# Identity and Access Management for AWS Config
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Config resources. IAM is an AWS service that you can use with no additional charge.
**Topics**
+ [
## Audience
](#security_iam_audience)
+ [
## Authenticating with identities
](#security_iam_authentication)
+ [
## Managing access using policies
](#security_iam_access-manage)
+ [
# How AWS Config works with IAM
](security_iam_service-with-iam.md)
+ [Identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [AWS managed policies](security-iam-awsmanpol.md)
+ [Permissions for the IAM Role](iamrole-permissions.md)
+ [Updating the IAM Role](update-iam-role.md)
+ [Permissions for the Amazon S3 Bucket](s3-bucket-policy.md)
+ [Permissions for the KMS Key](s3-kms-key-policy.md)
+ [Permissions for the Amazon SNS Topic](sns-topic-policy.md)
+ [Troubleshooting](security_iam_troubleshoot.md)
+ [Using Service-Linked Roles](using-service-linked-roles.md)
## Audience
How you use AWS Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting AWS Config identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How AWS Config works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md))
## Authenticating with identities
Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.
You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.
For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.
### AWS account root user
When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.
### Federated identity
As a best practice, require human users to use federation with an identity provider to access AWS services using temporary credentials.
A *federated identity* is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.
For centralized access management, we recommend AWS IAM Identity Center. For more information, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the *AWS IAM Identity Center User Guide*.
### IAM users and groups
An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.
An [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.
### IAM roles
An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.
IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.
## Managing access using policies
You control access in AWS by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. AWS evaluates these policies when a principal makes a request. Most policies are stored in AWS as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.
Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.
By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.
### Identity-based policies
Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.
Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.
### Resource-based policies
Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.
Resource-based policies are inline policies that are located in that service. You can't use AWS managed policies from IAM in a resource-based policy.
### Other policy types
AWS supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in AWS Organizations. For more information, see [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.
### Multiple policy types
When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how AWS determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.
# How AWS Config works with IAM
Before you use IAM to manage access to AWS Config, learn what IAM features are available to use with AWS Config.
**IAM features you can use with AWS Config**
| IAM feature | AWS Config support |
| --- | --- |
| [Identity-based policies](#security_iam_service-with-iam-id-based-policies) | Yes |
| [Resource-based policies](#security_iam_service-with-iam-resource-based-policies) | No |
| [Policy actions](#security_iam_service-with-iam-id-based-policies-actions) | Yes |
| [Policy resources](#security_iam_service-with-iam-id-based-policies-resources) | Yes |
| [Policy condition keys (service-specific)](#security_iam_service-with-iam-id-based-policies-conditionkeys) | Yes |
| [ACLs](#security_iam_service-with-iam-acls) | No |
| [ABAC (tags in policies)](#security_iam_service-with-iam-tags) | Yes |
| [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds) | Yes |
| [Forward access sessions (FAS)](#security_iam_service-with-iam-principal-permissions) | Yes |
| [Service roles](#security_iam_service-with-iam-roles-service) | Yes |
| [Service-linked roles](#security_iam_service-with-iam-roles-service-linked) | Yes |
To get a high-level view of how AWS Config and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.
## Identity-based policies for AWS Config
**Supports identity-based policies:** Yes
Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.
With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.
### Identity-based policy examples for AWS Config
To view examples of AWS Config identity-based policies, see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md).
## Resource-based policies within AWS Config
**Supports resource-based policies:** No
Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services.
To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.
## Policy actions for AWS Config
**Supports policy actions:** Yes
Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.
The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.
To see a list of AWS Config actions, see [Actions defined by AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions) in the *Service Authorization Reference*.
Policy actions in AWS Config use the following prefix before the action:
```
config
```
To specify multiple actions in a single statement, separate them with commas.
```
"Action": [
"config:action1",
"config:action2"
]
```
You can specify multiple actions using wildcards (\$1). For example, to specify all actions that begin with the word `Describe`, include the following action:
```
"Action": "config:Describe*"
```
To view examples of AWS Config identity-based policies, see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md).
## Policy resources for AWS Config
**Supports policy resources:** Yes
Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.
The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\$1) to indicate that the statement applies to all resources.
```
"Resource": "*"
```
To see a list of AWS Config resource types and their ARNs, see [Resources defined by AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-resources-for-iam-policies) in the *Service Authorization Reference*. To learn with which actions you can specify the ARN of each resource, see [Actions defined by AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions).
To view examples of AWS Config identity-based policies, see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md).
## Policy condition keys for AWS Config
**Supports service-specific policy condition keys:** Yes
Administrators can use AWS JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.
The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all AWS global condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
To see a list of AWS Config condition keys, see [Condition keys for AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions defined by AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions).
To view examples of AWS Config identity-based policies, see [Identity-based policy examples for AWS Config](security_iam_id-based-policy-examples.md).
## ACLs in AWS Config
**Supports ACLs:** No
Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.
## ABAC with AWS Config
**Supports ABAC (tags in policies):** Yes
Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and AWS resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.
To control access based on tags, you provide tag information in the [condition element](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.
If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.
For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.
For more information about tagging AWS Config resources, see [Tagging Your AWS Config Resources](tagging.md).
## Using temporary credentials with AWS Config
**Supports temporary credentials:** Yes
Temporary credentials provide short-term access to AWS resources and are automatically created when you use federation or switch roles. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) and [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.
## Forward access sessions for AWS Config
**Supports forward access sessions (FAS):** Yes
Forward access sessions (FAS) use the permissions of the principal calling an AWS service, combined with the requesting AWS service to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html).
## Service roles for AWS Config
**Supports service roles:** Yes
A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.
**Warning**
Changing the permissions for a service role might break AWS Config functionality. Edit service roles only when AWS Config provides guidance to do so.
## Service-linked roles for AWS Config
**Supports service-linked roles:** Yes
A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.
For details about creating or managing AWS Config service-linked roles, see [Using Service-Linked Roles for AWS Config](using-service-linked-roles.md).
For details about creating or managing service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Find a service in the table that includes a `Yes` in the **Service-linked role** column. Choose the **Yes** link to view the service-linked role documentation for that service.
# Identity-based policy examples for AWS Config
By default, users and roles don't have permission to create or modify AWS Config resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies.
To learn how to create an IAM identity-based policy by using these example JSON policy documents, see [Create IAM policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.
For details about actions and resource types defined by AWS Config, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html) in the *Service Authorization Reference*.
**Topics**
+ [
## Policy best practices
](#security_iam_service-with-iam-policy-best-practices)
+ [
## Sign up for an AWS account
](#sign-up-for-aws)
+ [
## Create a user with administrative access
](#create-an-admin)
+ [Using the console](#security_iam_id-based-policy-examples-console)
+ [
## Allow users to view their own permissions
](#security_iam_id-based-policy-examples-view-own-permissions)
+ [
## Read-only access to AWS Config
](#read-only-config-permission)
+ [
## Full access to AWS Config
](#full-config-permission)
+ [Controlling Access to AWS Config Rules](#supported-resource-level-permissions)
+ [Controlling Access to Aggregated Data](#resource-level-permission)
## Policy best practices
Identity-based policies determine whether someone can create, access, or delete AWS Config resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with AWS managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *AWS managed policies* that grant permissions for many common use cases. They are available in your AWS account. We recommend that you reduce permissions further by defining AWS customer managed policies that are specific to your use cases. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific AWS service, such as CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your AWS account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.
For more information about best practices in IAM, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
## Sign up for an AWS account
If you do not have an AWS account, complete the following steps to create one.
**To sign up for an AWS account**
1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).
1. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.
When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).
AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.
## Create a user with administrative access
After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.
**Secure your AWS account root user**
1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.
1. Turn on multi-factor authentication (MFA) for your root user.
For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.
**Create a user with administrative access**
1. Enable IAM Identity Center.
For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.
1. In IAM Identity Center, grant administrative access to a user.
For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.
**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.
For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.
**Assign access to additional users**
1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.
For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.
1. Assign users to a group, and then assign single sign-on access to the group.
For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.
## Using the AWS Config console
To access the AWS Config console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the AWS Config resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.
You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the AWS API. Instead, allow access to only the actions that match the API operation that they're trying to perform.
To ensure that users and roles can still use the AWS Config console, also attach the AWS Config `AWSConfigUserAccess` AWS managed policy to the entities. For more information, see [Adding permissions to a user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.
You must give users permissions to interact with AWS Config. For users who need full access to AWS Config, use the [Full access to AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security_iam_id-based-policy-examples.html#full-config-permission) managed policy.
To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:
Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:
Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
+ Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
+ (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.
## Allow users to view their own permissions
This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ViewOwnUserInfo",
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Sid": "NavigateInConsole",
"Effect": "Allow",
"Action": [
"iam:GetGroupPolicy",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListGroupPolicies",
"iam:ListPolicyVersions",
"iam:ListPolicies",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
```
## Read-only access to AWS Config
The following example shows an AWS managed policy, `AWSConfigUserAccess` that grants read-only access to AWS Config.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"config:Get*",
"config:Describe*",
"config:Deliver*",
"config:List*",
"config:Select*",
"tag:GetResources",
"tag:GetTagKeys",
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudtrail:LookupEvents"
],
"Resource": "*"
}
]
}
```
------
In the policy statements, the `Effect` element specifies whether the actions are allowed or denied. The `Action` element lists the specific actions that the user is allowed to perform. The `Resource` element lists the AWS resources the user is allowed to perform those actions on. For policies that control access to AWS Config actions, the `Resource` element is always set to `*`, a wildcard that means "all resources."
The values in the `Action` element correspond to the APIs that the services support. The actions are preceded by `config:` to indicate that they refer to AWS Config actions. You can use the `*` wildcard character in the `Action` element, such as in the following examples:
+ `"Action": ["config:*ConfigurationRecorder"]`
This allows all AWS Config actions that end with "ConfigurationRecorder" (`StartConfigurationRecorder`, `StopConfigurationRecorder`).
+ `"Action": ["config:*"]`
This allows all AWS Config actions, but not actions for other AWS services.
+ `"Action": ["*"]`
This allows all AWS actions. This permission is suitable for a user who acts as an AWS administrator for your account.
The read-only policy doesn't grant user permission for the actions such as `StartConfigurationRecorder`, `StopConfigurationRecorder`, and `DeleteConfigurationRecorder`. Users with this policy are not allowed to start configuration recorder, stop configuration recorder, or delete configuration recorder. For the list of AWS Config actions, see the [AWS Config API Reference](https://docs.aws.amazon.com/config/latest/APIReference/).
## Full access to AWS Config
The following example shows a policy that grants full access to AWS Config. It grants users the permission to perform all AWS Config actions. It also lets users manage files in Amazon S3 buckets and manage Amazon SNS topics in the account that the user is associated with.
**Important**
This policy grants broad permissions. Before granting full access, consider starting with a minimum set of permissions and granting additional permissions as necessary. Doing so is better practice than starting with permissions that are too lenient and then trying to tighten them later.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:AddPermission",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetTopicAttributes",
"sns:ListPlatformApplications",
"sns:ListTopics",
"sns:SetTopicAttributes"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketVersioning",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:PutBucketPolicy"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PutRolePolicy",
"iam:AttachRolePolicy",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:CreateServiceLinkedRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"config.amazonaws.com",
"ssm.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails",
"cloudtrail:GetTrailStatus",
"cloudtrail:LookupEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"config:*",
"tag:Get*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:DescribeDocument",
"ssm:GetDocument",
"ssm:DescribeAutomationExecutions",
"ssm:GetAutomationExecution",
"ssm:ListDocuments",
"ssm:StartAutomationExecution"
],
"Resource": "*"
}
]
}
```
------
## Supported Resource-Level Permissions for AWS Config Rule API Actions
Resource-level permissions refers to the ability to specify which resources users are allowed to perform actions on. AWS Config supports resource-level permissions for certain AWS Config rule API actions. This means that for certain AWS Config rule actions, you can control the conditions under which when users are allowed to use those actions. These conditions can be actions that must be fulfilled, or specific resources that users are allowed to use.
The following table describes the AWS Config rule API actions that currently support resource-level permissions. It also describes the supported resources and their ARNs for each action. When specifying an ARN, you can use the \$1 wildcard in your paths; for example, when you cannot or do not want to specify exact resource IDs.
**Important**
If an AWS Config rule API action is not listed in this table, then it does not support resource-level permissions. If an AWS Config rule action does not support resource-level permissions, you can grant users permissions to use the action, but you have to specify a \$1 for the resource element of your policy statement.
****
| API Action | Resources |
| --- | --- |
| DeleteConfigRule | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* |
| DeleteEvaluationResults | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* |
| DescribeComplianceByConfigRule | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* |
| DescribeConfigRuleEvaluationStatus | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* |
| GetComplianceDetailsByConfigRule | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* |
| PutConfigRule | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* |
| StartConfigRulesEvaluation | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* |
| PutRemediationConfigurations | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* |
| DescribeRemediationConfigurations | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* |
| DeleteRemediationConfiguration | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* |
| PutRemediationExceptions | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* |
| DescribeRemediationExceptions | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* |
| DeleteRemediationExceptions | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* |
For example, you want to allow read access and deny write access to specific rules to specific users.
In the first policy, you allow the AWS Config rule read actions such as `DescribeConfigRuleEvaluationStatus` on the specified rules.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"config:StartConfigRulesEvaluation",
"config:DescribeComplianceByConfigRule",
"config:DescribeConfigRuleEvaluationStatus",
"config:GetComplianceDetailsByConfigRule"
],
"Resource": [
"arn:aws:config:us-east-1:123456789012:config-rule/config-rule-ID",
"arn:aws:config:us-east-1:123456789012:config-rule/config-rule-ID"
]
}
]
}
```
------
In the second policy, you deny the AWS Config rule write actions on the specific rule.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": [
"config:PutConfigRule",
"config:DeleteConfigRule",
"config:DeleteEvaluationResults"
],
"Resource": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-ID"
}
]
}
```
------
With resource-level permissions, you can allow read access and deny write access to perform specific actions on AWS Config rule API actions.
## Supported Resource-Level Permissions for Multi-Account Multi-Region Data Aggregation
You can use resource-level permissions to control a user's ability to perform specific actions on multi-account multi-region data aggregation. The following AWS Config `Aggregator` APIs support resource level permissions:
+ [BatchGetAggregateResourceConfig](https://docs.aws.amazon.com/config/latest/APIReference/API_BatchGetAggregateResourceConfig.html)
+ [DeleteConfigurationAggregator](https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteConfigurationAggregator.html)
+ [DescribeAggregateComplianceByConfigRules](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeAggregateComplianceByConfigRules.html)
+ [DescribeAggregateComplianceByConformancePacks](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeAggregateComplianceByConformancePacks.html)
+ [DescribeConfigurationAggregatorSourcesStatus](https://docs.aws.amazon.com/config/latest/APIReference/API_DescribeConfigurationAggregatorSourcesStatus.html)
+ [GetAggregateComplianceDetailsByConfigRule](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateComplianceDetailsByConfigRule.html)
+ [GetAggregateConfigRuleComplianceSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateConfigRuleComplianceSummary.html)
+ [GetAggregateConformancePackComplianceSummary](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateConformancePackComplianceSummary.html)
+ [GetAggregateDiscoveredResourceCounts](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateDiscoveredResourceCounts.html)
+ [GetAggregateResourceConfig](https://docs.aws.amazon.com/config/latest/APIReference/API_GetAggregateResourceConfig.html)
+ [ListAggregateDiscoveredResources](https://docs.aws.amazon.com/config/latest/APIReference/API_ListAggregateDiscoveredResources.html)
+ [PutConfigurationAggregator](https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationAggregator.html)
+ [SelectAggregateResourceConfig](https://docs.aws.amazon.com/config/latest/APIReference/API_SelectAggregateResourceConfig.html)
For example, you can restrict access to resource data from specific users by creating two aggregators `AccessibleAggregator` and `InAccessibleAggregator` and attaching an IAM policy that allows access to `AccessibleAggregator` but denies access to `InAccessibleAggregator`.
**IAM Policy for AccessibleAggregator**
In this policy, you allow access to the supported aggregator actions for the AWS Config Amazon Resource Name (ARN) that you specify. In this example, the AWS Config ARN is `arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ConfigAllow",
"Effect": "Allow",
"Action": [
"config:BatchGetAggregateResourceConfig",
"config:DeleteConfigurationAggregator",
"config:DescribeAggregateComplianceByConfigRules",
"config:DescribeAggregateComplianceByConformancePacks",
"config:DescribeConfigurationAggregatorSourcesStatus",
"config:GetAggregateComplianceDetailsByConfigRule",
"config:GetAggregateConfigRuleComplianceSummary",
"config:GetAggregateConformancePackComplianceSummary",
"config:GetAggregateDiscoveredResourceCounts",
"config:GetAggregateResourceConfig",
"config:ListAggregateDiscoveredResources",
"config:PutConfigurationAggregator",
"config:SelectAggregateResourceConfig"
],
"Resource": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-mocpsqhs"
}
]
}
```
------
**IAM Policy for InAccessibleAggregator**
In this policy, you deny access to the supported aggregator actions for the AWS Config ARN that you specify. In this example, the AWS Config ARN is `arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ConfigDeny",
"Effect": "Deny",
"Action": [
"config:BatchGetAggregateResourceConfig",
"config:DeleteConfigurationAggregator",
"config:DescribeAggregateComplianceByConfigRules",
"config:DescribeAggregateComplianceByConformancePacks",
"config:DescribeConfigurationAggregatorSourcesStatus",
"config:GetAggregateComplianceDetailsByConfigRule",
"config:GetAggregateConfigRuleComplianceSummary",
"config:GetAggregateConformancePackComplianceSummary",
"config:GetAggregateDiscoveredResourceCounts",
"config:GetAggregateResourceConfig",
"config:ListAggregateDiscoveredResources",
"config:PutConfigurationAggregator",
"config:SelectAggregateResourceConfig"
],
"Resource": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-pokxzldx"
}
]
}
```
------
If a user of the developer group tries to perform any of these actions on the AWS Config ARN that you specified, that user will get an access denied exception.
**Checking User Access Permissions**
To show the aggregators that you have created, run the following AWS CLI command:
```
aws configservice describe-configuration-aggregators
```
When command has successfully completed, you will be able to see the details for all the aggregators associated with your account. In this example, those are `AccessibleAggregator` and `InAccessibleAggregator`:
```
{
"ConfigurationAggregators": [
{
"ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs",
"CreationTime": 1517942461.442,
"ConfigurationAggregatorName": "AccessibleAggregator",
"AccountAggregationSources": [
{
"AllAwsRegions": true,
"AccountIds": [
"AccountID1",
"AccountID2",
"AccountID3"
]
}
],
"LastUpdatedTime": 1517942461.455
},
{
"ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx",
"CreationTime": 1517942461.442,
"ConfigurationAggregatorName": "InAccessibleAggregator",
"AccountAggregationSources": [
{
"AllAwsRegions": true,
"AccountIds": [
"AccountID1",
"AccountID2",
"AccountID3"
]
}
],
"LastUpdatedTime": 1517942461.455
}
]
}
```
**Note**
For `account-aggregation-sources` enter a comma-separated list of AWS account IDs for which you want to aggregate data. Wrap the account IDs in square brackets, and be sure to escape quotation marks (for example, `"[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]"`).
Attach the following IAM policy to deny access to `InAccessibleAggregator`, or the aggregator to which you want to deny access.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ConfigDeny",
"Effect": "Deny",
"Action": [
"config:BatchGetAggregateResourceConfig",
"config:DeleteConfigurationAggregator",
"config:DescribeAggregateComplianceByConfigRules",
"config:DescribeAggregateComplianceByConformancePacks",
"config:DescribeConfigurationAggregatorSourcesStatus",
"config:GetAggregateComplianceDetailsByConfigRule",
"config:GetAggregateConfigRuleComplianceSummary",
"config:GetAggregateConformancePackComplianceSummary",
"config:GetAggregateDiscoveredResourceCounts",
"config:GetAggregateResourceConfig",
"config:ListAggregateDiscoveredResources",
"config:PutConfigurationAggregator",
"config:SelectAggregateResourceConfig"
],
"Resource": "arn:aws:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-pokxzldx"
}
]
}
```
------
Next, you can confirm that the IAM policy works for restricting access to rules for a specific aggregator:
```
aws configservice get-aggregate-compliance-details-by-config-rule --configuration-aggregator-name InAccessibleAggregator --config-rule-name rule name --account-id AccountID --aws-region AwsRegion
```
The command should return an access denied exception:
```
An error occurred (AccessDeniedException) when calling the GetAggregateComplianceDetailsByConfigRule operation: User: arn:aws:iam::AccountID:user/ is not
authorized to perform: config:GetAggregateComplianceDetailsByConfigRule on resource: arn:aws:config:AwsRegion-1:AccountID:config-aggregator/config-aggregator-pokxzldx
```
# AWS managed policies for AWS Config
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.
## AWS managed policy: AWSConfigServiceRolePolicy
AWS Config uses the service-linked role named **AWSServiceRoleForConfig** to call other AWS services on your behalf. When you use the AWS Management Console to set up AWS Config, this SLR is automatically created by AWS Config if you select the option to use the AWS Config SLR instead of your own AWS Identity and Access Management (IAM) service role.
The **AWSServiceRoleForConfig** SLR contains the managed policy `AWSConfigServiceRolePolicy`. This managed policy contains read-only and write-only permissions for AWS Config resources and read-only permissions for resources in other services that AWS Config supports. The policy provides comprehensive access to monitor and record configuration changes across your AWS infrastructure, including permissions for over 100 AWS services such as compute, storage, networking, security, analytics, and machine learning services.
The policy includes permissions for the following service categories:
+ `access-analyzer` – Allows principals to analyze access patterns and retrieve security findings.
+ `account` – Allows principals to retrieve account contact information.
+ `acm` and `acm-pca` – Allows principals to manage SSL/TLS certificates and private certificate authorities.
+ `airflow` – Allows principals to monitor managed Apache Airflow environments.
+ `amplify` and `amplifyuibuilder` – Allows principals to monitor web applications and UI components.
+ `aoss` – Allows principals to monitor OpenSearch Serverless collections and security configurations.
+ `app-integrations` – Allows principals to monitor application integration configurations.
+ `appconfig` – Allows principals to monitor application configuration deployments.
+ `appflow` – Allows principals to monitor data flow configurations between applications.
+ `application-autoscaling` and `application-signals` – Allows principals to monitor auto-scaling policies and application performance metrics.
+ `appmesh` – Allows principals to monitor service mesh configurations.
+ `apprunner` – Allows principals to monitor containerized web applications and services.
+ `appstream` – Allows principals to monitor application streaming configurations.
+ `appsync` – Allows principals to monitor GraphQL API configurations.
+ `aps` – Allows principals to monitor Prometheus monitoring configurations.
+ `apptest` – Allows principals to monitor application testing configurations.
+ `arc-zonal-shift` – Allows principals to monitor zonal shift configurations for availability.
+ `athena` – Allows principals to monitor query engine configurations and data catalogs.
+ `auditmanager` – Allows principals to monitor audit and compliance assessments.
+ `autoscaling` and `autoscaling-plans` – Allows principals to monitor auto-scaling groups and scaling plans.
+ `b2bi` – Allows principals to monitor business-to-business integration configurations.
+ `backup` and `backup-gateway` – Allows principals to monitor backup policies and gateway configurations.
+ `batch` – Allows principals to monitor batch computing environments and job queues.
+ `bcm-data-exports` – Allows principals to monitor billing and cost management data exports.
+ `bedrock` and `bedrock-agentcore` – Allows principals to monitor foundation models and AI agent configurations.
+ `billingconductor` – Allows principals to monitor billing group configurations.
+ `budgets` – Allows principals to monitor budget configurations and actions.
+ `cassandra` – Allows principals to query managed Cassandra database configurations.
+ `ce` – Allows principals to monitor cost and usage reporting configurations.
+ `cleanrooms` and `cleanrooms-ml` – Allows principals to monitor data collaboration and machine learning configurations.
+ `cloud9` – Allows principals to monitor cloud development environment configurations.
+ `cloudformation` – Allows principals to monitor infrastructure as code stack configurations.
+ `cloudfront` – Allows principals to monitor content delivery network configurations.
+ `cloudtrail` – Allows principals to monitor API logging and audit trail configurations.
+ `cloudwatch` – Allows principals to monitor metrics, alarms, and dashboard configurations.
+ `codeartifact` – Allows principals to monitor software package repository configurations.
+ `codebuild` – Allows principals to monitor build project configurations.
+ `codecommit` – Allows principals to monitor source code repository configurations.
+ `codeconnections` – Allows principals to monitor third-party source connections.
+ `codedeploy` – Allows principals to monitor application deployment configurations.
+ `codeguru-profiler` and `codeguru-reviewer` – Allows principals to monitor code analysis and profiling configurations.
+ `codepipeline` – Allows principals to monitor continuous integration and deployment pipeline configurations.
+ `codestar-connections` – Allows principals to monitor developer tool connections.
+ `cognito-identity` and `cognito-idp` – Allows principals to monitor identity and user pool configurations.
+ `comprehend` – Allows principals to monitor natural language processing configurations.
+ `config` – Allows principals to manage configuration recording and compliance monitoring.
+ `connect` – Allows principals to monitor contact center configurations.
For more information about supported resource types, see [Supported Resource Types for AWS Config](resource-config-reference.md) and [Using Service-Linked Roles for AWS Config](using-service-linked-roles.md).
To view more details about the policy, including the latest version of the JSON policy document, see [AWSConfigServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigServiceRolePolicy.html) in the *AWS Managed Policy Reference Guide*.
**Recommended: Use the Service-linked role**
It is recommended that you use the service-linked role unless you have a particular use case. A service-linked role adds all the necessary permissions for AWS Config to run as expected. Some features such as service-linked configuration recorders require you to use the service-linked role.
## AWS managed policy: AWS\$1ConfigRole
To record your AWS resource configurations, AWS Config requires IAM permissions to get the configuration details about your resources. If you want to create an IAM role for AWS Config, you can use the managed policy `AWS_ConfigRole` and attach it to your IAM role.
This IAM policy is updated each time AWS Config adds support for an AWS resource type. This means that AWS Config will continue to have the required permissions to record configuration data of supported resource types as long as the **AWS\$1ConfigRole** role has this managed policy attached. The policy provides comprehensive access to monitor and record configuration changes across your AWS infrastructure, including permissions for over 100 AWS services such as compute, storage, networking, security, analytics, and machine learning services. For more information, see [Supported Resource Types for AWS Config](resource-config-reference.md) and [Permissions for the IAM Role Assigned to AWS Config](iamrole-permissions.md).
To view more details about the policy, including the latest version of the JSON policy document, see [AWS\$1ConfigRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWS_ConfigRole.html) in the *AWS Managed Policy Reference Guide*.
## AWS managed policy: AWSConfigUserAccess
This IAM policy provides access to use AWS Config, including searching by tags on resources and reading all tags. This does not provide permission to configure AWS Config, which requires administrative privileges.
View the policy: [AWSConfigUserAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigUserAccess.html).
## AWS managed policy: ConfigConformsServiceRolePolicy
To deploy and manage conformance packs, AWS Config requires IAM permissions and certain permissions from other AWS services. These allow you to deploy and manage conformance packs with full functionality and are updated each time AWS Config adds new functionality for conformance packs. For more information on conformance packs, see [Conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html).
View the policy: [ConfigConformsServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ConfigConformsServiceRolePolicy.html).
## AWS managed policy: AWSConfigRulesExecutionRole
To deploy AWS Custom Lambda Rules, AWS Config requires IAM permissions and certain permissions from other AWS services. These allow AWS Lambda functions to access the AWS Config API and the configuration snapshots that AWS Config delivers periodically to Amazon S3. This access is required by functions that evaluate configuration changes for AWS Custom Lambda rules and is updated each time AWS Config adds new functionality. For more information on AWS Custom Lambda Rules, see [Creating AWS Config Custom Lambda Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_lambda-functions.html). For more information on configuration snapshots, see [Concepts \$1 Configuration Snapshot](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#config-snapshot). For more information on the delivery of configuration snapshots, see [Managing the Delivery Channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html).
View the policy: [AWSConfigRulesExecutionRole](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigRulesExecutionRole.html).
## AWS managed policy: AWSConfigMultiAccountSetupPolicy
To centrally deploy, update, and delete AWS Config rules and conformance packs across member accounts in an organization in AWS Organizations, AWS Config requires IAM permissions and certain permissions from other AWS services. This managed policy is updated each time AWS Config adds new functionality for multi-account setup. For more information, see [Managing AWS Config Rules Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html) and [Managing Conformance Packs Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html).
View the policy: [AWSConfigMultiAccountSetupPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigMultiAccountSetupPolicy.html).
## AWS managed policy: AWSConfigRoleForOrganizations
To allow AWS Config to call read-only AWS Organizations APIs, AWS Config requires IAM permissions and certain permissions from other AWS services. This managed policy is updated each time AWS Config adds new functionality for multi-account setup. For more information, see [Managing AWS Config Rules Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html) and [Managing Conformance Packs Across All Accounts in Your Organization](https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html).
View the policy: [AWSConfigRoleForOrganizations](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigRoleForOrganizations.html).
## AWS managed policy: AWSConfigRemediationServiceRolePolicy
To allow AWS Config to remediate `NON_COMPLIANT` resources on your behalf, AWS Config requires IAM permissions and certain permissions from other AWS services. This managed policy is updated each time AWS Config adds new functionality for remediation. For more information on remediation, see [Remediating Noncompliant Resources with AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/remediation.html). For more information on the conditions that initiate the possible AWS Config evaluation results, see [Concepts \$1 AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/config-concepts.html#aws-config-rules).
View the policy: [AWSConfigRemediationServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSConfigRemediationServiceRolePolicy.html).
## AWS Config updates to AWS managed policies
View details about updates to AWS managed policies for AWS Config since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Config [Document history](https://docs.aws.amazon.com/config/latest/developerguide/DocumentHistory.html) page.
| Change | Description | Date |
| --- | --- | --- |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added permissions: auditmanager:GetAssessmentFramework, auditmanager:GetControl, auditmanager:ListAssessmentFrameworks, auditmanager:ListControls, bcm-dashboards:GetDashboard, bcm-dashboards:ListDashboards, bcm-dashboards:ListTagsForResource, bedrock:GetEvaluationJob, bedrock:ListEvaluationJobs, bedrock-agentcore:GetEvaluator, bedrock-agentcore:GetOnlineEvaluationConfig, bedrock-agentcore:GetPolicyEngine, bedrock-agentcore:ListEvaluators, bedrock-agentcore:ListOnlineEvaluationConfigs, bedrock-agentcore:ListPolicyEngines, chime:DescribeAppInstance, chime:ListAppInstances, chime:ListTagsForResource, dms:ListInstanceProfiles, emr-containers:DescribeManagedEndpoint, emr-containers:ListTagsForResource, gameliftstreams:GetApplication, gameliftstreams:GetStreamGroup, gameliftstreams:ListApplications, gameliftstreams:ListStreamGroups, gameliftstreams:ListTagsForResource, globalaccelerator:DescribeAcceleratorAttributes, glue:GetCatalog, glue:GetCatalogs, glue:GetSession, glue:ListSessions, lambda:ListCapacityProviders, medialive:DescribeNode, medialive:ListNodes, mediapackagev2:GetChannelPolicy, mediapackagev2:GetOriginEndpointPolicy, outposts:GetSite, outposts:ListSites, qbusiness:GetPolicy, redshift:DescribeDataShares, rtbfabric:GetInboundExternalLink, rtbfabric:GetLink, rtbfabric:GetOutboundExternalLink, rtbfabric:GetRequesterGateway, rtbfabric:GetResponderGateway, rtbfabric:ListLinks, rtbfabric:ListRequesterGateways, rtbfabric:ListResponderGateways, rtbfabric:ListTagsForResource, s3express:GetAccessPoint, s3express:GetAccessPointPolicy, s3express:GetAccessPointScope, s3express:ListAccessPointsForDirectoryBuckets, s3express:ListTagsForResource, s3vectors:GetVectorBucket, s3vectors:GetVectorBucketPolicy, s3vectors:ListTagsForResource, s3vectors:ListVectorBuckets, sagemaker:DescribeAutoMLJobV2, sagemaker:DescribeHyperParameterTuningJob, sagemaker:DescribePartnerApp, sagemaker:ListAutoMLJobs, sagemaker:ListHyperParameterTuningJobs, sagemaker:ListPartnerApps, servicecatalog:DescribeTagOption, servicecatalog:ListTagOptions, ssm-contacts:GetRotation, ssm-contacts:ListRotations, ssm-guiconnect:GetConnectionRecordingPreferences, sso:GetPermissionsBoundaryForPermissionSet, sso:ListCustomerManagedPolicyReferencesInPermissionSet, textract:GetAdapter, textract:ListAdapters, textract:ListTagsForResource, transfer:DescribeWebApp, transfer:DescribeWebAppCustomization, transfer:ListWebApps, wisdom:GetAIGuardrail, wisdom:ListAIGuardrails. | This policy now supports additional permissions for recording configuration changes across numerous AWS services. | March 10, 2026 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added permissions: auditmanager:GetAssessmentFramework, auditmanager:GetControl, auditmanager:ListAssessmentFrameworks, auditmanager:ListControls, bcm-dashboards:GetDashboard, bcm-dashboards:ListDashboards, bcm-dashboards:ListTagsForResource, bedrock:GetEvaluationJob, bedrock:ListEvaluationJobs, bedrock-agentcore:GetEvaluator, bedrock-agentcore:GetOnlineEvaluationConfig, bedrock-agentcore:GetPolicyEngine, bedrock-agentcore:ListEvaluators, bedrock-agentcore:ListOnlineEvaluationConfigs, bedrock-agentcore:ListPolicyEngines, chime:DescribeAppInstance, chime:ListAppInstances, chime:ListTagsForResource, dms:ListInstanceProfiles, emr-containers:DescribeManagedEndpoint, emr-containers:ListTagsForResource, gameliftstreams:GetApplication, gameliftstreams:GetStreamGroup, gameliftstreams:ListApplications, gameliftstreams:ListStreamGroups, gameliftstreams:ListTagsForResource, globalaccelerator:DescribeAcceleratorAttributes, glue:GetCatalog, glue:GetCatalogs, glue:GetSession, glue:ListSessions, lambda:ListCapacityProviders, medialive:DescribeNode, medialive:ListNodes, mediapackagev2:GetChannelPolicy, mediapackagev2:GetOriginEndpointPolicy, outposts:GetSite, outposts:ListSites, qbusiness:GetPolicy, redshift:DescribeDataShares, rtbfabric:GetInboundExternalLink, rtbfabric:GetLink, rtbfabric:GetOutboundExternalLink, rtbfabric:GetRequesterGateway, rtbfabric:GetResponderGateway, rtbfabric:ListLinks, rtbfabric:ListRequesterGateways, rtbfabric:ListResponderGateways, rtbfabric:ListTagsForResource, s3express:GetAccessPoint, s3express:GetAccessPointPolicy, s3express:GetAccessPointScope, s3express:ListAccessPointsForDirectoryBuckets, s3express:ListTagsForResource, s3vectors:GetVectorBucket, s3vectors:GetVectorBucketPolicy, s3vectors:ListTagsForResource, s3vectors:ListVectorBuckets, sagemaker:DescribeAutoMLJobV2, sagemaker:DescribeHyperParameterTuningJob, sagemaker:DescribePartnerApp, sagemaker:ListAutoMLJobs, sagemaker:ListHyperParameterTuningJobs, sagemaker:ListPartnerApps, servicecatalog:DescribeTagOption, servicecatalog:ListTagOptions, ssm-contacts:GetRotation, ssm-contacts:ListRotations, ssm-guiconnect:GetConnectionRecordingPreferences, sso:GetPermissionsBoundaryForPermissionSet, sso:ListCustomerManagedPolicyReferencesInPermissionSet, textract:GetAdapter, textract:ListAdapters, textract:ListTagsForResource, transfer:DescribeWebApp, transfer:DescribeWebAppCustomization, transfer:ListWebApps, wisdom:GetAIGuardrail, wisdom:ListAIGuardrails. | This policy now supports additional permissions for recording configuration changes across numerous AWS services. | March 10, 2026 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added permissions: application-autoscaling:DescribeScheduledActions, appsync:GetApiAssociation, cloudformation:DescribeStacks, cloudformation:GetStackPolicy, cloudformation:GetTemplate, cloudfront:GetKeyGroup, cloudfront:GetMonitoringSubscription, cloudfront:ListKeyGroups, connect:ListEvaluationFormVersions, cur:DescribeReportDefinitions, cur:ListTagsForResource, datazone:GetDomainUnit, datazone:GetEnvironmentAction, datazone:GetEnvironmentBlueprintConfiguration, datazone:GetEnvironmentProfile, datazone:GetGroupProfile, datazone:GetSubscriptionTarget, datazone:GetUserProfile, datazone:ListDomainUnitsForParent, datazone:ListEntityOwners, datazone:ListEnvironmentActions, datazone:ListEnvironmentBlueprintConfigurations, datazone:ListEnvironmentProfiles, datazone:ListPolicyGrants, datazone:ListProjectMemberships, datazone:ListSubscriptionTargets, datazone:SearchGroupProfiles, datazone:SearchUserProfiles, docdb-elastic:GetCluster, docdb-elastic:ListClusters, docdb-elastic:ListTagsForResource, ec2:GetRouteServerAssociations, ec2:GetRouteServerPropagations, ec2:SearchTransitGatewayRoutes, fis:ListTagsForResource, frauddetector:GetListElements, frauddetector:GetListsMetadata, guardduty:GetThreatEntitySet, guardduty:GetTrustedEntitySet, guardduty:ListThreatEntitySets, guardduty:ListTrustedEntitySets, iotfleetwise:GetCampaign, iotfleetwise:ListCampaigns, iotsitewise:DescribeComputationModel, iotsitewise:DescribeDataset, iotsitewise:ListComputationModels, iotsitewise:ListDatasets, iotwireless:GetWirelessDeviceImportTask, iotwireless:ListWirelessDeviceImportTasks, kendra:ListDataSources, logs:DescribeQueryDefinitions, logs:GetIntegration, logs:ListIntegrations, mediaconnect:ListRouterOutputs, medialive:DescribeMultiplex, medialive:DescribeSdiSource, medialive:GetCloudWatchAlarmTemplate, medialive:GetCloudWatchAlarmTemplateGroup, medialive:GetEventBridgeRuleTemplate, medialive:GetEventBridgeRuleTemplateGroup, medialive:ListCloudWatchAlarmTemplateGroups, medialive:ListCloudWatchAlarmTemplates, medialive:ListEventBridgeRuleTemplateGroups, medialive:ListEventBridgeRuleTemplates, medialive:ListSdiSources, medialive:ListSignalMaps, networkmanager:GetConnectAttachment, networkmanager:GetCoreNetwork, networkmanager:GetCoreNetworkPolicy, networkmanager:GetDirectConnectGatewayAttachment, networkmanager:GetSiteToSiteVpnAttachment, networkmanager:ListAttachments, networkmanager:ListCoreNetworks, notifications:GetEventRule, notifications:ListEventRules, notifications:ListManagedNotificationChannelAssociations, notifications:ListNotificationHubs, notifications:ListOrganizationalUnits, refactor-spaces:GetApplication, refactor-spaces:GetRoute, refactor-spaces:ListRoutes, resource-explorer-2:GetDefaultView, route53resolver:GetOutpostResolver, route53resolver:ListOutpostResolvers, securityhub:DescribeOrganizationConfiguration, securityhub:GetAggregatorV2, securityhub:GetAutomationRuleV2, securityhub:GetConfigurationPolicyAssociation, securityhub:GetFindingAggregator, securityhub:ListAggregatorsV2, securityhub:ListAutomationRulesV2, securityhub:ListConfigurationPolicyAssociations, securityhub:ListFindingAggregators, sms-voice:DescribeConfigurationSets, sms-voice:DescribeKeywords, sms-voice:DescribeProtectConfigurations, sms-voice:GetProtectConfigurationCountryRuleSet, sms-voice:ListPoolOriginationIdentities, sms-voice:ListTagsForResource, workspaces-web:GetTrustStore, workspaces-web:GetTrustStoreCertificate, workspaces-web:GetUserAccessLoggingSettings, workspaces-web:ListTagsForResource. | This policy now supports additional permissions for recording configuration changes across numerous AWS services. | February 17, 2026 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added permissions: application-autoscaling:DescribeScheduledActions, appsync:GetApiAssociation, cloudformation:DescribeStacks, cloudformation:GetStackPolicy, cloudformation:GetTemplate, cloudfront:GetKeyGroup, cloudfront:GetMonitoringSubscription, cloudfront:ListKeyGroups, connect:ListEvaluationFormVersions, cur:DescribeReportDefinitions, cur:ListTagsForResource, datazone:GetDomainUnit, datazone:GetEnvironmentAction, datazone:GetEnvironmentBlueprintConfiguration, datazone:GetEnvironmentProfile, datazone:GetGroupProfile, datazone:GetSubscriptionTarget, datazone:GetUserProfile, datazone:ListDomainUnitsForParent, datazone:ListEntityOwners, datazone:ListEnvironmentActions, datazone:ListEnvironmentBlueprintConfigurations, datazone:ListEnvironmentProfiles, datazone:ListPolicyGrants, datazone:ListProjectMemberships, datazone:ListSubscriptionTargets, datazone:SearchGroupProfiles, datazone:SearchUserProfiles, docdb-elastic:GetCluster, docdb-elastic:ListClusters, docdb-elastic:ListTagsForResource, ec2:GetRouteServerAssociations, ec2:GetRouteServerPropagations, ec2:SearchTransitGatewayRoutes, fis:ListTagsForResource, frauddetector:GetListElements, frauddetector:GetListsMetadata, guardduty:GetThreatEntitySet, guardduty:GetTrustedEntitySet, guardduty:ListThreatEntitySets, guardduty:ListTrustedEntitySets, iotfleetwise:GetCampaign, iotfleetwise:ListCampaigns, iotsitewise:DescribeComputationModel, iotsitewise:DescribeDataset, iotsitewise:ListComputationModels, iotsitewise:ListDatasets, iotwireless:GetWirelessDeviceImportTask, iotwireless:ListWirelessDeviceImportTasks, kendra:ListDataSources, logs:DescribeQueryDefinitions, logs:GetIntegration, logs:ListIntegrations, mediaconnect:ListRouterOutputs, medialive:DescribeMultiplex, medialive:DescribeSdiSource, medialive:GetCloudWatchAlarmTemplate, medialive:GetCloudWatchAlarmTemplateGroup, medialive:GetEventBridgeRuleTemplate, medialive:GetEventBridgeRuleTemplateGroup, medialive:ListCloudWatchAlarmTemplateGroups, medialive:ListCloudWatchAlarmTemplates, medialive:ListEventBridgeRuleTemplateGroups, medialive:ListEventBridgeRuleTemplates, medialive:ListSdiSources, medialive:ListSignalMaps, networkmanager:GetConnectAttachment, networkmanager:GetCoreNetwork, networkmanager:GetCoreNetworkPolicy, networkmanager:GetDirectConnectGatewayAttachment, networkmanager:GetSiteToSiteVpnAttachment, networkmanager:ListAttachments, networkmanager:ListCoreNetworks, notifications:GetEventRule, notifications:ListEventRules, notifications:ListManagedNotificationChannelAssociations, notifications:ListNotificationHubs, notifications:ListOrganizationalUnits, refactor-spaces:GetApplication, refactor-spaces:GetRoute, refactor-spaces:ListRoutes, resource-explorer-2:GetDefaultView, route53resolver:GetOutpostResolver, route53resolver:ListOutpostResolvers, securityhub:DescribeOrganizationConfiguration, securityhub:GetAggregatorV2, securityhub:GetAutomationRuleV2, securityhub:GetConfigurationPolicyAssociation, securityhub:GetFindingAggregator, securityhub:ListAggregatorsV2, securityhub:ListAutomationRulesV2, securityhub:ListConfigurationPolicyAssociations, securityhub:ListFindingAggregators, sms-voice:DescribeConfigurationSets, sms-voice:DescribeKeywords, sms-voice:DescribeProtectConfigurations, sms-voice:GetProtectConfigurationCountryRuleSet, sms-voice:ListPoolOriginationIdentities, sms-voice:ListTagsForResource, workspaces-web:GetTrustStore, workspaces-web:GetTrustStoreCertificate, workspaces-web:GetUserAccessLoggingSettings, workspaces-web:ListTagsForResource. | This policy now supports additional permissions for recording configuration changes across numerous AWS services. | February 17, 2026 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Updated managed policy with comprehensive permissions for AWS resource configuration recording across over 100 AWS services including compute, storage, networking, security, analytics, and machine learning services. | This policy now provides enhanced documentation of service permissions and supports comprehensive monitoring across all AWS services that AWS Config supports for configuration recording. | January 27, 2026 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Updated managed policy with comprehensive permissions for AWS resource configuration recording across over 100 AWS services including compute, storage, networking, security, analytics, and machine learning services. | This policy now provides enhanced documentation of service permissions and supports comprehensive monitoring across all AWS services that AWS Config supports for configuration recording. | January 27, 2026 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – add "s3tables:ListTagsForResource", "s3tables:GetTableBucketMetricsConfiguration", "s3tables:GetTableBucketStorageClass" | This policy now supports additional permissions for S3Tables.. | January 09, 2026 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – add "s3tables:ListTagsForResource", "s3tables:GetTableBucketMetricsConfiguration", "s3tables:GetTableBucketStorageClass" | This policy now supports additional permissions for S3Tables. | January 09, 2026 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – add "lightsail:GetActiveNames" "lightsail:GetOperations" "s3:GetBucketAbac" | This policy now supports additional permissions for Amazon Lightsail and Amazon Simple Storage Service (Amazon S3). | November 20, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – add "lightsail:GetActiveNames" "lightsail:GetOperations" "s3:GetBucketAbac" | This policy now supports additional permissions for Amazon Lightsail and Amazon Simple Storage Service (Amazon S3). | November 20, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Updated managed policy with comprehensive permissions for AWS resource configuration recording across over 100 AWS services including compute, storage, networking, security, analytics, and machine learning services. | This policy now provides enhanced documentation of service permissions and supports comprehensive monitoring across all AWS services that AWS Config supports for configuration recording. | November 11, 2025 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Updated managed policy with comprehensive permissions for AWS resource configuration recording across multiple services including AWS Identity and Access Management, Amazon Elastic Compute Cloud, Amazon Simple Storage Service, AWS Lambda, Amazon Relational Database Service, and many others. | This policy now supports additional permissions for comprehensive AWS resource configuration recording and monitoring across all supported AWS services. | November 10, 2025 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – add "amplify:GetDomainAssociation" "amplify:ListDomainAssociations" "amplify:ListTagsForResource" "appsync:GetSourceApiAssociation" "appsync:ListSourceApiAssociations" "bedrock:GetFlow" "bedrock:ListAgentCollaborators" "bedrock:ListFlows" "bedrock:ListPrompts" "cloudTrail:GetResourcePolicy" "cloudformation:DescribePublisher" "codeartifact:DescribePackageGroup" "codeartifact:ListAllowedRepositoriesForGroup" "codeartifact:ListPackageGroups" "codepipeline:ListActionTypes" "codepipeline:ListTagsForResource" "codepipeline:ListWebhooks" "connect:DescribeTrafficDistributionGroup" "connect:ListTrafficDistributionGroups" "deadline:ListFarms" "ec2:GetTransitGatewayRouteTablePropagations" "ec2:SearchLocalGatewayRoutes" "ec2:SearchTransitGatewayMulticastGroups" "entityresolution:GetMatchingWorkflow" "entityresolution:ListMatchingWorkflows" "iotsitewise:ListAssetModelCompositeModels" "iotsitewise:ListAssetModelProperties" "iotsitewise:ListAssetProperties" "iotsitewise:ListAssociatedAssets" "ivs:ListPublicKeys" "lambda:GetProvisionedConcurrencyConfig" "lambda:GetRuntimeManagementConfig" "lambda:ListFunctionEventInvokeConfigs" "lambda:ListFunctionUrlConfigs" "pipes:DescribePipe" "pipes:ListPipes" "quicksight:DescribeRefreshSchedule" "quicksight:ListRefreshSchedules" "redshift-serverless:ListSnapshotCopyConfigurations" "redshift:GetResourcePolicy" "rolesanywhere:GetCrl" "rolesanywhere:ListCrls" "sagemaker:DescribeApp" "sagemaker:DescribeUserProfile" "sagemaker:ListApps" "sagemaker:ListModelPackages" "sagemaker:ListUserProfiles" "secretsmanager:GetResourcePolicy" "securitylake:ListSubscribers" "securitylake:ListTagsForResource" "servicecatalog:DescribeServiceAction" "servicecatalog:ListApplications" "servicecatalog:ListAssociatedResources" "shield:ListProtectionGroups" "shield:ListTagsForResource" "ssm-incidents:GetReplicationSet" "ssm-incidents:ListReplicationSets" "ssm:DescribeAssociation" "ssm:DescribePatchBaselines" "ssm:GetDefaultPatchBaseline" "ssm:GetPatchBaseline" "ssm:GetResourcePolicies" "ssm:ListAssociations" "ssm:ListResourceDataSync" "wafv2:ListLoggingConfigurations" "bedrock-agentcore:ListCodeInterpreters" "bedrock-agentcore:GetCodeInterpreter" "bedrock-agentcore:ListBrowsers" "bedrock-agentcore:GetBrowser" "bedrock-agentcore:ListAgentRuntimes" "bedrock-agentcore:GetAgentRuntime" "bedrock-agentcore:ListAgentRuntimeEndpoints" "bedrock-agentcore:GetAgentRuntimeEndpoint" | This policy now supports additional permissions for AWS Amplify, AWS AppSync, Amazon Bedrock, AWS CloudTrail, CloudFormation, AWS CodeArtifact, AWS CodePipeline, Amazon Connect, AWS Deadline Cloud, Amazon EC2, AWS Entity Resolution, AWS IoT SiteWise, Amazon IVS, AWS Lambda, Amazon EventBridge, Amazon Quick, Amazon Redshift, Amazon Redshift Serverless, AWS Identity and Access Management Roles Anywhere, Amazon SageMaker, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, AWS Shield, Amazon EC2 Systems Manager, and AWS WAFV2. | October 1, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – add "amplify:GetDomainAssociation" "amplify:ListDomainAssociations" "amplify:ListTagsForResource" "appsync:GetSourceApiAssociation" "appsync:ListSourceApiAssociations" "bedrock:GetFlow" "bedrock:ListAgentCollaborators" "bedrock:ListFlows" "bedrock:ListPrompts" "cloudTrail:GetResourcePolicy" "cloudformation:DescribePublisher" "codeartifact:DescribePackageGroup" "codeartifact:ListAllowedRepositoriesForGroup" "codeartifact:ListPackageGroups" "codepipeline:ListActionTypes" "codepipeline:ListTagsForResource" "codepipeline:ListWebhooks" "connect:DescribeTrafficDistributionGroup" "connect:ListTrafficDistributionGroups" "deadline:ListFarms" "ec2:GetTransitGatewayRouteTablePropagations" "ec2:SearchLocalGatewayRoutes" "ec2:SearchTransitGatewayMulticastGroups" "entityresolution:GetMatchingWorkflow" "entityresolution:ListMatchingWorkflows" "iotsitewise:ListAssetModelCompositeModels" "iotsitewise:ListAssetModelProperties" "iotsitewise:ListAssetProperties" "iotsitewise:ListAssociatedAssets" "ivs:ListPublicKeys" "lambda:GetProvisionedConcurrencyConfig" "lambda:GetRuntimeManagementConfig" "lambda:ListFunctionEventInvokeConfigs" "lambda:ListFunctionUrlConfigs" "pipes:DescribePipe" "pipes:ListPipes" "quicksight:DescribeRefreshSchedule" "quicksight:ListRefreshSchedules" "redshift-serverless:ListSnapshotCopyConfigurations" "redshift:GetResourcePolicy" "rolesanywhere:GetCrl" "rolesanywhere:ListCrls" "sagemaker:DescribeApp" "sagemaker:DescribeUserProfile" "sagemaker:ListApps" "sagemaker:ListModelPackages" "sagemaker:ListUserProfiles" "secretsmanager:GetResourcePolicy" "securitylake:ListSubscribers" "securitylake:ListTagsForResource" "servicecatalog:DescribeServiceAction" "servicecatalog:ListApplications" "servicecatalog:ListAssociatedResources" "shield:ListProtectionGroups" "shield:ListTagsForResource" "ssm-incidents:GetReplicationSet" "ssm-incidents:ListReplicationSets" "ssm:DescribeAssociation" "ssm:DescribePatchBaselines" "ssm:GetDefaultPatchBaseline" "ssm:GetPatchBaseline" "ssm:GetResourcePolicies" "ssm:ListAssociations" "ssm:ListResourceDataSync" "wafv2:ListLoggingConfigurations" "bedrock-agentcore:ListCodeInterpreters" "bedrock-agentcore:GetCodeInterpreter" "bedrock-agentcore:ListBrowsers" "bedrock-agentcore:GetBrowser" "bedrock-agentcore:ListAgentRuntimes" "bedrock-agentcore:GetAgentRuntime" "bedrock-agentcore:ListAgentRuntimeEndpoints" "bedrock-agentcore:GetAgentRuntimeEndpoint" | This policy now supports additional permissions for AWS Amplify, AWS AppSync, Amazon Bedrock, AWS CloudTrail, CloudFormation, AWS CodeArtifact, AWS CodePipeline, Amazon Connect, AWS Deadline Cloud, Amazon EC2, AWS Entity Resolution, AWS IoT SiteWise, Amazon IVS, AWS Lambda, Amazon EventBridge, Amazon Quick, Amazon Redshift, Amazon Redshift Serverless, AWS Identity and Access Management Roles Anywhere, Amazon SageMaker, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, AWS Shield, Amazon EC2 Systems Manager, and AWS WAFV2. | October 1, 2025 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", "bedrock:GetModelInvocationLoggingConfiguration", "cloudtrail:GetEventConfiguration", "codeartifact:DescribeDomain", "codeartifact:GetDomainPermissionsPolicy", "deadline:GetFleet", "deadline:GetQueueFleetAssociation", "deadline:ListFleets", "deadline:ListQueueFleetAssociations", "deadline:ListTagsForResource", "dms:DescribeDataMigrations", "dms:ListMigrationProjects", "glue:GetDataCatalogEncryptionSettings", "kafkaconnect:DescribeCustomPlugin", "kafkaconnect:DescribeWorkerConfiguration", "kafkaconnect:ListCustomPlugins", "kafkaconnect:ListTagsForResource", "kafkaconnect:ListWorkerConfigurations", "lakeformation:DescribeLakeFormationIdentityCenterConfiguration", "medialive:DescribeMultiplexProgram", "medialive:ListMultiplexPrograms", "mediapackagev2:GetChannelGroup", "mediapackagev2:ListChannelGroups", "rds:DescribeEngineDefaultParameters", "rolesanywhere:GetProfile", "rolesanywhere:GetTrustAnchor", "rolesanywhere:ListProfiles", "rolesanywhere:ListTagsForResource", "rolesanywhere:ListTrustAnchors", "s3:GetAccessGrant", "s3:ListAccessGrants", "secretsmanager:DescribeSecret", "securitylake:ListDataLakeExceptions", "securitylake:ListDataLakes", "securitylake:ListLogSources", "servicecatalog:GetAttributeGroup", "servicecatalog:ListAttributeGroups", "servicecatalog:ListServiceActions", "servicecatalog:ListServiceActionsForProvisioningArtifact", "ses:GetTrafficPolicy", "ses:ListTagsForResource", "ses:ListTrafficPolicies", "xray:GetGroup", "xray:GetGroups", "xray:GetSamplingRules", "xray:ListResourcePolicies", "xray:ListTagsForResource" | This policy now supports additional permissions for AWS ARC - Zonal Shift, Amazon Bedrock, AWS CloudTrail, AWS CodeArtifact, AWS Deadline Cloud, AWS Database Migration Service, AWS Glue, AWS Identity and Access Management, Amazon Managed Streaming for Apache Kafka, AWS Lake Formation, Amazon CloudWatch Logs, AWS Elemental MediaLive, AWS Elemental MediaPackage, Amazon Relational Database Service, Amazon Simple Storage Service, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, Amazon Simple Email Service, and AWS X-Ray. | July 28, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", "bedrock:GetModelInvocationLoggingConfiguration", "cloudtrail:GetEventConfiguration", "codeartifact:DescribeDomain", "codeartifact:GetDomainPermissionsPolicy", "deadline:GetFleet", "deadline:GetQueueFleetAssociation", "deadline:ListFleets", "deadline:ListQueueFleetAssociations", "deadline:ListTagsForResource", "dms:DescribeDataMigrations", "dms:ListMigrationProjects", "glue:GetDataCatalogEncryptionSettings", "iam:ListPolicies", "kafkaconnect:DescribeCustomPlugin", "kafkaconnect:DescribeWorkerConfiguration", "kafkaconnect:ListCustomPlugins", "kafkaconnect:ListTagsForResource", "kafkaconnect:ListWorkerConfigurations", "lakeformation:DescribeLakeFormationIdentityCenterConfiguration", "logs:DescribeIndexPolicies", "logs:ListTagsForResource", "medialive:DescribeMultiplexProgram", "medialive:ListMultiplexPrograms", "mediapackagev2:GetChannelGroup", "mediapackagev2:ListChannelGroups", "rds:DescribeEngineDefaultParameters", "rolesanywhere:GetProfile", "rolesanywhere:GetTrustAnchor", "rolesanywhere:ListProfiles", "rolesanywhere:ListTagsForResource", "rolesanywhere:ListTrustAnchors", "s3:GetAccessGrant", "s3:ListAccessGrants", "secretsmanager:DescribeSecret", "securitylake:ListDataLakeExceptions", "securitylake:ListDataLakes", "securitylake:ListLogSources", "servicecatalog:GetAttributeGroup", "servicecatalog:ListAttributeGroups", "servicecatalog:ListServiceActions", "servicecatalog:ListServiceActionsForProvisioningArtifact", "ses:GetTrafficPolicy", "ses:ListTagsForResource", "ses:ListTrafficPolicies", "xray:GetGroup", "xray:GetGroups", "xray:GetSamplingRules", "xray:ListResourcePolicies", "xray:ListTagsForResource", "arn:aws:apigateway:::/account", "arn:aws:apigateway:::/usageplans", "arn:aws:apigateway:::/usageplans/". | This policy now supports additional permissions for AWS ARC - Zonal Shift, Amazon Bedrock, AWS CloudTrail, AWS CodeArtifact, AWS Deadline Cloud, AWS Database Migration Service, AWS Glue, AWS Identity and Access Management, Amazon Managed Streaming for Apache Kafka, AWS Lake Formation, Amazon CloudWatch Logs, AWS Elemental MediaLive, AWS Elemental MediaPackage, Amazon Relational Database Service, Amazon Simple Storage Service, AWS Secrets Manager, Amazon Security Lake, AWS Service Catalog, Amazon Simple Email Service, AWS X-Ray, and Amazon API Gateway. | July 28, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "backup-gateway:GetHypervisor", "backup-gateway:ListHypervisors", "bcm-data-exports:GetExport", "bcm-data-exports:ListExports", "bcm-data-exports:ListTagsForResource", "bedrock:GetAgent", "bedrock:GetAgentActionGroup", "bedrock:GetAgentKnowledgeBase", "bedrock:GetDataSource", "bedrock:GetFlowAlias", "bedrock:GetFlowVersion", "bedrock:ListAgentActionGroups", "bedrock:ListAgentKnowledgeBases", "bedrock:ListDataSources", "bedrock:ListFlowAliases", "bedrock:ListFlowVersions", "cloudformation:BatchDescribeTypeConfigurations", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSet", "cloudformation:ListStackInstances", "cloudformation:ListStackSets", "cloudfront:GetPublicKey", "cloudfront:GetRealtimeLogConfig", "cloudfront:ListPublicKeys", "cloudfront:ListRealtimeLogConfigs", "entityresolution:GetIdMappingWorkflow", "entityresolution:GetSchemaMapping", "entityresolution:ListIdMappingWorkflows", "entityresolution:ListSchemaMappings", "entityresolution:ListTagsForResource", "iotdeviceadvisor:GetSuiteDefinition", "iotdeviceadvisor:ListSuiteDefinitions", "lambda:GetEventSourceMapping", "lambda:ListEventSourceMappings", "mediapackagev2:GetChannel", "mediapackagev2:ListChannels", "networkmanager:GetTransitGatewayPeering", "networkmanager:ListPeerings", "pca-connector-ad:GetDirectoryRegistration", "pca-connector-ad:ListDirectoryRegistrations", "pca-connector-ad:ListTagsForResource", "rds:DescribeDBShardGroups", "rds:DescribeIntegrations", "redshift:DescribeIntegrations", "s3tables:GetTableBucket", "s3tables:GetTableBucketEncryption", "s3tables:GetTableBucketMaintenanceConfiguration", "s3tables:ListTableBuckets", "ssm-quicksetup:GetConfigurationManager", "ssm-quicksetup:ListConfigurationManagers" | This policy now supports additional permissions for AWS Backup gateway, AWS Billing and Cost Management, Amazon Bedrock, AWS CloudFormation, Amazon CloudFront, AWS Entity Resolution, AWS IoT Core Device Advisor, AWS Lambda, AWS Network Manager, AWS Private Certificate Authority, Amazon Relational Database Service, Amazon Redshift, Amazon S3 Tables, AWS Systems Manager Quick Setup. | June 18, 2025 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "backup-gateway:GetHypervisor", "backup-gateway:ListHypervisors", "bcm-data-exports:GetExport", "bcm-data-exports:ListExports", "bcm-data-exports:ListTagsForResource", "bedrock:GetAgent", "bedrock:GetAgentActionGroup", "bedrock:GetAgentKnowledgeBase", "bedrock:GetDataSource", "bedrock:GetFlowAlias", "bedrock:GetFlowVersion", "bedrock:ListAgentActionGroups", "bedrock:ListAgentKnowledgeBases", "bedrock:ListDataSources", "bedrock:ListFlowAliases", "bedrock:ListFlowVersions", "cloudformation:BatchDescribeTypeConfigurations", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSet", "cloudformation:ListStackInstances", "cloudformation:ListStackSets", "cloudfront:GetPublicKey", "cloudfront:GetRealtimeLogConfig", "cloudfront:ListPublicKeys", "cloudfront:ListRealtimeLogConfigs", "entityresolution:GetIdMappingWorkflow", "entityresolution:GetSchemaMapping", "entityresolution:ListIdMappingWorkflows", "entityresolution:ListSchemaMappings", "entityresolution:ListTagsForResource", "iotdeviceadvisor:GetSuiteDefinition", "iotdeviceadvisor:ListSuiteDefinitions", "lambda:GetEventSourceMapping", "lambda:ListEventSourceMappings", "networkmanager:GetTransitGatewayPeering", "networkmanager:ListPeerings", "pca-connector-ad:GetDirectoryRegistration", "pca-connector-ad:ListDirectoryRegistrations", "pca-connector-ad:ListTagsForResource", "rds:DescribeDBShardGroups", "rds:DescribeIntegrations", "redshift:DescribeIntegrations", "s3tables:GetTableBucket", "s3tables:GetTableBucketEncryption", "s3tables:GetTableBucketMaintenanceConfiguration", "s3tables:ListTableBuckets", "ssm-quicksetup:GetConfigurationManager", "ssm-quicksetup:ListConfigurationManagers" | This policy now supports additional permissions for AWS Backup gateway, AWS Billing and Cost Management, Amazon Bedrock, AWS CloudFormation, Amazon CloudFront, AWS Entity Resolution, AWS IoT Core Device Advisor, AWS Lambda, AWS Network Manager, AWS Private Certificate Authority, Amazon Relational Database Service, Amazon Redshift, Amazon S3 Tables, AWS Systems Manager Quick Setup. | June 18, 2025 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "bedrock:GetGuardrail", "bedrock:GetInferenceProfile", "bedrock:GetKnowledgeBase", "bedrock:ListGuardrails", "bedrock:ListInferenceProfiles", "bedrock:ListKnowledgeBases", "bedrock:ListTagsForResource" | This policy now supports additional permissions for Amazon Bedrock. | May 27, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "bedrock:GetGuardrail", "bedrock:GetInferenceProfile", "bedrock:GetKnowledgeBase", "bedrock:ListGuardrails", "bedrock:ListInferenceProfiles", "bedrock:ListKnowledgeBases", "bedrock:ListTagsForResource" | This policy now supports additional permissions for Amazon Bedrock. | May 27, 2025 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "b2bi:GetPartnership", "b2bi:GetProfile", "b2bi:ListPartnerships", "b2bi:ListProfiles", "bedrock:ListAgents", "cleanrooms:GetConfiguredTable", "cleanrooms:GetConfiguredTableAnalysisRule", "cleanrooms:GetMembership", "cleanrooms:GetPrivacyBudgetTemplate", "cleanrooms:ListConfiguredTables", "cleanrooms:ListMemberships", "cleanrooms:ListPrivacyBudgetTemplates", "codeconnections:GetConnection", "codeconnections:ListConnections", "codeconnections:ListTagsForResource", "directconnect:DescribeConnections", "dms:DescribeReplicationConfigs", "logs:DescribeAccountPolicies", "logs:DescribeResourcePolicies", "macie2:ListAutomatedDiscoveryAccounts", "managedblockchain:GetAccessor", "managedblockchain:ListAccessors", "qbusiness:GetApplication", "qbusiness:ListApplications", "qbusiness:ListTagsForResource", "route53profiles:GetProfile", "route53profiles:GetProfileAssociation", "route53profiles:ListProfileAssociations", "route53profiles:ListProfiles", "route53profiles:ListTagsForResource", "s3:GetAccessGrantsInstance", "s3:GetAccessGrantsLocation", "s3:ListAccessGrantsInstances", "s3:ListAccessGrantsLocations", "sagemaker:DescribeCluster", "sagemaker:DescribeMlflowTrackingServer", "sagemaker:DescribeStudioLifecycleConfig", "sagemaker:ListClusters", "sagemaker:ListMlflowTrackingServers", "sagemaker:ListStudioLifecycleConfigs", "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards", "ssm-contacts:GetContact", "ssm-contacts:GetContactChannel", "ssm-contacts:ListContactChannels", "ssm-contacts:ListContacts", "ssm-incidents:GetResponsePlan", "ssm-incidents:ListResponsePlans", "ssm-incidents:ListTagsForResource", "ssm:DescribeInstanceInformation" | This policy now supports additional permissions for AWS B2B Data Interchange, Amazon Bedrock, AWS Clean Rooms, AWS CodeConnections, AWS Direct Connect, AWS Database Migration Service (AWS DMS), Amazon CloudWatch Logs, Amazon Macie, Amazon Managed Blockchain, Amazon Q Business, Route 53 Profiles, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, AWS Security Hub CSPM, and AWS Systems Manager Incident Manager, AWS Systems Manager Incident Manager Contacts, and AWS Systems Manager. | April 08, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "b2bi:GetPartnership", "b2bi:GetProfile", "b2bi:ListPartnerships", "b2bi:ListProfiles", "bedrock:ListAgents", "cleanrooms:GetConfiguredTable", "cleanrooms:GetConfiguredTableAnalysisRule", "cleanrooms:GetMembership", "cleanrooms:GetPrivacyBudgetTemplate", "cleanrooms:ListConfiguredTables", "cleanrooms:ListMemberships", "cleanrooms:ListPrivacyBudgetTemplates", "codeconnections:GetConnection", "codeconnections:ListConnections", "codeconnections:ListTagsForResource", "directconnect:DescribeConnections", "dms:DescribeReplicationConfigs", "logs:DescribeAccountPolicies", "logs:DescribeResourcePolicies", "macie2:ListAutomatedDiscoveryAccounts", "managedblockchain:GetAccessor", "managedblockchain:ListAccessors", "qbusiness:GetApplication", "qbusiness:ListApplications", "qbusiness:ListTagsForResource", "route53profiles:GetProfile", "route53profiles:GetProfileAssociation", "route53profiles:ListProfileAssociations", "route53profiles:ListProfiles", "route53profiles:ListTagsForResource", "s3:GetAccessGrantsInstance", "s3:GetAccessGrantsLocation", "s3:ListAccessGrantsInstances", "s3:ListAccessGrantsLocations", "sagemaker:DescribeCluster", "sagemaker:DescribeMlflowTrackingServer", "sagemaker:DescribeStudioLifecycleConfig", "sagemaker:ListClusters", "sagemaker:ListMlflowTrackingServers", "sagemaker:ListStudioLifecycleConfigs", "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards", "ssm-contacts:GetContact", "ssm-contacts:GetContactChannel", "ssm-contacts:ListContactChannels", "ssm-contacts:ListContacts", "ssm-incidents:GetResponsePlan", "ssm-incidents:ListResponsePlans", "ssm-incidents:ListTagsForResource", "ssm:DescribeInstanceInformation" | This policy now supports additional permissions for AWS B2B Data Interchange, Amazon Bedrock, AWS Clean Rooms, AWS CodeConnections, AWS Direct Connect, AWS Database Migration Service (AWS DMS), Amazon CloudWatch Logs, Amazon Macie, Amazon Managed Blockchain, Amazon Q Business, Route 53 Profiles, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, AWS Security Hub CSPM, and AWS Systems Manager Incident Manager, AWS Systems Manager Incident Manager Contacts, and AWS Systems Manager. This policy also now supports permission to access all Amazon API Gateway domain names by including the resource pattern "`arn:aws:apigateway:::/domainnames/`". | April 08, 2025 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "ec2:GetAllowedImagesSettings" | This policy now supports additional permissions for Amazon Elastic Compute Cloud (Amazon EC2). | March 4, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "ec2:GetAllowedImagesSettings" | This policy now supports additional permissions for Amazon Elastic Compute Cloud (Amazon EC2). | March 4, 2025 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "cleanrooms-ml:GetTrainingDataset", "cleanrooms-ml:ListTrainingDatasets", "comprehend:DescribeFlywheel", "comprehend:ListFlywheels", "comprehend:ListTagsForResource", "ec2:GetSnapshotBlockPublicAccessState", "omics:GetAnnotationStore", "omics:GetRunGroup", "omics:GetSequenceStore", "omics:GetVariantStore", "omics:ListAnnotationStores", "omics:ListRunGroups", "omics:ListSequenceStores", "omics:ListTagsForResource", "omics:ListVariantStores", "s3express:GetEncryptionConfiguration", "s3express:GetLifecycleConfiguration", "ses:GetDedicatedIpPool", "ses:GetDedicatedIps", and "ses:ListDedicatedIpPools" | This policy now supports additional permissions for AWS Clean Rooms, Amazon Comprehend, Amazon Elastic Compute Cloud (Amazon EC2), AWS HealthOmics, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Email Service (Amazon SES). | January 16, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "cleanrooms-ml:GetTrainingDataset", "cleanrooms-ml:ListTrainingDatasets", "comprehend:DescribeFlywheel", "comprehend:ListFlywheels", "comprehend:ListTagsForResource", "ec2:GetSnapshotBlockPublicAccessState", "omics:GetAnnotationStore", "omics:GetRunGroup", "omics:GetSequenceStore", "omics:GetVariantStore", "omics:ListAnnotationStores", "omics:ListRunGroups", "omics:ListSequenceStores", "omics:ListTagsForResource", "omics:ListVariantStores", "s3express:GetEncryptionConfiguration", "s3express:GetLifecycleConfiguration", "ses:GetDedicatedIpPool", "ses:GetDedicatedIps", and "ses:ListDedicatedIpPools" | This policy now supports additional permissions for AWS Clean Rooms, Amazon Comprehend, Amazon Elastic Compute Cloud (Amazon EC2), AWS HealthOmics, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Email Service (Amazon SES). | January 16, 2025 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "organizations:ListAWSServiceAccessForOrganization" | This policy now supports additional permissions for AWS Organizations. | December 18, 2024 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "app-integrations:GetApplication", "app-integrations:ListApplications", "app-integrations:ListTagsForResource", "appconfig:GetExtension", "appconfig:ListExtensions", "cloudtrail:GetInsightSelectors", "connect:DescribeQueue", "connect:DescribeRoutingProfile", "connect:DescribeSecurityProfile", "connect:ListQueueQuickConnects", "connect:ListQueues", "connect:ListRoutingProfileQueues", "connect:ListRoutingProfiles", "connect:ListSecurityProfileApplications", "connect:ListSecurityProfilePermissions", "connect:ListSecurityProfiles", "datazone:GetDomain", "datazone:ListDomains", "devops-guru:ListNotificationChannels", "glue:GetRegistry", "glue:ListRegistries", "identitystore:DescribeGroup", "identitystore:DescribeGroupMembership" "identitystore:ListGroupMemberships", "identitystore:ListGroups", "iot:DescribeThingGroup", "iot:DescribeThingType", "iot:ListThingGroups", "iot:ListThingTypes", "iotfleetwise:GetDecoderManifest", "iotfleetwise:GetFleet", "iotfleetwise:GetModelManifest", "iotfleetwise:GetSignalCatalog", "iotfleetwise:GetVehicle", "iotfleetwise:ListDecoderManifestNetworkInterfaces", "iotfleetwise:ListDecoderManifests", "iotfleetwise:ListDecoderManifestSignals", "iotfleetwise:ListFleets", "iotfleetwise:ListModelManifestNodes", "iotfleetwise:ListModelManifests", "iotfleetwise:ListSignalCatalogNodes", "iotfleetwise:ListSignalCatalogs", "iotfleetwise:ListTagsForResource", "iotfleetwise:ListVehicles", "iotwireless:GetDestination", "iotwireless:GetDeviceProfile", "iotwireless:GetWirelessGateway", "iotwireless:ListDestinations", "iotwireless:ListDeviceProfiles", "iotwireless:ListWirelessGateways", "ivschat:GetLoggingConfiguration", "ivschat:GetRoom" "ivschat:ListLoggingConfigurations", "ivschat:ListRooms", "ivschat:ListTagsForResource", "logs:GetLogAnomalyDetector", "logs:ListLogAnomalyDetectors", "oam:GetSink" "oam:GetSinkPolicy", "oam:ListSinks", "payment-cryptography:GetAlias", "payment-cryptography:GetKey", "payment-cryptography:ListAliases", "payment-cryptography:ListKeys", "payment-cryptography:ListTagsForResource", "rds:DescribeDBProxyTargetGroups", "rds:DescribeDBProxyTargets", "rekognition:DescribeProjects", "s3:GetStorageLensGroup", "s3:ListStorageLensGroups", "s3:ListTagsForResource", "scheduler:GetScheduleGroup", "scheduler:ListScheduleGroups", "scheduler:ListTagsForResource", "ssm:GetServiceSetting", "vpc-lattice:GetAccessLogSubscription", "vpc-lattice:GetService", "vpc-lattice:GetServiceNetwork", "vpc-lattice:GetTargetGroup", "vpc-lattice:ListAccessLogSubscriptions", "vpc-lattice:ListServiceNetworks", "vpc-lattice:ListServices", "vpc-lattice:ListTagsForResource", "vpc-lattice:ListTargetGroups", and "vpc-lattice:ListTargets" | This policy now supports additional permissions for AWS AppConfig, AWS CloudTrail, Amazon Connect, Amazon DataZone, Amazon DevOps Guru, AWS Glue, Identity Store, AWS IoT, AWS IoT FleetWise, AWS IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, AWS Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, AWS Systems Manager, and Amazon VPC Lattice. | November 7, 2024 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "app-integrations:GetApplication", "app-integrations:ListApplications", "app-integrations:ListTagsForResource", "appconfig:GetExtension", "appconfig:ListExtensions", "cloudtrail:GetInsightSelectors", "connect:DescribeQueue", "connect:DescribeRoutingProfile", "connect:DescribeSecurityProfile", "connect:ListQueueQuickConnects", "connect:ListQueues", "connect:ListRoutingProfileQueues", "connect:ListRoutingProfiles", "connect:ListSecurityProfileApplications", "connect:ListSecurityProfilePermissions", "connect:ListSecurityProfiles", "datazone:GetDomain", "datazone:ListDomains", "devops-guru:ListNotificationChannels", "glue:GetRegistry", "glue:ListRegistries", "identitystore:DescribeGroup", "identitystore:DescribeGroupMembership" "identitystore:ListGroupMemberships", "identitystore:ListGroups", "iot:DescribeThingGroup", "iot:DescribeThingType", "iot:ListThingGroups", "iot:ListThingTypes", "iotfleetwise:GetDecoderManifest", "iotfleetwise:GetFleet", "iotfleetwise:GetModelManifest", "iotfleetwise:GetSignalCatalog", "iotfleetwise:GetVehicle", "iotfleetwise:ListDecoderManifestNetworkInterfaces", "iotfleetwise:ListDecoderManifests", "iotfleetwise:ListDecoderManifestSignals", "iotfleetwise:ListFleets", "iotfleetwise:ListModelManifestNodes", "iotfleetwise:ListModelManifests", "iotfleetwise:ListSignalCatalogNodes", "iotfleetwise:ListSignalCatalogs", "iotfleetwise:ListTagsForResource", "iotfleetwise:ListVehicles", "iotwireless:GetDestination", "iotwireless:GetDeviceProfile", "iotwireless:GetWirelessGateway", "iotwireless:ListDestinations", "iotwireless:ListDeviceProfiles", "iotwireless:ListWirelessGateways", "ivschat:GetLoggingConfiguration", "ivschat:GetRoom" "ivschat:ListLoggingConfigurations", "ivschat:ListRooms", "ivschat:ListTagsForResource", "logs:GetLogAnomalyDetector", "logs:ListLogAnomalyDetectors", "oam:GetSink" "oam:GetSinkPolicy", "oam:ListSinks", "payment-cryptography:GetAlias", "payment-cryptography:GetKey", "payment-cryptography:ListAliases", "payment-cryptography:ListKeys", "payment-cryptography:ListTagsForResource", "rds:DescribeDBProxyTargetGroups", "rds:DescribeDBProxyTargets", "rekognition:DescribeProjects", "s3:GetStorageLensGroup", "s3:ListStorageLensGroups", "s3:ListTagsForResource", "scheduler:GetScheduleGroup", "scheduler:ListScheduleGroups", "scheduler:ListTagsForResource", "ssm:GetServiceSetting", "vpc-lattice:GetAccessLogSubscription", "vpc-lattice:GetService", "vpc-lattice:GetServiceNetwork", "vpc-lattice:GetTargetGroup", "vpc-lattice:ListAccessLogSubscriptions", "vpc-lattice:ListServiceNetworks", "vpc-lattice:ListServices", "vpc-lattice:ListTagsForResource", "vpc-lattice:ListTargetGroups", and "vpc-lattice:ListTargets" | This policy now supports additional permissions for AWS AppConfig, AWS CloudTrail, Amazon Connect, Amazon DataZone, Amazon DevOps Guru, AWS Glue, Identity Store, AWS IoT, AWS IoT FleetWise, AWS IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, AWS Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, AWS Systems Manager, and Amazon VPC Lattice. | November 7, 2024 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "aoss:BatchGetCollection," "aoss:BatchGetLifecyclePolicy," "aoss:BatchGetVpcEndpoint," "aoss:GetAccessPolicy," "aoss:GetSecurityConfig," "aoss:GetSecurityPolicy," "aoss:ListAccessPolicies," "aoss:ListCollections," "aoss:ListLifecyclePolicies," "aoss:ListSecurityConfigs," "aoss:ListSecurityPolicies," "aoss:ListVpcEndpoints," "appstream:DescribeAppBlockBuilders," "backup:GetRestoreTestingPlan," "backup:GetRestoreTestingSelection", "backup:ListRestoreTestingPlans," "backup:ListRestoreTestingSelections," "cloudTrail:GetChannel, "cloudTrail:ListChannels," "glue:GetTrigger," "glue:ListTriggers, "imagebuilder:GetLifecyclePolicy," "imagebuilder:ListLifecyclePolicies," "iot:DescribeBillingGroup," "iot:ListBillingGroups," "ivs:GetEncoderConfiguration," "ivs:GetPlaybackRestrictionPolicy," "ivs:GetStage," "ivs:GetStorageConfiguration," "ivs:ListEncoderConfigurations," "ivs:ListPlaybackRestrictionPolicies," "ivs:ListStages," "ivs:ListStorageConfigurations," "mediaconnect:DescribeBridge", "mediaconnect:DescribeGatewa," "mediaconnect:ListBridges," "mediaconnect:ListGateways", "mediatailor:DescribeChannel," "mediatailor:DescribeLiveSource," "mediatailor:DescribeSourceLocation," "mediatailor:DescribeVodSource", "mediatailor:ListChannels," "mediatailor:ListLiveSources", "mediatailor:ListSourceLocations," "mediatailor:ListVodSources," "omics:GetWorkflow," "omics:ListWorkflows," "scheduler:GetSchedule," and "scheduler:ListSchedules" | This policy now supports additional permissions for Amazon OpenSearch Service Severless, Amazon AppStream, AWS Backup, AWS CloudTrail, AWS Glue, EC2 Image Builder, AWS IoT, Amazon Interactive Video Service (Amazon IVS), AWS Elemental MediaConnect, AWS Elemental MediaTailor, AWS HealthOmics, and Amazon EventBridge Scheduler. | September 16, 2024 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "aoss:BatchGetCollection," "aoss:BatchGetLifecyclePolicy," "aoss:BatchGetVpcEndpoint," "aoss:GetAccessPolicy," "aoss:GetSecurityConfig," "aoss:GetSecurityPolicy," "aoss:ListAccessPolicies," "aoss:ListCollections," "aoss:ListLifecyclePolicies," "aoss:ListSecurityConfigs," "aoss:ListSecurityPolicies," "aoss:ListVpcEndpoints," "appstream:DescribeAppBlockBuilders," "backup:GetRestoreTestingPlan," "backup:GetRestoreTestingSelection", "backup:ListRestoreTestingPlans," "backup:ListRestoreTestingSelections," "cloudTrail:GetChannel, "cloudTrail:ListChannels," "glue:GetTrigger," "glue:ListTriggers, "imagebuilder:GetLifecyclePolicy," "imagebuilder:ListLifecyclePolicies," "iot:DescribeBillingGroup," "iot:ListBillingGroups," "ivs:GetEncoderConfiguration," "ivs:GetPlaybackRestrictionPolicy," "ivs:GetStage," "ivs:GetStorageConfiguration," "ivs:ListEncoderConfigurations," "ivs:ListPlaybackRestrictionPolicies," "ivs:ListStages," "ivs:ListStorageConfigurations," "mediaconnect:DescribeBridge", "mediaconnect:DescribeGatewa," "mediaconnect:ListBridges," "mediaconnect:ListGateways", "mediatailor:DescribeChannel," "mediatailor:DescribeLiveSource," "mediatailor:DescribeSourceLocation," "mediatailor:DescribeVodSource", "mediatailor:ListChannels," "mediatailor:ListLiveSources", "mediatailor:ListSourceLocations," "mediatailor:ListVodSources," "omics:GetWorkflow," "omics:ListWorkflows," "scheduler:GetSchedule," and "scheduler:ListSchedules" | This policy now supports additional permissions for Amazon OpenSearch Service Severless, Amazon AppStream, AWS Backup, AWS CloudTrail, AWS Glue, EC2 Image Builder, AWS IoT, Amazon Interactive Video Service (Amazon IVS), AWS Elemental MediaConnect, AWS Elemental MediaTailor, AWS HealthOmics, and Amazon EventBridge Scheduler. | September 16, 2024 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "elasticfilesystem:DescribeTags," "redshift:DescribeTags," and "ssm-sap:ListTagsForResource" | This policy now supports additional permissions for Amazon Elastic File System (Amazon EFS), Amazon Redshift and AWS Systems Manager for SAP. | June 17, 2024 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "elasticfilesystem:DescribeTags," "redshift:DescribeTags," and "ssm-sap:ListTagsForResource" | This policy now supports additional permissions for Amazon Elastic File System (Amazon EFS), Amazon Redshift and AWS Systems Manager for SAP. | June 17, 2024 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "aps:DescribeAlertManagerDefinition," "cloudwatch:DescribeAlarmsForMetric," "cognito-identity:DescribeIdentityPool, "cognito-identity:GetPrincipalTagAttributeMap," "elasticache:DescribeCacheSecurityGroups," "elasticache:DescribeUserGroups," "elasticache:DescribeUsers," "elasticache:DescribeGlobalReplicationGroups," "fsx:DescribeDataRepositoryAssociations," "glue:GetDatabase," "glue:GetDatabases," "iam:ListUsers," "lambda:GetLayerVersion," "lambda:ListLayers," "lambda:ListLayerVersions," "ram:GetPermission," "ram:ListPermissionAssociations," "ram:ListPermissions," "ram:ListPermissionVersions," "redshift-serverless:GetNamespace," "redshift-serverless:GetWorkgroup," "redshift-serverless:ListNamespaces," "redshift-serverless:ListTagsForResource," "redshift-serverless:ListWorkgroups," "sagemaker:DescribeInferenceExperiment," "sagemaker:ListInferenceExperiments," and "sns:GetSMSSandboxAccountStatus" | This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon Cognito, Amazon ElastiCache, Amazon FSx, AWS Glue, AWS Identity and Access Management (IAM), AWS Lambda, AWS RAM, Amazon Redshift Serverless, Amazon SageMaker AI, and Amazon Simple Notification Service (Amazon SNS). | February 22, 2024 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "aps:DescribeAlertManagerDefinition," "cloudwatch:DescribeAlarmsForMetric," "cognito-identity:DescribeIdentityPool, "cognito-identity:GetPrincipalTagAttributeMap," "elasticache:DescribeCacheSecurityGroups," "elasticache:DescribeUserGroups," "elasticache:DescribeUsers," "elasticache:DescribeGlobalReplicationGroups," "fsx:DescribeDataRepositoryAssociations," "glue:GetDatabase," "glue:GetDatabases," "iam:ListUsers," "lambda:GetLayerVersion," "lambda:ListLayers," "lambda:ListLayerVersions," "ram:GetPermission," "ram:ListPermissionAssociations," "ram:ListPermissions," "ram:ListPermissionVersions," "redshift-serverless:GetNamespace," "redshift-serverless:GetWorkgroup," "redshift-serverless:ListNamespaces," "redshift-serverless:ListTagsForResource," "redshift-serverless:ListWorkgroups," "sagemaker:DescribeInferenceExperiment," "sagemaker:ListInferenceExperiments," and "sns:GetSMSSandboxAccountStatus" | This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon Cognito, Amazon ElastiCache, Amazon FSx, AWS Glue, AWS Identity and Access Management (IAM), AWS Lambda, AWS RAM, Amazon Redshift Serverless, Amazon SageMaker AI, and Amazon Simple Notification Service (Amazon SNS). | February 22, 2024 |
| [AWSConfigUserAccess](#security-iam-awsmanpol-AWSConfigUserAccess) – AWS Config starts tracking changes for this AWS managed policy | This policy provides access to use AWS Config, including searching by tags on resources and reading all tags. This does not provide permission to configure AWS Config, which requires administrative privileges. | February 22, 2024 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "appconfig:GetExtensionAssociation," "appconfig:ListExtensionAssociations," "aps:DescribeLoggingConfiguration," "dms:DescribeReplicationTaskAssessmentRuns," "iam:GetOpenIDConnectProvider," "iam:ListOpenIDConnectProviders," "kafka:DescribeVpcConnection," "kafka:GetClusterPolicy," "kafka:ListVpcConnections," "logs:DescribeMetricFilters," "organizations:ListDelegatedAdministrators," "s3:GetBucketPolicyStatus," "s3express:GetBucketPolicy," and "s3express:ListAllMyDirectoryBuckets" | This policy now supports additional permissions for AWS AppConfig, Amazon Managed Service for Prometheus, AWS Database Migration Service (AWS DMS), (AWS Identity and Access Management) IAM, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon CloudWatch Logs, AWS Organizations, and Amazon Simple Storage Service (Amazon S3). | Decemeber 5, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "appconfig:GetExtensionAssociation," "appconfig:ListExtensionAssociations," "aps:DescribeLoggingConfiguration," "dms:DescribeReplicationTaskAssessmentRuns," "iam:GetOpenIDConnectProvider," "iam:ListOpenIDConnectProviders," "kafka:DescribeVpcConnection," "kafka:GetClusterPolicy," "kafka:ListVpcConnections," "logs:DescribeMetricFilters," "organizations:ListDelegatedAdministrators," "s3:GetBucketPolicyStatus," "s3express:GetBucketPolicy," and "s3express:ListAllMyDirectoryBuckets" | This policy now supports additional permissions for AWS AppConfig, Amazon Managed Service for Prometheus, AWS Database Migration Service (AWS DMS), (AWS Identity and Access Management) IAM, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon CloudWatch Logs, AWS Organizations, and Amazon Simple Storage Service (Amazon S3). | December 5, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "backup:DescribeProtectedResource," "cognito-identity:GetIdentityPoolRoles," "cognito-identity:ListIdentityPools," "cognito-identity:ListTagsForResource," "cognito-idp:DescribeIdentityProvider," "cognito-idp:DescribeResourceServer," "cognito-idp:DescribeUserPool," "cognito-idp:DescribeUserPoolClient," "cognito-idp:DescribeUserPoolDomain," "cognito-idp:GetGroup," "cognito-idp:GetUserPoolMfaConfig," "cognito-idp:ListGroups," "cognito-idp:ListIdentityProviders," "cognito-idp:ListResourceServers," "cognito-idp:ListUserPoolClients," "cognito-idp:ListUserPools," "cognito-idp:ListTagsForResource," "connect:DescribeEvaluationForm," "connect:DescribeInstanceStorageConfig," "connect:DescribePrompt," "connect:DescribeRule," "connect:DescribeUser," "connect:GetTaskTemplate," "connect:ListApprovedOrigins," "connect:ListEvaluationForms," "connect:ListInstanceStorageConfigs," "connect:ListIntegrationAssociations," "connect:ListPrompts," "connect:ListRules," "connect:ListSecurityKeys," "connect:ListTagsForResource," "connect:ListTaskTemplates," "connect:ListUsers," "emr-containers:DescribeVirtualCluster," "emr-containers:ListVirtualClusters," "emr-serverless:GetApplication," "emr-serverless:ListApplications," "groundstation:GetDataflowEndpointGroup," "groundstation:ListDataflowEndpointGroups," "m2:GetEnvironment," "m2:ListEnvironments," "m2:ListTagsForResource," "memorydb:DescribeAcls," "memorydb:DescribeClusters," "memorydb:DescribeParameterGroups," "memorydb:DescribeParameters," "memorydb:DescribeSubnetGroups," "organizations:ListRoots," "quicksight:DescribeAccountSubscription," "quicksight:DescribeDataSetRefreshProperties," "rds:DescribeEngineDefaultClusterParameters," "redshift:DescribeEndpointAccess," "redshift:DescribeEndpointAuthorization," "route53:GetChange," "route53:ListCidrBlocks," "route53:ListCidrLocations," "serviceCatalog:DescribePortfolioShares," "transfer:DescribeProfile," and "transfer:ListProfiles" | This policy now supports additional permissions for Amazon Cognito, Amazon Connect, Amazon EMR, AWS Ground Station, AWS Mainframe Modernization, Amazon MemoryDB, AWS Organizations, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, AWS Service Catalog, and AWS Transfer Family. | November 17, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "Sid": "AWSConfigServiceRolePolicyStatementID," "Sid": "AWSConfigSLRLogStatementID," "Sid": "AWSConfigSLRLogEventStatementID," and "Sid": "AWSConfigSLRApiGatewayStatementID" | This policy now adds security identifiers (SID) for `AWSConfigServiceRolePolicyStatementID`, `AWSConfigSLRLogStatementID`, `AWSConfigSLRLogEventStatementID`, and `AWSConfigSLRApiGatewayStatementID`. | November 17, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "backup:DescribeProtectedResource," "cognito-identity:GetIdentityPoolRoles," "cognito-identity:ListIdentityPools," "cognito-identity:ListTagsForResource," "cognito-idp:DescribeIdentityProvider," "cognito-idp:DescribeResourceServer," "cognito-idp:DescribeUserPool," "cognito-idp:DescribeUserPoolClient," "cognito-idp:DescribeUserPoolDomain," "cognito-idp:GetGroup," "cognito-idp:GetUserPoolMfaConfig," "cognito-idp:ListGroups," "cognito-idp:ListIdentityProviders," "cognito-idp:ListResourceServers," "cognito-idp:ListUserPoolClients," "cognito-idp:ListUserPools," "cognito-idp:ListTagsForResource," "connect:DescribeEvaluationForm," "connect:DescribeInstanceStorageConfig," "connect:DescribePrompt," "connect:DescribeRule," "connect:DescribeUser," "connect:GetTaskTemplate," "connect:ListApprovedOrigins," "connect:ListEvaluationForms," "connect:ListInstanceStorageConfigs," "connect:ListIntegrationAssociations," "connect:ListPrompts," "connect:ListRules," "connect:ListSecurityKeys," "connect:ListTagsForResource," "connect:ListTaskTemplates," "connect:ListUsers," "emr-containers:DescribeVirtualCluster," "emr-containers:ListVirtualClusters," "emr-serverless:GetApplication," "emr-serverless:ListApplications," "groundstation:GetDataflowEndpointGroup," "groundstation:ListDataflowEndpointGroups," "m2:GetEnvironment," "m2:ListEnvironments," "m2:ListTagsForResource," "memorydb:DescribeAcls," "memorydb:DescribeClusters," "memorydb:DescribeParameterGroups," "memorydb:DescribeParameters," "memorydb:DescribeSubnetGroups," "organizations:ListRoots," "quicksight:DescribeAccountSubscription," "quicksight:DescribeDataSetRefreshProperties," "rds:DescribeEngineDefaultClusterParameters," "redshift:DescribeEndpointAccess," "redshift:DescribeEndpointAuthorization," "route53:GetChange," "route53:ListCidrBlocks," "route53:ListCidrLocations," "serviceCatalog:DescribePortfolioShares," "transfer:DescribeProfile," and "transfer:ListProfiles" | This policy now supports additional permissions for Amazon Cognito, Amazon Connect, Amazon EMR, AWS Ground Station, AWS Mainframe Modernization, Amazon MemoryDB, AWS Organizations, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, AWS Service Catalog, and AWS Transfer Family. | November 17, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "Sid": "AWSConfigServiceRolePolicyStatementID," "Sid": "AWSConfigSLRLogStatementID," "Sid": "AWSConfigSLRLogEventStatementID," and "Sid": "AWSConfigSLRApiGatewayStatementID" | This policy now adds security identifiers (SID) for `AWSConfigServiceRolePolicyStatementID`, `AWSConfigSLRLogStatementID`, `AWSConfigSLRLogEventStatementID`, and `AWSConfigSLRApiGatewayStatementID`. | November 17, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "acm-pca:GetCertificateAuthorityCertificate," "appmesh:DescribeMesh," "appmesh:ListGatewayRoutes," "connect:DescribeInstance," "connect:DescribeQuickConnect," "connect:ListQuickConnects," "ecs:DescribeCapacityProviders," "evidently:GetSegment," "evidently:ListSegments," "grafana:DescribeWorkspace," "grafana:DescribeWorkspaceAuthentication," "grafana:DescribeWorkspaceConfiguration," "grafana:DescribeWorkspaceConfiguration," "guardduty:GetMemberDetectors," "inspector2:BatchGetAccountStatus," "inspector2:GetDelegatedAdminAccount," "inspector2:ListMembers," "iot:DescribeCACertificate," "iot:ListCACertificates," "iot:ListTagsForResource," "iottwinmaker:GetSyncJob," "iottwinmaker:ListSyncJobs," "kafka:ListTagsForResource," "kafkaconnect:DescribeConnector," "kafkaconnect:ListConnectors," "lambda:GetCodeSigningConfig," "lambda:ListCodeSigningConfigs," "lambda:ListTags," "networkmanager:GetConnectPeer," "organizations:DescribeOrganization," "organizations:ListTargetsForPolicy," "sagemaker:DescribeDataQualityJob," "sagemaker:DescribeModelExplainabilityJob," "sagemaker:ListDataQualityJob," and "sagemaker:ExplainabilityJob" | This policy now supports additional permissions for AWS Private CA, AWS App Mesh, Amazon Connect, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), AWS Lambda, AWS Network Manager, AWS Organizations, and Amazon SageMaker AI. | October 4, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "acm-pca:GetCertificateAuthorityCertificate," "appmesh:DescribeMesh," "appmesh:ListGatewayRoutes," "connect:DescribeInstance," "connect:DescribeQuickConnect," "connect:ListQuickConnects," "ecs:DescribeCapacityProviders," "evidently:GetSegment," "evidently:ListSegments," "grafana:DescribeWorkspace," "grafana:DescribeWorkspaceAuthentication," "grafana:DescribeWorkspaceConfiguration," "grafana:DescribeWorkspaceConfiguration," "guardduty:GetMemberDetectors," "inspector2:BatchGetAccountStatus," "inspector2:GetDelegatedAdminAccount," "inspector2:ListMembers," "iot:DescribeCACertificate," "iot:ListCACertificates," "iot:ListTagsForResource," "iottwinmaker:GetSyncJob," "iottwinmaker:ListSyncJobs," "kafka:ListTagsForResource," "kafkaconnect:DescribeConnector," "kafkaconnect:ListConnectors," "lambda:GetCodeSigningConfig," "lambda:ListCodeSigningConfigs," "lambda:ListTags," "networkmanager:GetConnectPeer," "organizations:DescribeOrganization," "organizations:ListTargetsForPolicy," "sagemaker:DescribeDataQualityJob," "sagemaker:DescribeModelExplainabilityJob," "sagemaker:ListDataQualityJob," and "sagemaker:ExplainabilityJob" | This policy now supports additional permissions for AWS Private CA, AWS App Mesh, Amazon Connect, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), AWS Lambda, AWS Network Manager, AWS Organizations, and Amazon SageMaker AI. | October 4, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Remove "ssm:GetParameter" | This policy now removes permissions for AWS Systems Manager (Systems Manager). | September 6, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "appmesh:DescribeGatewayRoute","appstream:DescribeStacks", "aps:ListTagsForResource", "cloudfront:GetFunction", "cloudfront:GetOriginAccessControl", "cloudfront:ListFunctions", "cloudfront:ListOriginAccessControls", "codeartifact:ListPackages", "codeartifact:ListPackageVersions", "codebuild:BatchGetReportGroups", "codebuild:ListReportGroups", "connect:ListInstanceAttributes", "connect:ListInstances", "glue:GetPartition", "glue:GetPartitions", "guardduty:GetAdministratorAccount", "iam:ListInstanceProfileTags", "inspector2:ListFilters", "iot:DescribeJobTemplate", "iot:DescribeProvisioningTemplate", "iot:ListJobTemplates", "iot:ListProvisioningTemplates", "iottwinmaker:GetComponentType", "iottwinmaker:ListComponentTypes", "iotwireless:GetFuotaTask", "iotwireless:GetMulticastGroup", "iotwireless:ListFuotaTasks", "iotwireless:ListMulticastGroups", "kafka:ListScramSecrets", "macie2:ListTagsForResource", "mediaconnect:ListTagsForResource", "networkmanager:GetConnectPeer", "networkmanager:ListConnectPeers", "organizations:DescribeEffectivePolicy", "organizations:DescribeResourcePolicy", "resource-explorer-2:GetIndex", "resource-explorer-2:ListIndexes", "resource-explorer-2:ListTagsForResource", "route53:ListCidrCollections", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", and "sns:GetDataProtectionPolicy" | This policy now supports additional permissions for AWS App Mesh, AWS CloudFormation, Amazon CloudFront AWS CodeArtifact, AWS CodeBuild, Amazon Connect, AWS Glue, Amazon GuardDuty, AWS Identity and Access Management (IAM), Amazon Inspector, AWS IoT, AWS IoT TwinMaker, AWS IoT Wireless, Amazon Managed Streaming for Apache Kafka, Amazon Macie, AWS Elemental MediaConnect, AWS Network Manager, AWS Organizations, AWS Resource Explorer, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Notification Service (Amazon SNS). | July 28, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "appmesh:DescribeGatewayRoute", "appstream:DescribeStacks", "aps:ListTagsForResource", "cloudfront:GetFunction", "cloudfront:GetOriginAccessControl", "cloudfront:ListFunctions", "cloudfront:ListOriginAccessControls", "codeartifact:ListPackages", "codeartifact:ListPackageVersions", "codebuild:BatchGetReportGroups", "codebuild:ListReportGroups", "connect:ListInstanceAttributes", "connect:ListInstances", "glue:GetPartition", "glue:GetPartitions", "guardduty:GetAdministratorAccount", "iam:ListInstanceProfileTags", "inspector2:ListFilters", "iot:DescribeJobTemplate", "iot:DescribeProvisioningTemplate", "iot:ListJobTemplates", "iot:ListProvisioningTemplates", "iottwinmaker:GetComponentType", "iottwinmaker:ListComponentTypes", "iotwireless:GetFuotaTask", "iotwireless:GetMulticastGroup", "iotwireless:ListFuotaTasks", "iotwireless:ListMulticastGroups", "kafka:ListScramSecrets", "macie2:ListTagsForResource", "mediaconnect:ListTagsForResource", "networkmanager:GetConnectPeer", "networkmanager:ListConnectPeers", "organizations:DescribeEffectivePolicy", "organizations:DescribeResourcePolicy", "resource-explorer-2:GetIndex", "resource-explorer-2:ListIndexes", "resource-explorer-2:ListTagsForResource", "route53:ListCidrCollections", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "sns:GetDataProtectionPolicy", "ssm:DescribeParameters", "ssm:GetParameter", and "ssm:ListTagsForResource" | This policy now supports additional permissions for AWS App Mesh, Amazon WorkSpaces Applications, AWS CloudFormation, Amazon CloudFront, AWS CodeArtifact, AWS CodeBuild, Amazon Connect, AWS Glue, Amazon GuardDuty, AWS Identity and Access Management (IAM), Amazon Inspector, AWS IoT, AWS IoT TwinMaker, AWS IoT Wireless, Amazon Managed Streaming for Apache Kafka, Amazon Macie, AWS Elemental MediaConnect, AWS Network Manager, AWS Organizations, AWS Resource Explorer, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Simple Notification Service (Amazon SNS), and Amazon EC2 Systems Manager (SSM). | July 28, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "amplify:GetBranch", "amplify:ListBranches", "app-integrations:GetEventIntegration", "app-integrations:ListEventIntegrationAssociations", "app-integrations:ListEventIntegrations", "appmesh:DescribeRoute", "appmesh:ListRoutes", "aps:ListRuleGroupsNamespaces", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "batch:DescribeSchedulingPolicies", "batch:ListSchedulingPolicies", "cloudformation:ListTypes", "cloudtrail:ListTrails", "codeartifact:ListDomains", "codeguru-profiler:DescribeProfilingGroup", "codeguru-profiler:GetNotificationConfiguration", "codeguru-profiler:GetPolicy", "codeguru-profiler:ListProfilingGroups", "ds:DescribeDomainControllers", “dynamodb:DescribeTableReplicaAutoScaling" "dynamodb:DescribeTimeToLive", "ec2:DescribeTrafficMirrorFilters", "evidently:GetLaunch", "evidently:ListLaunches", "forecast:DescribeDatasetGroup", "forecast:ListDatasetGroups", "greengrass:DescribeComponent", "greengrass:GetComponent", "greengrass:ListComponents", "greengrass:ListComponentVersions", "groundstation:GetMissionProfile", "groundstation:ListMissionProfiles", "iam:ListGroups", "iam:ListRoles", "kafka:DescribeConfiguration", "kafka:DescribeConfigurationRevision", "kafka:ListConfigurations", "lightsail:GetRelationalDatabases" "logs:ListTagsLogGroup", "mediaconnect:DescribeFlow", "mediaconnect:ListFlows", "mediatailor:GetPlaybackConfiguration", "mediatailor:ListPlaybackConfigurations", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetEmailTemplate", "mobiletargeting:GetEventStream", "mobiletargeting:ListTemplates", "networkmanager:GetCustomerGatewayAssociations", "networkmanager:GetLinkAssociations", "organizations:DescribeAccount", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent", "organizations:ListTagsForResource", "personalize:DescribeDataset", "personalize:DescribeDatasetGroup", "personalize:DescribeSchema", "personalize:DescribeSolution", "personalize:ListDatasetGroups", "personalize:ListDatasetImportJobs", "personalize:ListDatasets", "personalize:ListSchemas", "personalize:ListSolutions", "personalize:ListTagsForResource", "quicksight:ListTemplates", "refactor-spaces:GetEnvironment", "refactor-spaces:GetService", "refactor-spaces:ListApplications", "refactor-spaces:ListEnvironments", "refactor-spaces:ListServices", "s3:GetAccessPointPolicyStatusForObjectLambda", "sagemaker:DescribeDeviceFleet", "sagemaker:DescribeFeatureGroup", "sagemaker:ListDeviceFleets", "sagemaker:ListFeatureGroups", "sagemaker:ListModels", and "transfer:ListTagsForResource" | This policy now supports additional permissions for AWS Amplify, Amazon Connect, AWS App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, AWS Batch, AWS CloudFormation, AWS CloudTrail, AWS CodeArtifact, Amazon CodeGuru, AWS Directory Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, AWS Organizations, Amazon Forecast, AWS IoT Greengrass, AWS Ground Station, AWS Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), Amazon Personalize, Amazon Quick, AWS Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, AWS Transfer Family. | June 13, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "amplify:GetBranch", "amplify:ListBranches", "app-integrations:GetEventIntegration", "app-integrations:ListEventIntegrationAssociations", "app-integrations:ListEventIntegrations", "appmesh:DescribeRoute", "appmesh:ListRoutes", "aps:ListRuleGroupsNamespaces", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "batch:DescribeSchedulingPolicies", "batch:ListSchedulingPolicies", "cloudformation:ListTypes", "cloudtrail:ListTrails", "codeartifact:ListDomains", "codeguru-profiler:DescribeProfilingGroup", "codeguru-profiler:GetNotificationConfiguration", "codeguru-profiler:GetPolicy", "codeguru-profiler:ListProfilingGroups", "ds:DescribeDomainControllers", "dynamodb:DescribeTableReplicaAutoScaling", "dynamodb:DescribeTimeToLive", "ec2:DescribeTrafficMirrorFilters", "evidently:GetLaunch", "evidently:ListLaunches", "forecast:DescribeDatasetGroup", "forecast:ListDatasetGroups", "greengrass:DescribeComponent", "greengrass:GetComponent", "greengrass:ListComponents", "greengrass:ListComponentVersions", "groundstation:GetMissionProfile", "groundstation:ListMissionProfiles", "iam:ListGroups", "iam:ListRoles", "kafka:DescribeConfiguration", "kafka:DescribeConfigurationRevision", "kafka:ListConfigurations", "lightsail:GetRelationalDatabases", "logs:ListTagsLogGroup", "mediaconnect:DescribeFlow", "mediaconnect:ListFlows", "mediatailor:GetPlaybackConfiguration", "mediatailor:ListPlaybackConfigurations", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetEmailTemplate", "mobiletargeting:GetEventStream", "mobiletargeting:ListTemplates", "networkmanager:GetCustomerGatewayAssociations", "networkmanager:GetLinkAssociations", "organizations:DescribeAccount", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent", "organizations:ListTagsForResource", "personalize:DescribeDataset", "personalize:DescribeDatasetGroup", "personalize:DescribeSchema", "personalize:DescribeSolution", "personalize:ListDatasetGroups", "personalize:ListDatasetImportJobs", "personalize:ListDatasets", "personalize:ListSchemas", "personalize:ListSolutions", "personalize:ListTagsForResource", "quicksight:ListTemplates", "refactor-spaces:GetEnvironment", "refactor-spaces:GetService", "refactor-spaces:ListApplications", "refactor-spaces:ListEnvironments", "refactor-spaces:ListServices", "s3:GetAccessPointPolicyStatusForObjectLambda", "sagemaker:DescribeDeviceFleet", "sagemaker:DescribeFeatureGroup", "sagemaker:ListDeviceFleets", "sagemaker:ListFeatureGroups", "sagemaker:ListModels", and "transfer:ListTagsForResource" | This policy now supports additional permissions for AWS Amplify, Amazon Connect, AWS App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, AWS Batch, AWS CloudFormation, AWS CloudTrail, AWS CodeArtifact, Amazon CodeGuru, AWS Directory Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, AWS Organizations,Amazon Forecast, AWS IoT Greengrass, AWS Ground Station, AWS Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), Amazon Personalize, Amazon Quick, AWS Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, AWS Transfer Family. | June 13, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add amplify:GetApp, amplify:ListApps, appmesh:DescribeVirtualGateway, appmesh:DescribeVirtualNode, appmesh:DescribeVirtualRouter, appmesh:DescribeVirtualService, appmesh:ListMeshes, appmesh:ListTagsForResource, appmesh:ListVirtualGateways, appmesh:ListVirtualNodes, appmesh:ListVirtualRouters, appmesh:ListVirtualServices, apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors, cloudformation:ListTypes, cloudfront:ListResponseHeadersPolicies, codeartifact:ListRepositories, ds:DescribeEventTopics, ds:ListLogSubscriptions, GetInstanceTypesFromInstanceRequirement ec2:GetManagedPrefixListEntries, kendra:DescribeIndex, kendra:ListIndices, kendra:ListTagsForResource, logs:DescribeDestinations, logs:GetDataProtectionPolicy, macie2:DescribeOrganizationConfiguration, macie2:GetAutomatedDiscoveryConfiguration, macie2:GetClassificationExportConfiguration, macie2:GetCustomDataIdentifier, macie2:GetFindingsPublicationConfiguration, macie2:ListCustomDataIdentifiers, mobiletargeting:GetEmailChannel, refactor-spaces:GetEnvironment, refactor-spaces:ListEnvironments, resiliencehub:ListTagsForResource, route53:GetDNSSEC, sagemaker:DescribeDomain, sagemaker:DescribeModelBiasJobDefinition, sagemaker:DescribeModelQualityJobDefinition, sagemaker:DescribePipeline, sagemaker:DescribeProject, sagemaker:ListDomains, sagemaker:ListModelBiasJobDefinitions, sagemaker:ListModelQualityJobDefinitions, sagemaker:ListPipelines, sagemaker:ListProjects, transfer:DescribeAgreement, transfer:DescribeCertificate, transfer:ListAgreements, transfer:ListCertificates, and waf-regional:ListLoggingConfigurations | This policy now supports additional permissions for Amazon Managed Workflows for AWS Amplify, AWS App Mesh, AWS App Runner, Amazon CloudFront, AWS CodeArtifact, Amazon Elastic Compute Cloud, Amazon Kendra, Amazon Macie, Amazon Route 53, Amazon SageMaker AI, AWS Transfer Family, Amazon Pinpoint, AWS Migration Hub, AWS Resilience Hub, Amazon CloudWatch, AWS Directory Service, and AWS WAF. | April 13, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add amplify:GetApp, amplify:ListApps, appmesh:DescribeVirtualGateway, appmesh:DescribeVirtualNode, appmesh:DescribeVirtualRouter, appmesh:DescribeVirtualService, appmesh:ListMeshes, appmesh:ListTagsForResource, appmesh:ListVirtualGateways, appmesh:ListVirtualNodes, appmesh:ListVirtualRouters, appmesh:ListVirtualServices, apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors, cloudformation:ListTypes, cloudfront:ListResponseHeadersPolicies, codeartifact:ListRepositories, ds:DescribeEventTopics, ds:ListLogSubscriptions, ec2:GetInstanceTypesFromInstanceRequirement, ec2:GetManagedPrefixListEntries, kendra:DescribeIndex, kendra:ListIndices, kendra:ListTagsForResource, logs:DescribeDestinations, logs:GetDataProtectionPolicy, macie2:DescribeOrganizationConfiguration, macie2:GetAutomatedDiscoveryConfiguration, macie2:GetClassificationExportConfiguration, macie2:GetCustomDataIdentifier, macie2:GetFindingsPublicationConfiguration, macie2:ListCustomDataIdentifiers, mobiletargeting:GetEmailChannel, refactor-spaces:GetEnvironment, refactor-spaces:ListEnvironments, resiliencehub:ListTagsForResource, route53:GetDNSSEC, sagemaker:DescribeDomain, sagemaker:DescribeModelBiasJobDefinition, sagemaker:DescribeModelQualityJobDefinition, sagemaker:DescribePipeline, sagemaker:DescribeProject, sagemaker:ListDomains, sagemaker:ListModelBiasJobDefinitions, sagemaker:ListModelQualityJobDefinitions, sagemaker:ListPipelines, sagemaker:ListProjects, transfer:DescribeAgreement, transfer:DescribeCertificate, transfer:ListAgreements, transfer:ListCertificates, and waf-regional:ListLoggingConfigurations | This policy now supports additional permissions for Amazon Managed Workflows for AWS Amplify, AWS App Mesh, AWS App Runner, Amazon CloudFront, AWS CodeArtifact, Amazon Elastic Compute Cloud, Amazon Kendra, Amazon Macie, Amazon Route 53, Amazon SageMaker AI, AWS Transfer Family, Amazon Pinpoint, AWS Migration Hub, AWS Resilience Hub, Amazon CloudWatch, AWS Directory Service, and AWS WAF. | April 13, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add appflow:DescribeFlow, appflow:ListFlows, appflow:ListTagsForResource, apprunner:DescribeService, apprunner:ListServices, apprunner:ListTagsForResource, appstream:DescribeApplications, appstream:DescribeFleets, cloudfront:GetResponseHeadersPolicy, cloudwatch:ListTagsForResource, codeartifact:DescribeRepository, codeartifact:GetRepositoryPermissionsPolicy, codeartifact:ListTagsForResource, codecommit:GetRepository, codecommit:GetRepositoryTriggers, codecommit:ListRepositories, codecommit:ListTagsForResource, devicefarm:GetInstanceProfile, devicefarm:ListInstanceProfiles, devicefarm:ListProjects, evidently:GetProject, evidently:ListProjects, evidently:ListTagsForResource, forecast:DescribeDataset, forecast:ListDatasets, forecast:ListTagsForResource, groundstation:GetConfig, groundstation:ListConfigs, groundstation:ListTagsForResource, iam:GetInstanceProfile, iam:GetSAMLProvider, iam:GetServerCertificate, iam:ListAccessKeys, iam:ListGroups, iam:ListInstanceProfiles, iam:ListMFADevices, iam:ListMFADeviceTags, iam:ListRoles, iam:ListSAMLProviders, iot:DescribeFleetMetric, iot:ListFleetMetrics, memorydb:DescribeUsers, memorydb:ListTags, mobiletargeting:GetApp, mobiletargeting:GetCampaigns, networkmanager:GetDevices, networkmanager:GetLinks, networkmanager:GetSites, panorama:ListNodes, rds:DescribeDBProxyEndpoints, redshift:DescribeScheduledActions, sagemaker:DescribeAppImageConfig, sagemaker:DescribeImage, sagemaker:DescribeImageVersion, sagemaker:ListAppImageConfigs, sagemaker:ListImages, and sagemaker:ListImageVersions | This policy now supports additional permissions for Amazon Managed Workflows for Amazon AppFlow, AWS App Runner, Amazon WorkSpaces Applications, Amazon CloudFront, Amazon CloudWatch, AWS CodeArtifact, AWS CodeCommit, AWS Device Farm, Amazon CloudWatch Evidently, Amazon Forecast, AWS Ground Station, AWS Identity and Access Management (IAM), AWS IoT, Amazon MemoryDB, Amazon Pinpoint, AWS Network Manager, AWS Panorama, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker AI. | March 30, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add appflow:DescribeFlow, appflow:ListFlows, appflow:ListTagsForResource, apprunner:DescribeService, apprunner:ListServices, apprunner:ListTagsForResource, appstream:DescribeApplications, appstream:DescribeFleets, cloudformation:ListTypes, cloudfront:GetResponseHeadersPolicy, cloudfront:ListDistributions, cloudwatch:ListTagsForResource, codeartifact:DescribeRepository, codeartifact:GetRepositoryPermissionsPolicy, codeartifact:ListTagsForResource, codecommit:GetRepository, codecommit:GetRepositoryTriggers, codecommit:ListRepositories, codecommit:ListTagsForResource, devicefarm:GetInstanceProfile, devicefarm:ListInstanceProfiles, devicefarm:ListProjects, ec2:DescribeTrafficMirrorFilters, evidently:GetProject, evidently:ListProjects, evidently:ListTagsForResource, forecast:DescribeDataset, forecast:ListDatasets, forecast:ListTagsForResource, groundstation:GetConfig, groundstation:ListConfigs, groundstation:ListTagsForResource, iam:GetInstanceProfile, iam:GetSAMLProvider, iam:GetServerCertificate, iam:ListAccessKeys, iam:ListGroups, iam:ListInstanceProfiles, iam:ListMFADevices, iam:ListMFADeviceTags, iam:ListRoles, iam:ListSAMLProviders, iot:DescribeFleetMetric, iot:ListFleetMetrics, memorydb:DescribeUsers, memorydb:ListTags, mobiletargeting:GetApp, mobiletargeting:GetCampaigns, networkmanager:GetDevices, networkmanager:GetLinks, networkmanager:GetSites, panorama:ListNodes, rds:DescribeDBProxyEndpoints, redshift:DescribeScheduledActions, sagemaker:DescribeAppImageConfig, sagemaker:DescribeImage, sagemaker:DescribeImageVersion, sagemaker:ListAppImageConfigs, sagemaker:ListImages, and sagemaker:ListImageVersions | This policy now supports additional permissions for Amazon Managed Workflows for Amazon AppFlow, AWS App Runner, Amazon WorkSpaces Applications, AWS CloudFormation, Amazon CloudFront, Amazon CloudWatch, AWS CodeArtifact, AWS CodeCommit, AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, AWS Ground Station, AWS Identity and Access Management (IAM), AWS IoT, Amazon MemoryDB, Amazon Pinpoint, AWS Network Manager, AWS Panorama, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker AI. | March 30, 2023 |
| [AWSConfigRulesExecutionRole](#security-iam-awsmanpol-AWSConfigRulesExecutionRole) – AWS Config starts tracking changes for this AWS managed policy | This policy allow AWS Lambda functions to access the AWS Config API and the configuration snapshots that AWS Config delivers periodically to Amazon S3. This access is required by functions that evaluate configuration changes for AWS Custom Lambda rules. | March 7, 2023 |
| [AWSConfigRoleForOrganizations](#security-iam-awsmanpol-AWSConfigRoleForOrganizations) – AWS Config starts tracking changes for this AWS managed policy | This policy allows AWS Config to call read-only AWS Organizations APIs. | March 7, 2023 |
| [AWSConfigRemediationServiceRolePolicy](#security-iam-awsmanpol-AWSConfigRemediationServiceRolePolicy) – AWS Config starts tracking changes for this AWS managed policy | This policy allows AWS Config to remediate `NON_COMPLIANT` resources on your behalf. | March 7, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add auditmanager:GetAccountStatus | This policy now grants permission to return the registration status of an account in AWS Audit Manager. | March 3, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add auditmanager:GetAccountStatus | This policy now grants permission to return the registration status of an account in AWS Audit Manager. | March 3, 2023 |
| [AWSConfigMultiAccountSetupPolicy](#security-iam-awsmanpol-AWSConfigMultiAccountSetupPolicy) – AWS Config starts tracking changes for this AWS managed policy | This policy allows AWS Config to call AWS services and deploy AWS Config resources across an organization with AWS Organizations. | February 27, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries | This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, AWS HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs. | February 1, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries | This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, AWS HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs. | February 1, 2023 |
| [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Update config:DescribeConfigRules | As a security best practice, this policy now removes broad resource-level permission for `config:DescribeConfigRules`. | January 12, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, AWS Transfer Family devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource | This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon Quick, AWS Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream. | Decemeber 15, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource | This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon Quick, AWS Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream. | Decemeber 15, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add cloudformation:ListStackResources and cloudformation:ListStacks | This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter. | November 7, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add cloudformation:ListStackResources and cloudformation:ListStacks | This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter. | November 7, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups | This policy now supports additional permissions for AWS Certificate Manager, Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, OpsWorks, AWS Panorama, AWS Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service. | October 19, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups | This policy now supports additional permissions for AWS Certificate Manager, Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, OpsWorks, AWS Panorama, AWS Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service. | October 19, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add Glue::GetTable | This policy now grants permission to retrieve the AWS Glue Table definition in a Data Catalog for a specified table. | September 14, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add Glue::GetTable | This policy now grants permission to retrieve the AWS Glue Table definition in a Data Catalog for a specified table. | September 14, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource | This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family. | September 7, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource | This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family | September 7, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries | This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, AWS HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs. | February 1, 2023 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries | This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, AWS IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, AWS HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), AWS Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, AWS Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs. | February 1, 2023 |
| [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Update config:DescribeConfigRules | As a security best practice, this policy now removes broad resource-level permission for `config:DescribeConfigRules`. | January 12, 2023 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, AWS Transfer Family devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource | This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon Quick, AWS Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream. | Decemeber 15, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource | This policy now supports additional permissions for Amazon Managed Service for Prometheus, AWS Audit Manager, AWS Device Farm, AWS Database Migration Service (AWS DMS), AWS Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), AWS Glue, AWS IoT, Amazon Lightsail, AWS Elemental MediaPackage, AWS Network Manager, Amazon Quick, AWS Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream. | December 15, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add cloudformation:ListStackResources and cloudformation:ListStacks | This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter. | November 7, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add cloudformation:ListStackResources and cloudformation:ListStacks | This policy now grants permission to return descriptions of all resources of a specified AWS CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter. | November 7, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups | This policy now supports additional permissions for AWS Certificate Manager, Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, OpsWorks, AWS Panorama, AWS Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service. | October 19, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups | This policy now supports additional permissions for AWS Certificate Manager, Amazon Managed Workflows for Apache Airflow, AWS Amplify, AWS AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, AWS Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, AWS Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, AWS IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, OpsWorks, AWS Panorama, AWS Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, AWS RoboMaker, AWS Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), AWS Cloud Map, and AWS Security Token Service. | October 19, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add Glue::GetTable | This policy now grants permission to retrieve the AWS Glue Table definition in a Data Catalog for a specified table. | September 14, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add Glue::GetTable | This policy now grants permission to retrieve the AWS Glue Table definition in a Data Catalog for a specified table. | September 14, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource | This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family. | September 7, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource | This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, AWS AppConfig, AWS AppSync, AWS Auto Scaling, AWS Backup, AWS Budgets, AWS Cost Explorer, AWS Cloud9, AWS Directory Service, AWS DataSync, AWS Elemental MediaPackage, AWS Glue, AWS IoT, AWS IoT Analytics, AWS IoT Events, AWS IoT SiteWise, AWS IoT TwinMaker, AWS Lake Formation, AWS License Manager, AWS Resilience Hub, AWS Signer, and AWS Transfer Family | September 7, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists | This policy now grants permission to return a list of AWS DataSync agents, DataSync source and destination locations, and DataSync tasks in an AWS account; list summary information about the AWS Cloud Map namespaces and services that are associated with one or more specified namespaces in an AWS account; and list all the Amazon Simple Email Service (Amazon SES) contact lists available in AWS account. | August 22, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists | This policy now grants permission to return a list of AWS DataSync agents, DataSync source and destination locations, and DataSync tasks in an AWS account; list summary information about the AWS Cloud Map namespaces and services that are associated with one or more specified namespaces in an AWS account; and list all the Amazon Simple Email Service (Amazon SES) contact lists available in AWS account. | August 22, 2022 |
| [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Add cloudwatch:PutMetricData | This policy now grants permission to publish metric data points to Amazon CloudWatch. | July 25, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor: ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder: GetComponent, imagebuilder: ListComponentBuildVersions, imagebuilder: ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListDistributionConfigurations, imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet | This policy now supports additional permissions for Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Managed Service for Apache Flink, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon Quick, Amazon Rekognition, AWS RoboMaker, Amazon Simple Storage Service (Amazon S3), Amazon Simple Email Service (Amazon SES), AWS Amplify, AWS AppConfig, AWS AppSync, AWS Billing Conductor, AWS DataSync, AWS Firewall Manager, AWS Glue, AWS IAM Identity Center (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing. | July 15, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor: ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder: GetComponent, imagebuilder: ListComponentBuildVersions, imagebuilder: ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListDistributionConfigurations, imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet | This policy now supports additional permissions for Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Managed Service for Apache Flink, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon Quick, Amazon Rekognition, AWS RoboMaker, Amazon Simple Storage Service (Amazon S3), Amazon Simple Email Service (Amazon SES), AWS Amplify, AWS AppConfig, AWS AppSync, AWS Billing Conductor, AWS DataSync, AWS Firewall Manager, AWS Glue, AWS IAM Identity Center (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing. | July 15, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource | This policy now grants permission to get a specified Amazon Athena data catalog, list the Athena data catalogs in an AWS account, and list tags associated with an Athena workgroup or data catalog resource; to get a list of Amazon Detective behavior graphs and list tags for a Detective behavior graph; get a list of resource metadata for a given list of AWS Glue development endpoint names, get information about a specified AWS Glue development endpoint, get all the AWS Glue development endpoints in an AWS account, retrieve a specified AWS Glue security configuration, get all AWS Glue security configurations, get a list of tags associated with an AWS Glue resource, get information about an AWS Glue workgroup with the specified name, retrieve the names of all AWS Glue crawler resources in an AWS account, get the names of all AWS Glue `DevEndpoint` resources in an AWS account, list the names of all AWS Glue job resources in an AWS account, get details about AWS Glue member accounts, list names of AWS Glue workflows created in an account, and list available AWS Glue workgroups for an account; to retrieve details about an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, get a list of GuardDuty filters, get the IPSets of the GuardDuty service, retrieve tags for the GuardDuty Service, and get the ThreatIntelSets of the GuardDuty service; to get the current status and configuration settings for an Amazon Macie account; to retrieve the resource and principal associations for AWS Resource Access Manager (AWS RAM) resource shares and retrieve details about AWS RAM resource shares; to get information about an Amazon Simple Email Service (Amazon SES) existing configuration set, get a list of event destinations that are associated with an Amazon SES configuration set, and list all of the configuration sets associated with an Amazon SES account; and to get a list of Identity Center directory attributes, get the details of an AWS IAM Identity Center permission set, get the IAM managed policy that is attached to a specified IAM Identity Center permission set, get the permissions set for an IAM Identity Center instance, and get tags for IAM Identity Center resources. | May 31, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource | This policy now grants permission to get a specified Amazon Athena data catalog, list the Athena data catalogs in an AWS account, and list tags associated with an Athena workgroup or data catalog resource; to get a list of Amazon Detective behavior graphs and list tags for a Detective behavior graph; get a list of resource metadata for a given list of AWS Glue development endpoint names, get information about a specified AWS Glue development endpoint, get all the AWS Glue development endpoints in an AWS account, retrieve a specified AWS Glue security configuration, get all AWS Glue security configurations, get a list of tags associated with an AWS Glue resource, get information about an AWS Glue workgroup with the specified name, retrieve the names of all AWS Glue crawler resources in an AWS account, get the names of all AWS Glue `DevEndpoint` resources in an AWS account, list the names of all AWS Glue job resources in an AWS account, get details about AWS Glue member accounts, list names of AWS Glue workflows created in an account, and list available AWS Glue workgroups for an account; to retrieve details about an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, get a list of GuardDuty filters, get the IPSets of the GuardDuty service, retrieve tags for the GuardDuty Service, and get the ThreatIntelSets of the GuardDuty service; to get the current status and configuration settings for an Amazon Macie account; to retrieve the resource and principal associations for AWS Resource Access Manager (AWS RAM) resource shares and retrieve details about AWS RAM resource shares; to get information about an Amazon Simple Email Service (Amazon SES) existing configuration set, get a list of event destinations that are associated with an Amazon SES configuration set, and list all of the configuration sets associated with an Amazon SES account; and to get a list of Identity Center directory attributes, get the details of an AWS IAM Identity Center permission set, get the IAM managed policy that is attached to a specified IAM Identity Center permission set, get the permissions set for an IAM Identity Center instance, and get tags for IAM Identity Center resources. | May 31, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies | This policy now grants permission to get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of a DynamoDB Accelerator (DAX) parameter group or subnet group, get information about AWS Database Migration Service (AWS DMS) replication tasks for your account in the current region being accessed, and get a list all policies in an AWS Organizations of a specified type. | April 7, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies | This policy now grants permission to get information about all or a specified AWS CloudTrail event data store (EDS), get information about all or a specified AWS CloudFormation resource, get a list of a DynamoDB Accelerator (DAX) parameter group or subnet group, get information about AWS Database Migration Service (AWS DMS) replication tasks for your account in the current region being accessed, and get a list all policies in an AWS Organizations of a specified type. | April 7, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces | This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, AWS Database Migration Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAFV2, and Amazon WorkSpaces. | March 14, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces | This policy now supports additional permissions for AWS Backup, AWS Batch, DynamoDB Accelerator, AWS Database Migration Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, AWS Key Management Service, AWS OpsWorks, Amazon Relational Database Service, AWS WAFV2, and Amazon WorkSpaces. | March 14, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies | This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived AWS Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account. | February 10, 2022 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies | This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an AWS account, retrieve information about an AWS Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived AWS Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account. | February 10, 2022 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent | This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams. | December 15, 2021 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent | This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams. | Decemeber 15, 2021 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and, elasticache:DescribeSnapshots | This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get detais about Amazon ElastiCache snapshots. | September 8, 2021 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and, elasticache:DescribeSnapshots | This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get detais about Amazon ElastiCache snapshots. | September 8, 2021 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types | This policy now grants permission to list tags for a log group, list tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. This policy also now supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker AI, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway. | July 28, 2021 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for AWS resource types | This policy now grants permission to list tags for a log group, list tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. This policy also now supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker AI, Amazon Simple Notification Service, AWS Database Migration Service, AWS Global Accelerator, and AWS Storage Gateway. | July 28, 2021 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types | This policy now grants permission to view the permissions of AWS Systems Manager documents and information about IAM Access Analyzer. This policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, AWS Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. This policy also now support filtering Lambda@Edge functions for the [lambda-inside-vpc](https://docs.aws.amazon.com/config/latest/developerguide/lambda-inside-vpc.html) AWS Config managed rule. | June 8, 2021 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add ssm:DescribeDocumentPermission and additional permissions for AWS resource types | This policy now grants permission to view the permissions of AWS Systems Manager documents and information about IAM Access Analyzer. This policy now supports additional AWS resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, AWS Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. This policy also now support filtering Lambda@Edge functions for the [lambda-inside-vpc](https://docs.aws.amazon.com/config/latest/developerguide/lambda-inside-vpc.html) AWS Config managed rule. | June 8, 2021 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add apigateway:GET permission to make read-only GET calls to API Gateway and s3:GetAccessPointPolicy permission and s3:GetAccessPointPolicyStatus permission to invoke Amazon S3 read-only APIs | This policy now grants permissions that allow AWS Config to make read-only GET calls to API Gateway to support a AWS Config Rule for API Gateway. The policy also adds permissions that allow AWS Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new `AWS::S3::AccessPoint` resource type. | May 10, 2021 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add apigateway:GET permission to make read-only GET calls to API Gateway and s3:GetAccessPointPolicy permission and s3:GetAccessPointPolicyStatus permission to invoke Amazon S3 read-only APIs | This policy now grants permissions that allow AWS Config to make read-only GET calls to API Gateway to support a AWS Config for API Gateway. The policy also adds permissions that allow AWS Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new `AWS::S3::AccessPoint` resource type. | May 10, 2021 |
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add ssm:ListDocuments permission and additional permissions for AWS resource types | This policy now grants permission to view information about AWS Systems Manager specified documents. This policy also now supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker AI, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. | April 1, 2021 |
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add ssm:ListDocuments permission and additional permissions for AWS resource types | This policy now grants permission to view information about AWS Systems Manager specified documents. This policy also now supports additional AWS resource types for AWS Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker AI, AWS Database Migration Service, and Amazon Route 53. These permission changes allow AWS Config to invoke the read-only APIs required to support these resource types. | April 1, 2021 |
| `AWSConfigRole` is deprecated | `AWSConfigRole` is deprecated. The replacement policy is `AWS_ConfigRole`. | April 1, 2021 |
| AWS Config started tracking changes | AWS Config started tracking changes for its AWS managed policies. | April 1, 2021 |
# Permissions for the IAM Role Assigned to AWS Config
An IAM role lets you define a set of permissions. AWS Config assumes the role that you assign to it to write to your S3 bucket, publish to your SNS topic, and make `Describe` or `List` API requests to get configuration details for your AWS resources. For more information about IAM roles, see [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html) in the *IAM User Guide*.
When you use the AWS Config console to create or update an IAM role, AWS Config automatically attaches the required permissions for you. For more information, see [Setting Up AWS Config with the Console](gs-console.md).
**Policies and compliance results**
[IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [other policies managed in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) can impact whether AWS Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use AWS Config.
**Contents**
+ [
## Creating IAM Role Policies
](#iam-role-policies)
+ [
### Adding an IAM Trust Policy to your Role
](#iam-trust-policy)
+ [
### IAM Role Policy for your S3 Bucket
](#iam-role-policies-S3-bucket)
+ [
### IAM Role Policy for KMS Key
](#iam-role-policies-S3-kms-key)
+ [
### IAM Role Policy for Amazon SNS Topic
](#iam-role-policies-sns-topic)
+ [
### IAM Role Policy for Getting Configuration Details
](#iam-role-policies-describe-apis)
+ [
### Managing Permissions for S3 Bucket Recording
](#troubleshooting-recording-s3-bucket-policy)
## Creating IAM Role Policies
When you use the AWS Config console to create an IAM role, AWS Config automatically attaches the required permissions to the role for you.
If you are using the AWS CLI to set up AWS Config or you are updating an existing IAM role, you must manually update the policy to allow AWS Config to access your S3 bucket, publish to your SNS topic, and get configuration details about your resources.
### Adding an IAM Trust Policy to your Role
You can create an IAM trust policy that enables AWS Config to assume a role and use it to track your resources. For more information about trust policies, see [Roles terms and concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/d_roles_terms-and-concepts.html) in the* IAM User Guide*.
The following is an example trust policy for AWS Config roles:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}
```
------
You can use the `AWS:SourceAccount` condition in the IAM Role Trust relationship above to restrict the Config service principal to only interact with the AWS IAM Role when performing operations on behalf of specific accounts.
AWS Config also supports the `AWS:SourceArn` condition which restricts the Config service principal to only assume the IAM Role when performing operations on behalf of the owning account. When using the AWS Config service principal, the `AWS:SourceArn` property will always be set to `arn:aws:config:sourceRegion:sourceAccountID:*` where `sourceRegion` is the region of the customer managed configuration recorder and `sourceAccountID` is the ID of the account containing the customer managed configuration recorder.
For example, add the following condition restrict the Config service principal to only assume the IAM Role only on behalf of a customer managed configuration recorder in the `us-east-1` region in the account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.
### IAM Role Policy for your S3 Bucket
The following example policy grants AWS Config permission to access your S3 bucket:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource":[
"arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/myAccountID/*"
],
"Condition":{
"StringLike":{
"s3:x-amz-acl":"bucket-owner-full-control"
}
}
},
{
"Effect":"Allow",
"Action":[
"s3:GetBucketAcl"
],
"Resource":"arn:aws:s3:::amzn-s3-demo-bucket"
}
]
}
```
------
### IAM Role Policy for KMS Key
The following example policy grants AWS Config permission to use KMS-based encryption on new objects for S3 bucket delivery:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
}
]
}
```
------
### IAM Role Policy for Amazon SNS Topic
The following example policy grants AWS Config permission to access your SNS topic:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":
[
{
"Effect":"Allow",
"Action":"sns:Publish",
"Resource":"arn:aws:sns:us-east-1:123456789012:MyTopic"
}
]
}
```
------
If your SNS topic is encrypted for additional setup instructions, see [Configuring AWS KMS Permissions](https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sns-what-permissions-for-sse) in the *Amazon Simple Notification Service Developer Guide*.
### IAM Role Policy for Getting Configuration Details
It is recommended to use the AWS Config service-linked role: `AWSServiceRoleForConfig`. Service-linked roles are predefined and include all the permissions that AWS Config requires to call other AWS services. The AWS Config service-linked role is required for service-linked configuration recorders. For more information, see [Using Service-Linked Roles for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html).
If you create or update a role with the console, AWS Config attaches the **AWSServiceRoleForConfig** for you.
If you use the AWS CLI, use the `attach-role-policy` command and specify the Amazon Resource Name (ARN) for **AWSServiceRoleForConfig**:
```
$ aws iam attach-role-policy --role-name myConfigRole --policy-arn arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForConfig
```
### Managing Permissions for S3 Bucket Recording
AWS Config records and delivers notifications when an S3 bucket is created, updated, or deleted.
It is recommended to use the AWS Config service-linked role: `AWSServiceRoleForConfig`. Service-linked roles are predefined and include all the permissions that AWS Config requires to call other AWS services. The AWS Config service-linked role is required for service-linked configuration recorders. For more information, see [Using Service-Linked Roles for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/using-service-linked-roles.html).
# Updating the IAM Role for the customer managed configuration recorder
You can update the IAM role used by the customer managed configuration recorder. Before you update the IAM role, ensure that you have created a new role to replace the old one. You must attach policies to the new role that grant permissions to AWS Config to record configurations and deliver them to your delivery channel.
For information about creating an IAM role and attaching the required policies to the IAM role, see [Step 3: Creating an IAM Role](gs-cli-prereq.md#gs-cli-create-iamrole).
**Note**
To find the ARN of an existing IAM role, go to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). Choose **Roles** in the navigation pane. Then choose the name of the desired role and find the ARN at the top of the **Summary** page.
## Updating the IAM Role
You can update your IAM role using the AWS Management Console or the AWS CLI.
------
#### [ To update the IAM role (Console) ]
1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).
1. Choose **Settings** in the navigation pane.
1. On the **Customer managed recorder** tab, choose **Edit** on the Settings page.
1. In the **Data governance**, section, choose the IAM role for AWS Config:
+ **Use an existing AWS Config service-linked role** – AWS Config creates a role that has the required permissions.
+ **Choose a role from your account** – For **Existing roles**, choose an IAM role in your account.
1. Choose **Save**.
------
#### [ To update the IAM role (AWS CLI) ]
Use the [http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html](http://docs.aws.amazon.com/cli/latest/reference/configservice/put-configuration-recorder.html) command and specify the Amazon Resource Name (ARN) of the new role:
```
$ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole
```
------
# Permissions for the Amazon S3 Bucket for the AWS Config Delivery Channel
**Important**
This page is about setting up the Amazon S3 Bucket for the AWS Config delivery channel. This page is not about the `AWS::S3::Bucket` resource type that the AWS Config configuration recorder can record.
Amazon S3 buckets and objects are private by default. Only the AWS account that created the bucket (the resource owner) has access permissions. Resource owners can grant access to other resources and users by creating access policies.
When AWS Config automatically creates an S3 bucket for you, it adds the required permissions. However, if you specify an existing S3 bucket, you must add these permissions manually.
**Topics**
+ [When Using IAM Roles](#required-permissions-in-another-account)
+ [When Using Service-Linked Roles](#required-permissions-using-servicelinkedrole)
+ [Granting AWS Config access](#granting-access-in-another-account)
+ [Cross-Account Delivery](#required-permissions-cross-account)
## Required Permissions for the Amazon S3 Bucket When Using IAM Roles
AWS Config uses the IAM role you assigned to the configuration recorder to deliver configuration history and snapshots to S3 buckets in your account. For cross-account delivery, AWS Config first attempts to use the assigned IAM role. If the bucket policy doesn't grant `WRITE` access to the IAM role, AWS Config uses the `config.amazonaws.com` service principal. The bucket policy must grant `WRITE` access to `config.amazonaws.com` to complete the delivery. After successful delivery, AWS Config maintains ownership of all objects it delivers to the cross-account S3 bucket.
AWS Config calls the Amazon S3 [HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RESTBucketHEAD.html) API with the IAM role you assigned to the configuration recorder to confirm if the S3 bucket exists and its location. If you do not have the necessary permissions for AWS Config to confirm, you will see an `AccessDenied` error in your AWS CloudTrail logs. However, AWS Config can still deliver configuration history and snapshots even if AWS Config does not have the necessary permissions to confirm if the S3 bucket exists and its location.
**Minimum permissions**
The Amazon S3 `HeadBucket` API requires the `s3:ListBucket` action.
## Required Permissions for the Amazon S3 Bucket When Using Service-Linked Roles
The AWS Config service-linked role does not have permission to put objects to Amazon S3 buckets. If you set up AWS Config using a service-linked role, AWS Config will use the `config.amazonaws.com` service principal to deliver configuration history and snapshots. The S3 bucket policy in your account or cross-account destinations must include permissions for the AWS Config service principal to write objects.
## Granting AWS Config access to the Amazon S3 Bucket
Complete the following steps enable AWS Config to deliver configuration history and snapshots to an Amazon S3 bucket.
1. Sign in to the AWS Management Console using the account that has the S3 bucket.
1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. Select the bucket that you want AWS Config to use to deliver configuration items, and then choose **Properties**.
1. Choose **Permissions**.
1. Choose **Edit Bucket Policy**.
1. Copy the following policy into the **Bucket Policy Editor** window:
**Security best practices**
We strongly recommend that you restrict access in the bucket policy with the `AWS:SourceAccount` condition. This makes sure that AWS Config is granted access on behalf of expected users only.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
},
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
},
{
"Sid": "AWSConfigBucketDelivery",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/[optional] prefix/AWSLogs/sourceAccountID/Config/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}
```
------
1. Substitute the following values in the bucket policy:
+ *amzn-s3-demo-bucket* – Name of the Amazon S3 bucket where AWS Config will deliver configuration history and snapshots.
+ *[optional] prefix* – An optional addition to the Amazon S3 object key that helps create a folder-like organization in the bucket.
+ *sourceAccountID* – ID of the account where AWS Config will deliver configuration history and snapshots.
1. Choose **Save** and then **Close**.
The `AWS:SourceAccount` condition restricts AWS Config operations to specified AWS accounts. For multi-account configurations within an organization delivering to a single S3 bucket, use IAM roles with AWS Organizations conditions keys instead of service-linked roles. For example, `AWS:PrincipalOrgID`. For more information, see [Managing access permissions for an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html) in the *AWS Organizations User guide*.
The `AWS:SourceArn` condition restricts AWS Config operations to specified delivery channels. The `AWS:SourceArn` format is as follows: `arn:aws:config:sourceRegion:123456789012`.
For example, to restrict S3 bucket access to a delivery channel in the US East (N. Virginia) Region for account 123456789012, add the following condition:
```
"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:"}
```
## Required Permissions for the Amazon S3 Bucket When Delivering Cross-Account
When AWS Config is configured to deliver configuration history and snapshots to an Amazon S3 bucket in a different account (cross-account setup), where the configuration recorder and the S3 bucket specified for delivery channel are in different AWS accounts, the following permissions are required:
+ The IAM role you assign to the configuration recorder needs explicit permission to perform the `s3:ListBucket` operation. This is because AWS Config calls the Amazon S3 [HeadBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_RESTBucketHEAD.html) API with this IAM role to determine the bucket location.
+ The S3 bucket policy must include permissions for the IAM role assigned to the configuration recorder.
The following is an example bucket policy configuration:
```
{
"Sid": "AWSConfigBucketExistenceCheck",
"Effect": "Allow",
"Principal": {
"AWS": "IAM Role-Arn assigned to the configuration recorder"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
}
```
# Permissions for the KMS Key for the AWS Config Delivery Channel
Use the information in this topic if you want to create a policy for an AWS KMS key for your S3 bucket that allows you to use KMS-based encryption on objects delivered by AWS Config for S3 bucket delivery.
**Contents**
+ [
## Required Permissions for the KMS Key When Using IAM Roles (S3 Bucket Delivery)
](#required-permissions-s3-kms-key-using-iam-role)
+ [
## Required Permissions for the AWS KMS Key When Using Service-Linked Roles (S3 Bucket Delivery)
](#required-permissions-s3-kms-key-using-servicelinkedrole)
+ [
## Granting AWS Config access to the AWS KMS Key
](#granting-access-s3-kms-key)
## Required Permissions for the KMS Key When Using IAM Roles (S3 Bucket Delivery)
If you set up AWS Config using an IAM role, you can attach the follow permission policy to the KMS Key:
```
{
"Id": "Policy_ID",
"Statement": [
{
"Sid": "AWSConfigKMSPolicy",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Effect": "Allow",
"Resource": "*myKMSKeyARN*",
"Principal": {
"AWS": [
"account-id1",
"account-id2",
"account-id3"
]
}
}
]
}
```
**Note**
If the IAM role, Amazon S3 bucket policy, or AWS KMS key do not provide appropriate access to AWS Config, then AWS Config’s attempt to send configuration information to the Amazon S3 bucket will fail. In this event, AWS Config sends the information again, this time as the AWS Config service principal. For this case, you must attach a permission policy, mentioned below, to the AWS KMS key to grant AWS Config access to use the key when delivering information to the Amazon S3 bucket.
## Required Permissions for the AWS KMS Key When Using Service-Linked Roles (S3 Bucket Delivery)
The AWS Config service-linked role does not have permission to access the AWS KMS key. So, if you set up AWS Config using a service-linked role, AWS Config will send information as the AWS Config service principal instead. You will need to attach an access policy, mentioned below, to the AWS KMS key to grant AWS Config access to use the AWS KMS key when delivering information to the Amazon S3 bucket.
## Granting AWS Config access to the AWS KMS Key
This policy allows AWS Config to use an AWS KMS key when delivering information to an Amazon S3 bucket
```
{
"Id": "Policy_ID",
"Statement": [
{
"Sid": "AWSConfigKMSPolicy",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "myKMSKeyARN",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "sourceAccountID"
}
}
}
]
}
```
Substitute the following values in the key policy:
+ *myKMSKeyARN* – The ARN of the AWS KMS key used to encrypt data in the Amazon S3 bucket that AWS Config will deliver configuration items to.
+ *sourceAccountID* – The ID of the account for which AWS Config will deliver configuration items to.
You can use the `AWS:SourceAccount` condition in the AWS KMS key policy above to restrict the Config service principal to only interact with the AWS KMS key when performing operations on behalf of specific accounts.
AWS Config also supports the `AWS:SourceArn` condition which restricts the Config service principal to only interact with the Amazon S3 bucket when performing operations on behalf of specific AWS Config delivery channels. When using the AWS Config service principal, the `AWS:SourceArn` property will always be set to `arn:aws:config:sourceRegion:sourceAccountID:*` where `sourceRegion` is the region of the delivery channel and `sourceAccountID` is the ID of the account containing the delivery channel. For more information on AWS Config delivery channels, see [Managing the Delivery Channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html). For example, add the following condition to restrict the Config service principal to interact with your Amazon S3 bucket only on behalf of a delivery channel in the `us-east-1` region in the account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.
# Permissions for the Amazon SNS Topic
**Encrypted Amazon SNS not supported**
AWS Config does not support encrypted Amazon SNS topics.
This topic describes how to configure AWS Config to deliver Amazon SNS topics owned by a different account. AWS Config must have the required permissions to send notifications to an Amazon SNS topic.
When the AWS Config console creates a new Amazon SNS topic for you, AWS Config grants the necessary permissions. If you choose an existing Amazon SNS topic, makes sure that the Amazon SNS topic includes the required permissions and follows security best practices.
**Cross-Region Amazon SNS topics are not supported**
AWS Config currently supports only access within the same AWS Region and across accounts.
**Contents**
+ [
## Required Permissions for the Amazon SNS Topic When Using IAM Roles
](#required-permissions-snstopic-in-another-account)
+ [
## Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles
](#required-permissions-snstopic-using-servicelinkedrole)
+ [
## Granting AWS Config access to the Amazon SNS topic
](#granting-access-snstopic)
+ [
## Troubleshooting for the Amazon SNS Topic
](#troubleshooting-for-snstopic-using-servicelinkedrole)
## Required Permissions for the Amazon SNS Topic When Using IAM Roles
You can attach a permissions policy to the Amazon SNS topic owned by a different account. If you want to use an Amazon SNS topic from another account, make sure to attach the following policy to the existing Amazon SNS topic.
```
{
"Id": "Policy_ID",
"Statement": [
{
"Sid": "AWSConfigSNSPolicy",
"Action": [
"sns:Publish"
],
"Effect": "Allow",
"Resource": "arn:aws:sns:region:account-id:myTopic",
"Principal": {
"AWS": [
"account-id1",
"account-id2",
"account-id3"
]
}
}
]
}
```
For the `Resource` key, *account-id* is the AWS account number of the topic owner. For *account-id1*, *account-id2*, and *account-id3*, use the AWS accounts that will send data to an Amazon SNS topic. You can substitute appropriate values for *region* and *myTopic*.
When AWS Config sends a notification to an Amazon SNS topic, it first attempts to use the IAM role, but this attempt fails if the role or AWS account does not have permission to publish to the topic. In this event, AWS Config sends the notification again, this time as an AWS Config service principal name (SPN). Before the publication can succeed, the access policy for the topic must grant `sns:Publish` access to the `config.amazonaws.com` principal name. You must attach an access policy, described in the next section, to the Amazon SNS topic to grant AWS Config access to the Amazon SNS topic if the IAM role does not have permission to publish to the topic.
## Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles
The AWS Config service-linked role does not have permission to access the Amazon SNS topic. So, if you set up AWS Config using a service-linked role (SLR), AWS Config will send information as the AWS Config service principal instead. You will need to attach an access policy, mentioned below, to the Amazon SNS topic to grant AWS Config access to send information to the Amazon SNS topic.
For same-account setup, when the Amazon SNS topic and SLR are in the same account and the Amazon SNS policy grants the SLR "`sns:Publish`" permission, you do not need to use the AWS Config SPN. The permissions policy below and security best practice recommendations are for cross-account setup.
## Granting AWS Config access to the Amazon SNS topic
This policy allows AWS Config to send a notification to an Amazon SNS topic. To grant AWS Config access to the Amazon SNS topic from another account, you will need to attach the following permissions policy.
**Note**
As a security best practice, it is strongly recommended to make sure AWS Config is accessing resources on behalf of expected users only by restricting access to the accounts listed in `AWS:SourceAccount` condition.
```
{
"Id": "Policy_ID",
"Statement": [
{
"Sid": "AWSConfigSNSPolicy",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:region:account-id:myTopic",
"Condition" : {
"StringEquals": {
"AWS:SourceAccount": [
"account-id1",
"account-id2",
"account-id3"
]
}
}
}
]
}
```
For the `Resource` key, *account-id* is the AWS account number of the topic owner. For *account-id1*, *account-id2*, and *account-id3*, use the AWS accounts that will send data to an Amazon SNS topic. You can substitute appropriate values for *region* and *myTopic*.
You can use the `AWS:SourceAccount` condition in the previous Amazon SNS topic policy to restrict the AWS Config service principal name (SPN) to interact only with the Amazon SNS topic when performing operations on behalf of specific accounts.
AWS Config also supports the `AWS:SourceArn` condition which restricts the AWS Config service principal name (SPN) to only interact with the S3 bucket when performing operations on behalf of specific AWS Config delivery channels. When using the AWS Config service principal name (SPN), the `AWS:SourceArn` property will always be set to `arn:aws:config:sourceRegion:sourceAccountID:*` where `sourceRegion` is the Region of the delivery channel and `sourceAccountID` is the ID of the account containing the delivery channel. For more information about AWS Config delivery channels, see [Managing the Delivery Channel](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html). For example, add the following condition to restrict the AWS Config service principal name (SPN) to interact with your S3 bucket only on behalf of a delivery channel in the `us-east-1` Region in the account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.
## Troubleshooting for the Amazon SNS Topic
AWS Config must have permissions to send notifications to an Amazon SNS topic. If an Amazon SNS topic cannot receive notifications, verify that the IAM role that AWS Config was assuming has the required `sns:Publish` permissions.
# Troubleshooting AWS Config identity and access
Use the following information to help you diagnose and fix common issues that you might encounter when working with AWS Config and IAM.
**Topics**
+ [
## I am not authorized to perform an action in AWS Config
](#security_iam_troubleshoot-no-permissions)
+ [
## I am not authorized to perform iam:PassRole
](#security_iam_troubleshoot-passrole)
+ [
## I want to allow people outside of my AWS account to access my AWS Config resources
](#security_iam_troubleshoot-cross-account-access)
## I am not authorized to perform an action in AWS Config
If you receive an error that you're not authorized to perform an action, your policies must be updated to allow you to perform the action.
The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `my-example-widget` resource but does not have the fictional `config:GetWidget` permissions.
```
User: arn:aws:iam::123456789012:user/mateojackson is not authorized to perform: config:GetWidget on resource: my-example-widget
```
In this case, Mateo's policy must be updated to allow him to access the `my-example-widget` resource using the `config:GetWidget` action.
If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.
## I am not authorized to perform iam:PassRole
If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to AWS Config.
Some AWS services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.
The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in AWS Config. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.
```
User: arn:aws:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```
In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.
If you need help, contact your AWS administrator. Your administrator is the person who provided you with your sign-in credentials.
## I want to allow people outside of my AWS account to access my AWS Config resources
You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.
To learn more, consult the following:
+ To learn whether AWS Config supports these features, see [How AWS Config works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across AWS accounts that you own, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party AWS accounts, see [Providing access to AWS accounts owned by third parties](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.
# Using Service-Linked Roles for AWS Config
AWS Config uses AWS Identity and Access Management (IAM)[ service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to AWS Config. Service-linked roles are predefined by AWS Config and include all the permissions that the service requires to call other AWS services on your behalf.
A service-linked role makes setting up AWS Config easier because you don’t have to manually add the necessary permissions. AWS Config defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Config can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.
For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.
## Service-Linked Role Permissions for AWS Config
AWS Config uses the service-linked role named **AwsServiceRoleForConfig** – AWS Config uses this service-linked role to call other AWS services on your behalf. To view the latest updates, see [AWS Config updates to AWS managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).
The **AwsServiceRoleForConfig** service-linked role trusts the `config.amazonaws.com` service to assume the role.
The permissions policy for the `AwsServiceRoleForConfig` role contains read-only and write-only permissions for AWS Config resources and read-only permissions for resources in other services that AWS Config supports. To view the managed policy for **AwsServiceRoleForConfig**, see [AWS managed policies for AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSConfigServiceRolePolicy).
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
To use a service-linked role with AWS Config, you must configure permissions on your Amazon S3 bucket and Amazon SNS topic. For more information, see [Required Permissions for the Amazon S3 Bucket When Using Service-Linked RolesRequired Permissions for the Amazon S3 Bucket When Delivering Cross-Account](s3-bucket-policy.md#required-permissions-using-servicelinkedrole), [Required Permissions for the AWS KMS Key When Using Service-Linked Roles (S3 Bucket Delivery)](s3-kms-key-policy.md#required-permissions-s3-kms-key-using-servicelinkedrole), and [Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles](sns-topic-policy.md#required-permissions-snstopic-using-servicelinkedrole).
## Creating a Service-Linked Role for AWS Config
In the IAM CLI or the IAM API, create a service-linked role with the `config.amazonaws.com` service name. For more information, see [Creating a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.
## Editing a Service-Linked Role for AWS Config
AWS Config does not allow you to edit the **AwsServiceRoleForConfig** service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.
## Deleting a Service-Linked Role for AWS Config
If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.
**Note**
If the AWS Config service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.
**To delete AWS Config resources used by the **AwsServiceRoleForConfig****
Ensure that you do not have `ConfigurationRecorders` using the service-linked role. You can use the AWS Config console to stop the configuration recorder. To stop recording, under **Recording is on**, choose **Turn off**.
You can delete the `ConfigurationRecorder` using AWS Config API. To delete, use the `delete-configuration-recorder` command.
```
$ aws configservice delete-configuration-recorder --configuration-recorder-name default
```
**To manually delete the service-linked role using IAM**
Use the IAM console, the IAM CLI, or the IAM API to delete the AwsServiceRoleForConfig service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.