: Write
      description: Grants permission to delete a user pool. Once a pool is deleted, users will not be able to authenticate with the pool
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:GetId:
      access_level: Write
      description: Grants permission to generate (or retrieve) a Cognito ID. Supplying multiple logins will create an implicit linked account
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:MergeDeveloperIdentities:
      access_level: Write
      description: Grants permission to merge two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:SetIdentityPoolRoles:
      access_level: Write
      description: Grants permission to set the roles for an identity pool. These roles are used when making calls to GetCredentialsForIdentity action
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:UnlinkDeveloperIdentity:
      access_level: Write
      description: Grants permission to unlink a DeveloperUserIdentifier from an existing identity
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:UnlinkIdentity:
      access_level: Write
      description: Grants permission to unlink a federated identity from an existing account
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - cognito-identity:UpdateIdentityPool:
      access_level: Write
      description: Grants permission to update an identity pool
      risk_category:
      - ResourceExposure
      service_name: Amazon Cognito Identity

  - deeplens:AssociateServiceRoleToAccount:
      access_level: Permissions management
      description: Associates the user's account with IAM roles controlling various permissions needed by AWS DeepLens for proper functionality.
      risk_category:
      - ResourceExposure
      service_name: AWS DeepLens

  - ds:CreateConditionalForwarder:
      access_level: Write
      description: Grants permission to create a conditional forwarder associated with your AWS directory
      risk_category:
      - ResourceExposure
      service_name: AWS Directory Service

  - ds:CreateDirectory:
      access_level: Write
      description: Grants permission to create a Simple AD directory
      risk_category:
      - ResourceExposure
      service_name: AWS Directory Service

  - ds:CreateMicrosoftAD:
      access_level: Write
      description: Grants permission to create a Microsoft AD in the AWS cloud
      risk_category:
      - ResourceExposure
      service_name: AWS Directory Service

  - ds:CreateTrust:
      access_level: Write
      description: Grants permission to initiate the creation of the AWS side of a trust relationship between a Microsoft AD in the AWS cloud and an external domain
      risk_category:
      - ResourceExposure
      service_name: AWS Directory Service

  - ds:ShareDirectory:
      access_level: Write
      description: Grants permission to share a specified directory in your AWS account (directory owner) with another AWS account (directory consumer). With this operation you can use your directory from any AWS account and from any Amazon VPC within an AWS Region
      risk_category:
      - ResourceExposure
      service_name: AWS Directory Service

  - ec2:CreateNetworkInterfacePermission:
      access_level: Permissions management
      description: Grants permission to create a permission for an AWS-authorized user to perform certain operations on a network interface
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2

  - ec2:DeleteNetworkInterfacePermission:
      access_level: Permissions management
      description: Grants permission to delete a permission that is associated with a network interface
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2

  - ec2:DisableImageBlockPublicAccess:
      access_level: Write
      description: Grants permission to disable block public access for AMIs at the account level in the specified AWS Region
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2

  - ec2:ModifySnapshotAttribute:
      access_level: Permissions management
      description: Grants permission to add or remove permission settings for a snapshot
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2

  - ec2:ModifyVpcEndpointServicePermissions:
      access_level: Permissions management
      description: Grants permission to modify the permissions for a VPC endpoint service
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2

  - ec2:ResetSnapshotAttribute:
      access_level: Permissions management
      description: Grants permission to reset permission settings for a snapshot
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2

  - ecr:DeleteRepositoryPolicy:
      access_level: Permissions management
      description: Grants permission to delete the repository policy from a specified repository
      risk_category:
      - ResourceExposure
      service_name: Amazon Elastic Container Registry

  - ecr:SetRepositoryPolicy:
      access_level: Permissions management
      description: Grants permission to apply a repository policy on a specified repository to control access permissions
      risk_category:
      - ResourceExposure
      service_name: Amazon Elastic Container Registry

  - elasticfilesystem:DeleteFileSystemPolicy:
      access_level: Permissions management
      description: Grants permission to delete the resource-level policy for a file system
      risk_category:
      - ResourceExposure
      service_name: Amazon Elastic File System

  - elasticfilesystem:PutFileSystemPolicy:
      access_level: Permissions management
      description: Grants permission to apply a resource-level policy that defines the actions allowed or denied from given actors for the specified file system
      risk_category:
      - ResourceExposure
      service_name: Amazon Elastic File System

  - elasticmapreduce:PutBlockPublicAccessConfiguration:
      access_level: Permissions management
      description: Grants permission to create or update the EMR block public access configuration for the AWS account in the Region
      risk_category:
      - ResourceExposure
      service_name: Amazon Elastic MapReduce

  - es:CreateElasticsearchDomain:
      access_level: Write
      description: Grants permission to create an OpenSearch Service domain. This permission is deprecated. Use CreateDomain instead
      risk_category:
      - ResourceExposure
      service_name: Amazon OpenSearch Service

  - es:UpdateElasticsearchDomainConfig:
      access_level: Write
      description: Grants permission to modify the configuration of an OpenSearch Service domain, such as the instance type or number of instances. This permission is deprecated. Use UpdateDomainConfig instead
      risk_category:
      - ResourceExposure
      service_name: Amazon OpenSearch Service

  - glacier:AbortVaultLock:
      access_level: Permissions management
      description: Grants permission to abort the vault locking process if the vault lock is not in the Locked state
      risk_category:
      - ResourceExposure
      service_name: Amazon S3 Glacier

  - glacier:CompleteVaultLock:
      access_level: Permissions management
      description: Grants permission to complete the vault locking process
      risk_category:
      - ResourceExposure
      service_name: Amazon S3 Glacier

  - glacier:DeleteVaultAccessPolicy:
      access_level: Permissions management
      description: Grants permission to delete the access policy associated with the specified vault
      risk_category:
      - ResourceExposure
      service_name: Amazon S3 Glacier

  - glacier:InitiateVaultLock:
      access_level: Permissions management
      description: Grants permission to initiate the vault locking process
      risk_category:
      - ResourceExposure
      service_name: Amazon S3 Glacier

  - glacier:SetDataRetrievalPolicy:
      access_level: Permissions management
      description: Grants permission to set and then enacts a data retrieval policy in the region specified in the PUT request
      risk_category:
      - ResourceExposure
      service_name: Amazon S3 Glacier

  - glacier:SetVaultAccessPolicy:
      access_level: Permissions management
      description: Grants permission to configure an access policy for a vault; will overwrite an existing policy
      risk_category:
      - ResourceExposure
      service_name: Amazon S3 Glacier

  - glue:DeleteResourcePolicy:
      access_level: Permissions management
      description: Grants permission to delete a resource policy
      risk_category:
      - ResourceExposure
      service_name: AWS Glue

  - glue:PutResourcePolicy:
      access_level: Permissions management
      description: Grants permission to update a resource policy
      risk_category:
      - ResourceExposure
      service_name: AWS Glue

  - greengrass:AssociateServiceRoleToAccount:
      access_level: Permissions management
      description: Grants permission to associate a role with your account. AWS IoT Greengrass uses this role to access your Lambda functions and AWS IoT resources
      risk_category:
      - ResourceExposure
      service_name: AWS IoT Greengrass

  - health:DisableHealthServiceAccessForOrganization:
      access_level: Permissions management
      description: Grants permission to disable the Organizational View feature
      risk_category:
      - ResourceExposure
      service_name: AWS Health APIs and Notifications

  - health:EnableHealthServiceAccessForOrganization:
      access_level: Permissions management
      description: Grants permission to enable the Organizational View feature
      risk_category:
      - ResourceExposure
      service_name: AWS Health APIs and Notifications

  - iam:AddClientIDToOpenIDConnectProvider:
      access_level: Write
      description: Grants permission to add a new client ID (audience) to the list of registered IDs for the specified IAM OpenID Connect (OIDC) provider resource
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:AddRoleToInstanceProfile:
      access_level: Write
      description: Grants permission to add an IAM role to the specified instance profile
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:AddUserToGroup:
      access_level: Write
      description: Grants permission to add an IAM user to the specified IAM group
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:AttachGroupPolicy:
      access_level: Permissions management
      description: Grants permission to attach a managed policy to the specified IAM group
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:AttachRolePolicy:
      access_level: Permissions management
      description: Grants permission to attach a managed policy to the specified IAM role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:AttachUserPolicy:
      access_level: Permissions management
      description: Grants permission to attach a managed policy to the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:ChangePassword:
      access_level: Write
      description: Grants permission to an IAM user to change their own password
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateAccessKey:
      access_level: Write
      description: Grants permission to create access key and secret access key for the specified IAM user
      risk_category:
      - CredentialExposure
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateAccountAlias:
      access_level: Write
      description: Grants permission to create an alias for your AWS account
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateGroup:
      access_level: Write
      description: Grants permission to create a new group
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateInstanceProfile:
      access_level: Write
      description: Grants permission to create a new instance profile
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateLoginProfile:
      access_level: Write
      description: Grants permission to create a password for the specified IAM user
      risk_category:
      - CredentialExposure
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateOpenIDConnectProvider:
      access_level: Write
      description: Grants permission to create an IAM resource that describes an identity provider (IdP) that supports OpenID Connect (OIDC)
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreatePolicy:
      access_level: Permissions management
      description: Grants permission to create a new managed policy
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreatePolicyVersion:
      access_level: Permissions management
      description: Grants permission to create a new version of the specified managed policy
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateRole:
      access_level: Write
      description: Grants permission to create a new role
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateSAMLProvider:
      access_level: Write
      description: Grants permission to create an IAM resource that describes an identity provider (IdP) that supports SAML 2.0
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateServiceLinkedRole:
      access_level: Write
      description: Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateServiceSpecificCredential:
      access_level: Write
      description: Grants permission to create a new service-specific credential for an IAM user
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateUser:
      access_level: Write
      description: Grants permission to create a new IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:CreateVirtualMFADevice:
      access_level: Write
      description: Grants permission to create a new virtual MFA device
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeactivateMFADevice:
      access_level: Write
      description: Grants permission to deactivate the specified MFA device and remove its association with the IAM user for which it was originally enabled
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteAccessKey:
      access_level: Write
      description: Grants permission to delete the access key pair that is associated with the specified IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteAccountAlias:
      access_level: Write
      description: Grants permission to delete the specified AWS account alias
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteAccountPasswordPolicy:
      access_level: Permissions management
      description: Grants permission to delete the password policy for the AWS account
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteGroup:
      access_level: Write
      description: Grants permission to delete the specified IAM group
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteGroupPolicy:
      access_level: Permissions management
      description: Grants permission to delete the specified inline policy from its group
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteInstanceProfile:
      access_level: Write
      description: Grants permission to delete the specified instance profile
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteLoginProfile:
      access_level: Write
      description: Grants permission to delete the password for the specified IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteOpenIDConnectProvider:
      access_level: Write
      description: Grants permission to delete an OpenID Connect identity provider (IdP) resource object in IAM
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeletePolicy:
      access_level: Permissions management
      description: Grants permission to delete the specified managed policy and remove it from any IAM entities (users, groups, or roles) to which it is attached
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeletePolicyVersion:
      access_level: Permissions management
      description: Grants permission to delete a version from the specified managed policy
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteRole:
      access_level: Write
      description: Grants permission to delete the specified role
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteRolePermissionsBoundary:
      access_level: Permissions management
      description: Grants permission to remove the permissions boundary from a role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteRolePolicy:
      access_level: Permissions management
      description: Grants permission to delete the specified inline policy from the specified role
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteSAMLProvider:
      access_level: Write
      description: Grants permission to delete a SAML provider resource in IAM
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteServerCertificate:
      access_level: Write
      description: Grants permission to delete the specified server certificate
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteServiceLinkedRole:
      access_level: Write
      description: Grants permission to delete an IAM role that is linked to a specific AWS service, if the service is no longer using it
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteServiceSpecificCredential:
      access_level: Write
      description: Grants permission to delete the specified service-specific credential for an IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteSigningCertificate:
      access_level: Write
      description: Grants permission to delete a signing certificate that is associated with the specified IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteSSHPublicKey:
      access_level: Write
      description: Grants permission to delete the specified SSH public key
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteUser:
      access_level: Write
      description: Grants permission to delete the specified IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteUserPermissionsBoundary:
      access_level: Permissions management
      description: Grants permission to remove the permissions boundary from the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteUserPolicy:
      access_level: Permissions management
      description: Grants permission to delete the specified inline policy from an IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DeleteVirtualMFADevice:
      access_level: Write
      description: Grants permission to delete a virtual MFA device
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DetachGroupPolicy:
      access_level: Permissions management
      description: Grants permission to detach a managed policy from the specified IAM group
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DetachRolePolicy:
      access_level: Permissions management
      description: Grants permission to detach a managed policy from the specified role
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:DetachUserPolicy:
      access_level: Permissions management
      description: Grants permission to detach a managed policy from the specified IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:EnableMFADevice:
      access_level: Write
      description: Grants permission to enable an MFA device and associate it with the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PassRole:
      access_level: Write
      description: Grants permission to pass a role to a service
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutGroupPolicy:
      access_level: Permissions management
      description: Grants permission to create or update an inline policy document that is embedded in the specified IAM group
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutRolePermissionsBoundary:
      access_level: Permissions management
      description: Grants permission to set a managed policy as a permissions boundary for a role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutRolePolicy:
      access_level: Permissions management
      description: Grants permission to create or update an inline policy document that is embedded in the specified IAM role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutUserPermissionsBoundary:
      access_level: Permissions management
      description: Grants permission to set a managed policy as a permissions boundary for an IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:PutUserPolicy:
      access_level: Permissions management
      description: Grants permission to create or update an inline policy document that is embedded in the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:RemoveClientIDFromOpenIDConnectProvider:
      access_level: Write
      description: Grants permission to remove the client ID (audience) from the list of client IDs in the specified IAM OpenID Connect (OIDC) provider resource
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:RemoveRoleFromInstanceProfile:
      access_level: Write
      description: Grants permission to remove an IAM role from the specified EC2 instance profile
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:RemoveUserFromGroup:
      access_level: Write
      description: Grants permission to remove an IAM user from the specified group
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:ResetServiceSpecificCredential:
      access_level: Write
      description: Grants permission to reset the password for an existing service-specific credential for an IAM user
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:ResyncMFADevice:
      access_level: Write
      description: Grants permission to synchronize the specified MFA device with its IAM entity (user or role)
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:SetDefaultPolicyVersion:
      access_level: Permissions management
      description: Grants permission to set the version of the specified policy as the policy's default version
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:SetSecurityTokenServicePreferences:
      access_level: Write
      description: Grants permission to set the STS global endpoint token version
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateAccessKey:
      access_level: Write
      description: Grants permission to update the status of the specified access key as Active or Inactive
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateAccountPasswordPolicy:
      access_level: Write
      description: Grants permission to update the password policy settings for the AWS account
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateAssumeRolePolicy:
      access_level: Permissions management
      description: Grants permission to update the policy that grants an IAM entity permission to assume a role
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateGroup:
      access_level: Write
      description: Grants permission to update the name or path of the specified IAM group
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateLoginProfile:
      access_level: Write
      description: Grants permission to change the password for the specified IAM user
      risk_category:
      - PrivEsc
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateOpenIDConnectProviderThumbprint:
      access_level: Write
      description: Grants permission to update the entire list of server certificate thumbprints that are associated with an OpenID Connect (OIDC) provider resource
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateRole:
      access_level: Write
      description: Grants permission to update the description or maximum session duration setting of a role
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateRoleDescription:
      access_level: Write
      description: Grants permission to update only the description of a role
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateSAMLProvider:
      access_level: Write
      description: Grants permission to update the metadata document for an existing SAML provider resource
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateServerCertificate:
      access_level: Write
      description: Grants permission to update the name or the path of the specified server certificate stored in IAM
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateServiceSpecificCredential:
      access_level: Write
      description: Grants permission to update the status of a service-specific credential to active or inactive for an IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateSigningCertificate:
      access_level: Write
      description: Grants permission to update the status of the specified user signing certificate to active or disabled
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateSSHPublicKey:
      access_level: Write
      description: Grants permission to update the status of an IAM user's SSH public key to active or inactive
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UpdateUser:
      access_level: Write
      description: Grants permission to update the name or the path of the specified IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UploadServerCertificate:
      access_level: Write
      description: Grants permission to upload a server certificate entity for the AWS account
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UploadSigningCertificate:
      access_level: Write
      description: Grants permission to upload an X.509 signing certificate and associate it with the specified IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - iam:UploadSSHPublicKey:
      access_level: Write
      description: Grants permission to upload an SSH public key and associate it with the specified IAM user
      risk_category:
      - ResourceExposure
      service_name: AWS Identity and Access Management (IAM)

  - imagebuilder:PutComponentPolicy:
      access_level: Permissions management
      description: Grants permission to set the resource policy associated with a component
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2 Image Builder

  - imagebuilder:PutImagePolicy:
      access_level: Permissions management
      description: Grants permission to set the resource policy associated with an image
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2 Image Builder

  - imagebuilder:PutImageRecipePolicy:
      access_level: Permissions management
      description: Grants permission to set the resource policy associated with an image recipe
      risk_category:
      - ResourceExposure
      service_name: Amazon EC2 Image Builder

  - iot:AttachPolicy:
      access_level: Permissions management
      description: Grants permission to attach a policy to the specified target
      risk_category:
      - ResourceExposure
      service_name: AWS IoT

  - iot:AttachPrincipalPolicy:
      access_level: Permissions management
      description: Grants permission to attach the specified policy to the specified principal (certificate or other credential)
      risk_category:
      - ResourceExposure
      service_name: AWS IoT

  - iot:DetachPolicy:
      access_level: Permissions management
      description: Grants permission to detach a policy from the specified target
      risk_category:
      - ResourceExposure
      service_name: AWS IoT

  - iot:DetachPrincipalPolicy:
      access_level: Permissions management
      description: Grants permission to remove the specified policy from the specified certificate
      risk_category:
      - ResourceExposure
      service_name: AWS IoT

  - iot:SetDefaultAuthorizer:
      access_level: Permissions management
      description: Grants permission to set the default authorizer. This will be used if a websocket connection is made without specifying an authorizer
      risk_category:
      - ResourceExposure
      service_name: AWS IoT

  - iot:SetDefaultPolicyVersion:
      access_level: Permissions management
      description: Grants permission to set the specified version of the specified policy as the policy's default (operative) version
      risk_category:
      - ResourceExposure
      service_name: AWS IoT

  - iotsitewise:CreateAccessPolicy:
      access_level: Write
      description: Grants permission to create an access policy for a portal or a project
      risk_category:
      - ResourceExposure
      service_name: AWS IoT SiteWise

  - iotsitewise:DeleteAccessPolicy:
      access_level: Write
      description: Grants permission to delete an access policy
      risk_category:
      - ResourceExposure
      service_name: AWS IoT SiteWise

  - iotsitewise:UpdateAccessPolicy:
      access_level: Write
      description: Grants permission to update an access policy
      risk_category:
      - ResourceExposure
      service_name: AWS IoT SiteWise

  - kms:CreateGrant:
      access_level: Permissions management
      description: Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy
      risk_category:
      - DataAccess
      - PrivEsc
      - ResourceExposure
      service_name: AWS Key Management Service

  - kms:PutKeyPolicy:
      access_level: Permissions management
      description: Controls permission to replace the key policy for the specified AWS KMS key
      risk_category:
      - ResourceExposure
      service_name: AWS Key Management Service

  - kms:RetireGrant:
      access_level: Permissions management
      description: Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform
      risk_category:
      - ResourceExposure
      service_name: AWS Key Management Service

  - kms:RevokeGrant:
      access_level: Permissions management
      description: Controls permission to revoke a grant, which denies permission for all operations that depend on the grant
      risk_category:
      - ResourceExposure
      service_name: AWS Key Management Service

  - lakeformation:BatchGrantPermissions:
      access_level: Permissions management
      description: Grants permission to data lake permissions to one or more principals in a batch
      risk_category:
      - ResourceExposure
      service_name: AWS Lake Formation

  - lakeformation:BatchRevokePermissions:
      access_level: Permissions management
      description: Grants permission to revoke data lake permissions from one or more principals in a batch
      risk_category:
      - ResourceExposure
      service_name: AWS Lake Formation

  - lakeformation:GrantPermissions:
      access_level: Permissions management
      description: Grants permission to data lake permissions to a principal
      risk_category:
      - ResourceExposure
      service_name: AWS Lake Formation

  - lakeformation:PutDataLakeSettings:
      access_level: Permissions management
      description: Grants permission to overwrite data lake settings such as the list of data lake administrators and database and table default permissions
      risk_category:
      - ResourceExposure
      service_name: AWS Lake Formation

  - lakeformation:RevokePermissions:
      access_level: Permissions management
      description: Grants permission to revoke data lake permissions from a principal
      risk_category:
      - ResourceExposure
      service_name: AWS Lake Formation

  - lambda:AddLayerVersionPermission:
      access_level: Permissions management
      description: Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer
      risk_category:
      - ResourceExposure
      service_name: AWS Lambda

  - lambda:AddPermission:
      access_level: Permissions management
      description: Grants permission to give an AWS service or another account permission to use an AWS Lambda function
      risk_category:
      - ResourceExposure
      service_name: AWS Lambda

  - lambda:DisableReplication:
      access_level: Permissions management
      description: Grants permission to disable replication for a Lambda@Edge function
      risk_category:
      - ResourceExposure
      service_name: AWS Lambda

  - lambda:EnableReplication:
      access_level: Permissions management
      description: Grants permission to enable replication for a Lambda@Edge function
      risk_category:
      - ResourceExposure
      service_name: AWS Lambda

  - lambda:RemoveLayerVersionPermission:
      access_level: Permissions management
      description: Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer
      risk_category:
      - ResourceExposure
      service_name: AWS Lambda

  - lambda:RemovePermission:
      access_level: Permissions management
      description: Grants permission to revoke function-use permission from an AWS service or another account
      risk_category:
      - ResourceExposure
      service_name: AWS Lambda

  - license-manager:UpdateServiceSettings:
      access_level: Permissions management
      description: Grants permission to updates service settings
      risk_category:
      - ResourceExposure
      service_name: AWS License Manager

  - lightsail:GetRelationalDatabaseMasterUserPassword:
      access_level: Write
      description: Grants permission to get the master user password of a relational database
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: Amazon Lightsail

  - logs:DeleteResourcePolicy:
      access_level: Permissions management
      description: Grants permission to delete a resource policy from this account
      risk_category:
      - ResourceExposure
      service_name: Amazon CloudWatch Logs

  - logs:PutResourcePolicy:
      access_level: Permissions management
      description: Grants permission to create or update a resource policy allowing other AWS services to put log events to this account
      risk_category:
      - ResourceExposure
      service_name: Amazon CloudWatch Logs

  - mediapackage:RotateIngestEndpointCredentials:
      access_level: Write
      description: Grants permission to rotate IngestEndpoint credentials for a Channel in AWS Elemental MediaPackage
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: AWS Elemental MediaPackage

  - mediastore:DeleteContainerPolicy:
      access_level: Permissions management
      description: Grants permission to delete the access policy of a container
      risk_category:
      - ResourceExposure
      service_name: AWS Elemental MediaStore

  - mediastore:PutContainerPolicy:
      access_level: Permissions management
      description: Grants permission to create or replace the access policy of a container
      risk_category:
      - ResourceExposure
      service_name: AWS Elemental MediaStore

  - opsworks:SetPermission:
      access_level: Permissions management
      description: Grants permission to specify a user's permissions
      risk_category:
      - ResourceExposure
      service_name: AWS OpsWorks

  - opsworks:UpdateUserProfile:
      access_level: Permissions management
      description: Grants permission to update a specified user profile
      risk_category:
      - ResourceExposure
      service_name: AWS OpsWorks

  - quicksight:CreateAdmin:
      access_level: Write
      description: Grants permission to provision Amazon QuickSight administrators, authors, and readers
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:CreateGroup:
      access_level: Write
      description: Grants permission to create a QuickSight group
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:CreateGroupMembership:
      access_level: Write
      description: Grants permission to add a QuickSight user to a QuickSight group
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:CreateIAMPolicyAssignment:
      access_level: Write
      description: Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:CreateUser:
      access_level: Write
      description: Grants permission to provision Amazon QuickSight authors and readers
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:DeleteGroup:
      access_level: Write
      description: Grants permission to remove a user group from QuickSight
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:DeleteGroupMembership:
      access_level: Write
      description: Grants permission to remove a user from a group so that he/she is no longer a member of the group
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:DeleteIAMPolicyAssignment:
      access_level: Write
      description: Grants permission to update an existing assignment
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:DeleteUser:
      access_level: Write
      description: Grants permission to delete a QuickSight user, given the user name
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:DeleteUserByPrincipalId:
      access_level: Write
      description: Grants permission to deletes a user identified by its principal ID
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:RegisterUser:
      access_level: Write
      description: Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:UpdateDashboardPermissions:
      access_level: Permissions management
      description: Grants permission to update permissions for a QuickSight Dashboard
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:UpdateGroup:
      access_level: Write
      description: Grants permission to change group description
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:UpdateIAMPolicyAssignment:
      access_level: Write
      description: Grants permission to update an existing assignment
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:UpdateTemplatePermissions:
      access_level: Permissions management
      description: Grants permission to update permissions for a template
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - quicksight:UpdateUser:
      access_level: Write
      description: Grants permission to update an Amazon QuickSight user
      risk_category:
      - ResourceExposure
      service_name: Amazon QuickSight

  - ram:AcceptResourceShareInvitation:
      access_level: Write
      description: Grants permission to accept the specified resource share invitation
      risk_category:
      - ResourceExposure
      service_name: AWS Resource Access Manager (RAM)

  - ram:AssociateResourceShare:
      access_level: Write
      description: Grants permission to associate resource(s) and/or principal(s) to a resource share
      risk_category:
      - ResourceExposure
      service_name: AWS Resource Access Manager (RAM)

  - ram:CreateResourceShare:
      access_level: Write
      description: Grants permission to create a resource share with provided resource(s) and/or principal(s)
      risk_category:
      - ResourceExposure
      service_name: AWS Resource Access Manager (RAM)

  - ram:DeleteResourceShare:
      access_level: Write
      description: Grants permission to delete resource share
      risk_category:
      - ResourceExposure
      service_name: AWS Resource Access Manager (RAM)

  - ram:DisassociateResourceShare:
      access_level: Write
      description: Grants permission to disassociate resource(s) and/or principal(s) from a resource share
      risk_category:
      - ResourceExposure
      service_name: AWS Resource Access Manager (RAM)

  - ram:EnableSharingWithAwsOrganization:
      access_level: Permissions management
      description: Grants permission to access customer's organization and create a SLR in the customer's account
      risk_category:
      - ResourceExposure
      service_name: AWS Resource Access Manager (RAM)

  - ram:RejectResourceShareInvitation:
      access_level: Write
      description: Grants permission to reject the specified resource share invitation
      risk_category:
      - ResourceExposure
      service_name: AWS Resource Access Manager (RAM)

  - ram:UpdateResourceShare:
      access_level: Write
      description: Grants permission to update attributes of the resource share
      risk_category:
      - ResourceExposure
      service_name: AWS Resource Access Manager (RAM)

  - rds-db:connect:
      access_level: Permissions management
      description: Allows IAM role or user to connect to RDS database
      risk_category:
      - CredentialExposure
      - ResourceExposure
      service_name: Amazon RDS IAM Authentication

  - rds:AuthorizeDBSecurityGroupIngress:
      access_level: Permissions management
      description: Grants permission to enable ingress to a DBSecurityGroup using one of two forms of authorization
      risk_category:
      - ResourceExposure
      service_name: Amazon RDS, Neptune & DocumentDB

  - redshift:AuthorizeSnapshotAccess:
      access_level: Permissions management
      description: Grants permission to the specified AWS account to restore a snapshot
      risk_category:
      - ResourceExposure
      service_name: Amazon Redshift

  - redshift:CreateClusterUser:
      access_level: Permissions management
      description: Grants permission to automatically create the specified Amazon Redshift user if it does not exist
      risk_category:
      - ResourceExposure
      service_name: Amazon Redshift

  - redshift:CreateSnapshotCopyGrant:
      access_level: Permissions management
      description: Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region
      risk_category:
      - ResourceExposure
      service_name: Amazon Redshift

  - redshift:JoinGroup:
      access_level: Permissions management
      description: Grants permission to join the specified Amazon Redshift group
      risk_category:
      - ResourceExposure
      service_name: Amazon Redshift

  - redshift:ModifyClusterIamRoles:
      access_level: Permissions management
      description: Grants permission to modify the list of AWS Identity and Access Management (IAM) roles that can be used by a cluster to access other AWS services
      risk_category:
      - ResourceExposure
      service_name: Amazon Redshift

  - redshift:RevokeSnapshotAccess:
      access_level: Permissions management
      description: Grants permission to revoke access from the specified AWS account to restore a snapshot
      risk_category:
      - ResourceExposure
      service_name: Amazon Redshift

  - route53resolver:PutResolverRulePolicy:
      access_level: Permissions management
      description: Grants permission to specify an AWS account that you want to share rules with, the Resolver rules that you want to share, and the operations that you want the account to be able to perform on those rules
      risk_category:
      - ResourceExposure
      service_name: Amazon Route 53 Resolver

  - s3:BypassGovernanceRetention:
      access_level: Permissions management
      description: Grants permission to allow circumvention of governance-mode object retention settings
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:DeleteAccessPointPolicy:
      access_level: Permissions management
      description: Grants permission to delete the policy on a specified access point
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:DeleteBucketPolicy:
      access_level: Permissions management
      description: Grants permission to delete the policy on a specified bucket
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:ObjectOwnerOverrideToBucketOwner:
      access_level: Permissions management
      description: Grants permission to change replica ownership
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:PutAccessPointPolicy:
      access_level: Permissions management
      description: Grants permission to associate an access policy with a specified access point
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:PutAccountPublicAccessBlock:
      access_level: Permissions management
      description: Grants permission to create or modify the PublicAccessBlock configuration for an AWS account
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:PutBucketAcl:
      access_level: Permissions management
      description: Grants permission to set the permissions on an existing bucket using access control lists (ACLs)
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:PutBucketPolicy:
      access_level: Permissions management
      description: Grants permission to add or replace a bucket policy on a bucket
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:PutBucketPublicAccessBlock:
      access_level: Permissions management
      description: Grants permission to create or modify the PublicAccessBlock configuration for a specific Amazon S3 bucket
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:PutObjectAcl:
      access_level: Permissions management
      description: Grants permission to set the access control list (ACL) permissions for new or existing objects in an S3 bucket
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - s3:PutObjectVersionAcl:
      access_level: Permissions management
      description: Grants permission to use the acl subresource to set the access control list (ACL) permissions for an object that already exists in a bucket
      risk_category:
      - ResourceExposure
      service_name: Amazon S3

  - secretsmanager:DeleteResourcePolicy:
      access_level: Permissions management
      description: Grants permission to delete the resource policy attached to a secret
      risk_category:
      - ResourceExposure
      service_name: AWS Secrets Manager

  - secretsmanager:PutResourcePolicy:
      access_level: Permissions management
      description: Grants permission to attach a resource policy to a secret
      risk_category:
      - ResourceExposure
      service_name: AWS Secrets Manager

  - secretsmanager:ValidateResourcePolicy:
      access_level: Permissions management
      description: Grants permission to validate a resource policy before attaching policy
      risk_category:
      - ResourceExposure
      service_name: AWS Secrets Manager

  - servicecatalog:CreatePortfolioShare:
      access_level: Permissions management
      description: Grants permission to share a portfolio you own with another AWS account
      risk_category:
      - ResourceExposure
      service_name: AWS Service Catalog

  - servicecatalog:DeletePortfolioShare:
      access_level: Permissions management
      description: Grants permission to unshare a portfolio you own from an AWS account you previously shared the portfolio with
      risk_category:
      - ResourceExposure
      service_name: AWS Service Catalog

  - sns:AddPermission:
      access_level: Permissions management
      description: Grants permission to add a statement to a topic's access control policy, granting access for the specified AWS accounts to the specified actions
      risk_category:
      - ResourceExposure
      service_name: Amazon SNS

  - sns:CreateTopic:
      access_level: Write
      description: Grants permission to create a topic to which notifications can be published
      risk_category:
      - ResourceExposure
      service_name: Amazon SNS

  - sns:RemovePermission:
      access_level: Permissions management
      description: Grants permission to remove a statement from a topic's access control policy
      risk_category:
      - ResourceExposure
      service_name: Amazon SNS

  - sns:SetTopicAttributes:
      access_level: Permissions management
      description: Grants permission to allow a topic owner to set an attribute of the topic to a new value
      risk_category:
      - ResourceExposure
      service_name: Amazon SNS

  - sqs:AddPermission:
      access_level: Permissions management
      description: Grants permission to a queue for a specific principal
      risk_category:
      - ResourceExposure
      service_name: Amazon SQS

  - sqs:CreateQueue:
      access_level: Write
      description: Grants permission to create a new queue, or returns the URL of an existing one
      risk_category:
      - ResourceExposure
      service_name: Amazon SQS

  - sqs:RemovePermission:
      access_level: Permissions management
      description: Grants permission to revoke any permissions in the queue policy that matches the specified Label parameter
      risk_category:
      - ResourceExposure
      service_name: Amazon SQS

  - sqs:SetQueueAttributes:
      access_level: Write
      description: Grants permission to set the value of one or more queue attributes
      risk_category:
      - ResourceExposure
      service_name: Amazon SQS

  - ssm:ModifyDocumentPermission:
      access_level: Permissions management
      description: Grants permission to share a custom SSM document publicly or privately with specified AWS accounts
      risk_category:
      - ResourceExposure
      service_name: AWS Systems Manager

  - sso-directory:AddMemberToGroup:
      access_level: Write
      description: Grants permission to add a member to a group in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:CreateAlias:
      access_level: Write
      description: Grants permission to create an alias for the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:CreateGroup:
      access_level: Write
      description: Grants permission to create a group in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:CreateUser:
      access_level: Write
      description: Grants permission to create a user in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:DeleteGroup:
      access_level: Write
      description: Grants permission to delete a group from the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:DeleteUser:
      access_level: Write
      description: Grants permission to delete a user from the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:DisableUser:
      access_level: Write
      description: Grants permission to deactivate a user in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:EnableUser:
      access_level: Write
      description: Grants permission to activate user in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:RemoveMemberFromGroup:
      access_level: Write
      description: Grants permission to remove a member that is part of a group in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:UpdateGroup:
      access_level: Write
      description: Grants permission to update information about a group in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:UpdatePassword:
      access_level: Write
      description: Grants permission to update a password by sending password reset link via email or generating one time password for a user in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:UpdateUser:
      access_level: Write
      description: Grants permission to update user information in the directory that AWS IAM Identity Center provides by default
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso-directory:VerifyEmail:
      access_level: Write
      description: Grants permission to verify an email address of an User
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center Directory

  - sso:AssociateDirectory:
      access_level: Write
      description: Grants permission to connect a directory to be used by AWS IAM Identity Center
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:AssociateProfile:
      access_level: Write
      description: Grants permission to create an association between a directory user or group and a profile
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:CreateApplicationInstance:
      access_level: Write
      description: Grants permission to add an application instance to AWS IAM Identity Center
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:CreateApplicationInstanceCertificate:
      access_level: Write
      description: Grants permission to add a new certificate for an application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:CreatePermissionSet:
      access_level: Write
      description: Grants permission to create a permission set
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:CreateProfile:
      access_level: Write
      description: Grants permission to create a profile for an application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:CreateTrust:
      access_level: Write
      description: Grants permission to create a federation trust in a target account
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:DeleteApplicationInstance:
      access_level: Write
      description: Grants permission to delete the application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:DeleteApplicationInstanceCertificate:
      access_level: Write
      description: Grants permission to delete an inactive or expired certificate from the application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:DeletePermissionSet:
      access_level: Write
      description: Grants permission to delete a permission set
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:DeletePermissionsPolicy:
      access_level: Permissions management
      description: Grants permission to delete the permission policy associated with a permission set
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:DeleteProfile:
      access_level: Write
      description: Grants permission to delete the profile for an application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:DisassociateDirectory:
      access_level: Write
      description: Grants permission to disassociate a directory to be used by AWS IAM Identity Center
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:DisassociateProfile:
      access_level: Write
      description: Grants permission to disassociate a directory user or group from a profile
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:ImportApplicationInstanceServiceProviderMetadata:
      access_level: Write
      description: Grants permission to update the application instance by uploading an application SAML metadata file provided by the service provider
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:PutPermissionsPolicy:
      access_level: Permissions management
      description: Grants permission to add a policy to a permission set
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:StartSSO:
      access_level: Write
      description: Grants permission to initialize AWS IAM Identity Center
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateApplicationInstanceActiveCertificate:
      access_level: Write
      description: Grants permission to set a certificate as the active one for this application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateApplicationInstanceDisplayData:
      access_level: Write
      description: Grants permission to update display data of an application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateApplicationInstanceResponseConfiguration:
      access_level: Write
      description: Grants permission to update federation response configuration for the application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateApplicationInstanceResponseSchemaConfiguration:
      access_level: Write
      description: Grants permission to update federation response schema configuration for the application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateApplicationInstanceSecurityConfiguration:
      access_level: Write
      description: Grants permission to update security details for the application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateApplicationInstanceServiceProviderConfiguration:
      access_level: Write
      description: Grants permission to update service provider related configuration for the application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateApplicationInstanceStatus:
      access_level: Write
      description: Grants permission to update the status of an application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateDirectoryAssociation:
      access_level: Write
      description: Grants permission to update the user attribute mappings for your connected directory
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdatePermissionSet:
      access_level: Permissions management
      description: Grants permission to update the permission set
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateProfile:
      access_level: Write
      description: Grants permission to update the profile for an application instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateSSOConfiguration:
      access_level: Write
      description: Grants permission to update the configuration for the current SSO instance
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - sso:UpdateTrust:
      access_level: Write
      description: Grants permission to update the federation trust in a target account
      risk_category:
      - ResourceExposure
      service_name: AWS IAM Identity Center

  - storagegateway:DeleteChapCredentials:
      access_level: Write
      description: Grants permission to delete Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target and initiator pair
      risk_category:
      - ResourceExposure
      service_name: AWS Storage Gateway

  - storagegateway:SetLocalConsolePassword:
      access_level: Write
      description: Grants permission to set the password for your VM local console
      risk_category:
      - ResourceExposure
      service_name: AWS Storage Gateway

  - storagegateway:SetSMBGuestPassword:
      access_level: Write
      description: Grants permission to set the password for SMB Guest user
      risk_category:
      - ResourceExposure
      service_name: AWS Storage Gateway

  - storagegateway:UpdateChapCredentials:
      access_level: Write
      description: Grants permission to update the Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target
      risk_category:
      - ResourceExposure
      service_name: AWS Storage Gateway

  - waf-regional:DeletePermissionPolicy:
      access_level: Permissions management
      description: Grants permission to delete an IAM policy from a rule group
      risk_category:
      - ResourceExposure
      service_name: AWS WAF Regional

  - waf-regional:PutPermissionPolicy:
      access_level: Permissions management
      description: Grants permission to attach an IAM policy to a specified rule group, to support rule group sharing between accounts
      risk_category:
      - ResourceExposure
      service_name: AWS WAF Regional

  - waf:DeletePermissionPolicy:
      access_level: Permissions management
      description: Grants permission to delete an IAM policy from a rule group
      risk_category:
      - ResourceExposure
      service_name: AWS WAF

  - waf:PutPermissionPolicy:
      access_level: Permissions management
      description: Grants permission to attach an IAM policy to a rule group, to share the rule group between accounts
      risk_category:
      - ResourceExposure
      service_name: AWS WAF

  - wafv2:CreateWebACL:
      access_level: Write
      description: Grants permission to create a WebACL
      risk_category:
      - ResourceExposure
      service_name: AWS WAF V2

  - wafv2:DeletePermissionPolicy:
      access_level: Permissions management
      description: Grants permission to delete the PermissionPolicy on a RuleGroup
      risk_category:
      - ResourceExposure
      service_name: AWS WAF V2

  - wafv2:DeleteWebACL:
      access_level: Write
      description: Grants permission to delete a WebACL
      risk_category:
      - ResourceExposure
      service_name: AWS WAF V2

  - wafv2:PutPermissionPolicy:
      access_level: Permissions management
      description: Grants permission to attach an IAM policy to a resource, used to share rule groups between accounts
      risk_category:
      - ResourceExposure
      service_name: AWS WAF V2

  - wafv2:UpdateWebACL:
      access_level: Write
      description: Grants permission to update a WebACL
      risk_category:
      - ResourceExposure
      service_name: AWS WAF V2

  - worklink:UpdateDevicePolicyConfiguration:
      access_level: Write
      description: Grants permission to update the device policy configuration for an Amazon WorkLink fleet
      risk_category:
      - ResourceExposure
      service_name: Amazon WorkLink

  - workmail:ResetPassword:
      access_level: Write
      description: Grants permission to allow the administrator to reset the password for a user
      risk_category:
      - ResourceExposure
      service_name: Amazon WorkMail

  - xray:PutEncryptionConfig:
      access_level: Permissions management
      description: Grants permission to update the encryption configuration for X-Ray data
      risk_category:
      - ResourceExposure
      service_name: AWS X-Ray