From 86d2ce78814365f7fbaad36f35a65ff34227784e Mon Sep 17 00:00:00 2001
From: nheijmans
Date: Wed, 11 Sep 2019 21:32:55 +0200
Subject: [PATCH 1/6] Added Athena basic query policy template

Added a template where a Athena workgroup can be queried and the results retrieved. By default the workgroup "primary" will be used but with the parameter a user can change it to the desired workgroup
---
 .../policy_templates.json | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index a2f1b85665..1da8d89eb7 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -1795,6 +1795,39 @@
 }
 ]
 }
+ },
+ "AthenaQueryPolicy": {
+ "Description": "Gives permissions to execute Athena queries",
+ "Parameters": {
+ "WorkGroupName": {
+ "Description": "Name of the Athena Workgroup",
+ "Default": "primary"
+ }
+ },
+ "Definition": {
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "athena:GetWorkGroup",
+ "athena:GetQueryExecution",
+ "athena:StartQueryExecution",
+ "athena:StopQueryExecution",
+ "athena:GetQueryResults"
+ ],
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:${workgroupName}",
+ {
+ "workgroupName": {
+ "Ref": "WorkGroupName"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
 }
 }
 }

From 9f5338ed0dd62c2b13c51ba22730d5bf3654d77a Mon Sep 17 00:00:00 2001
From: nheijmans
Date: Wed, 11 Sep 2019 21:43:32 +0200
Subject: [PATCH 2/6] Added Athena query policy template

Added the template policy for Athena to execute queries on a workgroup. Workgroup can be named with the parameter
---
 samtranslator/policy_templates_data/policy_templates.json | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index 1da8d89eb7..ebd936b415 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -1800,8 +1800,7 @@
 "Description": "Gives permissions to execute Athena queries",
 "Parameters": {
 "WorkGroupName": {
- "Description": "Name of the Athena Workgroup",
- "Default": "primary"
+ "Description": "Name of the Athena Workgroup"
 }
 },
 "Definition": {
@@ -1817,7 +1816,7 @@
 ],
 "Resource": {
 "Fn::Sub": [
- "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:${workgroupName}",
+ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
 {
 "workgroupName": {
 "Ref": "WorkGroupName"

From 7754f252b45cdc684b22accbe4ada6dbb96f00a0 Mon Sep 17 00:00:00 2001
From: Shreya Gangishetty
Date: Fri, 11 Oct 2019 18:35:21 -0700
Subject: [PATCH 3/6] updated test case

---
 .../input/all_policy_templates.yaml | 5 +-
 .../output/all_policy_templates.json | 1186 ++++++++--------
 .../output/aws-cn/all_policy_templates.json | 1187 ++++++++--------
 .../aws-us-gov/all_policy_templates.json | 1188 +++++++++--------
 4 files changed, 1824 insertions(+), 1742 deletions(-)

diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml
index ebf5b2c7ab..b8213e5220 100644
--- a/tests/translator/input/all_policy_templates.yaml
+++ b/tests/translator/input/all_policy_templates.yaml
@@ -155,4 +155,7 @@ Resources:
 RepositoryName: name
 - KMSEncryptPolicy:
- KeyId: keyId
\ No newline at end of file
+ KeyId: keyId
+
+ - AthenaQueryPolicy:
+ WorkGroupName: name
diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
index 03a860632b..f648baeb58 100644
--- a/tests/translator/output/all_policy_templates.json
+++ b/tests/translator/output/all_policy_templates.json
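Review bot: The template's `"Description": "Gives permissions to execute Athena queries"` kept as context in the first hunk overstates what the statement grants: the Action list holds only `athena:*` calls scoped to one workgroup, and running a query typically also needs S3 access to the workgroup's result location and the queried data plus Glue Data Catalog read permissions, which a user applying this template alone will find missing. Consider `"Description": "Gives permissions to execute Athena queries in a workgroup; S3 and Glue Data Catalog access for the data and result location must be granted separately"`, and a parameter description such as `"Name of the Athena Workgroup (substituted verbatim into the resource ARN)"` so a reviewer can recognize an over-broad value, as with the other templates in this file. The `"Default": "primary"` removed in the first hunk is still promised by the message of the first patch; if policy-template parameters cannot carry defaults here, that message should be amended. Both hunks are excerpts of the `AthenaQueryPolicy` object, whose start and end lie outside them.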
@@ -1,998 +1,1007 @@ { "Resources": { "KitchenSinkFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "hello.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "hello.zip" - }, - "Handler": "hello.handler", + }, "Role": { "Fn::GetAtt": [ - "KitchenSinkFunctionRole", + "KitchenSinkFunctionRole", "Arn" ] - }, - "Runtime": "python2.7", + }, + "Runtime": "python2.7", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] } - }, + }, "KitchenSinkFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ], + ], "Policies": [ { - "PolicyName": "KitchenSinkFunctionRolePolicy0", + "PolicyName": "KitchenSinkFunctionRolePolicy0", "PolicyDocument": { "Statement": [ { "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:ChangeMessageVisibilityBatch", - "sqs:DeleteMessage", - "sqs:DeleteMessageBatch", - "sqs:GetQueueAttributes", + "sqs:ChangeMessageVisibility", + "sqs:ChangeMessageVisibilityBatch", + "sqs:DeleteMessage", + "sqs:DeleteMessageBatch", + "sqs:GetQueueAttributes", "sqs:ReceiveMessage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", + "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy1", + "PolicyName": "KitchenSinkFunctionRolePolicy1", "PolicyDocument": { "Statement": [ { "Action": [ "lambda:InvokeFunction" - ], + ], "Resource": { 
"Fn::Sub": [ - "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", + "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy2", + "PolicyName": "KitchenSinkFunctionRolePolicy2", "PolicyDocument": { "Statement": [ { "Action": [ "cloudwatch:DescribeAlarmHistory" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy3", + "PolicyName": "KitchenSinkFunctionRolePolicy3", "PolicyDocument": { "Statement": [ { "Action": [ "cloudwatch:PutMetricData" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy4", + "PolicyName": "KitchenSinkFunctionRolePolicy4", "PolicyDocument": { "Statement": [ { "Action": [ - "ec2:DescribeRegions", + "ec2:DescribeRegions", "ec2:DescribeInstances" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy5", + "PolicyName": "KitchenSinkFunctionRolePolicy5", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:GetItem", - "dynamodb:DeleteItem", - "dynamodb:PutItem", - "dynamodb:Scan", - "dynamodb:Query", - "dynamodb:UpdateItem", - "dynamodb:BatchWriteItem", - "dynamodb:BatchGetItem", - "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:DeleteItem", + "dynamodb:PutItem", + "dynamodb:Scan", + "dynamodb:Query", + "dynamodb:UpdateItem", + "dynamodb:BatchWriteItem", + "dynamodb:BatchGetItem", + "dynamodb:DescribeTable", "dynamodb:ConditionCheckItem" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "name" } ] - }, + }, { "Fn::Sub": [ - 
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", - { - "tableName": "name" - } + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", + { + "tableName": "name" + } ] } - ], - + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy6", + "PolicyName": "KitchenSinkFunctionRolePolicy6", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:GetItem", - "dynamodb:Scan", - "dynamodb:Query", - "dynamodb:BatchGetItem", + "dynamodb:GetItem", + "dynamodb:Scan", + "dynamodb:Query", + "dynamodb:BatchGetItem", "dynamodb:DescribeTable" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", - { - "tableName": "name" - } + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", + { + "tableName": "name" + } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy7", + "PolicyName": "KitchenSinkFunctionRolePolicy7", "PolicyDocument": { "Statement": [ { "Action": [ "ses:SendBounce" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy8", + "PolicyName": "KitchenSinkFunctionRolePolicy8", "PolicyDocument": { "Statement": [ { "Action": [ - "es:ESHttpPost", + "es:ESHttpPost", "es:ESHttpPut" - ], + ], "Resource": { "Fn::Sub": [ - 
"arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", + "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", { "domainName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy9", + "PolicyName": "KitchenSinkFunctionRolePolicy9", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetObjectVersion", + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy10", + "PolicyName": "KitchenSinkFunctionRolePolicy10", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetObjectVersion", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:GetLifecycleConfiguration", - "s3:PutLifecycleConfiguration", + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetObjectVersion", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:GetLifecycleConfiguration", + "s3:PutLifecycleConfiguration", "s3:DeleteObject" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy11", + "PolicyName": "KitchenSinkFunctionRolePolicy11", "PolicyDocument": { 
"Statement": [ { "Action": [ "ec2:DescribeImages" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*" - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy12", + "PolicyName": "KitchenSinkFunctionRolePolicy12", "PolicyDocument": { "Statement": [ { "Action": [ "cloudformation:DescribeStacks" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy13", + "PolicyName": "KitchenSinkFunctionRolePolicy13", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CompareFaces", - "rekognition:DetectFaces", - "rekognition:DetectLabels", + "rekognition:CompareFaces", + "rekognition:DetectFaces", + "rekognition:DetectLabels", "rekognition:DetectModerationLabels" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy14", + "PolicyName": "KitchenSinkFunctionRolePolicy14", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:ListCollections", - "rekognition:ListFaces", - "rekognition:SearchFaces", + "rekognition:ListCollections", + "rekognition:ListFaces", + "rekognition:SearchFaces", "rekognition:SearchFacesByImage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy15", + "PolicyName": "KitchenSinkFunctionRolePolicy15", 
"PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CreateCollection", + "rekognition:CreateCollection", "rekognition:IndexFaces" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy16", + "PolicyName": "KitchenSinkFunctionRolePolicy16", "PolicyDocument": { "Statement": [ { "Action": [ "sqs:SendMessage*" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", + "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy17", + "PolicyName": "KitchenSinkFunctionRolePolicy17", "PolicyDocument": { "Statement": [ { "Action": [ "sns:Publish" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", + "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy18", + "PolicyName": "KitchenSinkFunctionRolePolicy18", "PolicyDocument": { "Statement": [ { "Action": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy19", + "PolicyName": "KitchenSinkFunctionRolePolicy19", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:DescribeStream", - "dynamodb:GetRecords", + 
"dynamodb:DescribeStream", + "dynamodb:GetRecords", "dynamodb:GetShardIterator" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", { - "streamName": "name", + "streamName": "name", "tableName": "name" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ "dynamodb:ListStreams" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", { "tableName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy20", + "PolicyName": "KitchenSinkFunctionRolePolicy20", "PolicyDocument": { "Statement": [ { "Action": [ - "kinesis:ListStreams", + "kinesis:ListStreams", "kinesis:DescribeLimits" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "kinesis:DescribeStream", - "kinesis:DescribeStreamSummary", - "kinesis:GetRecords", + "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", + "kinesis:GetRecords", "kinesis:GetShardIterator" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", + "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy21", + "PolicyName": "KitchenSinkFunctionRolePolicy21", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:GetIdentityVerificationAttributes", - "ses:SendEmail", - "ses:SendRawEmail", + "ses:GetIdentityVerificationAttributes", + "ses:SendEmail", + "ses:SendRawEmail", 
"ses:VerifyEmailIdentity" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy22", + "PolicyName": "KitchenSinkFunctionRolePolicy22", "PolicyDocument": { "Statement": [ { "Action": [ - "sns:ListSubscriptionsByTopic", - "sns:CreateTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", + "sns:ListSubscriptionsByTopic", + "sns:CreateTopic", + "sns:SetTopicAttributes", + "sns:Subscribe", "sns:Publish" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", + "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy23", + "PolicyName": "KitchenSinkFunctionRolePolicy23", "PolicyDocument": { "Statement": [ { "Action": [ - "kinesis:AddTagsToStream", - "kinesis:CreateStream", - "kinesis:DecreaseStreamRetentionPeriod", - "kinesis:DeleteStream", - "kinesis:DescribeStream", - "kinesis:DescribeStreamSummary", - "kinesis:GetShardIterator", - "kinesis:IncreaseStreamRetentionPeriod", - "kinesis:ListTagsForStream", - "kinesis:MergeShards", - "kinesis:PutRecord", - "kinesis:PutRecords", - "kinesis:SplitShard", + "kinesis:AddTagsToStream", + "kinesis:CreateStream", + "kinesis:DecreaseStreamRetentionPeriod", + "kinesis:DeleteStream", + "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", + "kinesis:GetShardIterator", + "kinesis:IncreaseStreamRetentionPeriod", + "kinesis:ListTagsForStream", + "kinesis:MergeShards", + "kinesis:PutRecord", + "kinesis:PutRecords", + "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" - ], + ], "Resource": { "Fn::Sub": [ - 
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", + "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy24", + "PolicyName": "KitchenSinkFunctionRolePolicy24", "PolicyDocument": { "Statement": [ { - "Action": "kms:Decrypt", + "Action": "kms:Decrypt", "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": "keyId" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy25", + "PolicyName": "KitchenSinkFunctionRolePolicy25", "PolicyDocument": { "Statement": [ { "Action": [ - "polly:GetLexicon", + "polly:GetLexicon", "polly:DeleteLexicon" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", + "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": "name" } ] } - ], + ], "Effect": "Allow" - }, + }, { "Action": [ - "polly:DescribeVoices", - "polly:ListLexicons", - "polly:PutLexicon", + "polly:DescribeVoices", + "polly:ListLexicons", + "polly:PutLexicon", "polly:SynthesizeSpeech" - ], + ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy26", + "PolicyName": "KitchenSinkFunctionRolePolicy26", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:GetObjectAcl", - "s3:GetObjectVersion", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersionTagging", - "s3:GetObjectTagging", - "s3:GetObjectVersionTagging", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], + 
"s3:GetObject", + "s3:GetObjectAcl", + "s3:GetObjectVersion", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteObject", + "s3:DeleteObjectTagging", + "s3:DeleteObjectVersionTagging", + "s3:GetObjectTagging", + "s3:GetObjectVersionTagging", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" - }, + }, { "Action": [ - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetLifecycleConfiguration", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy27", + "PolicyName": "KitchenSinkFunctionRolePolicy27", "PolicyDocument": { "Statement": [ { "Action": [ - "codepipeline:PutJobSuccessResult", + "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy28", + "PolicyName": "KitchenSinkFunctionRolePolicy28", "PolicyDocument": { "Statement": [ { "Action": [ - "serverlessrepo:CreateApplication", - "serverlessrepo:CreateApplicationVersion", - "serverlessrepo:UpdateApplication", - "serverlessrepo:GetApplication", - "serverlessrepo:ListApplications", - "serverlessrepo:ListApplicationVersions", + "serverlessrepo:CreateApplication", + "serverlessrepo:CreateApplicationVersion", + "serverlessrepo:UpdateApplication", + "serverlessrepo:GetApplication", + "serverlessrepo:ListApplications", + "serverlessrepo:ListApplicationVersions", "serverlessrepo:ListApplicationDependencies" - ], + ], "Resource": [ { "Fn::Sub": 
"arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy29", + "PolicyName": "KitchenSinkFunctionRolePolicy29", "PolicyDocument": { "Statement": [ { "Action": [ "ec2:CopyImage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", + "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy30", + "PolicyName": "KitchenSinkFunctionRolePolicy30", "PolicyDocument": { "Statement": [ { "Action": [ "codepipeline:ListPipelineExecutions" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", + "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": "pipeline" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy31", + "PolicyName": "KitchenSinkFunctionRolePolicy31", "PolicyDocument": { "Statement": [ { "Action": [ - "cloudwatch:GetDashboard", - "cloudwatch:ListDashboards", - "cloudwatch:PutDashboard", + "cloudwatch:GetDashboard", + "cloudwatch:ListDashboards", + "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy32", + "PolicyName": "KitchenSinkFunctionRolePolicy32", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CompareFaces", + "rekognition:CompareFaces", "rekognition:DetectFaces" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy33", + "PolicyName": "KitchenSinkFunctionRolePolicy33", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:DetectLabels", + 
"rekognition:DetectLabels", "rekognition:DetectModerationLabels" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy34", + "PolicyName": "KitchenSinkFunctionRolePolicy34", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:CreateBackup", + "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "table" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "dynamodb:DeleteBackup", - "dynamodb:DescribeBackup", + "dynamodb:DeleteBackup", + "dynamodb:DescribeBackup", "dynamodb:ListBackups" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": "table" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy35", + "PolicyName": "KitchenSinkFunctionRolePolicy35", "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:RestoreTableFromBackup" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": "table" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "dynamodb:PutItem", - "dynamodb:UpdateItem", - "dynamodb:DeleteItem", - "dynamodb:GetItem", - "dynamodb:Query", - "dynamodb:Scan", + "dynamodb:PutItem", + "dynamodb:UpdateItem", + "dynamodb:DeleteItem", + "dynamodb:GetItem", + "dynamodb:Query", + "dynamodb:Scan", "dynamodb:BatchWriteItem" - ], + ], "Resource": { "Fn::Sub": [ - 
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "table" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy36", + "PolicyName": "KitchenSinkFunctionRolePolicy36", "PolicyDocument": { "Statement": [ { "Action": [ - "comprehend:BatchDetectKeyPhrases", - "comprehend:DetectDominantLanguage", - "comprehend:DetectEntities", - "comprehend:BatchDetectEntities", - "comprehend:DetectKeyPhrases", - "comprehend:DetectSentiment", - "comprehend:BatchDetectDominantLanguage", + "comprehend:BatchDetectKeyPhrases", + "comprehend:DetectDominantLanguage", + "comprehend:DetectEntities", + "comprehend:BatchDetectEntities", + "comprehend:DetectKeyPhrases", + "comprehend:DetectSentiment", + "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy37", + "PolicyName": "KitchenSinkFunctionRolePolicy37", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "secretsmanager:DescribeSecret", - "secretsmanager:GetSecretValue", - "secretsmanager:PutSecretValue", + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" - }, + }, + "Effect": "Allow", "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ - "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", + "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": "function" } 
@@ -1000,451 +1009,468 @@ } } } - }, + }, { - "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" - ], - "Resource": "*" + ], + "Resource": "*", + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy38", + "PolicyName": "KitchenSinkFunctionRolePolicy38", "PolicyDocument": { "Statement": [ { "Action": [ "mobileanalytics:PutEvents" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy39", + "PolicyName": "KitchenSinkFunctionRolePolicy39", "PolicyDocument": { "Statement": [ { "Action": [ - "mobiletargeting:GetEndpoint", - "mobiletargeting:UpdateEndpoint", + "mobiletargeting:GetEndpoint", + "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", + "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy40", + "PolicyName": "KitchenSinkFunctionRolePolicy40", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:DetectFaces", - "rekognition:DetectText", - "rekognition:DetectLabels", - "rekognition:DetectModerationLabels" - ], - "Resource": "*", + "rekognition:DetectFaces", + "rekognition:DetectLabels", + "rekognition:DetectModerationLabels", + "rekognition:DetectText" + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy41", + "PolicyName": "KitchenSinkFunctionRolePolicy41", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:IndexFaces", - "rekognition:DeleteFaces", - "rekognition:SearchFaces", - "rekognition:SearchFacesByImage", + "rekognition:IndexFaces", + "rekognition:DeleteFaces", + "rekognition:SearchFaces", + 
"rekognition:SearchFacesByImage", "rekognition:ListFaces" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "collection" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy42", + "PolicyName": "KitchenSinkFunctionRolePolicy42", "PolicyDocument": { "Statement": [ { "Action": [ - "eks:DescribeCluster", + "eks:DescribeCluster", "eks:ListClusters" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy43", + "PolicyName": "KitchenSinkFunctionRolePolicy43", "PolicyDocument": { - "Statement": [{ - "Effect": "Allow", - "Action": [ - "ce:GetCostAndUsage", - "ce:GetDimensionValues", - "ce:GetReservationCoverage", - "ce:GetReservationPurchaseRecommendation", - "ce:GetReservationUtilization", - "ce:GetTags" - ], - "Resource": "*" - }] + "Statement": [ + { + "Action": [ + "ce:GetCostAndUsage", + "ce:GetDimensionValues", + "ce:GetReservationCoverage", + "ce:GetReservationPurchaseRecommendation", + "ce:GetReservationUtilization", + "ce:GetTags" + ], + "Resource": "*", + "Effect": "Allow" + } + ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy44", + "PolicyName": "KitchenSinkFunctionRolePolicy44", "PolicyDocument": { "Statement": [ { "Action": [ "organizations:ListAccounts" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy45", + "PolicyName": "KitchenSinkFunctionRolePolicy45", "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:UpdateTable" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": 
"name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy46", + "PolicyName": "KitchenSinkFunctionRolePolicy46", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:GetIdentityVerificationAttributes", - "ses:SendEmail", - "ses:SendRawEmail", - "ses:SendTemplatedEmail", - "ses:SendBulkTemplatedEmail", + "ses:GetIdentityVerificationAttributes", + "ses:SendEmail", + "ses:SendRawEmail", + "ses:SendTemplatedEmail", + "ses:SendBulkTemplatedEmail", "ses:VerifyEmailIdentity" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy47", + "PolicyName": "KitchenSinkFunctionRolePolicy47", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:CreateTemplate", - "ses:GetTemplate", - "ses:ListTemplates", - "ses:UpdateTemplate", - "ses:DeleteTemplate", + "ses:CreateTemplate", + "ses:GetTemplate", + "ses:ListTemplates", + "ses:UpdateTemplate", + "ses:DeleteTemplate", "ses:TestRenderTemplate" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy48", + "PolicyName": "KitchenSinkFunctionRolePolicy48", "PolicyDocument": { "Statement": [ { "Action": [ "logs:FilterLogEvents" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", + "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", { "logGroupName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy49", + "PolicyName": "KitchenSinkFunctionRolePolicy49", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ "ssm:DescribeParameters" - ], 
- "Resource": "*" - }, + ], + "Resource": "*", + "Effect": "Allow" + }, { - "Effect": "Allow", "Action": [ - "ssm:GetParameters", - "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParameter", "ssm:GetParametersByPath" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", + "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", { "parameterName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy50", + "PolicyName": "KitchenSinkFunctionRolePolicy50", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ "states:StartExecution" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", + "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", { "stateMachineName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy51", + "PolicyName": "KitchenSinkFunctionRolePolicy51", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "codecommit:GitPull", - "codecommit:GitPush", - "codecommit:CreateBranch", - "codecommit:DeleteBranch", - "codecommit:GetBranch", - "codecommit:ListBranches", - "codecommit:MergeBranchesByFastForward", - "codecommit:MergeBranchesBySquash", - "codecommit:MergeBranchesByThreeWay", - "codecommit:UpdateDefaultBranch", - "codecommit:BatchDescribeMergeConflicts", - "codecommit:CreateUnreferencedMergeCommit", - "codecommit:DescribeMergeConflicts", - "codecommit:GetMergeCommit", - "codecommit:GetMergeOptions", - "codecommit:BatchGetPullRequests", - "codecommit:CreatePullRequest", - "codecommit:DescribePullRequestEvents", - "codecommit:GetCommentsForPullRequest", - "codecommit:GetCommitsFromMergeBase", - "codecommit:GetMergeConflicts", - "codecommit:GetPullRequest", - 
"codecommit:ListPullRequests", - "codecommit:MergePullRequestByFastForward", - "codecommit:MergePullRequestBySquash", - "codecommit:MergePullRequestByThreeWay", - "codecommit:PostCommentForPullRequest", - "codecommit:UpdatePullRequestDescription", - "codecommit:UpdatePullRequestStatus", - "codecommit:UpdatePullRequestTitle", - "codecommit:DeleteFile", - "codecommit:GetBlob", - "codecommit:GetFile", - "codecommit:GetFolder", - "codecommit:PutFile", - "codecommit:DeleteCommentContent", - "codecommit:GetComment", - "codecommit:GetCommentsForComparedCommit", - "codecommit:PostCommentForComparedCommit", - "codecommit:PostCommentReply", - "codecommit:UpdateComment", - "codecommit:BatchGetCommits", - "codecommit:CreateCommit", - "codecommit:GetCommit", - "codecommit:GetCommitHistory", - "codecommit:GetDifferences", - "codecommit:GetObjectIdentifier", - "codecommit:GetReferences", - "codecommit:GetTree", - "codecommit:GetRepository", - "codecommit:UpdateRepositoryDescription", - "codecommit:ListTagsForResource", - "codecommit:TagResource", - "codecommit:UntagResource", - "codecommit:GetRepositoryTriggers", - "codecommit:PutRepositoryTriggers", - "codecommit:TestRepositoryTriggers", - "codecommit:GetBranch", - "codecommit:GetCommit", - "codecommit:UploadArchive", - "codecommit:GetUploadArchiveStatus", + "codecommit:GitPull", + "codecommit:GitPush", + "codecommit:CreateBranch", + "codecommit:DeleteBranch", + "codecommit:GetBranch", + "codecommit:ListBranches", + "codecommit:MergeBranchesByFastForward", + "codecommit:MergeBranchesBySquash", + "codecommit:MergeBranchesByThreeWay", + "codecommit:UpdateDefaultBranch", + "codecommit:BatchDescribeMergeConflicts", + "codecommit:CreateUnreferencedMergeCommit", + "codecommit:DescribeMergeConflicts", + "codecommit:GetMergeCommit", + "codecommit:GetMergeOptions", + "codecommit:BatchGetPullRequests", + "codecommit:CreatePullRequest", + "codecommit:DescribePullRequestEvents", + "codecommit:GetCommentsForPullRequest", + 
"codecommit:GetCommitsFromMergeBase", + "codecommit:GetMergeConflicts", + "codecommit:GetPullRequest", + "codecommit:ListPullRequests", + "codecommit:MergePullRequestByFastForward", + "codecommit:MergePullRequestBySquash", + "codecommit:MergePullRequestByThreeWay", + "codecommit:PostCommentForPullRequest", + "codecommit:UpdatePullRequestDescription", + "codecommit:UpdatePullRequestStatus", + "codecommit:UpdatePullRequestTitle", + "codecommit:DeleteFile", + "codecommit:GetBlob", + "codecommit:GetFile", + "codecommit:GetFolder", + "codecommit:PutFile", + "codecommit:DeleteCommentContent", + "codecommit:GetComment", + "codecommit:GetCommentsForComparedCommit", + "codecommit:PostCommentForComparedCommit", + "codecommit:PostCommentReply", + "codecommit:UpdateComment", + "codecommit:BatchGetCommits", + "codecommit:CreateCommit", + "codecommit:GetCommit", + "codecommit:GetCommitHistory", + "codecommit:GetDifferences", + "codecommit:GetObjectIdentifier", + "codecommit:GetReferences", + "codecommit:GetTree", + "codecommit:GetRepository", + "codecommit:UpdateRepositoryDescription", + "codecommit:ListTagsForResource", + "codecommit:TagResource", + "codecommit:UntagResource", + "codecommit:GetRepositoryTriggers", + "codecommit:PutRepositoryTriggers", + "codecommit:TestRepositoryTriggers", + "codecommit:GetBranch", + "codecommit:GetCommit", + "codecommit:UploadArchive", + "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", + "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy52", + "PolicyName": "KitchenSinkFunctionRolePolicy52", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "codecommit:GitPull", - "codecommit:GetBranch", - "codecommit:ListBranches", - 
"codecommit:BatchDescribeMergeConflicts", - "codecommit:DescribeMergeConflicts", - "codecommit:GetMergeCommit", - "codecommit:GetMergeOptions", - "codecommit:BatchGetPullRequests", - "codecommit:DescribePullRequestEvents", - "codecommit:GetCommentsForPullRequest", - "codecommit:GetCommitsFromMergeBase", - "codecommit:GetMergeConflicts", - "codecommit:GetPullRequest", - "codecommit:ListPullRequests", - "codecommit:GetBlob", - "codecommit:GetFile", - "codecommit:GetFolder", - "codecommit:GetComment", - "codecommit:GetCommentsForComparedCommit", - "codecommit:BatchGetCommits", - "codecommit:GetCommit", - "codecommit:GetCommitHistory", - "codecommit:GetDifferences", - "codecommit:GetObjectIdentifier", - "codecommit:GetReferences", - "codecommit:GetTree", - "codecommit:GetRepository", - "codecommit:ListTagsForResource", - "codecommit:GetRepositoryTriggers", - "codecommit:TestRepositoryTriggers", - "codecommit:GetBranch", - "codecommit:GetCommit", + "codecommit:GitPull", + "codecommit:GetBranch", + "codecommit:ListBranches", + "codecommit:BatchDescribeMergeConflicts", + "codecommit:DescribeMergeConflicts", + "codecommit:GetMergeCommit", + "codecommit:GetMergeOptions", + "codecommit:BatchGetPullRequests", + "codecommit:DescribePullRequestEvents", + "codecommit:GetCommentsForPullRequest", + "codecommit:GetCommitsFromMergeBase", + "codecommit:GetMergeConflicts", + "codecommit:GetPullRequest", + "codecommit:ListPullRequests", + "codecommit:GetBlob", + "codecommit:GetFile", + "codecommit:GetFolder", + "codecommit:GetComment", + "codecommit:GetCommentsForComparedCommit", + "codecommit:BatchGetCommits", + "codecommit:GetCommit", + "codecommit:GetCommitHistory", + "codecommit:GetDifferences", + "codecommit:GetObjectIdentifier", + "codecommit:GetReferences", + "codecommit:GetTree", + "codecommit:GetRepository", + "codecommit:ListTagsForResource", + "codecommit:GetRepositoryTriggers", + "codecommit:TestRepositoryTriggers", + "codecommit:GetBranch", + "codecommit:GetCommit", 
 "codecommit:GetUploadArchiveStatus"
- ],
+ ],
 "Resource": {
 "Fn::Sub": [
- "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
+ "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}",
 {
 "repositoryName": "name"
 }
 ]
- }
+ },
+ "Effect": "Allow"
 }
 ]
 }
- },
+ },
 {
- "PolicyName": "KitchenSinkFunctionRolePolicy53",
+ "PolicyName": "KitchenSinkFunctionRolePolicy53",
 "PolicyDocument": {
 "Statement": [
 {
- "Action": "kms:Encrypt",
+ "Action": "kms:Encrypt",
 "Resource": {
 "Fn::Sub": [
- "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
+ "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
 {
 "keyId": "keyId"
 }
 ]
- },
+ },
 "Effect": "Allow"
 }
 ]
 }
- }
- ],
- "AssumeRolePolicyDocument": {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "sts:AssumeRole"
- ],
- "Effect": "Allow",
- "Principal": {
- "Service": [
- "lambda.amazonaws.com"
- ]
- }
+ },
+ {
+ "PolicyName": "KitchenSinkFunctionRolePolicy54",
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "athena:GetWorkGroup",
+ "athena:GetQueryExecution",
+ "athena:StartQueryExecution",
+ "athena:StopQueryExecution",
+ "athena:GetQueryResults"
+ ],
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+ {
+ "workgroupName": "name"
+ }
+ ]
+ },
+ "Effect": "Allow"
+ }
+ ]
 }
- ]
- }
+ }
+ ],
+ "Tags": [
+ {
+ "Value": "SAM",
+ "Key": "lambda:createdBy"
+ }
+ ]
 }
 }
 }
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
index c5e399e198..76ff5dab8f 100644
--- a/tests/translator/output/aws-cn/all_policy_templates.json
+++ b/tests/translator/output/aws-cn/all_policy_templates.json
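Review bot: The only substantive change in this hunk is the new `KitchenSinkFunctionRolePolicy54` block for the Athena template, but it is buried in a whole-file regeneration (`"Effect"` moved to the end of every statement, trailing-whitespace rewrites, `AssumeRolePolicyDocument` and `Tags` relocated), so the diff does not let a reviewer confirm which lines the translator actually produced for the new template; committing the normalization separately from the Athena expectation would make that verifiable. The Athena statement itself is scoped to `workgroup/${workgroupName}`, which is the right resource for these five actions, and the expected output matches the corrected ARN from the second commit rather than the bare-name form of the first. If I recall Athena's permission model correctly, these actions alone do not make a query succeed, since execution and `athena:GetQueryResults` also depend on S3 access to the workgroup's result location and on Glue catalog permissions; the template's `Description` ("Gives permissions to execute Athena queries", outside this hunk) may therefore tempt users to widen this policy instead of adding those separately scoped grants, so documenting that in the template would be worthwhile. The enclosing `Policies` array of `KitchenSinkFunctionRole` begins before this hunk.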
@@ -1,997 +1,1007 @@ { "Resources": { "KitchenSinkFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "hello.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "hello.zip" - }, - "Handler": "hello.handler", + }, "Role": { "Fn::GetAtt": [ - "KitchenSinkFunctionRole", + "KitchenSinkFunctionRole", "Arn" ] - }, - "Runtime": "python2.7", + }, + "Runtime": "python2.7", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] } - }, + }, "KitchenSinkFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, "ManagedPolicyArns": [ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ], + ], "Policies": [ { - "PolicyName": "KitchenSinkFunctionRolePolicy0", + "PolicyName": "KitchenSinkFunctionRolePolicy0", "PolicyDocument": { "Statement": [ { "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:ChangeMessageVisibilityBatch", - "sqs:DeleteMessage", - "sqs:DeleteMessageBatch", - "sqs:GetQueueAttributes", + "sqs:ChangeMessageVisibility", + "sqs:ChangeMessageVisibilityBatch", + "sqs:DeleteMessage", + "sqs:DeleteMessageBatch", + "sqs:GetQueueAttributes", "sqs:ReceiveMessage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", + "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy1", + "PolicyName": "KitchenSinkFunctionRolePolicy1", "PolicyDocument": { "Statement": [ { "Action": [ "lambda:InvokeFunction" - ], + ], "Resource": { 
"Fn::Sub": [ - "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", + "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy2", + "PolicyName": "KitchenSinkFunctionRolePolicy2", "PolicyDocument": { "Statement": [ { "Action": [ "cloudwatch:DescribeAlarmHistory" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy3", + "PolicyName": "KitchenSinkFunctionRolePolicy3", "PolicyDocument": { "Statement": [ { "Action": [ "cloudwatch:PutMetricData" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy4", + "PolicyName": "KitchenSinkFunctionRolePolicy4", "PolicyDocument": { "Statement": [ { "Action": [ - "ec2:DescribeRegions", + "ec2:DescribeRegions", "ec2:DescribeInstances" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy5", + "PolicyName": "KitchenSinkFunctionRolePolicy5", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:GetItem", - "dynamodb:DeleteItem", - "dynamodb:PutItem", - "dynamodb:Scan", - "dynamodb:Query", - "dynamodb:UpdateItem", - "dynamodb:BatchWriteItem", - "dynamodb:BatchGetItem", - "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:DeleteItem", + "dynamodb:PutItem", + "dynamodb:Scan", + "dynamodb:Query", + "dynamodb:UpdateItem", + "dynamodb:BatchWriteItem", + "dynamodb:BatchGetItem", + "dynamodb:DescribeTable", "dynamodb:ConditionCheckItem" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "name" } ] - }, + }, { "Fn::Sub": [ - 
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", - { - "tableName": "name" - } + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", + { + "tableName": "name" + } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy6", + "PolicyName": "KitchenSinkFunctionRolePolicy6", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:GetItem", - "dynamodb:Scan", - "dynamodb:Query", - "dynamodb:BatchGetItem", + "dynamodb:GetItem", + "dynamodb:Scan", + "dynamodb:Query", + "dynamodb:BatchGetItem", "dynamodb:DescribeTable" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", - { - "tableName": "name" - } + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", + { + "tableName": "name" + } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy7", + "PolicyName": "KitchenSinkFunctionRolePolicy7", "PolicyDocument": { "Statement": [ { "Action": [ "ses:SendBounce" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy8", + "PolicyName": "KitchenSinkFunctionRolePolicy8", "PolicyDocument": { "Statement": [ { "Action": [ - "es:ESHttpPost", + "es:ESHttpPost", "es:ESHttpPut" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", 
+ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", { "domainName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy9", + "PolicyName": "KitchenSinkFunctionRolePolicy9", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetObjectVersion", + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy10", + "PolicyName": "KitchenSinkFunctionRolePolicy10", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetObjectVersion", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:GetLifecycleConfiguration", - "s3:PutLifecycleConfiguration", + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetObjectVersion", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:GetLifecycleConfiguration", + "s3:PutLifecycleConfiguration", "s3:DeleteObject" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy11", + "PolicyName": "KitchenSinkFunctionRolePolicy11", "PolicyDocument": { "Statement": [ { "Action": [ "ec2:DescribeImages" - ], + ], "Resource": { "Fn::Sub": 
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*" - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy12", + "PolicyName": "KitchenSinkFunctionRolePolicy12", "PolicyDocument": { "Statement": [ { "Action": [ "cloudformation:DescribeStacks" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy13", + "PolicyName": "KitchenSinkFunctionRolePolicy13", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CompareFaces", - "rekognition:DetectFaces", - "rekognition:DetectLabels", + "rekognition:CompareFaces", + "rekognition:DetectFaces", + "rekognition:DetectLabels", "rekognition:DetectModerationLabels" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy14", + "PolicyName": "KitchenSinkFunctionRolePolicy14", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:ListCollections", - "rekognition:ListFaces", - "rekognition:SearchFaces", + "rekognition:ListCollections", + "rekognition:ListFaces", + "rekognition:SearchFaces", "rekognition:SearchFacesByImage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy15", + "PolicyName": "KitchenSinkFunctionRolePolicy15", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CreateCollection", + 
"rekognition:CreateCollection", "rekognition:IndexFaces" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy16", + "PolicyName": "KitchenSinkFunctionRolePolicy16", "PolicyDocument": { "Statement": [ { "Action": [ "sqs:SendMessage*" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", + "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy17", + "PolicyName": "KitchenSinkFunctionRolePolicy17", "PolicyDocument": { "Statement": [ { "Action": [ "sns:Publish" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", + "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy18", + "PolicyName": "KitchenSinkFunctionRolePolicy18", "PolicyDocument": { "Statement": [ { "Action": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy19", + "PolicyName": "KitchenSinkFunctionRolePolicy19", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:DescribeStream", - "dynamodb:GetRecords", + "dynamodb:DescribeStream", + "dynamodb:GetRecords", "dynamodb:GetShardIterator" - ], + ], "Resource": { 
"Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", { - "streamName": "name", + "streamName": "name", "tableName": "name" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ "dynamodb:ListStreams" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", { "tableName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy20", + "PolicyName": "KitchenSinkFunctionRolePolicy20", "PolicyDocument": { "Statement": [ { "Action": [ - "kinesis:ListStreams", + "kinesis:ListStreams", "kinesis:DescribeLimits" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "kinesis:DescribeStream", - "kinesis:DescribeStreamSummary", - "kinesis:GetRecords", + "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", + "kinesis:GetRecords", "kinesis:GetShardIterator" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", + "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy21", + "PolicyName": "KitchenSinkFunctionRolePolicy21", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:GetIdentityVerificationAttributes", - "ses:SendEmail", - "ses:SendRawEmail", + "ses:GetIdentityVerificationAttributes", + "ses:SendEmail", + "ses:SendRawEmail", "ses:VerifyEmailIdentity" - ], + ], "Resource": { "Fn::Sub": [ - 
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy22", + "PolicyName": "KitchenSinkFunctionRolePolicy22", "PolicyDocument": { "Statement": [ { "Action": [ - "sns:ListSubscriptionsByTopic", - "sns:CreateTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", + "sns:ListSubscriptionsByTopic", + "sns:CreateTopic", + "sns:SetTopicAttributes", + "sns:Subscribe", "sns:Publish" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", + "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy23", + "PolicyName": "KitchenSinkFunctionRolePolicy23", "PolicyDocument": { "Statement": [ { "Action": [ - "kinesis:AddTagsToStream", - "kinesis:CreateStream", - "kinesis:DecreaseStreamRetentionPeriod", - "kinesis:DeleteStream", - "kinesis:DescribeStream", - "kinesis:DescribeStreamSummary", - "kinesis:GetShardIterator", - "kinesis:IncreaseStreamRetentionPeriod", - "kinesis:ListTagsForStream", - "kinesis:MergeShards", - "kinesis:PutRecord", - "kinesis:PutRecords", - "kinesis:SplitShard", + "kinesis:AddTagsToStream", + "kinesis:CreateStream", + "kinesis:DecreaseStreamRetentionPeriod", + "kinesis:DeleteStream", + "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", + "kinesis:GetShardIterator", + "kinesis:IncreaseStreamRetentionPeriod", + "kinesis:ListTagsForStream", + "kinesis:MergeShards", + "kinesis:PutRecord", + "kinesis:PutRecords", + "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", + 
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy24", + "PolicyName": "KitchenSinkFunctionRolePolicy24", "PolicyDocument": { "Statement": [ { - "Action": "kms:Decrypt", + "Action": "kms:Decrypt", "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": "keyId" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy25", + "PolicyName": "KitchenSinkFunctionRolePolicy25", "PolicyDocument": { "Statement": [ { "Action": [ - "polly:GetLexicon", + "polly:GetLexicon", "polly:DeleteLexicon" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", + "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": "name" } ] } - ], + ], "Effect": "Allow" - }, + }, { "Action": [ - "polly:DescribeVoices", - "polly:ListLexicons", - "polly:PutLexicon", + "polly:DescribeVoices", + "polly:ListLexicons", + "polly:PutLexicon", "polly:SynthesizeSpeech" - ], + ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy26", + "PolicyName": "KitchenSinkFunctionRolePolicy26", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:GetObjectAcl", - "s3:GetObjectVersion", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersionTagging", - "s3:GetObjectTagging", - "s3:GetObjectVersionTagging", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], + "s3:GetObject", + "s3:GetObjectAcl", + "s3:GetObjectVersion", + "s3:PutObject", + 
"s3:PutObjectAcl", + "s3:DeleteObject", + "s3:DeleteObjectTagging", + "s3:DeleteObjectVersionTagging", + "s3:GetObjectTagging", + "s3:GetObjectVersionTagging", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" - }, + }, { "Action": [ - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetLifecycleConfiguration", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy27", + "PolicyName": "KitchenSinkFunctionRolePolicy27", "PolicyDocument": { "Statement": [ { "Action": [ - "codepipeline:PutJobSuccessResult", + "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy28", + "PolicyName": "KitchenSinkFunctionRolePolicy28", "PolicyDocument": { "Statement": [ { "Action": [ - "serverlessrepo:CreateApplication", - "serverlessrepo:CreateApplicationVersion", - "serverlessrepo:UpdateApplication", - "serverlessrepo:GetApplication", - "serverlessrepo:ListApplications", - "serverlessrepo:ListApplicationVersions", + "serverlessrepo:CreateApplication", + "serverlessrepo:CreateApplicationVersion", + "serverlessrepo:UpdateApplication", + "serverlessrepo:GetApplication", + "serverlessrepo:ListApplications", + "serverlessrepo:ListApplicationVersions", "serverlessrepo:ListApplicationDependencies" - ], + ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } - ], + ], "Effect": "Allow" } ] } - 
}, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy29", + "PolicyName": "KitchenSinkFunctionRolePolicy29", "PolicyDocument": { "Statement": [ { "Action": [ "ec2:CopyImage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", + "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy30", + "PolicyName": "KitchenSinkFunctionRolePolicy30", "PolicyDocument": { "Statement": [ { "Action": [ "codepipeline:ListPipelineExecutions" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", + "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": "pipeline" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy31", + "PolicyName": "KitchenSinkFunctionRolePolicy31", "PolicyDocument": { "Statement": [ { "Action": [ - "cloudwatch:GetDashboard", - "cloudwatch:ListDashboards", - "cloudwatch:PutDashboard", + "cloudwatch:GetDashboard", + "cloudwatch:ListDashboards", + "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy32", + "PolicyName": "KitchenSinkFunctionRolePolicy32", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CompareFaces", + "rekognition:CompareFaces", "rekognition:DetectFaces" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy33", + "PolicyName": "KitchenSinkFunctionRolePolicy33", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:DetectLabels", + "rekognition:DetectLabels", "rekognition:DetectModerationLabels" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" 
} ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy34", + "PolicyName": "KitchenSinkFunctionRolePolicy34", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:CreateBackup", + "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "table" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "dynamodb:DeleteBackup", - "dynamodb:DescribeBackup", + "dynamodb:DeleteBackup", + "dynamodb:DescribeBackup", "dynamodb:ListBackups" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": "table" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy35", + "PolicyName": "KitchenSinkFunctionRolePolicy35", "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:RestoreTableFromBackup" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": "table" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "dynamodb:PutItem", - "dynamodb:UpdateItem", - "dynamodb:DeleteItem", - "dynamodb:GetItem", - "dynamodb:Query", - "dynamodb:Scan", + "dynamodb:PutItem", + "dynamodb:UpdateItem", + "dynamodb:DeleteItem", + "dynamodb:GetItem", + "dynamodb:Query", + "dynamodb:Scan", "dynamodb:BatchWriteItem" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { 
"tableName": "table" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy36", + "PolicyName": "KitchenSinkFunctionRolePolicy36", "PolicyDocument": { "Statement": [ { "Action": [ - "comprehend:BatchDetectKeyPhrases", - "comprehend:DetectDominantLanguage", - "comprehend:DetectEntities", - "comprehend:BatchDetectEntities", - "comprehend:DetectKeyPhrases", - "comprehend:DetectSentiment", - "comprehend:BatchDetectDominantLanguage", + "comprehend:BatchDetectKeyPhrases", + "comprehend:DetectDominantLanguage", + "comprehend:DetectEntities", + "comprehend:BatchDetectEntities", + "comprehend:DetectKeyPhrases", + "comprehend:DetectSentiment", + "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy37", + "PolicyName": "KitchenSinkFunctionRolePolicy37", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "secretsmanager:DescribeSecret", - "secretsmanager:GetSecretValue", - "secretsmanager:PutSecretValue", + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" - }, + }, + "Effect": "Allow", "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ - "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", + "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": "function" } 
@@ -999,452 +1009,469 @@ } } } - }, + }, { - "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" - ], - "Resource": "*" + ], + "Resource": "*", + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy38", + "PolicyName": "KitchenSinkFunctionRolePolicy38", "PolicyDocument": { "Statement": [ { "Action": [ "mobileanalytics:PutEvents" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy39", + "PolicyName": "KitchenSinkFunctionRolePolicy39", "PolicyDocument": { "Statement": [ { "Action": [ - "mobiletargeting:GetEndpoint", - "mobiletargeting:UpdateEndpoint", + "mobiletargeting:GetEndpoint", + "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", + "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy40", + "PolicyName": "KitchenSinkFunctionRolePolicy40", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:DetectFaces", - "rekognition:DetectText", - "rekognition:DetectLabels", - "rekognition:DetectModerationLabels" - ], - "Resource": "*", + "rekognition:DetectFaces", + "rekognition:DetectLabels", + "rekognition:DetectModerationLabels", + "rekognition:DetectText" + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy41", + "PolicyName": "KitchenSinkFunctionRolePolicy41", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:IndexFaces", - "rekognition:DeleteFaces", - "rekognition:SearchFaces", - "rekognition:SearchFacesByImage", + "rekognition:IndexFaces", + "rekognition:DeleteFaces", + "rekognition:SearchFaces", + 
"rekognition:SearchFacesByImage", "rekognition:ListFaces" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "collection" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy42", + "PolicyName": "KitchenSinkFunctionRolePolicy42", "PolicyDocument": { "Statement": [ { "Action": [ - "eks:DescribeCluster", + "eks:DescribeCluster", "eks:ListClusters" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy43", + "PolicyName": "KitchenSinkFunctionRolePolicy43", "PolicyDocument": { - "Statement": [{ - "Effect": "Allow", - "Action": [ - "ce:GetCostAndUsage", - "ce:GetDimensionValues", - "ce:GetReservationCoverage", - "ce:GetReservationPurchaseRecommendation", - "ce:GetReservationUtilization", - "ce:GetTags" - ], - "Resource": "*" - }] + "Statement": [ + { + "Action": [ + "ce:GetCostAndUsage", + "ce:GetDimensionValues", + "ce:GetReservationCoverage", + "ce:GetReservationPurchaseRecommendation", + "ce:GetReservationUtilization", + "ce:GetTags" + ], + "Resource": "*", + "Effect": "Allow" + } + ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy44", + "PolicyName": "KitchenSinkFunctionRolePolicy44", "PolicyDocument": { "Statement": [ { "Action": [ "organizations:ListAccounts" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy45", + "PolicyName": "KitchenSinkFunctionRolePolicy45", "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:UpdateTable" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": 
"name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy46", + "PolicyName": "KitchenSinkFunctionRolePolicy46", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:GetIdentityVerificationAttributes", - "ses:SendEmail", - "ses:SendRawEmail", - "ses:SendTemplatedEmail", - "ses:SendBulkTemplatedEmail", + "ses:GetIdentityVerificationAttributes", + "ses:SendEmail", + "ses:SendRawEmail", + "ses:SendTemplatedEmail", + "ses:SendBulkTemplatedEmail", "ses:VerifyEmailIdentity" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy47", + "PolicyName": "KitchenSinkFunctionRolePolicy47", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:CreateTemplate", - "ses:GetTemplate", - "ses:ListTemplates", - "ses:UpdateTemplate", - "ses:DeleteTemplate", + "ses:CreateTemplate", + "ses:GetTemplate", + "ses:ListTemplates", + "ses:UpdateTemplate", + "ses:DeleteTemplate", "ses:TestRenderTemplate" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy48", + "PolicyName": "KitchenSinkFunctionRolePolicy48", "PolicyDocument": { "Statement": [ { "Action": [ "logs:FilterLogEvents" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", + "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", { "logGroupName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy49", + "PolicyName": "KitchenSinkFunctionRolePolicy49", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ "ssm:DescribeParameters" - ], 
- "Resource": "*" - }, + ], + "Resource": "*", + "Effect": "Allow" + }, { - "Effect": "Allow", "Action": [ - "ssm:GetParameters", - "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParameter", "ssm:GetParametersByPath" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", + "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", { "parameterName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy50", + "PolicyName": "KitchenSinkFunctionRolePolicy50", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ "states:StartExecution" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", + "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", { "stateMachineName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy51", + "PolicyName": "KitchenSinkFunctionRolePolicy51", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "codecommit:GitPull", - "codecommit:GitPush", - "codecommit:CreateBranch", - "codecommit:DeleteBranch", - "codecommit:GetBranch", - "codecommit:ListBranches", - "codecommit:MergeBranchesByFastForward", - "codecommit:MergeBranchesBySquash", - "codecommit:MergeBranchesByThreeWay", - "codecommit:UpdateDefaultBranch", - "codecommit:BatchDescribeMergeConflicts", - "codecommit:CreateUnreferencedMergeCommit", - "codecommit:DescribeMergeConflicts", - "codecommit:GetMergeCommit", - "codecommit:GetMergeOptions", - "codecommit:BatchGetPullRequests", - "codecommit:CreatePullRequest", - "codecommit:DescribePullRequestEvents", - "codecommit:GetCommentsForPullRequest", - "codecommit:GetCommitsFromMergeBase", - "codecommit:GetMergeConflicts", - "codecommit:GetPullRequest", - 
"codecommit:ListPullRequests", - "codecommit:MergePullRequestByFastForward", - "codecommit:MergePullRequestBySquash", - "codecommit:MergePullRequestByThreeWay", - "codecommit:PostCommentForPullRequest", - "codecommit:UpdatePullRequestDescription", - "codecommit:UpdatePullRequestStatus", - "codecommit:UpdatePullRequestTitle", - "codecommit:DeleteFile", - "codecommit:GetBlob", - "codecommit:GetFile", - "codecommit:GetFolder", - "codecommit:PutFile", - "codecommit:DeleteCommentContent", - "codecommit:GetComment", - "codecommit:GetCommentsForComparedCommit", - "codecommit:PostCommentForComparedCommit", - "codecommit:PostCommentReply", - "codecommit:UpdateComment", - "codecommit:BatchGetCommits", - "codecommit:CreateCommit", - "codecommit:GetCommit", - "codecommit:GetCommitHistory", - "codecommit:GetDifferences", - "codecommit:GetObjectIdentifier", - "codecommit:GetReferences", - "codecommit:GetTree", - "codecommit:GetRepository", - "codecommit:UpdateRepositoryDescription", - "codecommit:ListTagsForResource", - "codecommit:TagResource", - "codecommit:UntagResource", - "codecommit:GetRepositoryTriggers", - "codecommit:PutRepositoryTriggers", - "codecommit:TestRepositoryTriggers", - "codecommit:GetBranch", - "codecommit:GetCommit", - "codecommit:UploadArchive", - "codecommit:GetUploadArchiveStatus", + "codecommit:GitPull", + "codecommit:GitPush", + "codecommit:CreateBranch", + "codecommit:DeleteBranch", + "codecommit:GetBranch", + "codecommit:ListBranches", + "codecommit:MergeBranchesByFastForward", + "codecommit:MergeBranchesBySquash", + "codecommit:MergeBranchesByThreeWay", + "codecommit:UpdateDefaultBranch", + "codecommit:BatchDescribeMergeConflicts", + "codecommit:CreateUnreferencedMergeCommit", + "codecommit:DescribeMergeConflicts", + "codecommit:GetMergeCommit", + "codecommit:GetMergeOptions", + "codecommit:BatchGetPullRequests", + "codecommit:CreatePullRequest", + "codecommit:DescribePullRequestEvents", + "codecommit:GetCommentsForPullRequest", + 
"codecommit:GetCommitsFromMergeBase", + "codecommit:GetMergeConflicts", + "codecommit:GetPullRequest", + "codecommit:ListPullRequests", + "codecommit:MergePullRequestByFastForward", + "codecommit:MergePullRequestBySquash", + "codecommit:MergePullRequestByThreeWay", + "codecommit:PostCommentForPullRequest", + "codecommit:UpdatePullRequestDescription", + "codecommit:UpdatePullRequestStatus", + "codecommit:UpdatePullRequestTitle", + "codecommit:DeleteFile", + "codecommit:GetBlob", + "codecommit:GetFile", + "codecommit:GetFolder", + "codecommit:PutFile", + "codecommit:DeleteCommentContent", + "codecommit:GetComment", + "codecommit:GetCommentsForComparedCommit", + "codecommit:PostCommentForComparedCommit", + "codecommit:PostCommentReply", + "codecommit:UpdateComment", + "codecommit:BatchGetCommits", + "codecommit:CreateCommit", + "codecommit:GetCommit", + "codecommit:GetCommitHistory", + "codecommit:GetDifferences", + "codecommit:GetObjectIdentifier", + "codecommit:GetReferences", + "codecommit:GetTree", + "codecommit:GetRepository", + "codecommit:UpdateRepositoryDescription", + "codecommit:ListTagsForResource", + "codecommit:TagResource", + "codecommit:UntagResource", + "codecommit:GetRepositoryTriggers", + "codecommit:PutRepositoryTriggers", + "codecommit:TestRepositoryTriggers", + "codecommit:GetBranch", + "codecommit:GetCommit", + "codecommit:UploadArchive", + "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", + "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy52", + "PolicyName": "KitchenSinkFunctionRolePolicy52", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "codecommit:GitPull", - "codecommit:GetBranch", - "codecommit:ListBranches", - 
"codecommit:BatchDescribeMergeConflicts", - "codecommit:DescribeMergeConflicts", - "codecommit:GetMergeCommit", - "codecommit:GetMergeOptions", - "codecommit:BatchGetPullRequests", - "codecommit:DescribePullRequestEvents", - "codecommit:GetCommentsForPullRequest", - "codecommit:GetCommitsFromMergeBase", - "codecommit:GetMergeConflicts", - "codecommit:GetPullRequest", - "codecommit:ListPullRequests", - "codecommit:GetBlob", - "codecommit:GetFile", - "codecommit:GetFolder", - "codecommit:GetComment", - "codecommit:GetCommentsForComparedCommit", - "codecommit:BatchGetCommits", - "codecommit:GetCommit", - "codecommit:GetCommitHistory", - "codecommit:GetDifferences", - "codecommit:GetObjectIdentifier", - "codecommit:GetReferences", - "codecommit:GetTree", - "codecommit:GetRepository", - "codecommit:ListTagsForResource", - "codecommit:GetRepositoryTriggers", - "codecommit:TestRepositoryTriggers", - "codecommit:GetBranch", - "codecommit:GetCommit", + "codecommit:GitPull", + "codecommit:GetBranch", + "codecommit:ListBranches", + "codecommit:BatchDescribeMergeConflicts", + "codecommit:DescribeMergeConflicts", + "codecommit:GetMergeCommit", + "codecommit:GetMergeOptions", + "codecommit:BatchGetPullRequests", + "codecommit:DescribePullRequestEvents", + "codecommit:GetCommentsForPullRequest", + "codecommit:GetCommitsFromMergeBase", + "codecommit:GetMergeConflicts", + "codecommit:GetPullRequest", + "codecommit:ListPullRequests", + "codecommit:GetBlob", + "codecommit:GetFile", + "codecommit:GetFolder", + "codecommit:GetComment", + "codecommit:GetCommentsForComparedCommit", + "codecommit:BatchGetCommits", + "codecommit:GetCommit", + "codecommit:GetCommitHistory", + "codecommit:GetDifferences", + "codecommit:GetObjectIdentifier", + "codecommit:GetReferences", + "codecommit:GetTree", + "codecommit:GetRepository", + "codecommit:ListTagsForResource", + "codecommit:GetRepositoryTriggers", + "codecommit:TestRepositoryTriggers", + "codecommit:GetBranch", + "codecommit:GetCommit", 
"codecommit:GetUploadArchiveStatus" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", + "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy53", + "PolicyName": "KitchenSinkFunctionRolePolicy53", "PolicyDocument": { "Statement": [ { - "Action": "kms:Encrypt", + "Action": "kms:Encrypt", "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": "keyId" } ] - }, + }, "Effect": "Allow" } ] } - } - ], - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] - } + }, + { + "PolicyName": "KitchenSinkFunctionRolePolicy54", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "athena:GetWorkGroup", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:StopQueryExecution", + "athena:GetQueryResults" + ], + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", + { + "workgroupName": "name" + } + ] + }, + "Effect": "Allow" + } + ] } - ] - } + } + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } } } -} +} \ No newline at end of file diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json index 5626139fe0..5b30497a41 100644 --- a/tests/translator/output/aws-us-gov/all_policy_templates.json +++ b/tests/translator/output/aws-us-gov/all_policy_templates.json 
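Review bot: The new KitchenSinkFunctionRolePolicy54 block at the end of this hunk is the only place the Athena template's rendered output is asserted, and it pins a workgroup-scoped resource (`arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}`) with five athena:* actions and no S3 or Glue statements. That split is good least-privilege practice, but in practice StartQueryExecution and GetQueryResults also need read/write access to the workgroup's S3 query-results location (and catalog reads for the tables queried), which nothing in this policy grants, so a function given only this template will presumably fail at query time. The fixture cannot document that; the template's Description is the place to say the policy must be combined with an S3 read/write policy for the results bucket, so users do not read "execute Athena queries" as sufficient on its own. The same rendered block appears in the aws-us-gov section below, whose hunk runs past the end of this chunk.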
@@ -1,997 +1,1007 @@ { "Resources": { "KitchenSinkFunction": { - "Type": "AWS::Lambda::Function", + "Type": "AWS::Lambda::Function", "Properties": { + "Handler": "hello.handler", "Code": { - "S3Bucket": "sam-demo-bucket", + "S3Bucket": "sam-demo-bucket", "S3Key": "hello.zip" - }, - "Handler": "hello.handler", + }, "Role": { "Fn::GetAtt": [ - "KitchenSinkFunctionRole", + "KitchenSinkFunctionRole", "Arn" ] - }, - "Runtime": "python2.7", + }, + "Runtime": "python2.7", "Tags": [ { - "Value": "SAM", + "Value": "SAM", "Key": "lambda:createdBy" } ] } - }, + }, "KitchenSinkFunctionRole": { - "Type": "AWS::IAM::Role", + "Type": "AWS::IAM::Role", "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ] + }, "ManagedPolicyArns": [ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ], - "Tags": [ - { - "Key": "lambda:createdBy", - "Value": "SAM" - } - ], + ], "Policies": [ { - "PolicyName": "KitchenSinkFunctionRolePolicy0", + "PolicyName": "KitchenSinkFunctionRolePolicy0", "PolicyDocument": { "Statement": [ { "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:ChangeMessageVisibilityBatch", - "sqs:DeleteMessage", - "sqs:DeleteMessageBatch", - "sqs:GetQueueAttributes", + "sqs:ChangeMessageVisibility", + "sqs:ChangeMessageVisibilityBatch", + "sqs:DeleteMessage", + "sqs:DeleteMessageBatch", + "sqs:GetQueueAttributes", "sqs:ReceiveMessage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", + "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy1", + "PolicyName": "KitchenSinkFunctionRolePolicy1", "PolicyDocument": { "Statement": [ { "Action": [ "lambda:InvokeFunction" - ], + ], "Resource": 
{ "Fn::Sub": [ - "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", + "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*", { "functionName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy2", + "PolicyName": "KitchenSinkFunctionRolePolicy2", "PolicyDocument": { "Statement": [ { "Action": [ "cloudwatch:DescribeAlarmHistory" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy3", + "PolicyName": "KitchenSinkFunctionRolePolicy3", "PolicyDocument": { "Statement": [ { "Action": [ "cloudwatch:PutMetricData" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy4", + "PolicyName": "KitchenSinkFunctionRolePolicy4", "PolicyDocument": { "Statement": [ { "Action": [ - "ec2:DescribeRegions", + "ec2:DescribeRegions", "ec2:DescribeInstances" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy5", + "PolicyName": "KitchenSinkFunctionRolePolicy5", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:GetItem", - "dynamodb:DeleteItem", - "dynamodb:PutItem", - "dynamodb:Scan", - "dynamodb:Query", - "dynamodb:UpdateItem", - "dynamodb:BatchWriteItem", - "dynamodb:BatchGetItem", - "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:DeleteItem", + "dynamodb:PutItem", + "dynamodb:Scan", + "dynamodb:Query", + "dynamodb:UpdateItem", + "dynamodb:BatchWriteItem", + "dynamodb:BatchGetItem", + "dynamodb:DescribeTable", "dynamodb:ConditionCheckItem" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "name" } ] - }, + }, { "Fn::Sub": [ - 
"arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", - { - "tableName": "name" - } + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", + { + "tableName": "name" + } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy6", + "PolicyName": "KitchenSinkFunctionRolePolicy6", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:GetItem", - "dynamodb:Scan", - "dynamodb:Query", - "dynamodb:BatchGetItem", + "dynamodb:GetItem", + "dynamodb:Scan", + "dynamodb:Query", + "dynamodb:BatchGetItem", "dynamodb:DescribeTable" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", - { - "tableName": "name" - } + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*", + { + "tableName": "name" + } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy7", + "PolicyName": "KitchenSinkFunctionRolePolicy7", "PolicyDocument": { "Statement": [ { "Action": [ "ses:SendBounce" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy8", + "PolicyName": "KitchenSinkFunctionRolePolicy8", "PolicyDocument": { "Statement": [ { "Action": [ - "es:ESHttpPost", + "es:ESHttpPost", "es:ESHttpPut" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", 
+ "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*", { "domainName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy9", + "PolicyName": "KitchenSinkFunctionRolePolicy9", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetObjectVersion", + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetObjectVersion", "s3:GetLifecycleConfiguration" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy10", + "PolicyName": "KitchenSinkFunctionRolePolicy10", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetObjectVersion", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:GetLifecycleConfiguration", - "s3:PutLifecycleConfiguration", + "s3:GetObject", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetObjectVersion", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:GetLifecycleConfiguration", + "s3:PutLifecycleConfiguration", "s3:DeleteObject" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] - }, + }, { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy11", + "PolicyName": "KitchenSinkFunctionRolePolicy11", "PolicyDocument": { "Statement": [ { "Action": [ "ec2:DescribeImages" - ], + ], "Resource": { "Fn::Sub": 
"arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*" - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy12", + "PolicyName": "KitchenSinkFunctionRolePolicy12", "PolicyDocument": { "Statement": [ { "Action": [ "cloudformation:DescribeStacks" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*" - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy13", + "PolicyName": "KitchenSinkFunctionRolePolicy13", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CompareFaces", - "rekognition:DetectFaces", - "rekognition:DetectLabels", + "rekognition:CompareFaces", + "rekognition:DetectFaces", + "rekognition:DetectLabels", "rekognition:DetectModerationLabels" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy14", + "PolicyName": "KitchenSinkFunctionRolePolicy14", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:ListCollections", - "rekognition:ListFaces", - "rekognition:SearchFaces", + "rekognition:ListCollections", + "rekognition:ListFaces", + "rekognition:SearchFaces", "rekognition:SearchFacesByImage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy15", + "PolicyName": "KitchenSinkFunctionRolePolicy15", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CreateCollection", + 
"rekognition:CreateCollection", "rekognition:IndexFaces" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy16", + "PolicyName": "KitchenSinkFunctionRolePolicy16", "PolicyDocument": { "Statement": [ { "Action": [ "sqs:SendMessage*" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", + "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}", { "queueName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy17", + "PolicyName": "KitchenSinkFunctionRolePolicy17", "PolicyDocument": { "Statement": [ { "Action": [ "sns:Publish" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", + "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}", { "topicName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy18", + "PolicyName": "KitchenSinkFunctionRolePolicy18", "PolicyDocument": { "Statement": [ { "Action": [ - "ec2:CreateNetworkInterface", - "ec2:DeleteNetworkInterface", - "ec2:DescribeNetworkInterfaces", + "ec2:CreateNetworkInterface", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy19", + "PolicyName": "KitchenSinkFunctionRolePolicy19", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:DescribeStream", - "dynamodb:GetRecords", + "dynamodb:DescribeStream", + "dynamodb:GetRecords", "dynamodb:GetShardIterator" - ], + ], "Resource": { 
"Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/${streamName}", { - "streamName": "name", + "streamName": "name", "tableName": "name" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ "dynamodb:ListStreams" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/stream/*", { "tableName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy20", + "PolicyName": "KitchenSinkFunctionRolePolicy20", "PolicyDocument": { "Statement": [ { "Action": [ - "kinesis:ListStreams", + "kinesis:ListStreams", "kinesis:DescribeLimits" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*" - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "kinesis:DescribeStream", - "kinesis:DescribeStreamSummary", - "kinesis:GetRecords", + "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", + "kinesis:GetRecords", "kinesis:GetShardIterator" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", + "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy21", + "PolicyName": "KitchenSinkFunctionRolePolicy21", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:GetIdentityVerificationAttributes", - "ses:SendEmail", - "ses:SendRawEmail", + "ses:GetIdentityVerificationAttributes", + "ses:SendEmail", + "ses:SendRawEmail", "ses:VerifyEmailIdentity" - ], + ], "Resource": { "Fn::Sub": [ - 
"arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy22", + "PolicyName": "KitchenSinkFunctionRolePolicy22", "PolicyDocument": { "Statement": [ { "Action": [ - "sns:ListSubscriptionsByTopic", - "sns:CreateTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", + "sns:ListSubscriptionsByTopic", + "sns:CreateTopic", + "sns:SetTopicAttributes", + "sns:Subscribe", "sns:Publish" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", + "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*", { "topicName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy23", + "PolicyName": "KitchenSinkFunctionRolePolicy23", "PolicyDocument": { "Statement": [ { "Action": [ - "kinesis:AddTagsToStream", - "kinesis:CreateStream", - "kinesis:DecreaseStreamRetentionPeriod", - "kinesis:DeleteStream", - "kinesis:DescribeStream", - "kinesis:DescribeStreamSummary", - "kinesis:GetShardIterator", - "kinesis:IncreaseStreamRetentionPeriod", - "kinesis:ListTagsForStream", - "kinesis:MergeShards", - "kinesis:PutRecord", - "kinesis:PutRecords", - "kinesis:SplitShard", + "kinesis:AddTagsToStream", + "kinesis:CreateStream", + "kinesis:DecreaseStreamRetentionPeriod", + "kinesis:DeleteStream", + "kinesis:DescribeStream", + "kinesis:DescribeStreamSummary", + "kinesis:GetShardIterator", + "kinesis:IncreaseStreamRetentionPeriod", + "kinesis:ListTagsForStream", + "kinesis:MergeShards", + "kinesis:PutRecord", + "kinesis:PutRecords", + "kinesis:SplitShard", "kinesis:RemoveTagsFromStream" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", + 
"arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}", { "streamName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy24", + "PolicyName": "KitchenSinkFunctionRolePolicy24", "PolicyDocument": { "Statement": [ { - "Action": "kms:Decrypt", + "Action": "kms:Decrypt", "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": "keyId" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy25", + "PolicyName": "KitchenSinkFunctionRolePolicy25", "PolicyDocument": { "Statement": [ { "Action": [ - "polly:GetLexicon", + "polly:GetLexicon", "polly:DeleteLexicon" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", + "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}", { "lexiconName": "name" } ] } - ], + ], "Effect": "Allow" - }, + }, { "Action": [ - "polly:DescribeVoices", - "polly:ListLexicons", - "polly:PutLexicon", + "polly:DescribeVoices", + "polly:ListLexicons", + "polly:PutLexicon", "polly:SynthesizeSpeech" - ], + ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*" } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy26", + "PolicyName": "KitchenSinkFunctionRolePolicy26", "PolicyDocument": { "Statement": [ { "Action": [ - "s3:GetObject", - "s3:GetObjectAcl", - "s3:GetObjectVersion", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersionTagging", - "s3:GetObjectTagging", - "s3:GetObjectVersionTagging", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], + "s3:GetObject", + "s3:GetObjectAcl", + "s3:GetObjectVersion", + "s3:PutObject", + 
"s3:PutObjectAcl", + "s3:DeleteObject", + "s3:DeleteObjectTagging", + "s3:DeleteObjectVersionTagging", + "s3:GetObjectTagging", + "s3:GetObjectVersionTagging", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}/*", + "arn:${AWS::Partition}:s3:::${bucketName}/*", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" - }, + }, { "Action": [ - "s3:ListBucket", - "s3:GetBucketLocation", - "s3:GetLifecycleConfiguration", + "s3:ListBucket", + "s3:GetBucketLocation", + "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration" - ], + ], "Resource": [ { "Fn::Sub": [ - "arn:${AWS::Partition}:s3:::${bucketName}", + "arn:${AWS::Partition}:s3:::${bucketName}", { "bucketName": "name" } ] } - ], + ], "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy27", + "PolicyName": "KitchenSinkFunctionRolePolicy27", "PolicyDocument": { "Statement": [ { "Action": [ - "codepipeline:PutJobSuccessResult", + "codepipeline:PutJobSuccessResult", "codepipeline:PutJobFailureResult" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy28", + "PolicyName": "KitchenSinkFunctionRolePolicy28", "PolicyDocument": { "Statement": [ { "Action": [ - "serverlessrepo:CreateApplication", - "serverlessrepo:CreateApplicationVersion", - "serverlessrepo:UpdateApplication", - "serverlessrepo:GetApplication", - "serverlessrepo:ListApplications", - "serverlessrepo:ListApplicationVersions", + "serverlessrepo:CreateApplication", + "serverlessrepo:CreateApplicationVersion", + "serverlessrepo:UpdateApplication", + "serverlessrepo:GetApplication", + "serverlessrepo:ListApplications", + "serverlessrepo:ListApplicationVersions", "serverlessrepo:ListApplicationDependencies" - ], + ], "Resource": [ { "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*" } - ], + ], "Effect": "Allow" } ] } - 
}, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy29", + "PolicyName": "KitchenSinkFunctionRolePolicy29", "PolicyDocument": { "Statement": [ { "Action": [ "ec2:CopyImage" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", + "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}", { "imageId": "id" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy30", + "PolicyName": "KitchenSinkFunctionRolePolicy30", "PolicyDocument": { "Statement": [ { "Action": [ "codepipeline:ListPipelineExecutions" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", + "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${pipelinename}", { "pipelinename": "pipeline" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy31", + "PolicyName": "KitchenSinkFunctionRolePolicy31", "PolicyDocument": { "Statement": [ { "Action": [ - "cloudwatch:GetDashboard", - "cloudwatch:ListDashboards", - "cloudwatch:PutDashboard", + "cloudwatch:GetDashboard", + "cloudwatch:ListDashboards", + "cloudwatch:PutDashboard", "cloudwatch:ListMetrics" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy32", + "PolicyName": "KitchenSinkFunctionRolePolicy32", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:CompareFaces", + "rekognition:CompareFaces", "rekognition:DetectFaces" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy33", + "PolicyName": "KitchenSinkFunctionRolePolicy33", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:DetectLabels", + "rekognition:DetectLabels", "rekognition:DetectModerationLabels" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" 
} ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy34", + "PolicyName": "KitchenSinkFunctionRolePolicy34", "PolicyDocument": { "Statement": [ { "Action": [ - "dynamodb:CreateBackup", + "dynamodb:CreateBackup", "dynamodb:DescribeContinuousBackups" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": "table" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "dynamodb:DeleteBackup", - "dynamodb:DescribeBackup", + "dynamodb:DeleteBackup", + "dynamodb:DescribeBackup", "dynamodb:ListBackups" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": "table" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy35", + "PolicyName": "KitchenSinkFunctionRolePolicy35", "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:RestoreTableFromBackup" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*", { "tableName": "table" } ] - }, + }, "Effect": "Allow" - }, + }, { "Action": [ - "dynamodb:PutItem", - "dynamodb:UpdateItem", - "dynamodb:DeleteItem", - "dynamodb:GetItem", - "dynamodb:Query", - "dynamodb:Scan", + "dynamodb:PutItem", + "dynamodb:UpdateItem", + "dynamodb:DeleteItem", + "dynamodb:GetItem", + "dynamodb:Query", + "dynamodb:Scan", "dynamodb:BatchWriteItem" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { 
"tableName": "table" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy36", + "PolicyName": "KitchenSinkFunctionRolePolicy36", "PolicyDocument": { "Statement": [ { "Action": [ - "comprehend:BatchDetectKeyPhrases", - "comprehend:DetectDominantLanguage", - "comprehend:DetectEntities", - "comprehend:BatchDetectEntities", - "comprehend:DetectKeyPhrases", - "comprehend:DetectSentiment", - "comprehend:BatchDetectDominantLanguage", + "comprehend:BatchDetectKeyPhrases", + "comprehend:DetectDominantLanguage", + "comprehend:DetectEntities", + "comprehend:BatchDetectEntities", + "comprehend:DetectKeyPhrases", + "comprehend:DetectSentiment", + "comprehend:BatchDetectDominantLanguage", "comprehend:BatchDetectSentiment" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy37", + "PolicyName": "KitchenSinkFunctionRolePolicy37", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "secretsmanager:DescribeSecret", - "secretsmanager:GetSecretValue", - "secretsmanager:PutSecretValue", + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue", + "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" - ], + ], "Resource": { "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*" - }, + }, + "Effect": "Allow", "Condition": { "StringEquals": { "secretsmanager:resource/AllowRotationLambdaArn": { "Fn::Sub": [ - "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", + "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}", { "functionName": "function" } 
@@ -999,453 +1009,469 @@ } } } - }, + }, { - "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" - ], - "Resource": "*" + ], + "Resource": "*", + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy38", + "PolicyName": "KitchenSinkFunctionRolePolicy38", "PolicyDocument": { "Statement": [ { "Action": [ "mobileanalytics:PutEvents" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy39", + "PolicyName": "KitchenSinkFunctionRolePolicy39", "PolicyDocument": { "Statement": [ { "Action": [ - "mobiletargeting:GetEndpoint", - "mobiletargeting:UpdateEndpoint", + "mobiletargeting:GetEndpoint", + "mobiletargeting:UpdateEndpoint", "mobiletargeting:UpdateEndpointsBatch" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", + "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*", { "pinpointApplicationId": "id" } ] - } - , + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy40", + "PolicyName": "KitchenSinkFunctionRolePolicy40", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:DetectFaces", - "rekognition:DetectText", - "rekognition:DetectLabels", - "rekognition:DetectModerationLabels" - ], - "Resource": "*", + "rekognition:DetectFaces", + "rekognition:DetectLabels", + "rekognition:DetectModerationLabels", + "rekognition:DetectText" + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy41", + "PolicyName": "KitchenSinkFunctionRolePolicy41", "PolicyDocument": { "Statement": [ { "Action": [ - "rekognition:IndexFaces", - "rekognition:DeleteFaces", - "rekognition:SearchFaces", - "rekognition:SearchFacesByImage", + "rekognition:IndexFaces", + "rekognition:DeleteFaces", + "rekognition:SearchFaces", + 
"rekognition:SearchFacesByImage", "rekognition:ListFaces" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", + "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}", { "collectionId": "collection" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy42", + "PolicyName": "KitchenSinkFunctionRolePolicy42", "PolicyDocument": { "Statement": [ { "Action": [ - "eks:DescribeCluster", + "eks:DescribeCluster", "eks:ListClusters" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy43", + "PolicyName": "KitchenSinkFunctionRolePolicy43", "PolicyDocument": { - "Statement": [{ - "Effect": "Allow", - "Action": [ - "ce:GetCostAndUsage", - "ce:GetDimensionValues", - "ce:GetReservationCoverage", - "ce:GetReservationPurchaseRecommendation", - "ce:GetReservationUtilization", - "ce:GetTags" - ], - "Resource": "*" - }] + "Statement": [ + { + "Action": [ + "ce:GetCostAndUsage", + "ce:GetDimensionValues", + "ce:GetReservationCoverage", + "ce:GetReservationPurchaseRecommendation", + "ce:GetReservationUtilization", + "ce:GetTags" + ], + "Resource": "*", + "Effect": "Allow" + } + ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy44", + "PolicyName": "KitchenSinkFunctionRolePolicy44", "PolicyDocument": { "Statement": [ { "Action": [ "organizations:ListAccounts" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy45", + "PolicyName": "KitchenSinkFunctionRolePolicy45", "PolicyDocument": { "Statement": [ { "Action": [ "dynamodb:UpdateTable" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", + "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}", { "tableName": 
"name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy46", + "PolicyName": "KitchenSinkFunctionRolePolicy46", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:GetIdentityVerificationAttributes", - "ses:SendEmail", - "ses:SendRawEmail", - "ses:SendTemplatedEmail", - "ses:SendBulkTemplatedEmail", + "ses:GetIdentityVerificationAttributes", + "ses:SendEmail", + "ses:SendRawEmail", + "ses:SendTemplatedEmail", + "ses:SendBulkTemplatedEmail", "ses:VerifyEmailIdentity" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", + "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}", { "identityName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy47", + "PolicyName": "KitchenSinkFunctionRolePolicy47", "PolicyDocument": { "Statement": [ { "Action": [ - "ses:CreateTemplate", - "ses:GetTemplate", - "ses:ListTemplates", - "ses:UpdateTemplate", - "ses:DeleteTemplate", + "ses:CreateTemplate", + "ses:GetTemplate", + "ses:ListTemplates", + "ses:UpdateTemplate", + "ses:DeleteTemplate", "ses:TestRenderTemplate" - ], - "Resource": "*", + ], + "Resource": "*", "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy48", + "PolicyName": "KitchenSinkFunctionRolePolicy48", "PolicyDocument": { "Statement": [ { "Action": [ "logs:FilterLogEvents" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", + "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${logGroupName}:log-stream:*", { "logGroupName": "name" } ] - }, + }, "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy49", + "PolicyName": "KitchenSinkFunctionRolePolicy49", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ "ssm:DescribeParameters" - ], 
- "Resource": "*" - }, + ], + "Resource": "*", + "Effect": "Allow" + }, { - "Effect": "Allow", "Action": [ - "ssm:GetParameters", - "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParameter", "ssm:GetParametersByPath" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", + "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${parameterName}", { "parameterName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy50", + "PolicyName": "KitchenSinkFunctionRolePolicy50", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ "states:StartExecution" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", + "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}", { "stateMachineName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy51", + "PolicyName": "KitchenSinkFunctionRolePolicy51", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "codecommit:GitPull", - "codecommit:GitPush", - "codecommit:CreateBranch", - "codecommit:DeleteBranch", - "codecommit:GetBranch", - "codecommit:ListBranches", - "codecommit:MergeBranchesByFastForward", - "codecommit:MergeBranchesBySquash", - "codecommit:MergeBranchesByThreeWay", - "codecommit:UpdateDefaultBranch", - "codecommit:BatchDescribeMergeConflicts", - "codecommit:CreateUnreferencedMergeCommit", - "codecommit:DescribeMergeConflicts", - "codecommit:GetMergeCommit", - "codecommit:GetMergeOptions", - "codecommit:BatchGetPullRequests", - "codecommit:CreatePullRequest", - "codecommit:DescribePullRequestEvents", - "codecommit:GetCommentsForPullRequest", - "codecommit:GetCommitsFromMergeBase", - "codecommit:GetMergeConflicts", - "codecommit:GetPullRequest", - 
"codecommit:ListPullRequests", - "codecommit:MergePullRequestByFastForward", - "codecommit:MergePullRequestBySquash", - "codecommit:MergePullRequestByThreeWay", - "codecommit:PostCommentForPullRequest", - "codecommit:UpdatePullRequestDescription", - "codecommit:UpdatePullRequestStatus", - "codecommit:UpdatePullRequestTitle", - "codecommit:DeleteFile", - "codecommit:GetBlob", - "codecommit:GetFile", - "codecommit:GetFolder", - "codecommit:PutFile", - "codecommit:DeleteCommentContent", - "codecommit:GetComment", - "codecommit:GetCommentsForComparedCommit", - "codecommit:PostCommentForComparedCommit", - "codecommit:PostCommentReply", - "codecommit:UpdateComment", - "codecommit:BatchGetCommits", - "codecommit:CreateCommit", - "codecommit:GetCommit", - "codecommit:GetCommitHistory", - "codecommit:GetDifferences", - "codecommit:GetObjectIdentifier", - "codecommit:GetReferences", - "codecommit:GetTree", - "codecommit:GetRepository", - "codecommit:UpdateRepositoryDescription", - "codecommit:ListTagsForResource", - "codecommit:TagResource", - "codecommit:UntagResource", - "codecommit:GetRepositoryTriggers", - "codecommit:PutRepositoryTriggers", - "codecommit:TestRepositoryTriggers", - "codecommit:GetBranch", - "codecommit:GetCommit", - "codecommit:UploadArchive", - "codecommit:GetUploadArchiveStatus", + "codecommit:GitPull", + "codecommit:GitPush", + "codecommit:CreateBranch", + "codecommit:DeleteBranch", + "codecommit:GetBranch", + "codecommit:ListBranches", + "codecommit:MergeBranchesByFastForward", + "codecommit:MergeBranchesBySquash", + "codecommit:MergeBranchesByThreeWay", + "codecommit:UpdateDefaultBranch", + "codecommit:BatchDescribeMergeConflicts", + "codecommit:CreateUnreferencedMergeCommit", + "codecommit:DescribeMergeConflicts", + "codecommit:GetMergeCommit", + "codecommit:GetMergeOptions", + "codecommit:BatchGetPullRequests", + "codecommit:CreatePullRequest", + "codecommit:DescribePullRequestEvents", + "codecommit:GetCommentsForPullRequest", + 
"codecommit:GetCommitsFromMergeBase", + "codecommit:GetMergeConflicts", + "codecommit:GetPullRequest", + "codecommit:ListPullRequests", + "codecommit:MergePullRequestByFastForward", + "codecommit:MergePullRequestBySquash", + "codecommit:MergePullRequestByThreeWay", + "codecommit:PostCommentForPullRequest", + "codecommit:UpdatePullRequestDescription", + "codecommit:UpdatePullRequestStatus", + "codecommit:UpdatePullRequestTitle", + "codecommit:DeleteFile", + "codecommit:GetBlob", + "codecommit:GetFile", + "codecommit:GetFolder", + "codecommit:PutFile", + "codecommit:DeleteCommentContent", + "codecommit:GetComment", + "codecommit:GetCommentsForComparedCommit", + "codecommit:PostCommentForComparedCommit", + "codecommit:PostCommentReply", + "codecommit:UpdateComment", + "codecommit:BatchGetCommits", + "codecommit:CreateCommit", + "codecommit:GetCommit", + "codecommit:GetCommitHistory", + "codecommit:GetDifferences", + "codecommit:GetObjectIdentifier", + "codecommit:GetReferences", + "codecommit:GetTree", + "codecommit:GetRepository", + "codecommit:UpdateRepositoryDescription", + "codecommit:ListTagsForResource", + "codecommit:TagResource", + "codecommit:UntagResource", + "codecommit:GetRepositoryTriggers", + "codecommit:PutRepositoryTriggers", + "codecommit:TestRepositoryTriggers", + "codecommit:GetBranch", + "codecommit:GetCommit", + "codecommit:UploadArchive", + "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", + "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy52", + "PolicyName": "KitchenSinkFunctionRolePolicy52", "PolicyDocument": { "Statement": [ { - "Effect": "Allow", "Action": [ - "codecommit:GitPull", - "codecommit:GetBranch", - "codecommit:ListBranches", - 
"codecommit:BatchDescribeMergeConflicts", - "codecommit:DescribeMergeConflicts", - "codecommit:GetMergeCommit", - "codecommit:GetMergeOptions", - "codecommit:BatchGetPullRequests", - "codecommit:DescribePullRequestEvents", - "codecommit:GetCommentsForPullRequest", - "codecommit:GetCommitsFromMergeBase", - "codecommit:GetMergeConflicts", - "codecommit:GetPullRequest", - "codecommit:ListPullRequests", - "codecommit:GetBlob", - "codecommit:GetFile", - "codecommit:GetFolder", - "codecommit:GetComment", - "codecommit:GetCommentsForComparedCommit", - "codecommit:BatchGetCommits", - "codecommit:GetCommit", - "codecommit:GetCommitHistory", - "codecommit:GetDifferences", - "codecommit:GetObjectIdentifier", - "codecommit:GetReferences", - "codecommit:GetTree", - "codecommit:GetRepository", - "codecommit:ListTagsForResource", - "codecommit:GetRepositoryTriggers", - "codecommit:TestRepositoryTriggers", - "codecommit:GetBranch", - "codecommit:GetCommit", + "codecommit:GitPull", + "codecommit:GetBranch", + "codecommit:ListBranches", + "codecommit:BatchDescribeMergeConflicts", + "codecommit:DescribeMergeConflicts", + "codecommit:GetMergeCommit", + "codecommit:GetMergeOptions", + "codecommit:BatchGetPullRequests", + "codecommit:DescribePullRequestEvents", + "codecommit:GetCommentsForPullRequest", + "codecommit:GetCommitsFromMergeBase", + "codecommit:GetMergeConflicts", + "codecommit:GetPullRequest", + "codecommit:ListPullRequests", + "codecommit:GetBlob", + "codecommit:GetFile", + "codecommit:GetFolder", + "codecommit:GetComment", + "codecommit:GetCommentsForComparedCommit", + "codecommit:BatchGetCommits", + "codecommit:GetCommit", + "codecommit:GetCommitHistory", + "codecommit:GetDifferences", + "codecommit:GetObjectIdentifier", + "codecommit:GetReferences", + "codecommit:GetTree", + "codecommit:GetRepository", + "codecommit:ListTagsForResource", + "codecommit:GetRepositoryTriggers", + "codecommit:TestRepositoryTriggers", + "codecommit:GetBranch", + "codecommit:GetCommit", 
"codecommit:GetUploadArchiveStatus" - ], + ], "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", + "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${repositoryName}", { "repositoryName": "name" } ] - } + }, + "Effect": "Allow" } ] } - }, + }, { - "PolicyName": "KitchenSinkFunctionRolePolicy53", + "PolicyName": "KitchenSinkFunctionRolePolicy53", "PolicyDocument": { "Statement": [ { - "Action": "kms:Encrypt", + "Action": "kms:Encrypt", "Resource": { "Fn::Sub": [ - "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", + "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}", { "keyId": "keyId" } ] - }, + }, "Effect": "Allow" } ] } - } - ], - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow", - "Principal": { - "Service": [ - "lambda.amazonaws.com" - ] - } + }, + { + "PolicyName": "KitchenSinkFunctionRolePolicy54", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "athena:GetWorkGroup", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:StopQueryExecution", + "athena:GetQueryResults" + ], + "Resource": { + "Fn::Sub": [ + "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}", + { + "workgroupName": "name" + } + ] + }, + "Effect": "Allow" + } + ] } - ] - } + } + ], + "Tags": [ + { + "Value": "SAM", + "Key": "lambda:createdBy" + } + ] } } } -} +} \ No newline at end of file From 3bbf23b04952674138177af299ac89d8d974f764 Mon Sep 17 00:00:00 2001 
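Review bot: The expected output added as `KitchenSinkFunctionRolePolicy54` pins the single-statement, five-action form of `AthenaQueryPolicy` from PATCH 2, but PATCH 4 in the same series replaces the template with two statements (one of them `"Resource": "*"` with the catalog/workgroup-listing actions, the other with the enlarged workgroup-scoped action list), so this fixture, and presumably the `aws-cn` and `aws-us-gov` copies named in the diffstat, no longer match the template unless a later commit regenerates them. Regenerate the three `all_policy_templates.json` outputs after the template change rather than hand-editing, since the whole hunk is otherwise whitespace churn and a stale fixture here would mask a later unintended widening of the policy. The `- "AssumeRolePolicyDocument"` lines vanish from this position but the hunk does not show where they land, so I can't tell from here whether the trust policy was moved or dropped; worth a glance at the rest of the file.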
From: nheijmans Date: Sun, 27 Oct 2019 08:19:58 +0100 Subject: [PATCH 4/6] Update policy_templates.json Added the additional access needed as per referenced document https://docs.aws.amazon.com/athena/latest/ug/example-policies-workgroup.html#example1-full-access-all-wkgs excluding the deletion part which I think is a bit much for SAM --- .../policy_templates.json | 27 ++++++++++++++++--- .../input/all_policy_templates.yaml | 2 +- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json index ebd936b415..f0fd9880c0 100644 --- a/samtranslator/policy_templates_data/policy_templates.json +++ b/samtranslator/policy_templates_data/policy_templates.json @@ -1808,11 +1808,32 @@ { "Effect": "Allow", "Action": [ - "athena:GetWorkGroup", - "athena:GetQueryExecution", + "athena:ListWorkGroups", + "athena:GetExecutionEngine", + "athena:GetExecutionEngines", + "athena:GetNamespace", + "athena:GetCatalogs", + "athena:GetNamespaces", + "athena:GetTables", + "athena:GetTable" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ "athena:StartQueryExecution", + "athena:GetQueryResults", + "athena:DeleteNamedQuery", + "athena:GetNamedQuery", + "athena:ListQueryExecutions", "athena:StopQueryExecution", - "athena:GetQueryResults" + "athena:GetQueryResultsStream", + "athena:ListNamedQueries", + "athena:CreateNamedQuery", + "athena:GetQueryExecution", + "athena:BatchGetNamedQuery", + "athena:BatchGetQueryExecution" ], "Resource": { "Fn::Sub": [ diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml index b8213e5220..cab96b6b93 100644 --- a/tests/translator/input/all_policy_templates.yaml +++ b/tests/translator/input/all_policy_templates.yaml @@ -156,6 +156,6 @@ Resources: - KMSEncryptPolicy: KeyId: keyId - + - AthenaQueryPolicy: WorkGroupName: name 
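Review bot: `athena:DeleteNamedQuery` in the second statement is a destructive action that the commit message says was deliberately left out ("excluding the deletion part"), and it does not fit a template whose Description is "Gives permissions to execute Athena queries"; drop that line, and consider whether `athena:CreateNamedQuery` belongs either, since saving queries is not executing them. The new first statement with `"Resource": "*"` is unavoidable for `athena:ListWorkGroups`, but the `GetExecutionEngine(s)`/`GetNamespace(s)`/`GetCatalogs`/`GetTable(s)` actions grouped with it look like the legacy pre-Glue catalog API (inferred from the referenced example policy; confirm they are still needed), so they should be trimmed if the template is meant to be least-privilege. The template also grants no `s3:` or `glue:` access, which a query needs for the data it reads and for the workgroup's result location, and the workgroup ARN does not bound what data a query can touch — that is decided by those separate permissions; say so in the description, e.g. `"Description": "Gives permissions to execute Athena queries in a workgroup; S3 access to the data and the query result location, and Glue Data Catalog access, must be granted separately"`.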
From f29d4b341f0526a1bf5e5d6ccd7e60c9c1982318 Mon Sep 17 00:00:00 2001 From: Keeton Hodgson Date: Mon, 9 Dec 2019 15:26:49 -0800 Subject: [PATCH 5/6] Add athena:GetWorkGroup to policy https://docs.aws.amazon.com/athena/latest/ug/example-policies-workgroup.html --- samtranslator/policy_templates_data/policy_templates.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json index f0fd9880c0..87705d22f9 100644 --- a/samtranslator/policy_templates_data/policy_templates.json +++ b/samtranslator/policy_templates_data/policy_templates.json @@ -1833,7 +1833,8 @@ "athena:CreateNamedQuery", "athena:GetQueryExecution", "athena:BatchGetNamedQuery", - "athena:BatchGetQueryExecution" + "athena:BatchGetQueryExecution", + "athena:GetWorkGroup" ], "Resource": { "Fn::Sub": [ From 3bf60489ccb28fb3fde8bb87f4e0df390f3bf82c Mon Sep 17 00:00:00 2001 From: Keeton Hodgson Date: Mon, 9 Dec 2019 15:27:22 -0800 Subject: [PATCH 6/6] Fix formatting --- samtranslator/policy_templates_data/policy_templates.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json index 87705d22f9..a253a80736 100644 --- a/samtranslator/policy_templates_data/policy_templates.json +++ b/samtranslator/policy_templates_data/policy_templates.json @@ -1834,7 +1834,7 @@ "athena:GetQueryExecution", "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution", - "athena:GetWorkGroup" + "athena:GetWorkGroup" ], "Resource": { "Fn::Sub": [