Access permissions for Amazon AWS desired state templates in VMware Tanzu Guardrails

As a Cloud Operations administrator, to use the desired state templates in Tanzu Guardrails for governing the compliance policies in your Amazon AWS infrastructure, you must understand the minimum level of AWS IAM access permissions required.

The desired state templates support a number of AWS use cases, and each use case requires a specific set of IAM permissions. The information you need about AWS permissions is organized into the following sections.

  • What to do before you run the desired state templates
  • Account discovery
  • Required IAM policy for member account privileges
  • Required IAM policy for organizational minimum privileges
  • Read-only permissions for dry running and testing your policy
  • Minimum access permissions for AWS

Before you run the desired state templates

You must follow the steps for onboarding your account, including the steps for setting up the event stream.

For those steps, refer to Add an Amazon Web Services account to VMware Aria Hub.

Account discovery use case

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:ListTagsForResource",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListAccounts",
                "organizations:ListRoots",
                "organizations:DescribeOrganization"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Required IAM policy for member account permissions

The required IAM policy for member accounts is provided as a reference for all users of the desired state templates.

To use the required IAM policy for the member account, you must have:

  • Write permissions to the desired state template.
  • Read-only permissions to the desired state template if you are dry running and testing your policy.

Note

Be aware that AWS limits a policy to 6144 non-whitespace characters. As a result, the required IAM policy for member accounts appears in two parts.
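
To see how that limit is applied, here is an added example (not from the VMware documentation) that counts a policy document the way the note describes, whitespace excluded, and packs a long action list into as many AriaGuardrailsN policy parts as needed. The `<RESOURCE_SELECTION_CRITERIA>` placeholder and the Sid naming follow the policies on this page; the action list in the block is constructed.

```python
import json

# Limit quoted in the note above: AWS counts a policy's non-whitespace characters.
MANAGED_POLICY_LIMIT = 6144
RESOURCE = "<RESOURCE_SELECTION_CRITERIA>"  # placeholder used throughout this page


def policy_size(policy: dict) -> int:
    """Size of a policy the way the limit is applied: every non-whitespace character."""
    return sum(1 for ch in json.dumps(policy, indent=4) if not ch.isspace())


def build_policy(actions: list[str], part: int, resource: str = RESOURCE) -> dict:
    """One-statement Allow policy in the page's layout; Sid follows the AriaGuardrailsN scheme."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"AriaGuardrails{part}",
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": resource,
            }
        ],
    }


def split_actions(actions: list[str], limit: int = MANAGED_POLICY_LIMIT) -> list[dict]:
    """Pack an action list into as few complete policy documents as fit under the limit.

    Actions keep their order. A new part is started as soon as adding the next
    action would push the current part over the limit, so every returned
    document can be attached as-is. A single action that cannot fit on its own
    is reported rather than silently dropped.
    """
    parts: list[dict] = []
    current: list[str] = []
    for action in actions:
        if current and policy_size(build_policy(current + [action], len(parts))) > limit:
            parts.append(build_policy(current, len(parts)))
            current = []
        if policy_size(build_policy([action], len(parts))) > limit:
            raise ValueError(f"action does not fit in an empty policy: {action}")
        current.append(action)
    if current:
        parts.append(build_policy(current, len(parts)))
    return parts


if __name__ == "__main__":
    # Constructed action list, long enough to need more than one part.
    sample = [f"ec2:DescribeConstructed{i:04d}" for i in range(500)]
    for doc in split_actions(sample):
        stmt = doc["Statement"][0]
        print(stmt["Sid"], policy_size(doc), "chars,", len(stmt["Action"]), "actions")
```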

Required IAM policy for member account permissions

Member Account Required IAM Policy part 1

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "budgets:CreateBudgetAction",
                "budgets:DescribeBudgetAction",
                "budgets:ExecuteBudgetAction",
                "budgets:ModifyBudget",
                "budgets:UpdateBudgetAction",
                "budgets:ViewBudget",
                "ce:CreateAnomalyMonitor",
                "ce:CreateAnomalySubscription",
                "ce:CreateCostCategoryDefinition",
                "ce:DescribeCostCategoryDefinition",
                "ce:GetAnomalyMonitors",
                "ce:GetAnomalySubscriptions",
                "ce:GetCostCategories",
                "ce:ListCostCategoryDefinitions",
                "ce:TagResource",
                "ce:UntagResource",
                "ce:UpdateAnomalyMonitor",
                "ce:UpdateAnomalySubscription",
                "ce:UpdateCostAllocationTagsStatus",
                "ce:UpdateCostCategoryDefinition",
                "cloudtrail:UpdateTrail",
                "cloudtrail:RemoveTags",
                "cloudtrail:CreateTrail",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListTags",
                "cloudtrail:ListTrails",
                "cloudtrail:StartLogging",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListTagsForResource",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:PutMetricData",
                "cloudwatch:TagResource",
                "cloudwatch:UntagResource",
                "cloudtrail:AddTags",
                "config:DescribeConfigRules",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigurationRecorders",
                "config:DescribeDeliveryChannels",
                "config:GetComplianceDetailsByConfigRule",
                "config:ListDiscoveredResources",
                "config:ListTagsForResource",
                "config:PutAggregationAuthorization",
                "config:PutConfigRule",
                "config:PutConfigurationRecorder",
                "config:PutDeliveryChannel",
                "config:PutEvaluations",
                "config:StartConfigurationRecorder",
                "config:StopConfigurationRecorder",
                "config:TagResource",
                "config:UntagResource",
                "ec2:AttachInternetGateway",
                "ec2:CreateFleet",
                "ec2:CreateInternetGateway",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DeregisterImage",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:GetConsoleOutput",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ecs:ListClusters",
                "eks:AccessKubernetesApi",
                "eks:CreateCluster",
                "eks:CreateNodegroup",
                "eks:DescribeAddonVersions",
                "eks:DescribeCluster",
                "eks:DescribeNodegroup",
                "eks:ListAddons",
                "eks:ListClusters",
                "eks:ListFargateProfiles",
                "eks:ListIdentityProviderConfigs",
                "eks:ListNodegroups",
                "eks:UpdateNodegroupConfig",
                "events:DescribeRule",
                "events:ListRules",
                "events:ListTagsForResource",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "events:TagResource",
                "guardduty:CreateDetector",
                "guardduty:GetDetector",
                "guardduty:ListDetectors",
                "guardduty:TagResource",
                "guardduty:UpdateDetector"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Member Account Required IAM Policy part 2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:CreateAccessKey",
                "iam:CreateGroup",
                "iam:CreateInstanceProfile",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetGroup",
                "iam:GetGroupPolicy",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:GetUser",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupPolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicies",
                "iam:ListPolicyTags",
                "iam:ListRolePolicies",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:ListUsers",
                "iam:PassRole",
                "iam:PutGroupPolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:TagPolicy",
                "iam:TagRole",
                "iam:UntagPolicy",
                "iam:UntagRole",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateGroup",
                "iam:UpdateRole",
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DescribeKey",
                "kms:EnableKeyRotation",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "kms:PutKeyPolicy",
                "kms:ScheduleKeyDeletion",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:UpdateAlias",
                "kms:UpdateKeyDescription",
                "logs:DescribeLogGroups",
                "logs:ListTagsLogGroup",
                "logs:PutRetentionPolicy",
                "s3:GetReplicationConfiguration",
                "s3:PutReplicationConfiguration",
                "s3:GetBucketVersioning",
                "s3:PutBucketTagging",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:PutObjectTagging",
                "s3:PutBucketAcl",
                "s3:CreateBucket",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetLifecycleConfiguration",
                "s3:GetStorageLensConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListMultiRegionAccessPoints",
                "s3:PutBucketLogging",
                "s3:PutBucketObjectLockConfiguration",
                "s3:PutBucketOwnershipControls",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketVersioning",
                "s3:PutLifecycleConfiguration",
                "sns:CreateTopic",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListTagsForResource",
                "sns:ListTopics",
                "sns:SetTopicAttributes",
                "sns:Subscribe",
                "sns:TagResource",
                "sns:Unsubscribe",
                "sns:UntagResource",
                "sns:ListSubscriptionsByTopic",
                "sns:Publish",
                "sts:AssumeRole",
                "wafv2:AssociateWebACL",
                "wafv2:CreateIPSet",
                "wafv2:CreateWebACL",
                "wafv2:GetIPSet",
                "wafv2:GetWebACL",
                "wafv2:GetWebACLForResource",
                "wafv2:ListIPSets",
                "wafv2:ListResourcesForWebACL",
                "wafv2:ListTagsForResource",
                "wafv2:ListWebACLs",
                "wafv2:PutManagedRuleSetVersions",
                "wafv2:TagResource",
                "wafv2:UntagResource",
                "wafv2:UpdateIPSet",
                "wafv2:UpdateWebACL",
                "apigateway:SetWebACL"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Read-only privileges for dry running and testing the member account

Member Account dry run and testing mode read-only privileges

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "budgets:DescribeBudgetAction",
                "budgets:ViewBudget",
                "ce:DescribeCostCategoryDefinition",
                "ce:GetAnomalyMonitors",
                "ce:GetAnomalySubscriptions",
                "ce:GetCostCategories",
                "ce:ListCostCategoryDefinitions",
                "ce:GetRightsizingRecommendation",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListTags",
                "cloudtrail:ListTrails",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListTagsForResource",
                "config:DescribeConfigRules",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeConfigurationRecorders",
                "config:DescribeDeliveryChannels",
                "config:GetComplianceDetailsByConfigRule",
                "config:ListDiscoveredResources",
                "config:ListTagsForResource",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:GetConsoleOutput",
                "ecs:ListClusters",
                "eks:AccessKubernetesApi",
                "eks:DescribeAddonVersions",
                "eks:DescribeCluster",
                "eks:DescribeNodegroup",
                "eks:ListAddons",
                "eks:ListClusters",
                "eks:ListFargateProfiles",
                "eks:ListIdentityProviderConfigs",
                "eks:ListNodegroups",
                "events:DescribeRule",
                "events:ListRules",
                "events:ListTagsForResource",
                "events:ListTargetsByRule",
                "guardduty:GetDetector",
                "guardduty:ListDetectors",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetGroup",
                "iam:GetGroupPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:GetUser",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicies",
                "iam:ListPolicyTags",
                "iam:ListRolePolicies",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:ListUsers",
                "iam:PassRole",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "logs:DescribeLogGroups",
                "logs:ListTagsLogGroup",
                "s3:GetReplicationConfiguration",
                "s3:GetBucketVersioning",
                "s3:GetEncryptionConfiguration",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetLifecycleConfiguration",
                "s3:GetStorageLensConfiguration",
                "s3:ListAccessPoints",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListMultiRegionAccessPoints",
                "sns:GetSubscriptionAttributes",
                "sns:GetTopicAttributes",
                "sns:ListSubscriptions",
                "sns:ListTagsForResource",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sts:AssumeRole",
                "wafv2:AssociateWebACL",
                "wafv2:GetIPSet",
                "wafv2:GetWebACL",
                "wafv2:GetWebACLForResource",
                "wafv2:ListIPSets",
                "wafv2:ListResourcesForWebACL",
                "wafv2:ListTagsForResource",
                "wafv2:ListWebACLs"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}
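
A practitioner attaching the dry-run policy above usually wants to confirm that it really is read-only and that it grants nothing the full write policy does not. The following script is an added example, not part of the VMware documentation: it treats Describe, Get, List and View as the read-only verbs (an assumption of this example, matching the verbs the page's dry-run lists are built from) and reports every other action, plus any action the read-only policy grants that the write policy lacks. The two policies in the block are constructed samples; run on the page's own lists, the first check would report entries such as wafv2:AssociateWebACL and sts:AssumeRole for review.

```python
import json
import re

# Verbs that only read state. This list is an assumption of this example, chosen
# to match the verbs the dry-run policies on this page are built from; it is not
# an AWS-published classification.
READ_ONLY_VERBS = ("Describe", "Get", "List", "View")
READ_ACTION_RE = re.compile(
    r"^[a-z0-9-]+:(?:" + "|".join(READ_ONLY_VERBS) + r")[A-Za-z0-9]*$"
)


def actions_in(policy: dict) -> list[str]:
    """Flatten every Action in the policy into one ordered list.

    IAM accepts Statement as a single object or a list, and Action as a single
    string or a list; both forms are normalised here.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    actions: list[str] = []
    for stmt in statements:
        action = stmt["Action"]
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def non_read_actions(policy: dict) -> list[str]:
    """Actions whose verb is not a read-only verb, in policy order."""
    return [a for a in actions_in(policy) if not READ_ACTION_RE.match(a)]


def not_in_write_policy(read_policy: dict, write_policy: dict) -> list[str]:
    """Actions the read-only policy grants that the write policy does not.

    A dry run exercises a subset of what the real run does, so anything listed
    here is either missing from the write policy or unnecessary for dry runs.
    """
    return sorted(set(actions_in(read_policy)) - set(actions_in(write_policy)))


def review_dry_run(read_json: str, write_json: str) -> dict[str, list[str]]:
    """Parse two policy documents from JSON text and run both checks."""
    read_policy, write_policy = json.loads(read_json), json.loads(write_json)
    return {
        "non_read_actions": non_read_actions(read_policy),
        "not_in_write_policy": not_in_write_policy(read_policy, write_policy),
    }


# Constructed sample policies (not the page's full lists) in the page's layout.
SAMPLE_READ_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AriaGuardrails0", "Effect": "Allow",
         "Action": "ec2:DescribeInstances",
         "Resource": "<RESOURCE_SELECTION_CRITERIA>"},
        {"Sid": "AriaGuardrails1", "Effect": "Allow",
         "Action": ["s3:ListBucket", "ce:GetRightsizingRecommendation",
                    "wafv2:AssociateWebACL", "sts:AssumeRole"],
         "Resource": "<RESOURCE_SELECTION_CRITERIA>"},
    ],
})
SAMPLE_WRITE = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Sid": "AriaGuardrails0", "Effect": "Allow",
                  "Action": ["ec2:DescribeInstances", "ec2:RunInstances",
                             "s3:ListBucket", "wafv2:AssociateWebACL",
                             "sts:AssumeRole"],
                  "Resource": "<RESOURCE_SELECTION_CRITERIA>"},
})

if __name__ == "__main__":
    for check, found in review_dry_run(SAMPLE_READ_ONLY, SAMPLE_WRITE).items():
        print(f"{check}: {found}")
```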

Required IAM policy for organizational minimum permissions

The required IAM policy for organizational minimum privileges is provided as a reference for all users of the desired state templates.

To use the required IAM policy for the organizational minimum privileges, you must have:

  • Write permissions to the desired state template.
  • Read-only permissions to the desired state template if you are dry running and testing your policy.

Write and read-only permissions for organizational required IAM policy

Organizational write permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:AttachPolicy",
                "organizations:CreateAccount",
                "organizations:CreateOrganizationalUnit",
                "organizations:CreatePolicy",
                "organizations:DescribeAccount",
                "organizations:DescribeCreateAccountStatus",
                "organizations:DescribeEffectivePolicy",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:DetachPolicy",
                "organizations:EnablePolicyType",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListAccounts",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListRoots",
                "organizations:ListTagsForResource",
                "organizations:ListTargetsForPolicy",
                "organizations:MoveAccount",
                "organizations:RemoveAccountFromOrganization",
                "organizations:TagResource",
                "organizations:UntagResource",
                "organizations:UpdatePolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Organizational read-only permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeAccount",
                "organizations:DescribeCreateAccountStatus",
                "organizations:DescribeEffectivePolicy",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListAWSServiceAccessForOrganization",
                "organizations:ListAccounts",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListParents",
                "organizations:ListPolicies",
                "organizations:ListPoliciesForTarget",
                "organizations:ListRoots",
                "organizations:ListTagsForResource",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Access privilege matrix for minimum permissions of AWS use cases

The following table lists the minimum permission set required for each AWS use case.

Note

Prerequisite: Verify that the credentials for your account profile have this access privilege: "Action": "organizations:DescribeOrganization".

Access privileges and IAM policy code for AWS use cases

For each reference desired state template, the entries below list the prerequisites, the minimum read-only privileges, and the minimum write privileges.

Create or verify AWS Organizational Unit

Prerequisites: Desired state can only be applied from the AWS master account.

Minimum read-only privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeOrganization",
                "organizations:ListTagsForResource",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListRoots",
                "organizations:DescribeCreateAccountStatus"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Minimum write privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:CreateOrganizationalUnit",
                "organizations:ListParents",
                "organizations:ListTagsForResource",
                "organizations:ListAccounts",
                "organizations:ListRoots",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS account

Prerequisites: Desired state can only be applied from the AWS master account.

Minimum read-only privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribeOrganization",
                "organizations:ListTagsForResource",
                "organizations:DescribeAccount",
                "organizations:DescribePolicy",
                "organizations:DetachPolicy",
                "organizations:ListPoliciesForTarget",
                "organizations:ListParents",
                "organizations:ListAccounts",
                "organizations:ListTargetsForPolicy",
                "organizations:ListPolicies",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListRoots",
                "organizations:DescribeCreateAccountStatus"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Minimum write privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:CreateAccount",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS member Account baseline configuration

Minimum read-only privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:ListRoles",
                "iam:ListAttachedRolePolicies",
                "iam:ListPolicyTags",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:ListInstanceProfilesForRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:ListTags",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails2",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails3",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails4",
            "Effect": "Allow",
            "Action": [
                "guardduty:GetDetector",
                "guardduty:ListDetectors"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails5",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Minimum write privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:UpdateRole",
                "iam:ListPolicyTags",
                "iam:CreatePolicyVersion",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:UntagPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UntagRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:ListTags",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:CreateTrail",
                "cloudtrail:StartLogging",
                "cloudtrail:ListTrails",
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails2",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails3",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails4",
            "Effect": "Allow",
            "Action": [
                "guardduty:GetDetector",
                "guardduty:ListDetectors",
                "guardduty:CreateDetector",
                "guardduty:TagResource",
                "guardduty:UpdateDetector"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails5",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS Web ACL to block malicious IP set

Minimum read-only privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "wafv2:ListResourcesForWebACL",
                "wafv2:ListWebACLs",
                "wafv2:AssociateWebACL",
                "wafv2:ListTagsForResource",
                "wafv2:GetWebACLForResource",
                "wafv2:GetIPSet",
                "wafv2:ListIPSets",
                "wafv2:GetWebACL"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Minimum write privileges:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "wafv2:TagResource",
                "wafv2:ListResourcesForWebACL",
                "wafv2:PutManagedRuleSetVersions",
                "wafv2:ListWebACLs",
                "wafv2:AssociateWebACL",
                "wafv2:ListTagsForResource",
                "wafv2:GetWebACLForResource",
                "wafv2:UpdateWebACL",
                "wafv2:GetIPSet",
                "wafv2:ListIPSets",
                "wafv2:GetWebACL",
                "wafv2:CreateWebACL",
                "wafv2:CreateIPSet",
                "wafv2:UntagResource",
                "wafv2:UpdateIPSet"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify strongly recommended AWS Config Rules To apply desired state, Config service Recorder must be enabled before running this desired state template.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "config:DescribeConfigRules",
                "config:ListTagsForResource"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "config:DescribeConfigRules",
                "config:PutConfigurationRecorder",
                "config:PutConfigRule",
                "config:PutEvaluations",
                "config:PutAggregationAuthorization",
                "config:ListTagsForResource",
                "iam:PassRole",
                "config:TagResource",
                "config:UntagResource"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS SCP policies - AWS recommended elective Guardrails

The desired state can only be applied from the AWS master account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:ListPoliciesForTarget",
                "organizations:DescribeEffectivePolicy",
                "organizations:DescribePolicy",
                "organizations:ListPolicies"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:ListPoliciesForTarget",
                "organizations:DescribeEffectivePolicy",
                "organizations:TagResource",
                "organizations:UpdatePolicy",
                "organizations:EnablePolicyType",
                "organizations:AttachPolicy",
                "organizations:UntagResource",
                "organizations:DescribePolicy",
                "organizations:CreatePolicy",
                "organizations:ListPolicies"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify elective AWS Config Rules

To apply the desired state, the AWS Config configuration recorder must be enabled before running this desired state template.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "config:DescribeConfigRules",
                "config:ListDiscoveredResources",
                "config:GetComplianceDetailsByConfigRule",
                "config:ListTagsForResource"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "config:PutEvaluations",
                "config:DescribeConfigRules",
                "config:ListDiscoveredResources",
                "config:GetComplianceDetailsByConfigRule",
                "config:ListTagsForResource",
                "config:PutConfigRule"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Enables or verifies AWS GuardDuty in multiple regions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "guardduty:GetDetector",
                "guardduty:ListDetectors"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "guardduty:GetDetector",
                "guardduty:ListDetectors",
                "guardduty:CreateDetector",
                "guardduty:TagResource",
                "guardduty:UpdateDetector"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify Anomaly Monitor in AWS Cost Explorer for all AWS services

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "ce:GetAnomalyMonitors"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "ce:GetAnomalySubscriptions",
                "ce:CreateAnomalySubscription",
                "ce:GetAnomalyMonitors",
                "ce:CreateAnomalyMonitor"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS CloudWatch metric alarm to monitor and update EC2 instances

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricData",
                "cloudwatch:ListTagsForResource",
                "cloudwatch:DescribeAlarms"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:TagResource",
                "cloudwatch:PutMetricData",
                "cloudwatch:GetMetricData",
                "cloudwatch:ListTagsForResource",
                "cloudwatch:DescribeAlarms",
                "iam:CreateServiceLinkedRole",
                "cloudwatch:UntagResource"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify Anomaly Monitor in AWS Cost Explorer for a linked account

The desired state can only be applied from the AWS master account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ce:GetAnomalyMonitors"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ce:UpdateAnomalyMonitor",
                "ce:GetAnomalyMonitors",
                "ce:CreateAnomalyMonitor"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify Cost Category in AWS Cost Explorer

The desired state can only be applied from the AWS master account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ce:DescribeCostCategoryDefinition",
                "ce:GetCostCategories",
                "ce:ListCostCategoryDefinitions"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ce:DescribeCostCategoryDefinition",
                "ce:UpdateCostCategoryDefinition",
                "ce:TagResource",
                "ce:UntagResource",
                "ce:GetCostCategories",
                "ce:CreateCostCategoryDefinition",
                "ce:ListCostCategoryDefinitions"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS cost budget with notification, subscription and action

The desired state can only be applied from the AWS master account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "budgets:ViewBudget",
                "budgets:DescribeBudgetAction"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "budgets:ViewBudget",
                "budgets:ExecuteBudgetAction",
                "budgets:DescribeBudgetAction",
                "budgets:CreateBudgetAction",
                "budgets:UpdateBudgetAction",
                "budgets:ModifyBudget"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}
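The page lists a read-only (dry-run) policy and a write policy for each template. As an added example that is not VMware's code, the following Python check parses such a pair before either is attached: it reports the actions the write policy adds over the dry-run policy, flags any dry-run action whose verb is not a read verb (a dry-run role should not be able to change anything), and lists Resource values still carrying the page's `<RESOURCE_SELECTION_CRITERIA>` placeholder. The embedded documents are the GuardDuty pair and the cost-budget dry-run policy from this page; READ_PREFIXES is this check's own assumption about which IAM verb prefixes are read-only, not an AWS classification.

```python
"""Review a desired state template's IAM policy pair before granting it.

Added example, not VMware's code. READ_PREFIXES is an assumption of this
check (which verb prefixes count as read-only), not an AWS-published list.
"""
import json
import re

# Verb prefixes this check treats as read-only (assumption, see docstring).
READ_PREFIXES = ("Get", "List", "Describe", "View")
# An unreplaced placeholder as it appears on the page, e.g. <RESOURCE_SELECTION_CRITERIA>.
PLACEHOLDER = re.compile(r"^<[A-Z_]+>$")

# GuardDuty template, dry-run (read-only) policy, as listed on this page.
GUARDDUTY_DRY_RUN = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AriaGuardrails0", "Effect": "Allow",
     "Action": ["guardduty:GetDetector", "guardduty:ListDetectors"],
     "Resource": "<RESOURCE_SELECTION_CRITERIA>"},
    {"Sid": "AriaGuardrails1", "Effect": "Allow",
     "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
     "Resource": "<RESOURCE_SELECTION_CRITERIA>"}
  ]
}"""

# GuardDuty template, write policy, as listed on this page.
GUARDDUTY_WRITE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AriaGuardrails0", "Effect": "Allow",
     "Action": ["guardduty:GetDetector", "guardduty:ListDetectors",
                "guardduty:CreateDetector", "guardduty:TagResource",
                "guardduty:UpdateDetector"],
     "Resource": "<RESOURCE_SELECTION_CRITERIA>"},
    {"Sid": "AriaGuardrails1", "Effect": "Allow",
     "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
     "Resource": "<RESOURCE_SELECTION_CRITERIA>"}
  ]
}"""

# Cost budget template, dry-run policy from this page; note iam:PassRole.
BUDGET_DRY_RUN = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AriaGuardrails0", "Effect": "Allow",
     "Action": ["budgets:ViewBudget", "budgets:DescribeBudgetAction"],
     "Resource": "<RESOURCE_SELECTION_CRITERIA>"},
    {"Sid": "AriaGuardrails1", "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": "<RESOURCE_SELECTION_CRITERIA>"}
  ]
}"""


def statements(policy_json):
    """Parse a policy document and return its Allow statements as a list."""
    doc = json.loads(policy_json)  # rejects trailing commas and other syntax slips
    if doc.get("Version") != "2012-10-17":
        raise ValueError("unexpected policy Version: %r" % doc.get("Version"))
    stmts = doc["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"]


def allowed_actions(policy_json):
    """Set of every action string granted by the document's Allow statements."""
    acts = set()
    for stmt in statements(policy_json):
        action = stmt.get("Action", [])
        acts.update([action] if isinstance(action, str) else action)
    return acts


def non_read_actions(acts):
    """Actions whose verb is not a read verb (wildcards included), sorted."""
    flagged = []
    for act in acts:
        _service, _, verb = act.partition(":")
        if not verb.startswith(READ_PREFIXES):
            flagged.append(act)
    return sorted(flagged)


def write_delta(dry_run_json, write_json):
    """Actions the write policy grants beyond the dry-run policy, sorted."""
    return sorted(allowed_actions(write_json) - allowed_actions(dry_run_json))


def unresolved_resources(policy_json):
    """(Sid, Resource) pairs whose Resource is still a <PLACEHOLDER>."""
    found = []
    for stmt in statements(policy_json):
        res = stmt.get("Resource", [])
        for r in ([res] if isinstance(res, str) else res):
            if PLACEHOLDER.match(r):
                found.append((stmt.get("Sid"), r))
    return found


def review_pair(dry_run_json, write_json):
    """Summary an administrator reads before attaching either policy."""
    return {
        "dry_run_non_read": non_read_actions(allowed_actions(dry_run_json)),
        "write_adds": write_delta(dry_run_json, write_json),
        "unresolved": unresolved_resources(dry_run_json)
        + unresolved_resources(write_json),
    }


if __name__ == "__main__":
    print(json.dumps(review_pair(GUARDDUTY_DRY_RUN, GUARDDUTY_WRITE), indent=2))
    print("budget dry-run non-read:", non_read_actions(allowed_actions(BUDGET_DRY_RUN)))
```

Run against the cost-budget dry-run policy, the check flags `iam:PassRole`, which is the one action in that read-only policy an administrator should consciously scope through the Resource element.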

Create or verify Anomaly Subscription in AWS Cost Explorer

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "ce:GetAnomalySubscriptions",
                "ce:GetAnomalyMonitors"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "ce:GetAnomalySubscriptions",
                "ce:UpdateAnomalySubscription",
                "ce:CreateAnomalySubscription",
                "ce:GetAnomalyMonitors"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify IAM role for SecOps

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:ListRoles",
                "iam:ListAttachedRolePolicies",
                "iam:ListPolicyTags",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:ListInstanceProfilesForRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:UpdateRole",
                "iam:ListPolicyTags",
                "iam:CreatePolicyVersion",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:UntagPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UntagRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Secure or verify AWS S3 bucket used for AWS CloudTrail

The desired state can be applied by using an existing S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:ListAccessPoints",
                "s3:ListBucket",
                "s3:ListMultiRegionAccessPoints",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetStorageLensConfiguration",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketLocation"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:PutBucketPublicAccessBlock",
                "s3:GetBucketWebsite",
                "s3:ListAccessPoints",
                "s3:PutBucketOwnershipControls",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:ListMultiRegionAccessPoints",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetStorageLensConfiguration",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:PutBucketPolicy",
                "s3:GetBucketOwnershipControls",
                "s3:PutBucketObjectLockConfiguration",
                "s3:GetBucketLocation",
                "s3:PutBucketVersioning"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS CloudTrail and security policy on S3 bucket - Organization trail or member account

The desired state can be applied by using an existing S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:ListTags",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails2",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails3",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:ListTags",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:CreateTrail",
                "cloudtrail:StartLogging",
                "cloudtrail:ListTrails",
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails2",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails3",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify IAM role for Operator

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:ListTags",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails2",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails3",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:UpdateRole",
                "iam:ListPolicyTags",
                "iam:CreatePolicyVersion",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:UntagPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UntagRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify IAM role for ReadOnly

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:ListRoles",
                "iam:ListAttachedRolePolicies",
                "iam:ListPolicyTags",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:ListInstanceProfilesForRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:UpdateRole",
                "iam:ListPolicyTags",
                "iam:CreatePolicyVersion",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:UntagPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UntagRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify IAM role for Power user

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:ListRoles",
                "iam:ListAttachedRolePolicies",
                "iam:ListPolicyTags",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:ListInstanceProfilesForRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:UpdateRole",
                "iam:ListPolicyTags",
                "iam:CreatePolicyVersion",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:UntagPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UntagRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify IAM role with administrative access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRoles"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:UpdateRole",
                "iam:UntagRole",
                "iam:DetachRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRoles"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS SCP to deny creation of large EC2 instances in a specified organization unit

The desired state can only be applied from the AWS master account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribePolicy",
                "organizations:ListTagsForResource",
                "organizations:ListPoliciesForTarget",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribePolicy",
                "organizations:ListTagsForResource",
                "organizations:UpdatePolicy",
                "organizations:ListPoliciesForTarget",
                "organizations:CreatePolicy",
                "organizations:AttachPolicy",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify tag governance across resources in AWS accounts in an organizational unit

The desired state can only be applied from the AWS master account. Tag policies must be enabled.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribePolicy",
                "organizations:ListTagsForResource",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy",
                "organizations:ListPolicies"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribePolicy",
                "organizations:ListTagsForResource",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTargetsForPolicy",
                "organizations:ListPolicies",
                "organizations:DetachPolicy",
                "organizations:UpdatePolicy",
                "organizations:CreatePolicy",
                "organizations:AttachPolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Enable or verify strong IAM password policy in an AWS account

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
} 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:UpdateAccountPasswordPolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}  

Create or verify AWS CloudTrail - Organization trail or member account

The desired state can be applied by using an existing S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:ListTags",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails2",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails3",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:ListTags",
                "cloudtrail:GetInsightSelectors",
                "cloudtrail:GetTrail",
                "cloudtrail:CreateTrail",
                "cloudtrail:StartLogging",
                "cloudtrail:ListTrails",
                "cloudtrail:DescribeTrails"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails1",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetBucketAcl"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails2",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        },
        {
            "Sid": "AriaGuardrails3",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAWSServiceAccessForOrganization"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify AWS SCP policies - AWS recommended mandatory and strongly recommended Guardrails

The desired state can only be applied from the AWS master account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribePolicy",
                "organizations:ListTagsForResource",
                "organizations:ListPoliciesForTarget",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}      

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribePolicy",
                "organizations:UpdatePolicy",
                "organizations:ListTagsForResource",
                "organizations:ListPoliciesForTarget",
                "organizations:CreatePolicy",
                "organizations:AttachPolicy",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}     

Create or verify AWS Web ACL - Associate web ACL to an ARN

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "wafv2:ListResourcesForWebACL",
                "wafv2:ListWebACLs",
                "wafv2:AssociateWebACL",
                "wafv2:ListTagsForResource",
                "wafv2:GetWebACLForResource",
                "wafv2:GetIPSet",
                "wafv2:ListIPSets",
                "wafv2:GetWebACL"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "wafv2:ListResourcesForWebACL",
                "wafv2:ListWebACLs",
                "wafv2:AssociateWebACL",
                "wafv2:ListTagsForResource",
                "wafv2:GetWebACLForResource",
                "wafv2:GetIPSet",
                "wafv2:ListIPSets",
                "wafv2:GetWebACL",
                "wafv2:TagResource",
                "wafv2:UntagResource",
                "apigateway:SetWebACL"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Create or verify IAM role and policy setup using Logz.IO SIEM

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRoles"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:UpdateRole",
                "iam:UntagRole",
                "iam:DetachRolePolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRoles"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Enable or verify AWS Config service

Desired state can be applied by using an existing S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "s3:ListBucket",
                "iam:GetRole",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeDeliveryChannels",
                "config:DescribeConfigRules",
                "config:DescribeConfigurationRecorders",
                "config:ListTagsForResource",
                "config:StopConfigurationRecorder",
                "config:ListDiscoveredResources",
                "config:GetComplianceDetailsByConfigRule",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "kms:TagResource"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AriaGuardrails0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetBucketObjectLockConfiguration",
                "s3:ListAllMyBuckets",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketPolicy",
                "s3:CreateBucket",
                "s3:GetBucketAcl",
                "s3:ListBucket",
                "iam:GetRole",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:TagRole",
                "iam:UntagRole",
                "iam:CreateServiceLinkedRole",
                "iam:PassRole",
                "config:DescribeConfigurationRecorderStatus",
                "config:DescribeDeliveryChannels",
                "config:DescribeConfigRules",
                "config:DescribeConfigurationRecorders",
                "config:ListTagsForResource",
                "config:StopConfigurationRecorder",
                "config:PutDeliveryChannel",
                "config:PutConfigurationRecorder",
                "config:UntagResource",
                "config:TagResource",
                "config:PutConfigRule",
                "config:PutEvaluations",
                "config:ListDiscoveredResources",
                "config:GetComplianceDetailsByConfigRule",
                "config:StartConfigurationRecorder",
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DescribeKey",
                "kms:EnableKeyRotation",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "kms:PutKeyPolicy",
                "kms:ScheduleKeyDeletion",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:UpdateAlias",
                "kms:UpdateKeyDescription"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

Install or verify VMware Aria Automation for Secure Hosts minion on AWS EC2 instance

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AssociateIamInstanceProfile",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:ListAttachedRolePolicies",
                "iam:PassRole",
                "ssm:ListCommandInvocations",
                "ssm:SendCommand"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeIamInstanceProfileAssociations",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:ListAttachedRolePolicies",
                "ssm:ListCommandInvocations"
            ],
            "Resource": "<RESOURCE_SELECTION_CRITERIA>"
        }
    ]
}
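As an added example that is not part of the VMware documentation, the following Python script parses two of the policies above (the Logz.IO SIEM dry-run and write variants, embedded as constructed samples), lists the actions the write policy grants beyond the dry-run policy, and flags points to resolve before attaching: an unreplaced <RESOURCE_SELECTION_CRITERIA> placeholder, high-impact actions granted on a wildcard Resource, and duplicate actions. The HIGH_IMPACT set is this example's own choice, not a list taken from the page.

```python
import json

# Constructed sample: the Logz.IO SIEM dry-run and write policies from this page,
# with the Resource placeholder left exactly as the page shows it.
READ_ONLY_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "AriaGuardrails0", "Effect": "Allow",
  "Action": ["iam:GetRole", "iam:ListRoleTags", "iam:ListAttachedRolePolicies",
             "iam:ListInstanceProfilesForRole", "iam:ListRoles"],
  "Resource": "<RESOURCE_SELECTION_CRITERIA>"}]}"""
WRITE_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "AriaGuardrails0", "Effect": "Allow",
  "Action": ["iam:GetRole", "iam:ListRoleTags", "iam:ListAttachedRolePolicies",
             "iam:TagRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:UpdateRole",
             "iam:UntagRole", "iam:DetachRolePolicy", "iam:UpdateAssumeRolePolicy",
             "iam:ListInstanceProfilesForRole", "iam:ListRoles"],
  "Resource": "<RESOURCE_SELECTION_CRITERIA>"}]}"""
PLACEHOLDER = "<RESOURCE_SELECTION_CRITERIA>"
# Example's own list: actions that change who may assume a role or what it can do.
HIGH_IMPACT = {"iam:CreateRole", "iam:AttachRolePolicy", "iam:UpdateAssumeRolePolicy",
               "iam:PassRole", "organizations:AttachPolicy", "kms:PutKeyPolicy"}

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])

def allowed_actions(policy_json):
    """Set of actions granted by the policy's Allow statements."""
    actions = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions

def write_only_actions(read_json, write_json):
    """Actions the write policy grants beyond the dry-run policy, sorted."""
    return sorted(allowed_actions(write_json) - allowed_actions(read_json))

def review_policy(policy_json):
    """Findings to resolve before attaching: placeholder, wildcard, duplicates."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        sid, acts = stmt.get("Sid", "?"), _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if PLACEHOLDER in resources:
            findings.append(f"{sid}: Resource placeholder not replaced")
        if "*" in resources and HIGH_IMPACT & set(acts):
            findings.append(f"{sid}: high-impact actions granted on Resource '*'")
        for dup in sorted({a for a in acts if acts.count(a) > 1}):
            findings.append(f"{sid}: duplicate action {dup}")
    return findings
```

Run `write_only_actions(READ_ONLY_POLICY, WRITE_POLICY)` to see exactly which role-changing actions the write template needs beyond the dry-run set, and `review_policy` on your filled-in policy before attaching it.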

More information

For more information about the desired state templates, refer to:
