# Identity and Access Management for Amazon Config
<a name="security-iam"></a>

Amazon Identity and Access Management (IAM) is an Amazon Web Services service that helps an administrator securely control access to Amazon resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Amazon Config resources. IAM is an Amazon Web Services service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How Amazon Config works with IAM](security_iam_service-with-iam.md)
+ [Identity-based policy examples](security_iam_id-based-policy-examples.md)
+ [Amazon managed policies](security-iam-awsmanpol.md)
+ [Permissions for the IAM Role](iamrole-permissions.md)
+ [Updating the IAM Role](update-iam-role.md)
+ [Permissions for the Amazon S3 Bucket](s3-bucket-policy.md)
+ [Permissions for the KMS Key](s3-kms-key-policy.md)
+ [Permissions for the Amazon SNS Topic](sns-topic-policy.md)
+ [Troubleshooting](security_iam_troubleshoot.md)
+ [Using Service-Linked Roles](using-service-linked-roles.md)

## Audience
<a name="security_iam_audience"></a>

How you use Amazon Identity and Access Management (IAM) differs based on your role:
+ **Service user** - request permissions from your administrator if you cannot access features (see [Troubleshooting Amazon Config identity and access](security_iam_troubleshoot.md))
+ **Service administrator** - determine user access and submit permission requests (see [How Amazon Config works with IAM](security_iam_service-with-iam.md))
+ **IAM administrator** - write policies to manage access (see [Identity-based policy examples for Amazon Config](security_iam_id-based-policy-examples.md))

## Authenticating with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to Amazon using your identity credentials. You must be authenticated as the Amazon Web Services account root user, an IAM user, or by assuming an IAM role.

For programmatic access, Amazon provides an SDK and CLI to cryptographically sign requests. For more information, see [Amazon Signature Version 4 for API requests](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### Amazon Web Services account root user
<a name="security_iam_authentication-rootuser"></a>

 When you create an Amazon Web Services account, you begin with one sign-in identity called the Amazon Web Services account *root user* that has complete access to all Amazon Web Services services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### Federated identity
<a name="security_iam_authentication-federated"></a>

As a best practice, require human users to use federation with an identity provider to access Amazon Web Services services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Amazon Directory Service that accesses Amazon Web Services services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access Amazon using temporary credentials](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An [https://docs.amazonaws.cn/IAM/latest/UserGuide/id_groups.html](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_groups.html) specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an Amazon CLI or Amazon API operation. For more information, see [Methods to assume a role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies
<a name="security_iam_access-manage"></a>

You control access in Amazon by creating policies and attaching them to Amazon identities or resources. A policy defines permissions when associated with an identity or resource. Amazon evaluates these policies when a principal makes a request. Most policies are stored in Amazon as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies
<a name="security_iam_access-manage-id-based-policies"></a>

Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies
<a name="security_iam_access-manage-resource-based-policies"></a>

Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use Amazon managed policies from IAM in a resource-based policy.

### Other policy types
<a name="security_iam_access-manage-other-policies"></a>

Amazon supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in Amazon Organizations. For more information, see [Service control policies](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *Amazon Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *Amazon Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types
<a name="security_iam_access-manage-multiple-policies"></a>

When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how Amazon determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How Amazon Config works with IAM
<a name="security_iam_service-with-iam"></a>

Before you use IAM to manage access to Amazon Config, learn what IAM features are available to use with Amazon Config.






**IAM features you can use with Amazon Config**  

| IAM feature | Amazon Config support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies)  |   Yes  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies)  |   No   | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions)  |   Yes  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources)  |   Yes  | 
|  [Policy condition keys (service-specific)](#security_iam_service-with-iam-id-based-policies-conditionkeys)  |   Yes  | 
|  [ACLs](#security_iam_service-with-iam-acls)  |   No   | 
|  [ABAC (tags in policies)](#security_iam_service-with-iam-tags)  |   Yes  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds)  |   Yes  | 
|  [Forward access sessions (FAS)](#security_iam_service-with-iam-principal-permissions)  |   Yes  | 
|  [Service roles](#security_iam_service-with-iam-roles-service)  |   Yes  | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)  |   Yes  | 

To get a high-level view of how Amazon Config and other Amazon services work with most IAM features, see [Amazon services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Identity-based policies for Amazon Config
<a name="security_iam_service-with-iam-id-based-policies"></a>

**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

### Identity-based policy examples for Amazon Config
<a name="security_iam_service-with-iam-id-based-policies-examples"></a>



To view examples of Amazon Config identity-based policies, see [Identity-based policy examples for Amazon Config](security_iam_id-based-policy-examples.md).

## Resource-based policies within Amazon Config
<a name="security_iam_service-with-iam-resource-based-policies"></a>

**Supports resource-based policies:** No 

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include accounts, users, roles, federated users, or Amazon Web Services services.

To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. For more information, see [Cross account resource access in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Policy actions for Amazon Config
<a name="security_iam_service-with-iam-id-based-policies-actions"></a>

**Supports policy actions:** Yes

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.



To see a list of Amazon Config actions, see [Actions defined by Amazon Config](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions) in the *Service Authorization Reference*.

Policy actions in Amazon Config use the following prefix before the action:

```
config
```

To specify multiple actions in a single statement, separate them with commas.

```
"Action": [
      "config:action1",
      "config:action2"
         ]
```





You can specify multiple actions using wildcards (\$1). For example, to specify all actions that begin with the word `Describe`, include the following action:

```
"Action": "config:Describe*"
```

To view examples of Amazon Config identity-based policies, see [Identity-based policy examples for Amazon Config](security_iam_id-based-policy-examples.md).

## Policy resources for Amazon Config
<a name="security_iam_service-with-iam-id-based-policies-resources"></a>

**Supports policy resources:** Yes

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (\$1) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

To see a list of Amazon Config resource types and their ARNs, see [Resources defined by Amazon Config](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsconfig.html#your_service-resources-for-iam-policies) in the *Service Authorization Reference*. To learn with which actions you can specify the ARN of each resource, see [Actions defined by Amazon Config](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions).





To view examples of Amazon Config identity-based policies, see [Identity-based policy examples for Amazon Config](security_iam_id-based-policy-examples.md).

## Policy condition keys for Amazon Config
<a name="security_iam_service-with-iam-id-based-policies-conditionkeys"></a>

**Supports service-specific policy condition keys:** Yes

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all Amazon global condition keys, see [Amazon global condition context keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

To see a list of Amazon Config condition keys, see [Condition keys for Amazon Config](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsconfig.html#your_service-policy-keys) in the *Service Authorization Reference*. To learn with which actions and resources you can use a condition key, see [Actions defined by Amazon Config](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsconfig.html#your_service-actions-as-permissions).

To view examples of Amazon Config identity-based policies, see [Identity-based policy examples for Amazon Config](security_iam_id-based-policy-examples.md).

## ACLs in Amazon Config
<a name="security_iam_service-with-iam-acls"></a>

**Supports ACLs:** No 

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

## ABAC with Amazon Config
<a name="security_iam_service-with-iam-tags"></a>

**Supports ABAC (tags in policies):** Yes

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and Amazon resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.amazonaws.cn/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.

For more information about tagging Amazon Config resources, see [Tagging Your Amazon Config Resources](tagging.md).

## Using temporary credentials with Amazon Config
<a name="security_iam_service-with-iam-roles-tempcreds"></a>

**Supports temporary credentials:** Yes

Temporary credentials provide short-term access to Amazon resources and are automatically created when you use federation or switch roles. Amazon recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_temp.html) and [Amazon Web Services services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Forward access sessions for Amazon Config
<a name="security_iam_service-with-iam-principal-permissions"></a>

**Supports forward access sessions (FAS):** Yes

 Forward access sessions (FAS) use the permissions of the principal calling an Amazon Web Services service, combined with the requesting Amazon Web Services service to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_forward_access_sessions.html). 

## Service roles for Amazon Config
<a name="security_iam_service-with-iam-roles-service"></a>

**Supports service roles:** Yes

 A service role is an [IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an Amazon Web Services service](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*. 

**Warning**  
Changing the permissions for a service role might break Amazon Config functionality. Edit service roles only when Amazon Config provides guidance to do so.

## Service-linked roles for Amazon Config
<a name="security_iam_service-with-iam-roles-service-linked"></a>

**Supports service-linked roles:** Yes

 A service-linked role is a type of service role that is linked to an Amazon Web Services service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your Amazon Web Services account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles. 

For details about creating or managing Amazon Config service-linked roles, see [Using Service-Linked Roles for Amazon Config](using-service-linked-roles.md).

For details about creating or managing service-linked roles, see [Amazon services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). Find a service in the table that includes a `Yes` in the **Service-linked role** column. Choose the **Yes** link to view the service-linked role documentation for that service.

# Identity-based policy examples for Amazon Config
<a name="security_iam_id-based-policy-examples"></a>

By default, users and roles don't have permission to create or modify Amazon Config resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies.

To learn how to create an IAM identity-based policy by using these example JSON policy documents, see [Create IAM policies (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create-console.html) in the *IAM User Guide*.

For details about actions and resource types defined by Amazon Config, including the format of the ARNs for each of the resource types, see [Actions, resources, and condition keys for Amazon Config](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsconfig.html) in the *Service Authorization Reference*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Sign up for an Amazon Web Services account](#sign-up-for-aws)
+ [Secure IAM users](#secure-an-admin)
+ [Using the console](#security_iam_id-based-policy-examples-console)
+ [Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Read-only access to Amazon Config](#read-only-config-permission)
+ [Full access to Amazon Config](#full-config-permission)
+ [Controlling Access to Amazon Config Rules](#supported-resource-level-permissions)
+ [Controlling Access to Aggregated Data](#resource-level-permission)

## Policy best practices
<a name="security_iam_service-with-iam-policy-best-practices"></a>

Identity-based policies determine whether someone can create, access, or delete Amazon Config resources in your account. These actions can incur costs for your Amazon Web Services account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with Amazon managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *Amazon managed policies* that grant permissions for many common use cases. They are available in your Amazon Web Services account. We recommend that you reduce permissions further by defining Amazon customer managed policies that are specific to your use cases. For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [Amazon managed policies for job functions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [ Policies and permissions in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific Amazon Web Services service, such as Amazon CloudFormation. For more information, see [ IAM JSON policy elements: Condition](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.amazonaws.cn/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your Amazon Web Services account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [ Secure API access with MFA](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Sign up for an Amazon Web Services account
<a name="sign-up-for-aws"></a>

If you do not have an Amazon Web Services account, use the following procedure to create one.

**To sign up for Amazon Web Services**

1. Open [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choose **Sign Up**.

1. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choosing **My Account**.

## Secure IAM users
<a name="secure-an-admin"></a>

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see [Enable a virtual MFA device for an IAM user (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user) in the *IAM User Guide*.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the *IAM User Guide*: 
+ [Creating an IAM user in your Amazon Web Services account](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_create.html)
+ [Access management for Amazon resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/access.html)
+ [Example IAM identity-based policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_examples.html)

## Using the Amazon Config console
<a name="security_iam_id-based-policy-examples-console"></a>

To access the Amazon Config console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Amazon Config resources in your Amazon Web Services account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon API. Instead, allow access to only the actions that match the API operation that they're trying to perform.

To ensure that users and roles can still use the Amazon Config console, also attach the Amazon Config `AWSConfigUserAccess` Amazon managed policy to the entities. For more information, see [Adding permissions to a user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

You must give users permissions to interact with Amazon Config. For users who need full access to Amazon Config, use the [Full access to Amazon Config](https://docs.amazonaws.cn/config/latest/developerguide/security_iam_id-based-policy-examples.html#full-config-permission) managed policy.

To provide access, add permissions to your users, groups, or roles:
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Allow users to view their own permissions
<a name="security_iam_id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the Amazon CLI or Amazon API.

```
{
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws-cn:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Read-only access to Amazon Config
<a name="read-only-config-permission"></a>

The following example shows an Amazon managed policy, `AWSConfigUserAccess` that grants read-only access to Amazon Config.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "config:Get*",
        "config:Describe*",
        "config:Deliver*",
        "config:List*",
        "config:Select*",
        "tag:GetResources",
        "tag:GetTagKeys",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    }
  ]
}
```

------

In the policy statements, the `Effect` element specifies whether the actions are allowed or denied. The `Action` element lists the specific actions that the user is allowed to perform. The `Resource` element lists the Amazon resources the user is allowed to perform those actions on. For policies that control access to Amazon Config actions, the `Resource` element is always set to `*`, a wildcard that means "all resources." 

The values in the `Action` element correspond to the APIs that the services support. The actions are preceded by `config:` to indicate that they refer to Amazon Config actions. You can use the `*` wildcard character in the `Action` element, such as in the following examples:
+ `"Action": ["config:*ConfigurationRecorder"]`

  This allows all Amazon Config actions that end with "ConfigurationRecorder" (`StartConfigurationRecorder`, `StopConfigurationRecorder`).
+ `"Action": ["config:*"]`

  This allows all Amazon Config actions, but not actions for other Amazon services.
+ `"Action": ["*"]`

  This allows all Amazon actions. This permission is suitable for a user who acts as an Amazon administrator for your account.

The read-only policy doesn't grant user permission for the actions such as `StartConfigurationRecorder`, `StopConfigurationRecorder`, and `DeleteConfigurationRecorder`. Users with this policy are not allowed to start configuration recorder, stop configuration recorder, or delete configuration recorder. For the list of Amazon Config actions, see the [Amazon Config API Reference](https://docs.amazonaws.cn/config/latest/APIReference/).

## Full access to Amazon Config
<a name="full-config-permission"></a>

The following example shows a policy that grants full access to Amazon Config. It grants users the permission to perform all Amazon Config actions. It also lets users manage files in Amazon S3 buckets and manage Amazon SNS topics in the account that the user is associated with.

**Important**  
This policy grants broad permissions. Before granting full access, consider starting with a minimum set of permissions and granting additional permissions as necessary. Doing so is better practice than starting with permissions that are too lenient and then trying to tighten them later.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sns:AddPermission",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:GetTopicAttributes",
                "sns:ListPlatformApplications",
                "sns:ListTopics",
                "sns:SetTopicAttributes"
            ],
            "Resource": "*"   
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketVersioning",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws-cn:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "config.amazonaws.com",
                        "ssm.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "config:*",
                "tag:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeDocument",
                "ssm:GetDocument",
                "ssm:DescribeAutomationExecutions",
                "ssm:GetAutomationExecution",
                "ssm:ListDocuments",
                "ssm:StartAutomationExecution"
            ],
            "Resource": "*"
        }
        
    ]
}
```

------

## Supported Resource-Level Permissions for Amazon Config Rule API Actions
<a name="supported-resource-level-permissions"></a>

Resource-level permissions refers to the ability to specify which resources users are allowed to perform actions on. Amazon Config supports resource-level permissions for certain Amazon Config rule API actions. This means that for certain Amazon Config rule actions, you can control the conditions under which when users are allowed to use those actions. These conditions can be actions that must be fulfilled, or specific resources that users are allowed to use. 

The following table describes the Amazon Config rule API actions that currently support resource-level permissions. It also describes the supported resources and their ARNs for each action. When specifying an ARN, you can use the \$1 wildcard in your paths; for example, when you cannot or do not want to specify exact resource IDs. 

**Important**  
If an Amazon Config rule API action is not listed in this table, then it does not support resource-level permissions. If an Amazon Config rule action does not support resource-level permissions, you can grant users permissions to use the action, but you have to specify a \$1 for the resource element of your policy statement. 


****  

| API Action | Resources | 
| --- | --- | 
| DeleteConfigRule | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* | 
| DeleteEvaluationResults | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* | 
| DescribeComplianceByConfigRule | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* | 
| DescribeConfigRuleEvaluationStatus | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* | 
| GetComplianceDetailsByConfigRule | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* | 
| PutConfigRule | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* | 
| StartConfigRulesEvaluation | Config Rule arn:aws:config:*region:accountID*:config-rule/config-rule-*ID* | 
| PutRemediationConfigurations | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* | 
| DescribeRemediationConfigurations | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* | 
| DeleteRemediationConfiguration | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* | 
| PutRemediationExceptions | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* | 
| DescribeRemediationExceptions | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* | 
| DeleteRemediationExceptions | Remediation Configuration arn:aws:config:*region:accountId*:remediation-configuration/*config rule name/remediation configuration id* | 

For example, you want to allow read access and deny write access to specific rules to specific users.

In the first policy, you allow the Amazon Config rule read actions such as `DescribeConfigRuleEvaluationStatus` on the specified rules.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "config:StartConfigRulesEvaluation",
                "config:DescribeComplianceByConfigRule",
                "config:DescribeConfigRuleEvaluationStatus",
                "config:GetComplianceDetailsByConfigRule"
            ],
            "Resource": [
                "arn:aws-cn:config:us-east-1:123456789012:config-rule/config-rule-ID",
                "arn:aws-cn:config:us-east-1:123456789012:config-rule/config-rule-ID"
            ]
        }
    ]
}
```

------

In the second policy, you deny the Amazon Config rule write actions on the specific rule.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "config:PutConfigRule",
                "config:DeleteConfigRule",
                "config:DeleteEvaluationResults"
            ],
            "Resource": "arn:aws-cn:config:us-east-1:123456789012:config-rule/config-rule-ID"
        }
    ]
}
```

------

With resource-level permissions, you can allow read access and deny write access to perform specific actions on Amazon Config rule API actions. 

## Supported Resource-Level Permissions for Multi-Account Multi-Region Data Aggregation
<a name="resource-level-permission"></a>

You can use resource-level permissions to control a user's ability to perform specific actions on multi-account multi-region data aggregation. The following Amazon Config `Aggregator` APIs support resource level permissions:
+ [BatchGetAggregateResourceConfig](https://docs.amazonaws.cn/config/latest/APIReference/API_BatchGetAggregateResourceConfig.html)
+ [DeleteConfigurationAggregator](https://docs.amazonaws.cn/config/latest/APIReference/API_DeleteConfigurationAggregator.html)
+ [DescribeAggregateComplianceByConfigRules](https://docs.amazonaws.cn/config/latest/APIReference/API_DescribeAggregateComplianceByConfigRules.html)
+ [DescribeAggregateComplianceByConformancePacks](https://docs.amazonaws.cn/config/latest/APIReference/API_DescribeAggregateComplianceByConformancePacks.html)
+ [DescribeConfigurationAggregatorSourcesStatus](https://docs.amazonaws.cn/config/latest/APIReference/API_DescribeConfigurationAggregatorSourcesStatus.html)
+ [GetAggregateComplianceDetailsByConfigRule](https://docs.amazonaws.cn/config/latest/APIReference/API_GetAggregateComplianceDetailsByConfigRule.html)
+ [GetAggregateConfigRuleComplianceSummary](https://docs.amazonaws.cn/config/latest/APIReference/API_GetAggregateConfigRuleComplianceSummary.html)
+ [GetAggregateConformancePackComplianceSummary](https://docs.amazonaws.cn/config/latest/APIReference/API_GetAggregateConformancePackComplianceSummary.html)
+ [GetAggregateDiscoveredResourceCounts](https://docs.amazonaws.cn/config/latest/APIReference/API_GetAggregateDiscoveredResourceCounts.html)
+ [GetAggregateResourceConfig](https://docs.amazonaws.cn/config/latest/APIReference/API_GetAggregateResourceConfig.html)
+ [ListAggregateDiscoveredResources](https://docs.amazonaws.cn/config/latest/APIReference/API_ListAggregateDiscoveredResources.html)
+ [PutConfigurationAggregator](https://docs.amazonaws.cn/config/latest/APIReference/API_PutConfigurationAggregator.html)
+ [SelectAggregateResourceConfig](https://docs.amazonaws.cn/config/latest/APIReference/API_SelectAggregateResourceConfig.html)

For example, you can restrict access to resource data from specific users by creating two aggregators `AccessibleAggregator` and `InAccessibleAggregator` and attaching an IAM policy that allows access to `AccessibleAggregator` but denies access to `InAccessibleAggregator`.

**IAM Policy for AccessibleAggregator**

In this policy, you allow access to the supported aggregator actions for the Amazon Config Amazon Resource Name (ARN) that you specify. In this example, the Amazon Config ARN is `arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs`.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ConfigAllow",
            "Effect": "Allow",
            "Action": [
                "config:BatchGetAggregateResourceConfig",
                "config:DeleteConfigurationAggregator",
                "config:DescribeAggregateComplianceByConfigRules",
                "config:DescribeAggregateComplianceByConformancePacks",
                "config:DescribeConfigurationAggregatorSourcesStatus",
                "config:GetAggregateComplianceDetailsByConfigRule",
                "config:GetAggregateConfigRuleComplianceSummary",
                "config:GetAggregateConformancePackComplianceSummary",
                "config:GetAggregateDiscoveredResourceCounts",
                "config:GetAggregateResourceConfig",
                "config:ListAggregateDiscoveredResources",
                "config:PutConfigurationAggregator",
                "config:SelectAggregateResourceConfig"
            ],
            "Resource": "arn:aws-cn:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-mocpsqhs"
        }
    ]
}
```

------

**IAM Policy for InAccessibleAggregator**

In this policy, you deny access to the supported aggregator actions for the Amazon Config ARN that you specify. In this example, the Amazon Config ARN is `arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx`.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ConfigDeny",
            "Effect": "Deny",
            "Action": [
                "config:BatchGetAggregateResourceConfig",
                "config:DeleteConfigurationAggregator",
                "config:DescribeAggregateComplianceByConfigRules",
                "config:DescribeAggregateComplianceByConformancePacks",
                "config:DescribeConfigurationAggregatorSourcesStatus",
                "config:GetAggregateComplianceDetailsByConfigRule",
                "config:GetAggregateConfigRuleComplianceSummary",
                "config:GetAggregateConformancePackComplianceSummary",
                "config:GetAggregateDiscoveredResourceCounts",
                "config:GetAggregateResourceConfig",
                "config:ListAggregateDiscoveredResources",
                "config:PutConfigurationAggregator",
                "config:SelectAggregateResourceConfig"
            ],
            "Resource": "arn:aws-cn:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-pokxzldx"
        }
    ]
}
```

------

If a user of the developer group tries to perform any of these actions on the Amazon Config ARN that you specified, that user will get an access denied exception.

**Checking User Access Permissions**

To show the aggregators that you have created, run the following Amazon CLI command:

```
aws configservice describe-configuration-aggregators
```

When command has successfully completed, you will be able to see the details for all the aggregators associated with your account. In this example, those are `AccessibleAggregator` and `InAccessibleAggregator`:

```
{
    "ConfigurationAggregators": [
        {
            "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-mocpsqhs",
            "CreationTime": 1517942461.442,
            "ConfigurationAggregatorName": "AccessibleAggregator",
            "AccountAggregationSources": [
                {
                    "AllAwsRegions": true,
                    "AccountIds": [
                        "AccountID1",
                        "AccountID2",
                        "AccountID3"
                    ]
                }
            ],
            "LastUpdatedTime": 1517942461.455
        },
        {
            "ConfigurationAggregatorArn": "arn:aws:config:ap-northeast-1:AccountID:config-aggregator/config-aggregator-pokxzldx",
            "CreationTime": 1517942461.442,
            "ConfigurationAggregatorName": "InAccessibleAggregator",
            "AccountAggregationSources": [
                {
                    "AllAwsRegions": true,
                    "AccountIds": [
                        "AccountID1",
                        "AccountID2",
                        "AccountID3"
                    ]
                }
            ],
            "LastUpdatedTime": 1517942461.455
        }
    ]
}
```

**Note**  
For `account-aggregation-sources` enter a comma-separated list of Amazon account IDs for which you want to aggregate data. Wrap the account IDs in square brackets, and be sure to escape quotation marks (for example, `"[{\"AccountIds\": [\"AccountID1\",\"AccountID2\",\"AccountID3\"],\"AllAwsRegions\": true}]"`).

Attach the following IAM policy to deny access to `InAccessibleAggregator`, or the aggregator to which you want to deny access.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ConfigDeny",
            "Effect": "Deny",
            "Action": [
                "config:BatchGetAggregateResourceConfig",
                "config:DeleteConfigurationAggregator",
                "config:DescribeAggregateComplianceByConfigRules",
                "config:DescribeAggregateComplianceByConformancePacks",
                "config:DescribeConfigurationAggregatorSourcesStatus",
                "config:GetAggregateComplianceDetailsByConfigRule",
                "config:GetAggregateConfigRuleComplianceSummary",
                "config:GetAggregateConformancePackComplianceSummary",
                "config:GetAggregateDiscoveredResourceCounts",
                "config:GetAggregateResourceConfig",
                "config:ListAggregateDiscoveredResources",
                "config:PutConfigurationAggregator",
                "config:SelectAggregateResourceConfig"
            ],
            "Resource": "arn:aws-cn:config:ap-northeast-1:111122223333:config-aggregator/config-aggregator-pokxzldx"
        }
    ]
}
```

------

Next, you can confirm that the IAM policy works for restricting access to rules for a specific aggregator:

```
aws configservice get-aggregate-compliance-details-by-config-rule --configuration-aggregator-name InAccessibleAggregator --config-rule-name rule name --account-id AccountID --aws-region AwsRegion
```

The command should return an access denied exception:

```
An error occurred (AccessDeniedException) when calling the GetAggregateComplianceDetailsByConfigRule operation: User: arn:aws:iam::AccountID:user/ is not 
authorized to perform: config:GetAggregateComplianceDetailsByConfigRule on resource: arn:aws:config:AwsRegion-1:AccountID:config-aggregator/config-aggregator-pokxzldx
```







# Amazon managed policies for Amazon Config
<a name="security-iam-awsmanpol"></a>

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## Amazon managed policy: AWSConfigServiceRolePolicy
<a name="security-iam-awsmanpol-AWSConfigServiceRolePolicy"></a>

Amazon Config uses the service-linked role named **AWSServiceRoleForConfig** to call other Amazon services on your behalf. When you use the Amazon Web Services Management Console to set up Amazon Config, this SLR is automatically created by Amazon Config if you select the option to use the Amazon Config SLR instead of your own Amazon Identity and Access Management (IAM) service role.

The **AWSServiceRoleForConfig** SLR contains the managed policy `AWSConfigServiceRolePolicy`. This managed policy contains read-only and write-only permissions for Amazon Config resources and read-only permissions for resources in other services that Amazon Config supports. The policy provides comprehensive access to monitor and record configuration changes across your Amazon infrastructure, including permissions for over 100 Amazon services such as compute, storage, networking, security, analytics, and machine learning services.

The policy includes permissions for the following service categories:
+ `access-analyzer` – Allows principals to analyze access patterns and retrieve security findings.
+ `account` – Allows principals to retrieve account contact information.
+ `acm` and `acm-pca` – Allows principals to manage SSL/TLS certificates and private certificate authorities.
+ `airflow` – Allows principals to monitor managed Apache Airflow environments.
+ `amplify` and `amplifyuibuilder` – Allows principals to monitor web applications and UI components.
+ `aoss` – Allows principals to monitor OpenSearch Serverless collections and security configurations.
+ `app-integrations` – Allows principals to monitor application integration configurations.
+ `appconfig` – Allows principals to monitor application configuration deployments.
+ `appflow` – Allows principals to monitor data flow configurations between applications.
+ `application-autoscaling` and `application-signals` – Allows principals to monitor auto-scaling policies and application performance metrics.
+ `appmesh` – Allows principals to monitor service mesh configurations.
+ `apprunner` – Allows principals to monitor containerized web applications and services.
+ `appstream` – Allows principals to monitor application streaming configurations.
+ `appsync` – Allows principals to monitor GraphQL API configurations.
+ `aps` – Allows principals to monitor Prometheus monitoring configurations.
+ `apptest` – Allows principals to monitor application testing configurations.
+ `arc-zonal-shift` – Allows principals to monitor zonal shift configurations for availability.
+ `athena` – Allows principals to monitor query engine configurations and data catalogs.
+ `auditmanager` – Allows principals to monitor audit and compliance assessments.
+ `autoscaling` and `autoscaling-plans` – Allows principals to monitor auto-scaling groups and scaling plans.
+ `b2bi` – Allows principals to monitor business-to-business integration configurations.
+ `backup` and `backup-gateway` – Allows principals to monitor backup policies and gateway configurations.
+ `batch` – Allows principals to monitor batch computing environments and job queues.
+ `bcm-data-exports` – Allows principals to monitor billing and cost management data exports.
+ `bedrock` and `bedrock-agentcore` – Allows principals to monitor foundation models and AI agent configurations.
+ `billingconductor` – Allows principals to monitor billing group configurations.
+ `budgets` – Allows principals to monitor budget configurations and actions.
+ `cassandra` – Allows principals to query managed Cassandra database configurations.
+ `ce` – Allows principals to monitor cost and usage reporting configurations.
+ `cleanrooms` and `cleanrooms-ml` – Allows principals to monitor data collaboration and machine learning configurations.
+ `cloud9` – Allows principals to monitor cloud development environment configurations.
+ `cloudformation` – Allows principals to monitor infrastructure as code stack configurations.
+ `cloudfront` – Allows principals to monitor content delivery network configurations.
+ `cloudtrail` – Allows principals to monitor API logging and audit trail configurations.
+ `cloudwatch` – Allows principals to monitor metrics, alarms, and dashboard configurations.
+ `codeartifact` – Allows principals to monitor software package repository configurations.
+ `codebuild` – Allows principals to monitor build project configurations.
+ `codecommit` – Allows principals to monitor source code repository configurations.
+ `codeconnections` – Allows principals to monitor third-party source connections.
+ `codedeploy` – Allows principals to monitor application deployment configurations.
+ `codeguru-profiler` and `codeguru-reviewer` – Allows principals to monitor code analysis and profiling configurations.
+ `codepipeline` – Allows principals to monitor continuous integration and deployment pipeline configurations.
+ `codestar-connections` – Allows principals to monitor developer tool connections.
+ `cognito-identity` and `cognito-idp` – Allows principals to monitor identity and user pool configurations.
+ `comprehend` – Allows principals to monitor natural language processing configurations.
+ `config` – Allows principals to manage configuration recording and compliance monitoring.
+ `connect` – Allows principals to monitor contact center configurations.

For more information about supported resource types, see [Supported Resource Types for Amazon Config](resource-config-reference.md) and [Using Service-Linked Roles for Amazon Config](using-service-linked-roles.md).

To view more details about the policy, including the latest version of the JSON policy document, see [AWSConfigServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSConfigServiceRolePolicy.html) in the *Amazon Managed Policy Reference Guide*.

**Recommended: Use the Service-linked role**  
 It is recommended that you use the service-linked role unless you have a particular use case. A service-linked role adds all the necessary permissions for Amazon Config to run as expected. Some features such as service-linked configuration recorders require you to use the service-linked role.

## Amazon managed policy: AWS\$1ConfigRole
<a name="security-iam-awsmanpol-AWS_ConfigRole"></a>

To record your Amazon resource configurations, Amazon Config requires IAM permissions to get the configuration details about your resources. If you want to create an IAM role for Amazon Config, you can use the managed policy `AWS_ConfigRole` and attach it to your IAM role.

This IAM policy is updated each time Amazon Config adds support for an Amazon resource type. This means that Amazon Config will continue to have the required permissions to record configuration data of supported resource types as long as the **AWS\$1ConfigRole** role has this managed policy attached. The policy provides comprehensive access to monitor and record configuration changes across your Amazon infrastructure, including permissions for over 100 Amazon services such as compute, storage, networking, security, analytics, and machine learning services. For more information, see [Supported Resource Types for Amazon Config](resource-config-reference.md) and [Permissions for the IAM Role Assigned to Amazon Config](iamrole-permissions.md).

To view more details about the policy, including the latest version of the JSON policy document, see [AWS\$1ConfigRole](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWS_ConfigRole.html) in the *Amazon Managed Policy Reference Guide*.

## Amazon managed policy: AWSConfigUserAccess
<a name="security-iam-awsmanpol-AWSConfigUserAccess"></a>

This IAM policy provides access to use Amazon Config, including searching by tags on resources and reading all tags. This does not provide permission to configure Amazon Config, which requires administrative privileges.

View the policy: [AWSConfigUserAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSConfigUserAccess.html).

## Amazon managed policy: ConfigConformsServiceRolePolicy
<a name="security-iam-awsmanpol-ConfigConformsServiceRolePolicy"></a>

To deploy and manage conformance packs, Amazon Config requires IAM permissions and certain permissions from other Amazon services. These allow you to deploy and manage conformance packs with full functionality and are updated each time Amazon Config adds new functionality for conformance packs. For more information on conformance packs, see [Conformance packs](https://docs.amazonaws.cn/config/latest/developerguide/conformance-packs.html).

View the policy: [ConfigConformsServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/ConfigConformsServiceRolePolicy.html).

## Amazon managed policy: AWSConfigRulesExecutionRole
<a name="security-iam-awsmanpol-AWSConfigRulesExecutionRole"></a>

To deploy Amazon Custom Lambda Rules, Amazon Config requires IAM permissions and certain permissions from other Amazon services. These allow Amazon Lambda functions to access the Amazon Config API and the configuration snapshots that Amazon Config delivers periodically to Amazon S3. This access is required by functions that evaluate configuration changes for Amazon Custom Lambda rules and is updated each time Amazon Config adds new functionality. For more information on Amazon Custom Lambda Rules, see [Creating Amazon Config Custom Lambda Rules](https://docs.amazonaws.cn/config/latest/developerguide/evaluate-config_develop-rules_lambda-functions.html). For more information on configuration snapshots, see [Concepts \$1 Configuration Snapshot](https://docs.amazonaws.cn/config/latest/developerguide/config-concepts.html#config-snapshot). For more information on the delivery of configuration snapshots, see [Managing the Delivery Channel](https://docs.amazonaws.cn/config/latest/developerguide/manage-delivery-channel.html).

View the policy: [AWSConfigRulesExecutionRole](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSConfigRulesExecutionRole.html).

## Amazon managed policy: AWSConfigMultiAccountSetupPolicy
<a name="security-iam-awsmanpol-AWSConfigMultiAccountSetupPolicy"></a>

To centrally deploy, update, and delete Amazon Config rules and conformance packs across member accounts in an organization in Amazon Organizations, Amazon Config requires IAM permissions and certain permissions from other Amazon services. This managed policy is updated each time Amazon Config adds new functionality for multi-account setup. For more information, see [Managing Amazon Config Rules Across All Accounts in Your Organization](https://docs.amazonaws.cn/config/latest/developerguide/config-rule-multi-account-deployment.html) and [Managing Conformance Packs Across All Accounts in Your Organization](https://docs.amazonaws.cn/config/latest/developerguide/conformance-pack-organization-apis.html).

View the policy: [AWSConfigMultiAccountSetupPolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSConfigMultiAccountSetupPolicy.html).

## Amazon managed policy: AWSConfigRoleForOrganizations
<a name="security-iam-awsmanpol-AWSConfigRoleForOrganizations"></a>

To allow Amazon Config to call read-only Amazon Organizations APIs, Amazon Config requires IAM permissions and certain permissions from other Amazon services. This managed policy is updated each time Amazon Config adds new functionality for multi-account setup. For more information, see [Managing Amazon Config Rules Across All Accounts in Your Organization](https://docs.amazonaws.cn/config/latest/developerguide/config-rule-multi-account-deployment.html) and [Managing Conformance Packs Across All Accounts in Your Organization](https://docs.amazonaws.cn/config/latest/developerguide/conformance-pack-organization-apis.html).

View the policy: [AWSConfigRoleForOrganizations](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSConfigRoleForOrganizations.html).

## Amazon managed policy: AWSConfigRemediationServiceRolePolicy
<a name="security-iam-awsmanpol-AWSConfigRemediationServiceRolePolicy"></a>

To allow Amazon Config to remediate `NON_COMPLIANT` resources on your behalf, Amazon Config requires IAM permissions and certain permissions from other Amazon services. This managed policy is updated each time Amazon Config adds new functionality for remediation. For more information on remediation, see [Remediating Noncompliant Resources with Amazon Config Rules](https://docs.amazonaws.cn/config/latest/developerguide/remediation.html). For more information on the conditions that initiate the possible Amazon Config evaluation results, see [Concepts \$1 Amazon Config Rules](https://docs.amazonaws.cn/config/latest/developerguide/config-concepts.html#aws-config-rules).

View the policy: [AWSConfigRemediationServiceRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSConfigRemediationServiceRolePolicy.html).

## Amazon Config updates to Amazon managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to Amazon managed policies for Amazon Config since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Config [Document history](https://docs.amazonaws.cn/config/latest/developerguide/DocumentHistory.html) page.


| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added permissions: auditmanager:GetAssessmentFramework, auditmanager:GetControl, auditmanager:ListAssessmentFrameworks, auditmanager:ListControls, bcm-dashboards:GetDashboard, bcm-dashboards:ListDashboards, bcm-dashboards:ListTagsForResource, bedrock:GetEvaluationJob, bedrock:ListEvaluationJobs, bedrock-agentcore:GetEvaluator, bedrock-agentcore:GetOnlineEvaluationConfig, bedrock-agentcore:GetPolicyEngine, bedrock-agentcore:ListEvaluators, bedrock-agentcore:ListOnlineEvaluationConfigs, bedrock-agentcore:ListPolicyEngines, chime:DescribeAppInstance, chime:ListAppInstances, chime:ListTagsForResource, dms:ListInstanceProfiles, emr-containers:DescribeManagedEndpoint, emr-containers:ListTagsForResource, gameliftstreams:GetApplication, gameliftstreams:GetStreamGroup, gameliftstreams:ListApplications, gameliftstreams:ListStreamGroups, gameliftstreams:ListTagsForResource, globalaccelerator:DescribeAcceleratorAttributes, glue:GetCatalog, glue:GetCatalogs, glue:GetSession, glue:ListSessions, lambda:ListCapacityProviders, medialive:DescribeNode, medialive:ListNodes, mediapackagev2:GetChannelPolicy, mediapackagev2:GetOriginEndpointPolicy, outposts:GetSite, outposts:ListSites, qbusiness:GetPolicy, redshift:DescribeDataShares, rtbfabric:GetInboundExternalLink, rtbfabric:GetLink, rtbfabric:GetOutboundExternalLink, rtbfabric:GetRequesterGateway, rtbfabric:GetResponderGateway, rtbfabric:ListLinks, rtbfabric:ListRequesterGateways, rtbfabric:ListResponderGateways, rtbfabric:ListTagsForResource, s3express:GetAccessPoint, s3express:GetAccessPointPolicy, s3express:GetAccessPointScope, s3express:ListAccessPointsForDirectoryBuckets, s3express:ListTagsForResource, s3vectors:GetVectorBucket, s3vectors:GetVectorBucketPolicy, s3vectors:ListTagsForResource, s3vectors:ListVectorBuckets, sagemaker:DescribeAutoMLJobV2, sagemaker:DescribeHyperParameterTuningJob, sagemaker:DescribePartnerApp, sagemaker:ListAutoMLJobs, sagemaker:ListHyperParameterTuningJobs, sagemaker:ListPartnerApps, servicecatalog:DescribeTagOption, servicecatalog:ListTagOptions, ssm-contacts:GetRotation, ssm-contacts:ListRotations, ssm-guiconnect:GetConnectionRecordingPreferences, sso:GetPermissionsBoundaryForPermissionSet, sso:ListCustomerManagedPolicyReferencesInPermissionSet, textract:GetAdapter, textract:ListAdapters, textract:ListTagsForResource, transfer:DescribeWebApp, transfer:DescribeWebAppCustomization, transfer:ListWebApps, wisdom:GetAIGuardrail, wisdom:ListAIGuardrails.   |  This policy now supports additional permissions for recording configuration changes across numerous Amazon services.  |  March 10, 2026  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added permissions: auditmanager:GetAssessmentFramework, auditmanager:GetControl, auditmanager:ListAssessmentFrameworks, auditmanager:ListControls, bcm-dashboards:GetDashboard, bcm-dashboards:ListDashboards, bcm-dashboards:ListTagsForResource, bedrock:GetEvaluationJob, bedrock:ListEvaluationJobs, bedrock-agentcore:GetEvaluator, bedrock-agentcore:GetOnlineEvaluationConfig, bedrock-agentcore:GetPolicyEngine, bedrock-agentcore:ListEvaluators, bedrock-agentcore:ListOnlineEvaluationConfigs, bedrock-agentcore:ListPolicyEngines, chime:DescribeAppInstance, chime:ListAppInstances, chime:ListTagsForResource, dms:ListInstanceProfiles, emr-containers:DescribeManagedEndpoint, emr-containers:ListTagsForResource, gameliftstreams:GetApplication, gameliftstreams:GetStreamGroup, gameliftstreams:ListApplications, gameliftstreams:ListStreamGroups, gameliftstreams:ListTagsForResource, globalaccelerator:DescribeAcceleratorAttributes, glue:GetCatalog, glue:GetCatalogs, glue:GetSession, glue:ListSessions, lambda:ListCapacityProviders, medialive:DescribeNode, medialive:ListNodes, mediapackagev2:GetChannelPolicy, mediapackagev2:GetOriginEndpointPolicy, outposts:GetSite, outposts:ListSites, qbusiness:GetPolicy, redshift:DescribeDataShares, rtbfabric:GetInboundExternalLink, rtbfabric:GetLink, rtbfabric:GetOutboundExternalLink, rtbfabric:GetRequesterGateway, rtbfabric:GetResponderGateway, rtbfabric:ListLinks, rtbfabric:ListRequesterGateways, rtbfabric:ListResponderGateways, rtbfabric:ListTagsForResource, s3express:GetAccessPoint, s3express:GetAccessPointPolicy, s3express:GetAccessPointScope, s3express:ListAccessPointsForDirectoryBuckets, s3express:ListTagsForResource, s3vectors:GetVectorBucket, s3vectors:GetVectorBucketPolicy, s3vectors:ListTagsForResource, s3vectors:ListVectorBuckets, sagemaker:DescribeAutoMLJobV2, sagemaker:DescribeHyperParameterTuningJob, sagemaker:DescribePartnerApp, sagemaker:ListAutoMLJobs, sagemaker:ListHyperParameterTuningJobs, sagemaker:ListPartnerApps, servicecatalog:DescribeTagOption, servicecatalog:ListTagOptions, ssm-contacts:GetRotation, ssm-contacts:ListRotations, ssm-guiconnect:GetConnectionRecordingPreferences, sso:GetPermissionsBoundaryForPermissionSet, sso:ListCustomerManagedPolicyReferencesInPermissionSet, textract:GetAdapter, textract:ListAdapters, textract:ListTagsForResource, transfer:DescribeWebApp, transfer:DescribeWebAppCustomization, transfer:ListWebApps, wisdom:GetAIGuardrail, wisdom:ListAIGuardrails.   |  This policy now supports additional permissions for recording configuration changes across numerous Amazon services.  |  March 10, 2026  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Added permissions: application-autoscaling:DescribeScheduledActions, appsync:GetApiAssociation, cloudformation:DescribeStacks, cloudformation:GetStackPolicy, cloudformation:GetTemplate, cloudfront:GetKeyGroup, cloudfront:GetMonitoringSubscription, cloudfront:ListKeyGroups, connect:ListEvaluationFormVersions, cur:DescribeReportDefinitions, cur:ListTagsForResource, datazone:GetDomainUnit, datazone:GetEnvironmentAction, datazone:GetEnvironmentBlueprintConfiguration, datazone:GetEnvironmentProfile, datazone:GetGroupProfile, datazone:GetSubscriptionTarget, datazone:GetUserProfile, datazone:ListDomainUnitsForParent, datazone:ListEntityOwners, datazone:ListEnvironmentActions, datazone:ListEnvironmentBlueprintConfigurations, datazone:ListEnvironmentProfiles, datazone:ListPolicyGrants, datazone:ListProjectMemberships, datazone:ListSubscriptionTargets, datazone:SearchGroupProfiles, datazone:SearchUserProfiles, docdb-elastic:GetCluster, docdb-elastic:ListClusters, docdb-elastic:ListTagsForResource, ec2:GetRouteServerAssociations, ec2:GetRouteServerPropagations, ec2:SearchTransitGatewayRoutes, fis:ListTagsForResource, frauddetector:GetListElements, frauddetector:GetListsMetadata, guardduty:GetThreatEntitySet, guardduty:GetTrustedEntitySet, guardduty:ListThreatEntitySets, guardduty:ListTrustedEntitySets, iotfleetwise:GetCampaign, iotfleetwise:ListCampaigns, iotsitewise:DescribeComputationModel, iotsitewise:DescribeDataset, iotsitewise:ListComputationModels, iotsitewise:ListDatasets, iotwireless:GetWirelessDeviceImportTask, iotwireless:ListWirelessDeviceImportTasks, kendra:ListDataSources, logs:DescribeQueryDefinitions, logs:GetIntegration, logs:ListIntegrations, mediaconnect:ListRouterOutputs, medialive:DescribeMultiplex, medialive:DescribeSdiSource, medialive:GetCloudWatchAlarmTemplate, medialive:GetCloudWatchAlarmTemplateGroup, medialive:GetEventBridgeRuleTemplate, medialive:GetEventBridgeRuleTemplateGroup, medialive:ListCloudWatchAlarmTemplateGroups, medialive:ListCloudWatchAlarmTemplates, medialive:ListEventBridgeRuleTemplateGroups, medialive:ListEventBridgeRuleTemplates, medialive:ListSdiSources, medialive:ListSignalMaps, networkmanager:GetConnectAttachment, networkmanager:GetCoreNetwork, networkmanager:GetCoreNetworkPolicy, networkmanager:GetDirectConnectGatewayAttachment, networkmanager:GetSiteToSiteVpnAttachment, networkmanager:ListAttachments, networkmanager:ListCoreNetworks, notifications:GetEventRule, notifications:ListEventRules, notifications:ListManagedNotificationChannelAssociations, notifications:ListNotificationHubs, notifications:ListOrganizationalUnits, refactor-spaces:GetApplication, refactor-spaces:GetRoute, refactor-spaces:ListRoutes, resource-explorer-2:GetDefaultView, route53resolver:GetOutpostResolver, route53resolver:ListOutpostResolvers, securityhub:DescribeOrganizationConfiguration, securityhub:GetAggregatorV2, securityhub:GetAutomationRuleV2, securityhub:GetConfigurationPolicyAssociation, securityhub:GetFindingAggregator, securityhub:ListAggregatorsV2, securityhub:ListAutomationRulesV2, securityhub:ListConfigurationPolicyAssociations, securityhub:ListFindingAggregators, sms-voice:DescribeConfigurationSets, sms-voice:DescribeKeywords, sms-voice:DescribeProtectConfigurations, sms-voice:GetProtectConfigurationCountryRuleSet, sms-voice:ListPoolOriginationIdentities, sms-voice:ListTagsForResource, workspaces-web:GetTrustStore, workspaces-web:GetTrustStoreCertificate, workspaces-web:GetUserAccessLoggingSettings, workspaces-web:ListTagsForResource.   |  This policy now supports additional permissions for recording configuration changes across numerous Amazon services.  |  February 17, 2026  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Added permissions: application-autoscaling:DescribeScheduledActions, appsync:GetApiAssociation, cloudformation:DescribeStacks, cloudformation:GetStackPolicy, cloudformation:GetTemplate, cloudfront:GetKeyGroup, cloudfront:GetMonitoringSubscription, cloudfront:ListKeyGroups, connect:ListEvaluationFormVersions, cur:DescribeReportDefinitions, cur:ListTagsForResource, datazone:GetDomainUnit, datazone:GetEnvironmentAction, datazone:GetEnvironmentBlueprintConfiguration, datazone:GetEnvironmentProfile, datazone:GetGroupProfile, datazone:GetSubscriptionTarget, datazone:GetUserProfile, datazone:ListDomainUnitsForParent, datazone:ListEntityOwners, datazone:ListEnvironmentActions, datazone:ListEnvironmentBlueprintConfigurations, datazone:ListEnvironmentProfiles, datazone:ListPolicyGrants, datazone:ListProjectMemberships, datazone:ListSubscriptionTargets, datazone:SearchGroupProfiles, datazone:SearchUserProfiles, docdb-elastic:GetCluster, docdb-elastic:ListClusters, docdb-elastic:ListTagsForResource, ec2:GetRouteServerAssociations, ec2:GetRouteServerPropagations, ec2:SearchTransitGatewayRoutes, fis:ListTagsForResource, frauddetector:GetListElements, frauddetector:GetListsMetadata, guardduty:GetThreatEntitySet, guardduty:GetTrustedEntitySet, guardduty:ListThreatEntitySets, guardduty:ListTrustedEntitySets, iotfleetwise:GetCampaign, iotfleetwise:ListCampaigns, iotsitewise:DescribeComputationModel, iotsitewise:DescribeDataset, iotsitewise:ListComputationModels, iotsitewise:ListDatasets, iotwireless:GetWirelessDeviceImportTask, iotwireless:ListWirelessDeviceImportTasks, kendra:ListDataSources, logs:DescribeQueryDefinitions, logs:GetIntegration, logs:ListIntegrations, mediaconnect:ListRouterOutputs, medialive:DescribeMultiplex, medialive:DescribeSdiSource, medialive:GetCloudWatchAlarmTemplate, medialive:GetCloudWatchAlarmTemplateGroup, medialive:GetEventBridgeRuleTemplate, medialive:GetEventBridgeRuleTemplateGroup, medialive:ListCloudWatchAlarmTemplateGroups, medialive:ListCloudWatchAlarmTemplates, medialive:ListEventBridgeRuleTemplateGroups, medialive:ListEventBridgeRuleTemplates, medialive:ListSdiSources, medialive:ListSignalMaps, networkmanager:GetConnectAttachment, networkmanager:GetCoreNetwork, networkmanager:GetCoreNetworkPolicy, networkmanager:GetDirectConnectGatewayAttachment, networkmanager:GetSiteToSiteVpnAttachment, networkmanager:ListAttachments, networkmanager:ListCoreNetworks, notifications:GetEventRule, notifications:ListEventRules, notifications:ListManagedNotificationChannelAssociations, notifications:ListNotificationHubs, notifications:ListOrganizationalUnits, refactor-spaces:GetApplication, refactor-spaces:GetRoute, refactor-spaces:ListRoutes, resource-explorer-2:GetDefaultView, route53resolver:GetOutpostResolver, route53resolver:ListOutpostResolvers, securityhub:DescribeOrganizationConfiguration, securityhub:GetAggregatorV2, securityhub:GetAutomationRuleV2, securityhub:GetConfigurationPolicyAssociation, securityhub:GetFindingAggregator, securityhub:ListAggregatorsV2, securityhub:ListAutomationRulesV2, securityhub:ListConfigurationPolicyAssociations, securityhub:ListFindingAggregators, sms-voice:DescribeConfigurationSets, sms-voice:DescribeKeywords, sms-voice:DescribeProtectConfigurations, sms-voice:GetProtectConfigurationCountryRuleSet, sms-voice:ListPoolOriginationIdentities, sms-voice:ListTagsForResource, workspaces-web:GetTrustStore, workspaces-web:GetTrustStoreCertificate, workspaces-web:GetUserAccessLoggingSettings, workspaces-web:ListTagsForResource.   |  This policy now supports additional permissions for recording configuration changes across numerous Amazon services.  |  February 17, 2026  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Updated managed policy with comprehensive permissions for Amazon resource configuration recording across over 100 Amazon services including compute, storage, networking, security, analytics, and machine learning services.   |  This policy now provides enhanced documentation of service permissions and supports comprehensive monitoring across all Amazon services that Amazon Config supports for configuration recording.  |  January 27, 2026  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Updated managed policy with comprehensive permissions for Amazon resource configuration recording across over 100 Amazon services including compute, storage, networking, security, analytics, and machine learning services.   |  This policy now provides enhanced documentation of service permissions and supports comprehensive monitoring across all Amazon services that Amazon Config supports for configuration recording.  |  January 27, 2026  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – add "s3tables:ListTagsForResource", "s3tables:GetTableBucketMetricsConfiguration", "s3tables:GetTableBucketStorageClass"   |  This policy now supports additional permissions for S3Tables..  |  January 09, 2026  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – add "s3tables:ListTagsForResource", "s3tables:GetTableBucketMetricsConfiguration", "s3tables:GetTableBucketStorageClass"   |  This policy now supports additional permissions for S3Tables.  |  January 09, 2026  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – add "lightsail:GetActiveNames" "lightsail:GetOperations" "s3:GetBucketAbac"  |  This policy now supports additional permissions for Amazon Lightsail and Amazon Simple Storage Service (Amazon S3).  |  November 20, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – add "lightsail:GetActiveNames" "lightsail:GetOperations" "s3:GetBucketAbac"  |  This policy now supports additional permissions for Amazon Lightsail and Amazon Simple Storage Service (Amazon S3).  |  November 20, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Updated managed policy with comprehensive permissions for Amazon resource configuration recording across over 100 Amazon services including compute, storage, networking, security, analytics, and machine learning services.  |  This policy now provides enhanced documentation of service permissions and supports comprehensive monitoring across all Amazon services that Amazon Config supports for configuration recording.  |  November 11, 2025  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Updated managed policy with comprehensive permissions for Amazon resource configuration recording across multiple services including Amazon Identity and Access Management, Amazon Elastic Compute Cloud, Amazon Simple Storage Service, Amazon Lambda, Amazon Relational Database Service, and many others.  |  This policy now supports additional permissions for comprehensive Amazon resource configuration recording and monitoring across all supported Amazon services.  |  November 10, 2025  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – add "amplify:GetDomainAssociation" "amplify:ListDomainAssociations" "amplify:ListTagsForResource" "appsync:GetSourceApiAssociation" "appsync:ListSourceApiAssociations" "bedrock:GetFlow" "bedrock:ListAgentCollaborators" "bedrock:ListFlows" "bedrock:ListPrompts" "cloudTrail:GetResourcePolicy" "cloudformation:DescribePublisher" "codeartifact:DescribePackageGroup" "codeartifact:ListAllowedRepositoriesForGroup" "codeartifact:ListPackageGroups" "codepipeline:ListActionTypes" "codepipeline:ListTagsForResource" "codepipeline:ListWebhooks" "connect:DescribeTrafficDistributionGroup" "connect:ListTrafficDistributionGroups" "deadline:ListFarms" "ec2:GetTransitGatewayRouteTablePropagations" "ec2:SearchLocalGatewayRoutes" "ec2:SearchTransitGatewayMulticastGroups" "entityresolution:GetMatchingWorkflow" "entityresolution:ListMatchingWorkflows" "iotsitewise:ListAssetModelCompositeModels" "iotsitewise:ListAssetModelProperties" "iotsitewise:ListAssetProperties" "iotsitewise:ListAssociatedAssets" "ivs:ListPublicKeys" "lambda:GetProvisionedConcurrencyConfig" "lambda:GetRuntimeManagementConfig" "lambda:ListFunctionEventInvokeConfigs" "lambda:ListFunctionUrlConfigs" "pipes:DescribePipe" "pipes:ListPipes" "quicksight:DescribeRefreshSchedule" "quicksight:ListRefreshSchedules" "redshift-serverless:ListSnapshotCopyConfigurations" "redshift:GetResourcePolicy" "rolesanywhere:GetCrl" "rolesanywhere:ListCrls" "sagemaker:DescribeApp" "sagemaker:DescribeUserProfile" "sagemaker:ListApps" "sagemaker:ListModelPackages" "sagemaker:ListUserProfiles" "secretsmanager:GetResourcePolicy" "securitylake:ListSubscribers" "securitylake:ListTagsForResource" "servicecatalog:DescribeServiceAction" "servicecatalog:ListApplications" "servicecatalog:ListAssociatedResources" "shield:ListProtectionGroups" "shield:ListTagsForResource" "ssm-incidents:GetReplicationSet" "ssm-incidents:ListReplicationSets" "ssm:DescribeAssociation" "ssm:DescribePatchBaselines" "ssm:GetDefaultPatchBaseline" "ssm:GetPatchBaseline" "ssm:GetResourcePolicies" "ssm:ListAssociations" "ssm:ListResourceDataSync" "wafv2:ListLoggingConfigurations" "bedrock-agentcore:ListCodeInterpreters" "bedrock-agentcore:GetCodeInterpreter" "bedrock-agentcore:ListBrowsers" "bedrock-agentcore:GetBrowser" "bedrock-agentcore:ListAgentRuntimes" "bedrock-agentcore:GetAgentRuntime" "bedrock-agentcore:ListAgentRuntimeEndpoints" "bedrock-agentcore:GetAgentRuntimeEndpoint"  |  This policy now supports additional permissions for Amazon Amplify, Amazon AppSync, Amazon Bedrock, Amazon CloudTrail, Amazon CloudFormation, Amazon CodeArtifact, Amazon CodePipeline, Amazon Connect, Amazon Deadline Cloud, Amazon EC2, Amazon Entity Resolution, Amazon IoT SiteWise, Amazon IVS, Amazon Lambda, Amazon EventBridge, Amazon Quick, Amazon Redshift, Amazon Redshift Serverless, Amazon Identity and Access Management Roles Anywhere, Amazon SageMaker, Amazon Secrets Manager, Amazon Security Lake, Amazon Service Catalog, Amazon Shield, Amazon EC2 Systems Manager, and Amazon WAFV2.  |  October 1, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – add "amplify:GetDomainAssociation" "amplify:ListDomainAssociations" "amplify:ListTagsForResource" "appsync:GetSourceApiAssociation" "appsync:ListSourceApiAssociations" "bedrock:GetFlow" "bedrock:ListAgentCollaborators" "bedrock:ListFlows" "bedrock:ListPrompts" "cloudTrail:GetResourcePolicy" "cloudformation:DescribePublisher" "codeartifact:DescribePackageGroup" "codeartifact:ListAllowedRepositoriesForGroup" "codeartifact:ListPackageGroups" "codepipeline:ListActionTypes" "codepipeline:ListTagsForResource" "codepipeline:ListWebhooks" "connect:DescribeTrafficDistributionGroup" "connect:ListTrafficDistributionGroups" "deadline:ListFarms" "ec2:GetTransitGatewayRouteTablePropagations" "ec2:SearchLocalGatewayRoutes" "ec2:SearchTransitGatewayMulticastGroups" "entityresolution:GetMatchingWorkflow" "entityresolution:ListMatchingWorkflows" "iotsitewise:ListAssetModelCompositeModels" "iotsitewise:ListAssetModelProperties" "iotsitewise:ListAssetProperties" "iotsitewise:ListAssociatedAssets" "ivs:ListPublicKeys" "lambda:GetProvisionedConcurrencyConfig" "lambda:GetRuntimeManagementConfig" "lambda:ListFunctionEventInvokeConfigs" "lambda:ListFunctionUrlConfigs" "pipes:DescribePipe" "pipes:ListPipes" "quicksight:DescribeRefreshSchedule" "quicksight:ListRefreshSchedules" "redshift-serverless:ListSnapshotCopyConfigurations" "redshift:GetResourcePolicy" "rolesanywhere:GetCrl" "rolesanywhere:ListCrls" "sagemaker:DescribeApp" "sagemaker:DescribeUserProfile" "sagemaker:ListApps" "sagemaker:ListModelPackages" "sagemaker:ListUserProfiles" "secretsmanager:GetResourcePolicy" "securitylake:ListSubscribers" "securitylake:ListTagsForResource" "servicecatalog:DescribeServiceAction" "servicecatalog:ListApplications" "servicecatalog:ListAssociatedResources" "shield:ListProtectionGroups" "shield:ListTagsForResource" "ssm-incidents:GetReplicationSet" "ssm-incidents:ListReplicationSets" "ssm:DescribeAssociation" "ssm:DescribePatchBaselines" "ssm:GetDefaultPatchBaseline" "ssm:GetPatchBaseline" "ssm:GetResourcePolicies" "ssm:ListAssociations" "ssm:ListResourceDataSync" "wafv2:ListLoggingConfigurations" "bedrock-agentcore:ListCodeInterpreters" "bedrock-agentcore:GetCodeInterpreter" "bedrock-agentcore:ListBrowsers" "bedrock-agentcore:GetBrowser" "bedrock-agentcore:ListAgentRuntimes" "bedrock-agentcore:GetAgentRuntime" "bedrock-agentcore:ListAgentRuntimeEndpoints" "bedrock-agentcore:GetAgentRuntimeEndpoint"  |  This policy now supports additional permissions for Amazon Amplify, Amazon AppSync, Amazon Bedrock, Amazon CloudTrail, Amazon CloudFormation, Amazon CodeArtifact, Amazon CodePipeline, Amazon Connect, Amazon Deadline Cloud, Amazon EC2, Amazon Entity Resolution, Amazon IoT SiteWise, Amazon IVS, Amazon Lambda, Amazon EventBridge, Amazon Quick, Amazon Redshift, Amazon Redshift Serverless, Amazon Identity and Access Management Roles Anywhere, Amazon SageMaker, Amazon Secrets Manager, Amazon Security Lake, Amazon Service Catalog, Amazon Shield, Amazon EC2 Systems Manager, and Amazon WAFV2.  |  October 1, 2025  | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", "bedrock:GetModelInvocationLoggingConfiguration", "cloudtrail:GetEventConfiguration", "codeartifact:DescribeDomain", "codeartifact:GetDomainPermissionsPolicy", "deadline:GetFleet", "deadline:GetQueueFleetAssociation", "deadline:ListFleets", "deadline:ListQueueFleetAssociations", "deadline:ListTagsForResource", "dms:DescribeDataMigrations", "dms:ListMigrationProjects", "glue:GetDataCatalogEncryptionSettings", "kafkaconnect:DescribeCustomPlugin", "kafkaconnect:DescribeWorkerConfiguration", "kafkaconnect:ListCustomPlugins", "kafkaconnect:ListTagsForResource", "kafkaconnect:ListWorkerConfigurations", "lakeformation:DescribeLakeFormationIdentityCenterConfiguration", "medialive:DescribeMultiplexProgram", "medialive:ListMultiplexPrograms", "mediapackagev2:GetChannelGroup", "mediapackagev2:ListChannelGroups", "rds:DescribeEngineDefaultParameters", "rolesanywhere:GetProfile", "rolesanywhere:GetTrustAnchor", "rolesanywhere:ListProfiles", "rolesanywhere:ListTagsForResource", "rolesanywhere:ListTrustAnchors", "s3:GetAccessGrant", "s3:ListAccessGrants", "secretsmanager:DescribeSecret", "securitylake:ListDataLakeExceptions", "securitylake:ListDataLakes", "securitylake:ListLogSources", "servicecatalog:GetAttributeGroup", "servicecatalog:ListAttributeGroups", "servicecatalog:ListServiceActions", "servicecatalog:ListServiceActionsForProvisioningArtifact", "ses:GetTrafficPolicy", "ses:ListTagsForResource", "ses:ListTrafficPolicies", "xray:GetGroup", "xray:GetGroups", "xray:GetSamplingRules", "xray:ListResourcePolicies", "xray:ListTagsForResource"  |  This policy now supports additional permissions for Amazon ARC - Zonal Shift, Amazon Bedrock, Amazon CloudTrail, Amazon CodeArtifact, Amazon Deadline Cloud, Amazon Database Migration Service, Amazon Glue, Amazon Identity and Access Management, Amazon Managed Streaming for Apache Kafka, Amazon Lake Formation, Amazon CloudWatch Logs, AWS Elemental MediaLive, AWS Elemental MediaPackage, Amazon Relational Database Service, Amazon Simple Storage Service, Amazon Secrets Manager, Amazon Security Lake, Amazon Service Catalog, Amazon Simple Email Service, and Amazon X-Ray.  |  July 28, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add  "arc-zonal-shift:GetAutoshiftObserverNotificationStatus", "bedrock:GetModelInvocationLoggingConfiguration", "cloudtrail:GetEventConfiguration", "codeartifact:DescribeDomain", "codeartifact:GetDomainPermissionsPolicy", "deadline:GetFleet", "deadline:GetQueueFleetAssociation", "deadline:ListFleets", "deadline:ListQueueFleetAssociations", "deadline:ListTagsForResource", "dms:DescribeDataMigrations", "dms:ListMigrationProjects", "glue:GetDataCatalogEncryptionSettings", "iam:ListPolicies", "kafkaconnect:DescribeCustomPlugin", "kafkaconnect:DescribeWorkerConfiguration", "kafkaconnect:ListCustomPlugins", "kafkaconnect:ListTagsForResource", "kafkaconnect:ListWorkerConfigurations", "lakeformation:DescribeLakeFormationIdentityCenterConfiguration", "logs:DescribeIndexPolicies", "logs:ListTagsForResource", "medialive:DescribeMultiplexProgram", "medialive:ListMultiplexPrograms", "mediapackagev2:GetChannelGroup", "mediapackagev2:ListChannelGroups", "rds:DescribeEngineDefaultParameters", "rolesanywhere:GetProfile", "rolesanywhere:GetTrustAnchor", "rolesanywhere:ListProfiles", "rolesanywhere:ListTagsForResource", "rolesanywhere:ListTrustAnchors", "s3:GetAccessGrant", "s3:ListAccessGrants", "secretsmanager:DescribeSecret", "securitylake:ListDataLakeExceptions", "securitylake:ListDataLakes", "securitylake:ListLogSources", "servicecatalog:GetAttributeGroup", "servicecatalog:ListAttributeGroups", "servicecatalog:ListServiceActions", "servicecatalog:ListServiceActionsForProvisioningArtifact", "ses:GetTrafficPolicy", "ses:ListTagsForResource", "ses:ListTrafficPolicies", "xray:GetGroup", "xray:GetGroups", "xray:GetSamplingRules", "xray:ListResourcePolicies", "xray:ListTagsForResource", "arn:aws:apigateway:::/account", "arn:aws:apigateway:::/usageplans", "arn:aws:apigateway:::/usageplans/".  |  This policy now supports additional permissions for Amazon ARC - Zonal Shift, Amazon Bedrock, Amazon CloudTrail, Amazon CodeArtifact, Amazon Deadline Cloud, Amazon Database Migration Service, Amazon Glue, Amazon Identity and Access Management, Amazon Managed Streaming for Apache Kafka, Amazon Lake Formation, Amazon CloudWatch Logs, AWS Elemental MediaLive, AWS Elemental MediaPackage, Amazon Relational Database Service, Amazon Simple Storage Service, Amazon Secrets Manager, Amazon Security Lake, Amazon Service Catalog, Amazon Simple Email Service, Amazon X-Ray, and Amazon API Gateway.  |  July 28, 2025  | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "backup-gateway:GetHypervisor", "backup-gateway:ListHypervisors", "bcm-data-exports:GetExport", "bcm-data-exports:ListExports", "bcm-data-exports:ListTagsForResource", "bedrock:GetAgent", "bedrock:GetAgentActionGroup", "bedrock:GetAgentKnowledgeBase", "bedrock:GetDataSource", "bedrock:GetFlowAlias", "bedrock:GetFlowVersion", "bedrock:ListAgentActionGroups", "bedrock:ListAgentKnowledgeBases", "bedrock:ListDataSources", "bedrock:ListFlowAliases", "bedrock:ListFlowVersions", "cloudformation:BatchDescribeTypeConfigurations", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSet", "cloudformation:ListStackInstances", "cloudformation:ListStackSets", "cloudfront:GetPublicKey", "cloudfront:GetRealtimeLogConfig", "cloudfront:ListPublicKeys", "cloudfront:ListRealtimeLogConfigs", "entityresolution:GetIdMappingWorkflow", "entityresolution:GetSchemaMapping", "entityresolution:ListIdMappingWorkflows", "entityresolution:ListSchemaMappings", "entityresolution:ListTagsForResource", "iotdeviceadvisor:GetSuiteDefinition", "iotdeviceadvisor:ListSuiteDefinitions", "lambda:GetEventSourceMapping", "lambda:ListEventSourceMappings", "mediapackagev2:GetChannel", "mediapackagev2:ListChannels", "networkmanager:GetTransitGatewayPeering", "networkmanager:ListPeerings", "pca-connector-ad:GetDirectoryRegistration", "pca-connector-ad:ListDirectoryRegistrations", "pca-connector-ad:ListTagsForResource", "rds:DescribeDBShardGroups", "rds:DescribeIntegrations", "redshift:DescribeIntegrations", "s3tables:GetTableBucket", "s3tables:GetTableBucketEncryption", "s3tables:GetTableBucketMaintenanceConfiguration", "s3tables:ListTableBuckets", "ssm-quicksetup:GetConfigurationManager", "ssm-quicksetup:ListConfigurationManagers"  |  This policy now supports additional permissions for Amazon Backup gateway, Amazon Billing and Cost Management, Amazon Bedrock, Amazon CloudFormation, Amazon CloudFront, Amazon Entity Resolution, Amazon IoT Core Device Advisor, Amazon Lambda, Amazon Network Manager, Amazon Private Certificate Authority, Amazon Relational Database Service, Amazon Redshift, Amazon S3 Tables, Amazon Systems Manager Quick Setup.  | June 18, 2025 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "backup-gateway:GetHypervisor", "backup-gateway:ListHypervisors", "bcm-data-exports:GetExport", "bcm-data-exports:ListExports", "bcm-data-exports:ListTagsForResource", "bedrock:GetAgent", "bedrock:GetAgentActionGroup", "bedrock:GetAgentKnowledgeBase", "bedrock:GetDataSource", "bedrock:GetFlowAlias", "bedrock:GetFlowVersion", "bedrock:ListAgentActionGroups", "bedrock:ListAgentKnowledgeBases", "bedrock:ListDataSources", "bedrock:ListFlowAliases", "bedrock:ListFlowVersions", "cloudformation:BatchDescribeTypeConfigurations", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSet", "cloudformation:ListStackInstances", "cloudformation:ListStackSets", "cloudfront:GetPublicKey", "cloudfront:GetRealtimeLogConfig", "cloudfront:ListPublicKeys", "cloudfront:ListRealtimeLogConfigs", "entityresolution:GetIdMappingWorkflow", "entityresolution:GetSchemaMapping", "entityresolution:ListIdMappingWorkflows", "entityresolution:ListSchemaMappings", "entityresolution:ListTagsForResource", "iotdeviceadvisor:GetSuiteDefinition", "iotdeviceadvisor:ListSuiteDefinitions", "lambda:GetEventSourceMapping", "lambda:ListEventSourceMappings", "networkmanager:GetTransitGatewayPeering", "networkmanager:ListPeerings", "pca-connector-ad:GetDirectoryRegistration", "pca-connector-ad:ListDirectoryRegistrations", "pca-connector-ad:ListTagsForResource", "rds:DescribeDBShardGroups", "rds:DescribeIntegrations", "redshift:DescribeIntegrations", "s3tables:GetTableBucket", "s3tables:GetTableBucketEncryption", "s3tables:GetTableBucketMaintenanceConfiguration", "s3tables:ListTableBuckets", "ssm-quicksetup:GetConfigurationManager", "ssm-quicksetup:ListConfigurationManagers" |  This policy now supports additional permissions for Amazon Backup gateway, Amazon Billing and Cost Management, Amazon Bedrock, Amazon CloudFormation, Amazon CloudFront, Amazon Entity Resolution, Amazon IoT Core Device Advisor, Amazon Lambda, Amazon Network Manager, Amazon Private Certificate Authority, Amazon Relational Database Service, Amazon Redshift, Amazon S3 Tables, Amazon Systems Manager Quick Setup.  | June 18, 2025 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "bedrock:GetGuardrail", "bedrock:GetInferenceProfile", "bedrock:GetKnowledgeBase", "bedrock:ListGuardrails", "bedrock:ListInferenceProfiles", "bedrock:ListKnowledgeBases", "bedrock:ListTagsForResource"   |  This policy now supports additional permissions for Amazon Bedrock.  | May 27, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "bedrock:GetGuardrail", "bedrock:GetInferenceProfile", "bedrock:GetKnowledgeBase", "bedrock:ListGuardrails", "bedrock:ListInferenceProfiles", "bedrock:ListKnowledgeBases", "bedrock:ListTagsForResource"   |  This policy now supports additional permissions for Amazon Bedrock.  | May 27, 2025 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "b2bi:GetPartnership", "b2bi:GetProfile", "b2bi:ListPartnerships", "b2bi:ListProfiles", "bedrock:ListAgents", "cleanrooms:GetConfiguredTable", "cleanrooms:GetConfiguredTableAnalysisRule", "cleanrooms:GetMembership", "cleanrooms:GetPrivacyBudgetTemplate", "cleanrooms:ListConfiguredTables", "cleanrooms:ListMemberships", "cleanrooms:ListPrivacyBudgetTemplates", "codeconnections:GetConnection", "codeconnections:ListConnections", "codeconnections:ListTagsForResource", "directconnect:DescribeConnections", "dms:DescribeReplicationConfigs", "logs:DescribeAccountPolicies", "logs:DescribeResourcePolicies", "macie2:ListAutomatedDiscoveryAccounts", "managedblockchain:GetAccessor", "managedblockchain:ListAccessors", "qbusiness:GetApplication", "qbusiness:ListApplications", "qbusiness:ListTagsForResource", "route53profiles:GetProfile", "route53profiles:GetProfileAssociation", "route53profiles:ListProfileAssociations", "route53profiles:ListProfiles", "route53profiles:ListTagsForResource", "s3:GetAccessGrantsInstance", "s3:GetAccessGrantsLocation", "s3:ListAccessGrantsInstances", "s3:ListAccessGrantsLocations", "sagemaker:DescribeCluster", "sagemaker:DescribeMlflowTrackingServer", "sagemaker:DescribeStudioLifecycleConfig", "sagemaker:ListClusters", "sagemaker:ListMlflowTrackingServers", "sagemaker:ListStudioLifecycleConfigs", "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards", "ssm-contacts:GetContact", "ssm-contacts:GetContactChannel", "ssm-contacts:ListContactChannels", "ssm-contacts:ListContacts", "ssm-incidents:GetResponsePlan", "ssm-incidents:ListResponsePlans", "ssm-incidents:ListTagsForResource", "ssm:DescribeInstanceInformation"   |  This policy now supports additional permissions for Amazon B2B Data Interchange, Amazon Bedrock, Amazon Clean Rooms, Amazon CodeConnections, Amazon Direct Connect, Amazon Database Migration Service (Amazon DMS), Amazon CloudWatch Logs, Amazon Macie, Amazon Managed Blockchain, Amazon Q Business, Route 53 Profiles, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, Amazon Security Hub CSPM, and Amazon Systems Manager Incident Manager, Amazon Systems Manager Incident Manager Contacts, and Amazon Systems Manager.  | April 08, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "b2bi:GetPartnership", "b2bi:GetProfile", "b2bi:ListPartnerships", "b2bi:ListProfiles", "bedrock:ListAgents", "cleanrooms:GetConfiguredTable", "cleanrooms:GetConfiguredTableAnalysisRule", "cleanrooms:GetMembership", "cleanrooms:GetPrivacyBudgetTemplate", "cleanrooms:ListConfiguredTables", "cleanrooms:ListMemberships", "cleanrooms:ListPrivacyBudgetTemplates", "codeconnections:GetConnection", "codeconnections:ListConnections", "codeconnections:ListTagsForResource", "directconnect:DescribeConnections", "dms:DescribeReplicationConfigs", "logs:DescribeAccountPolicies", "logs:DescribeResourcePolicies", "macie2:ListAutomatedDiscoveryAccounts", "managedblockchain:GetAccessor", "managedblockchain:ListAccessors", "qbusiness:GetApplication", "qbusiness:ListApplications", "qbusiness:ListTagsForResource", "route53profiles:GetProfile", "route53profiles:GetProfileAssociation", "route53profiles:ListProfileAssociations", "route53profiles:ListProfiles", "route53profiles:ListTagsForResource", "s3:GetAccessGrantsInstance", "s3:GetAccessGrantsLocation", "s3:ListAccessGrantsInstances", "s3:ListAccessGrantsLocations", "sagemaker:DescribeCluster", "sagemaker:DescribeMlflowTrackingServer", "sagemaker:DescribeStudioLifecycleConfig", "sagemaker:ListClusters", "sagemaker:ListMlflowTrackingServers", "sagemaker:ListStudioLifecycleConfigs", "securityhub:DescribeStandardsControls", "securityhub:GetEnabledStandards", "ssm-contacts:GetContact", "ssm-contacts:GetContactChannel", "ssm-contacts:ListContactChannels", "ssm-contacts:ListContacts", "ssm-incidents:GetResponsePlan", "ssm-incidents:ListResponsePlans", "ssm-incidents:ListTagsForResource", "ssm:DescribeInstanceInformation"   |  This policy now supports additional permissions for Amazon B2B Data Interchange, Amazon Bedrock, Amazon Clean Rooms, Amazon CodeConnections, Amazon Direct Connect, Amazon Database Migration Service (Amazon DMS), Amazon CloudWatch Logs, Amazon Macie, Amazon Managed Blockchain, Amazon Q Business, Route 53 Profiles, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, Amazon Security Hub CSPM, and Amazon Systems Manager Incident Manager, Amazon Systems Manager Incident Manager Contacts, and Amazon Systems Manager. This policy also now supports permission to access all Amazon API Gateway domain names by including the resource pattern "`arn:aws:apigateway:::/domainnames/`".  | April 08, 2025 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "ec2:GetAllowedImagesSettings"   |  This policy now supports additional permissions for Amazon Elastic Compute Cloud (Amazon EC2).  | March 4, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "ec2:GetAllowedImagesSettings"   |  This policy now supports additional permissions for Amazon Elastic Compute Cloud (Amazon EC2).  | March 4, 2025 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "cleanrooms-ml:GetTrainingDataset", "cleanrooms-ml:ListTrainingDatasets", "comprehend:DescribeFlywheel", "comprehend:ListFlywheels", "comprehend:ListTagsForResource", "ec2:GetSnapshotBlockPublicAccessState", "omics:GetAnnotationStore", "omics:GetRunGroup", "omics:GetSequenceStore", "omics:GetVariantStore", "omics:ListAnnotationStores", "omics:ListRunGroups", "omics:ListSequenceStores", "omics:ListTagsForResource", "omics:ListVariantStores", "s3express:GetEncryptionConfiguration", "s3express:GetLifecycleConfiguration", "ses:GetDedicatedIpPool", "ses:GetDedicatedIps", and "ses:ListDedicatedIpPools"   |  This policy now supports additional permissions for Amazon Clean Rooms, Amazon Comprehend, Amazon Elastic Compute Cloud (Amazon EC2), Amazon HealthOmics, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Email Service (Amazon SES).  | January 16, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "cleanrooms-ml:GetTrainingDataset", "cleanrooms-ml:ListTrainingDatasets", "comprehend:DescribeFlywheel", "comprehend:ListFlywheels", "comprehend:ListTagsForResource", "ec2:GetSnapshotBlockPublicAccessState", "omics:GetAnnotationStore", "omics:GetRunGroup", "omics:GetSequenceStore", "omics:GetVariantStore", "omics:ListAnnotationStores", "omics:ListRunGroups", "omics:ListSequenceStores", "omics:ListTagsForResource", "omics:ListVariantStores", "s3express:GetEncryptionConfiguration", "s3express:GetLifecycleConfiguration", "ses:GetDedicatedIpPool", "ses:GetDedicatedIps", and "ses:ListDedicatedIpPools"   |  This policy now supports additional permissions for Amazon Clean Rooms, Amazon Comprehend, Amazon Elastic Compute Cloud (Amazon EC2), Amazon HealthOmics, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Email Service (Amazon SES).  | January 16, 2025 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "organizations:ListAWSServiceAccessForOrganization"   |  This policy now supports additional permissions for Amazon Organizations.  | December 18, 2024 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "app-integrations:GetApplication", "app-integrations:ListApplications", "app-integrations:ListTagsForResource", "appconfig:GetExtension", "appconfig:ListExtensions", "cloudtrail:GetInsightSelectors", "connect:DescribeQueue", "connect:DescribeRoutingProfile", "connect:DescribeSecurityProfile", "connect:ListQueueQuickConnects", "connect:ListQueues", "connect:ListRoutingProfileQueues", "connect:ListRoutingProfiles", "connect:ListSecurityProfileApplications", "connect:ListSecurityProfilePermissions", "connect:ListSecurityProfiles", "datazone:GetDomain", "datazone:ListDomains", "devops-guru:ListNotificationChannels", "glue:GetRegistry", "glue:ListRegistries", "identitystore:DescribeGroup", "identitystore:DescribeGroupMembership" "identitystore:ListGroupMemberships", "identitystore:ListGroups", "iot:DescribeThingGroup", "iot:DescribeThingType", "iot:ListThingGroups", "iot:ListThingTypes", "iotfleetwise:GetDecoderManifest", "iotfleetwise:GetFleet", "iotfleetwise:GetModelManifest", "iotfleetwise:GetSignalCatalog", "iotfleetwise:GetVehicle", "iotfleetwise:ListDecoderManifestNetworkInterfaces", "iotfleetwise:ListDecoderManifests", "iotfleetwise:ListDecoderManifestSignals", "iotfleetwise:ListFleets", "iotfleetwise:ListModelManifestNodes", "iotfleetwise:ListModelManifests", "iotfleetwise:ListSignalCatalogNodes", "iotfleetwise:ListSignalCatalogs", "iotfleetwise:ListTagsForResource", "iotfleetwise:ListVehicles", "iotwireless:GetDestination", "iotwireless:GetDeviceProfile", "iotwireless:GetWirelessGateway", "iotwireless:ListDestinations", "iotwireless:ListDeviceProfiles", "iotwireless:ListWirelessGateways", "ivschat:GetLoggingConfiguration", "ivschat:GetRoom" "ivschat:ListLoggingConfigurations", "ivschat:ListRooms", "ivschat:ListTagsForResource", "logs:GetLogAnomalyDetector", "logs:ListLogAnomalyDetectors", "oam:GetSink" "oam:GetSinkPolicy", "oam:ListSinks", "payment-cryptography:GetAlias", "payment-cryptography:GetKey", "payment-cryptography:ListAliases", "payment-cryptography:ListKeys", "payment-cryptography:ListTagsForResource", "rds:DescribeDBProxyTargetGroups", "rds:DescribeDBProxyTargets", "rekognition:DescribeProjects", "s3:GetStorageLensGroup", "s3:ListStorageLensGroups", "s3:ListTagsForResource", "scheduler:GetScheduleGroup", "scheduler:ListScheduleGroups", "scheduler:ListTagsForResource", "ssm:GetServiceSetting", "vpc-lattice:GetAccessLogSubscription", "vpc-lattice:GetService", "vpc-lattice:GetServiceNetwork", "vpc-lattice:GetTargetGroup", "vpc-lattice:ListAccessLogSubscriptions", "vpc-lattice:ListServiceNetworks", "vpc-lattice:ListServices", "vpc-lattice:ListTagsForResource", "vpc-lattice:ListTargetGroups", and "vpc-lattice:ListTargets"    |  This policy now supports additional permissions for Amazon AppConfig, Amazon CloudTrail, Amazon Connect, Amazon DataZone, Amazon DevOps Guru, Amazon Glue, Identity Store, Amazon IoT, Amazon IoT FleetWise, Amazon IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, Amazon Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, Amazon Systems Manager, and Amazon VPC Lattice.  | November 7, 2024 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "app-integrations:GetApplication", "app-integrations:ListApplications", "app-integrations:ListTagsForResource", "appconfig:GetExtension", "appconfig:ListExtensions", "cloudtrail:GetInsightSelectors", "connect:DescribeQueue", "connect:DescribeRoutingProfile", "connect:DescribeSecurityProfile", "connect:ListQueueQuickConnects", "connect:ListQueues", "connect:ListRoutingProfileQueues", "connect:ListRoutingProfiles", "connect:ListSecurityProfileApplications", "connect:ListSecurityProfilePermissions", "connect:ListSecurityProfiles", "datazone:GetDomain", "datazone:ListDomains", "devops-guru:ListNotificationChannels", "glue:GetRegistry", "glue:ListRegistries", "identitystore:DescribeGroup", "identitystore:DescribeGroupMembership" "identitystore:ListGroupMemberships", "identitystore:ListGroups", "iot:DescribeThingGroup", "iot:DescribeThingType", "iot:ListThingGroups", "iot:ListThingTypes", "iotfleetwise:GetDecoderManifest", "iotfleetwise:GetFleet", "iotfleetwise:GetModelManifest", "iotfleetwise:GetSignalCatalog", "iotfleetwise:GetVehicle", "iotfleetwise:ListDecoderManifestNetworkInterfaces", "iotfleetwise:ListDecoderManifests", "iotfleetwise:ListDecoderManifestSignals", "iotfleetwise:ListFleets", "iotfleetwise:ListModelManifestNodes", "iotfleetwise:ListModelManifests", "iotfleetwise:ListSignalCatalogNodes", "iotfleetwise:ListSignalCatalogs", "iotfleetwise:ListTagsForResource", "iotfleetwise:ListVehicles", "iotwireless:GetDestination", "iotwireless:GetDeviceProfile", "iotwireless:GetWirelessGateway", "iotwireless:ListDestinations", "iotwireless:ListDeviceProfiles", "iotwireless:ListWirelessGateways", "ivschat:GetLoggingConfiguration", "ivschat:GetRoom" "ivschat:ListLoggingConfigurations", "ivschat:ListRooms", "ivschat:ListTagsForResource", "logs:GetLogAnomalyDetector", "logs:ListLogAnomalyDetectors", "oam:GetSink" "oam:GetSinkPolicy", "oam:ListSinks", "payment-cryptography:GetAlias", "payment-cryptography:GetKey", "payment-cryptography:ListAliases", "payment-cryptography:ListKeys", "payment-cryptography:ListTagsForResource", "rds:DescribeDBProxyTargetGroups", "rds:DescribeDBProxyTargets", "rekognition:DescribeProjects", "s3:GetStorageLensGroup", "s3:ListStorageLensGroups", "s3:ListTagsForResource", "scheduler:GetScheduleGroup", "scheduler:ListScheduleGroups", "scheduler:ListTagsForResource", "ssm:GetServiceSetting", "vpc-lattice:GetAccessLogSubscription", "vpc-lattice:GetService", "vpc-lattice:GetServiceNetwork", "vpc-lattice:GetTargetGroup", "vpc-lattice:ListAccessLogSubscriptions", "vpc-lattice:ListServiceNetworks", "vpc-lattice:ListServices", "vpc-lattice:ListTagsForResource", "vpc-lattice:ListTargetGroups", and "vpc-lattice:ListTargets"    |  This policy now supports additional permissions for Amazon AppConfig, Amazon CloudTrail, Amazon Connect, Amazon DataZone, Amazon DevOps Guru, Amazon Glue, Identity Store, Amazon IoT, Amazon IoT FleetWise, Amazon IoT Wireless, Amazon Interactive Video Service (Amazon IVS), Amazon CloudWatch Logs, Amazon CloudWatch Observability Access Manager, Amazon Payment Cryptography, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon Simple Storage Service (Amazon S3), Amazon EventBridge Scheduler, Amazon Systems Manager, and Amazon VPC Lattice.  | November 7, 2024 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "aoss:BatchGetCollection," "aoss:BatchGetLifecyclePolicy," "aoss:BatchGetVpcEndpoint," "aoss:GetAccessPolicy," "aoss:GetSecurityConfig," "aoss:GetSecurityPolicy," "aoss:ListAccessPolicies," "aoss:ListCollections," "aoss:ListLifecyclePolicies," "aoss:ListSecurityConfigs," "aoss:ListSecurityPolicies," "aoss:ListVpcEndpoints," "appstream:DescribeAppBlockBuilders," "backup:GetRestoreTestingPlan," "backup:GetRestoreTestingSelection", "backup:ListRestoreTestingPlans," "backup:ListRestoreTestingSelections," "cloudTrail:GetChannel, "cloudTrail:ListChannels," "glue:GetTrigger," "glue:ListTriggers, "imagebuilder:GetLifecyclePolicy," "imagebuilder:ListLifecyclePolicies," "iot:DescribeBillingGroup," "iot:ListBillingGroups," "ivs:GetEncoderConfiguration," "ivs:GetPlaybackRestrictionPolicy," "ivs:GetStage," "ivs:GetStorageConfiguration," "ivs:ListEncoderConfigurations," "ivs:ListPlaybackRestrictionPolicies," "ivs:ListStages," "ivs:ListStorageConfigurations," "mediaconnect:DescribeBridge", "mediaconnect:DescribeGatewa," "mediaconnect:ListBridges," "mediaconnect:ListGateways", "mediatailor:DescribeChannel," "mediatailor:DescribeLiveSource," "mediatailor:DescribeSourceLocation," "mediatailor:DescribeVodSource", "mediatailor:ListChannels," "mediatailor:ListLiveSources", "mediatailor:ListSourceLocations," "mediatailor:ListVodSources," "omics:GetWorkflow," "omics:ListWorkflows," "scheduler:GetSchedule," and "scheduler:ListSchedules"    |  This policy now supports additional permissions for Amazon OpenSearch Service Severless, Amazon AppStream, Amazon Backup, Amazon CloudTrail, Amazon Glue, EC2 Image Builder, Amazon IoT, Amazon Interactive Video Service (Amazon IVS), AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon HealthOmics, and Amazon EventBridge Scheduler.  | September 16, 2024 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "aoss:BatchGetCollection," "aoss:BatchGetLifecyclePolicy," "aoss:BatchGetVpcEndpoint," "aoss:GetAccessPolicy," "aoss:GetSecurityConfig," "aoss:GetSecurityPolicy," "aoss:ListAccessPolicies," "aoss:ListCollections," "aoss:ListLifecyclePolicies," "aoss:ListSecurityConfigs," "aoss:ListSecurityPolicies," "aoss:ListVpcEndpoints," "appstream:DescribeAppBlockBuilders," "backup:GetRestoreTestingPlan," "backup:GetRestoreTestingSelection", "backup:ListRestoreTestingPlans," "backup:ListRestoreTestingSelections," "cloudTrail:GetChannel, "cloudTrail:ListChannels," "glue:GetTrigger," "glue:ListTriggers, "imagebuilder:GetLifecyclePolicy," "imagebuilder:ListLifecyclePolicies," "iot:DescribeBillingGroup," "iot:ListBillingGroups," "ivs:GetEncoderConfiguration," "ivs:GetPlaybackRestrictionPolicy," "ivs:GetStage," "ivs:GetStorageConfiguration," "ivs:ListEncoderConfigurations," "ivs:ListPlaybackRestrictionPolicies," "ivs:ListStages," "ivs:ListStorageConfigurations," "mediaconnect:DescribeBridge", "mediaconnect:DescribeGatewa," "mediaconnect:ListBridges," "mediaconnect:ListGateways", "mediatailor:DescribeChannel," "mediatailor:DescribeLiveSource," "mediatailor:DescribeSourceLocation," "mediatailor:DescribeVodSource", "mediatailor:ListChannels," "mediatailor:ListLiveSources", "mediatailor:ListSourceLocations," "mediatailor:ListVodSources," "omics:GetWorkflow," "omics:ListWorkflows," "scheduler:GetSchedule," and "scheduler:ListSchedules"    |  This policy now supports additional permissions for Amazon OpenSearch Service Severless, Amazon AppStream, Amazon Backup, Amazon CloudTrail, Amazon Glue, EC2 Image Builder, Amazon IoT, Amazon Interactive Video Service (Amazon IVS), AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon HealthOmics, and Amazon EventBridge Scheduler.  | September 16, 2024 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add "elasticfilesystem:DescribeTags," "redshift:DescribeTags," and "ssm-sap:ListTagsForResource"    |  This policy now supports additional permissions for Amazon Elastic File System (Amazon EFS), Amazon Redshift and Amazon Systems Manager for SAP.  | June 17, 2024 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "elasticfilesystem:DescribeTags," "redshift:DescribeTags," and "ssm-sap:ListTagsForResource"    |  This policy now supports additional permissions for Amazon Elastic File System (Amazon EFS), Amazon Redshift and Amazon Systems Manager for SAP.  | June 17, 2024 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add  "aps:DescribeAlertManagerDefinition," "cloudwatch:DescribeAlarmsForMetric," "cognito-identity:DescribeIdentityPool, "cognito-identity:GetPrincipalTagAttributeMap," "elasticache:DescribeCacheSecurityGroups," "elasticache:DescribeUserGroups," "elasticache:DescribeUsers," "elasticache:DescribeGlobalReplicationGroups," "fsx:DescribeDataRepositoryAssociations," "glue:GetDatabase," "glue:GetDatabases," "iam:ListUsers," "lambda:GetLayerVersion," "lambda:ListLayers," "lambda:ListLayerVersions," "ram:GetPermission," "ram:ListPermissionAssociations," "ram:ListPermissions," "ram:ListPermissionVersions," "redshift-serverless:GetNamespace," "redshift-serverless:GetWorkgroup," "redshift-serverless:ListNamespaces," "redshift-serverless:ListTagsForResource," "redshift-serverless:ListWorkgroups," "sagemaker:DescribeInferenceExperiment," "sagemaker:ListInferenceExperiments," and "sns:GetSMSSandboxAccountStatus"   |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon Cognito, Amazon ElastiCache, Amazon FSx, Amazon Glue, Amazon Identity and Access Management (IAM), Amazon Lambda, Amazon RAM, Amazon Redshift Serverless, Amazon SageMaker AI, and Amazon Simple Notification Service (Amazon SNS).  | February 22, 2024 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add  "aps:DescribeAlertManagerDefinition," "cloudwatch:DescribeAlarmsForMetric," "cognito-identity:DescribeIdentityPool, "cognito-identity:GetPrincipalTagAttributeMap," "elasticache:DescribeCacheSecurityGroups," "elasticache:DescribeUserGroups," "elasticache:DescribeUsers," "elasticache:DescribeGlobalReplicationGroups," "fsx:DescribeDataRepositoryAssociations," "glue:GetDatabase," "glue:GetDatabases," "iam:ListUsers," "lambda:GetLayerVersion," "lambda:ListLayers," "lambda:ListLayerVersions," "ram:GetPermission," "ram:ListPermissionAssociations," "ram:ListPermissions," "ram:ListPermissionVersions," "redshift-serverless:GetNamespace," "redshift-serverless:GetWorkgroup," "redshift-serverless:ListNamespaces," "redshift-serverless:ListTagsForResource," "redshift-serverless:ListWorkgroups," "sagemaker:DescribeInferenceExperiment," "sagemaker:ListInferenceExperiments," and "sns:GetSMSSandboxAccountStatus"   |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon CloudWatch, Amazon Cognito, Amazon ElastiCache, Amazon FSx, Amazon Glue, Amazon Identity and Access Management (IAM), Amazon Lambda, Amazon RAM, Amazon Redshift Serverless, Amazon SageMaker AI, and Amazon Simple Notification Service (Amazon SNS).  | February 22, 2024 | 
|  [AWSConfigUserAccess](#security-iam-awsmanpol-AWSConfigUserAccess) – Amazon Config starts tracking changes for this Amazon managed policy  |  This policy provides access to use Amazon Config, including searching by tags on resources and reading all tags. This does not provide permission to configure Amazon Config, which requires administrative privileges.  | February 22, 2024 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add  "appconfig:GetExtensionAssociation," "appconfig:ListExtensionAssociations," "aps:DescribeLoggingConfiguration," "dms:DescribeReplicationTaskAssessmentRuns," "iam:GetOpenIDConnectProvider," "iam:ListOpenIDConnectProviders," "kafka:DescribeVpcConnection," "kafka:GetClusterPolicy," "kafka:ListVpcConnections," "logs:DescribeMetricFilters," "organizations:ListDelegatedAdministrators," "s3:GetBucketPolicyStatus," "s3express:GetBucketPolicy," and "s3express:ListAllMyDirectoryBuckets"   |  This policy now supports additional permissions for Amazon AppConfig, Amazon Managed Service for Prometheus, Amazon Database Migration Service (Amazon DMS), (Amazon Identity and Access Management) IAM, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon CloudWatch Logs, Amazon Organizations, and Amazon Simple Storage Service (Amazon S3).  | Decemeber 5, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add  "appconfig:GetExtensionAssociation," "appconfig:ListExtensionAssociations," "aps:DescribeLoggingConfiguration," "dms:DescribeReplicationTaskAssessmentRuns," "iam:GetOpenIDConnectProvider," "iam:ListOpenIDConnectProviders," "kafka:DescribeVpcConnection," "kafka:GetClusterPolicy," "kafka:ListVpcConnections," "logs:DescribeMetricFilters," "organizations:ListDelegatedAdministrators," "s3:GetBucketPolicyStatus," "s3express:GetBucketPolicy," and "s3express:ListAllMyDirectoryBuckets"   |  This policy now supports additional permissions for Amazon AppConfig, Amazon Managed Service for Prometheus, Amazon Database Migration Service (Amazon DMS), (Amazon Identity and Access Management) IAM, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon CloudWatch Logs, Amazon Organizations, and Amazon Simple Storage Service (Amazon S3).  | December 5, 2023 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add  "backup:DescribeProtectedResource," "cognito-identity:GetIdentityPoolRoles," "cognito-identity:ListIdentityPools," "cognito-identity:ListTagsForResource," "cognito-idp:DescribeIdentityProvider," "cognito-idp:DescribeResourceServer," "cognito-idp:DescribeUserPool," "cognito-idp:DescribeUserPoolClient," "cognito-idp:DescribeUserPoolDomain," "cognito-idp:GetGroup," "cognito-idp:GetUserPoolMfaConfig," "cognito-idp:ListGroups," "cognito-idp:ListIdentityProviders," "cognito-idp:ListResourceServers," "cognito-idp:ListUserPoolClients," "cognito-idp:ListUserPools," "cognito-idp:ListTagsForResource," "connect:DescribeEvaluationForm," "connect:DescribeInstanceStorageConfig," "connect:DescribePrompt," "connect:DescribeRule," "connect:DescribeUser," "connect:GetTaskTemplate," "connect:ListApprovedOrigins," "connect:ListEvaluationForms," "connect:ListInstanceStorageConfigs," "connect:ListIntegrationAssociations," "connect:ListPrompts," "connect:ListRules," "connect:ListSecurityKeys," "connect:ListTagsForResource," "connect:ListTaskTemplates," "connect:ListUsers," "emr-containers:DescribeVirtualCluster," "emr-containers:ListVirtualClusters," "emr-serverless:GetApplication," "emr-serverless:ListApplications," "groundstation:GetDataflowEndpointGroup," "groundstation:ListDataflowEndpointGroups," "m2:GetEnvironment," "m2:ListEnvironments," "m2:ListTagsForResource," "memorydb:DescribeAcls," "memorydb:DescribeClusters," "memorydb:DescribeParameterGroups," "memorydb:DescribeParameters," "memorydb:DescribeSubnetGroups," "organizations:ListRoots," "quicksight:DescribeAccountSubscription," "quicksight:DescribeDataSetRefreshProperties," "rds:DescribeEngineDefaultClusterParameters," "redshift:DescribeEndpointAccess," "redshift:DescribeEndpointAuthorization," "route53:GetChange," "route53:ListCidrBlocks," "route53:ListCidrLocations," "serviceCatalog:DescribePortfolioShares," "transfer:DescribeProfile," and "transfer:ListProfiles"   |  This policy now supports additional permissions for Amazon Cognito, Amazon Connect, Amazon EMR, Amazon Ground Station, Amazon Mainframe Modernization, Amazon MemoryDB, Amazon Organizations, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, Amazon Service Catalog, and Amazon Transfer Family.  | November 17, 2023 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add  "Sid": "AWSConfigServiceRolePolicyStatementID," "Sid": "AWSConfigSLRLogStatementID," "Sid": "AWSConfigSLRLogEventStatementID," and "Sid": "AWSConfigSLRApiGatewayStatementID"   |  This policy now adds security identifiers (SID) for `AWSConfigServiceRolePolicyStatementID`, `AWSConfigSLRLogStatementID`, `AWSConfigSLRLogEventStatementID`, and `AWSConfigSLRApiGatewayStatementID`.  | November 17, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add  "backup:DescribeProtectedResource," "cognito-identity:GetIdentityPoolRoles," "cognito-identity:ListIdentityPools," "cognito-identity:ListTagsForResource," "cognito-idp:DescribeIdentityProvider," "cognito-idp:DescribeResourceServer," "cognito-idp:DescribeUserPool," "cognito-idp:DescribeUserPoolClient," "cognito-idp:DescribeUserPoolDomain," "cognito-idp:GetGroup," "cognito-idp:GetUserPoolMfaConfig," "cognito-idp:ListGroups," "cognito-idp:ListIdentityProviders," "cognito-idp:ListResourceServers," "cognito-idp:ListUserPoolClients," "cognito-idp:ListUserPools," "cognito-idp:ListTagsForResource," "connect:DescribeEvaluationForm," "connect:DescribeInstanceStorageConfig," "connect:DescribePrompt," "connect:DescribeRule," "connect:DescribeUser," "connect:GetTaskTemplate," "connect:ListApprovedOrigins," "connect:ListEvaluationForms," "connect:ListInstanceStorageConfigs," "connect:ListIntegrationAssociations," "connect:ListPrompts," "connect:ListRules," "connect:ListSecurityKeys," "connect:ListTagsForResource," "connect:ListTaskTemplates," "connect:ListUsers," "emr-containers:DescribeVirtualCluster," "emr-containers:ListVirtualClusters," "emr-serverless:GetApplication," "emr-serverless:ListApplications," "groundstation:GetDataflowEndpointGroup," "groundstation:ListDataflowEndpointGroups," "m2:GetEnvironment," "m2:ListEnvironments," "m2:ListTagsForResource," "memorydb:DescribeAcls," "memorydb:DescribeClusters," "memorydb:DescribeParameterGroups," "memorydb:DescribeParameters," "memorydb:DescribeSubnetGroups," "organizations:ListRoots," "quicksight:DescribeAccountSubscription," "quicksight:DescribeDataSetRefreshProperties," "rds:DescribeEngineDefaultClusterParameters," "redshift:DescribeEndpointAccess," "redshift:DescribeEndpointAuthorization," "route53:GetChange," "route53:ListCidrBlocks," "route53:ListCidrLocations," "serviceCatalog:DescribePortfolioShares," "transfer:DescribeProfile," and "transfer:ListProfiles"   |  This policy now supports additional permissions for Amazon Cognito, Amazon Connect, Amazon EMR, Amazon Ground Station, Amazon Mainframe Modernization, Amazon MemoryDB, Amazon Organizations, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Route 53, Amazon Service Catalog, and Amazon Transfer Family.  | November 17, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add  "Sid": "AWSConfigServiceRolePolicyStatementID," "Sid": "AWSConfigSLRLogStatementID," "Sid": "AWSConfigSLRLogEventStatementID," and "Sid": "AWSConfigSLRApiGatewayStatementID"   |  This policy now adds security identifiers (SID) for `AWSConfigServiceRolePolicyStatementID`, `AWSConfigSLRLogStatementID`, `AWSConfigSLRLogEventStatementID`, and `AWSConfigSLRApiGatewayStatementID`.  | November 17, 2023 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add  "acm-pca:GetCertificateAuthorityCertificate," "appmesh:DescribeMesh," "appmesh:ListGatewayRoutes," "connect:DescribeInstance," "connect:DescribeQuickConnect," "connect:ListQuickConnects," "ecs:DescribeCapacityProviders," "evidently:GetSegment," "evidently:ListSegments," "grafana:DescribeWorkspace," "grafana:DescribeWorkspaceAuthentication," "grafana:DescribeWorkspaceConfiguration," "grafana:DescribeWorkspaceConfiguration," "guardduty:GetMemberDetectors," "inspector2:BatchGetAccountStatus," "inspector2:GetDelegatedAdminAccount," "inspector2:ListMembers," "iot:DescribeCACertificate," "iot:ListCACertificates," "iot:ListTagsForResource," "iottwinmaker:GetSyncJob," "iottwinmaker:ListSyncJobs," "kafka:ListTagsForResource," "kafkaconnect:DescribeConnector," "kafkaconnect:ListConnectors," "lambda:GetCodeSigningConfig," "lambda:ListCodeSigningConfigs," "lambda:ListTags," "networkmanager:GetConnectPeer," "organizations:DescribeOrganization," "organizations:ListTargetsForPolicy," "sagemaker:DescribeDataQualityJob," "sagemaker:DescribeModelExplainabilityJob," "sagemaker:ListDataQualityJob," and "sagemaker:ExplainabilityJob"   |  This policy now supports additional permissions for Amazon Private CA, Amazon App Mesh, Amazon Connect, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, Amazon IoT, Amazon IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lambda, Amazon Network Manager, Amazon Organizations, and Amazon SageMaker AI.  | October 4, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add  "acm-pca:GetCertificateAuthorityCertificate," "appmesh:DescribeMesh," "appmesh:ListGatewayRoutes," "connect:DescribeInstance," "connect:DescribeQuickConnect," "connect:ListQuickConnects," "ecs:DescribeCapacityProviders," "evidently:GetSegment," "evidently:ListSegments," "grafana:DescribeWorkspace," "grafana:DescribeWorkspaceAuthentication," "grafana:DescribeWorkspaceConfiguration," "grafana:DescribeWorkspaceConfiguration," "guardduty:GetMemberDetectors," "inspector2:BatchGetAccountStatus," "inspector2:GetDelegatedAdminAccount," "inspector2:ListMembers," "iot:DescribeCACertificate," "iot:ListCACertificates," "iot:ListTagsForResource," "iottwinmaker:GetSyncJob," "iottwinmaker:ListSyncJobs," "kafka:ListTagsForResource," "kafkaconnect:DescribeConnector," "kafkaconnect:ListConnectors," "lambda:GetCodeSigningConfig," "lambda:ListCodeSigningConfigs," "lambda:ListTags," "networkmanager:GetConnectPeer," "organizations:DescribeOrganization," "organizations:ListTargetsForPolicy," "sagemaker:DescribeDataQualityJob," "sagemaker:DescribeModelExplainabilityJob," "sagemaker:ListDataQualityJob," and "sagemaker:ExplainabilityJob"   |  This policy now supports additional permissions for Amazon Private CA, Amazon App Mesh, Amazon Connect, Amazon Elastic Container Service (Amazon ECS), Amazon CloudWatch Evidently, Amazon Managed Grafana, Amazon GuardDuty, Amazon Inspector, Amazon IoT, Amazon IoT TwinMaker, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lambda, Amazon Network Manager, Amazon Organizations, and Amazon SageMaker AI.  | October 4, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Remove "ssm:GetParameter"  |  This policy now removes permissions for Amazon Systems Manager (Systems Manager).  | September 6, 2023 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add  "appmesh:DescribeGatewayRoute","appstream:DescribeStacks", "aps:ListTagsForResource", "cloudfront:GetFunction", "cloudfront:GetOriginAccessControl", "cloudfront:ListFunctions", "cloudfront:ListOriginAccessControls", "codeartifact:ListPackages", "codeartifact:ListPackageVersions", "codebuild:BatchGetReportGroups", "codebuild:ListReportGroups", "connect:ListInstanceAttributes", "connect:ListInstances", "glue:GetPartition", "glue:GetPartitions", "guardduty:GetAdministratorAccount", "iam:ListInstanceProfileTags", "inspector2:ListFilters", "iot:DescribeJobTemplate", "iot:DescribeProvisioningTemplate", "iot:ListJobTemplates", "iot:ListProvisioningTemplates", "iottwinmaker:GetComponentType", "iottwinmaker:ListComponentTypes", "iotwireless:GetFuotaTask", "iotwireless:GetMulticastGroup", "iotwireless:ListFuotaTasks", "iotwireless:ListMulticastGroups", "kafka:ListScramSecrets", "macie2:ListTagsForResource", "mediaconnect:ListTagsForResource", "networkmanager:GetConnectPeer", "networkmanager:ListConnectPeers", "organizations:DescribeEffectivePolicy", "organizations:DescribeResourcePolicy", "resource-explorer-2:GetIndex", "resource-explorer-2:ListIndexes", "resource-explorer-2:ListTagsForResource", "route53:ListCidrCollections", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", and "sns:GetDataProtectionPolicy"   |  This policy now supports additional permissions for Amazon App Mesh, Amazon CloudFormation, Amazon CloudFront Amazon CodeArtifact, Amazon CodeBuild, Amazon Connect, Amazon Glue, Amazon GuardDuty, Amazon Identity and Access Management (IAM), Amazon Inspector, Amazon IoT, Amazon IoT TwinMaker, Amazon IoT Wireless, Amazon Managed Streaming for Apache Kafka, Amazon Macie, AWS Elemental MediaConnect, Amazon Network Manager, Amazon Organizations, Amazon Resource Explorer, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), and Amazon Simple Notification Service (Amazon SNS).  | July 28, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add  "appmesh:DescribeGatewayRoute", "appstream:DescribeStacks", "aps:ListTagsForResource", "cloudfront:GetFunction", "cloudfront:GetOriginAccessControl", "cloudfront:ListFunctions", "cloudfront:ListOriginAccessControls", "codeartifact:ListPackages", "codeartifact:ListPackageVersions", "codebuild:BatchGetReportGroups", "codebuild:ListReportGroups", "connect:ListInstanceAttributes", "connect:ListInstances", "glue:GetPartition", "glue:GetPartitions", "guardduty:GetAdministratorAccount", "iam:ListInstanceProfileTags", "inspector2:ListFilters", "iot:DescribeJobTemplate", "iot:DescribeProvisioningTemplate", "iot:ListJobTemplates", "iot:ListProvisioningTemplates", "iottwinmaker:GetComponentType", "iottwinmaker:ListComponentTypes", "iotwireless:GetFuotaTask", "iotwireless:GetMulticastGroup", "iotwireless:ListFuotaTasks", "iotwireless:ListMulticastGroups", "kafka:ListScramSecrets", "macie2:ListTagsForResource", "mediaconnect:ListTagsForResource", "networkmanager:GetConnectPeer", "networkmanager:ListConnectPeers", "organizations:DescribeEffectivePolicy", "organizations:DescribeResourcePolicy", "resource-explorer-2:GetIndex", "resource-explorer-2:ListIndexes", "resource-explorer-2:ListTagsForResource", "route53:ListCidrCollections", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "sns:GetDataProtectionPolicy", "ssm:DescribeParameters", "ssm:GetParameter", and "ssm:ListTagsForResource"   |  This policy now supports additional permissions for Amazon App Mesh, Amazon WorkSpaces Applications, Amazon CloudFormation, Amazon CloudFront, Amazon CodeArtifact, Amazon CodeBuild, Amazon Connect, Amazon Glue, Amazon GuardDuty, Amazon Identity and Access Management (IAM), Amazon Inspector, Amazon IoT, Amazon IoT TwinMaker, Amazon IoT Wireless, Amazon Managed Streaming for Apache Kafka, Amazon Macie, AWS Elemental MediaConnect, Amazon Network Manager, Amazon Organizations, Amazon Resource Explorer, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Simple Notification Service (Amazon SNS), and Amazon EC2 Systems Manager (SSM).   | July 28, 2023 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add  "amplify:GetBranch", "amplify:ListBranches", "app-integrations:GetEventIntegration", "app-integrations:ListEventIntegrationAssociations", "app-integrations:ListEventIntegrations", "appmesh:DescribeRoute", "appmesh:ListRoutes", "aps:ListRuleGroupsNamespaces", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "batch:DescribeSchedulingPolicies", "batch:ListSchedulingPolicies", "cloudformation:ListTypes", "cloudtrail:ListTrails", "codeartifact:ListDomains", "codeguru-profiler:DescribeProfilingGroup", "codeguru-profiler:GetNotificationConfiguration", "codeguru-profiler:GetPolicy", "codeguru-profiler:ListProfilingGroups", "ds:DescribeDomainControllers", “dynamodb:DescribeTableReplicaAutoScaling" "dynamodb:DescribeTimeToLive", "ec2:DescribeTrafficMirrorFilters", "evidently:GetLaunch", "evidently:ListLaunches", "forecast:DescribeDatasetGroup", "forecast:ListDatasetGroups", "greengrass:DescribeComponent", "greengrass:GetComponent", "greengrass:ListComponents", "greengrass:ListComponentVersions", "groundstation:GetMissionProfile", "groundstation:ListMissionProfiles", "iam:ListGroups", "iam:ListRoles", "kafka:DescribeConfiguration", "kafka:DescribeConfigurationRevision", "kafka:ListConfigurations", "lightsail:GetRelationalDatabases" "logs:ListTagsLogGroup", "mediaconnect:DescribeFlow", "mediaconnect:ListFlows", "mediatailor:GetPlaybackConfiguration", "mediatailor:ListPlaybackConfigurations", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetEmailTemplate", "mobiletargeting:GetEventStream", "mobiletargeting:ListTemplates", "networkmanager:GetCustomerGatewayAssociations", "networkmanager:GetLinkAssociations", "organizations:DescribeAccount", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent", "organizations:ListTagsForResource", "personalize:DescribeDataset", "personalize:DescribeDatasetGroup", "personalize:DescribeSchema", "personalize:DescribeSolution", "personalize:ListDatasetGroups", "personalize:ListDatasetImportJobs", "personalize:ListDatasets", "personalize:ListSchemas", "personalize:ListSolutions", "personalize:ListTagsForResource", "quicksight:ListTemplates", "refactor-spaces:GetEnvironment", "refactor-spaces:GetService", "refactor-spaces:ListApplications", "refactor-spaces:ListEnvironments", "refactor-spaces:ListServices", "s3:GetAccessPointPolicyStatusForObjectLambda", "sagemaker:DescribeDeviceFleet", "sagemaker:DescribeFeatureGroup", "sagemaker:ListDeviceFleets", "sagemaker:ListFeatureGroups", "sagemaker:ListModels", and "transfer:ListTagsForResource"  |  This policy now supports additional permissions for Amazon Amplify, Amazon Connect, Amazon App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, Amazon Batch, Amazon CloudFormation, Amazon CloudTrail, Amazon CodeArtifact, Amazon CodeGuru, Amazon Directory Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Organizations, Amazon Forecast, Amazon IoT Greengrass, Amazon Ground Station, Amazon Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), Amazon Personalize, Amazon Quick, Amazon Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, Amazon Transfer Family.  | June 13, 2023 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add "amplify:GetBranch", "amplify:ListBranches", "app-integrations:GetEventIntegration", "app-integrations:ListEventIntegrationAssociations", "app-integrations:ListEventIntegrations", "appmesh:DescribeRoute", "appmesh:ListRoutes", "aps:ListRuleGroupsNamespaces", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "batch:DescribeSchedulingPolicies", "batch:ListSchedulingPolicies", "cloudformation:ListTypes", "cloudtrail:ListTrails", "codeartifact:ListDomains", "codeguru-profiler:DescribeProfilingGroup", "codeguru-profiler:GetNotificationConfiguration", "codeguru-profiler:GetPolicy", "codeguru-profiler:ListProfilingGroups", "ds:DescribeDomainControllers", "dynamodb:DescribeTableReplicaAutoScaling", "dynamodb:DescribeTimeToLive", "ec2:DescribeTrafficMirrorFilters", "evidently:GetLaunch", "evidently:ListLaunches", "forecast:DescribeDatasetGroup", "forecast:ListDatasetGroups", "greengrass:DescribeComponent", "greengrass:GetComponent", "greengrass:ListComponents", "greengrass:ListComponentVersions", "groundstation:GetMissionProfile", "groundstation:ListMissionProfiles", "iam:ListGroups", "iam:ListRoles", "kafka:DescribeConfiguration", "kafka:DescribeConfigurationRevision", "kafka:ListConfigurations", "lightsail:GetRelationalDatabases", "logs:ListTagsLogGroup", "mediaconnect:DescribeFlow", "mediaconnect:ListFlows", "mediatailor:GetPlaybackConfiguration", "mediatailor:ListPlaybackConfigurations", "mobiletargeting:GetApplicationSettings", "mobiletargeting:GetEmailTemplate", "mobiletargeting:GetEventStream", "mobiletargeting:ListTemplates", "networkmanager:GetCustomerGatewayAssociations", "networkmanager:GetLinkAssociations", "organizations:DescribeAccount", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListOrganizationalUnitsForParent", "organizations:ListTagsForResource", "personalize:DescribeDataset", "personalize:DescribeDatasetGroup", "personalize:DescribeSchema", "personalize:DescribeSolution", "personalize:ListDatasetGroups", "personalize:ListDatasetImportJobs", "personalize:ListDatasets", "personalize:ListSchemas", "personalize:ListSolutions", "personalize:ListTagsForResource", "quicksight:ListTemplates", "refactor-spaces:GetEnvironment", "refactor-spaces:GetService", "refactor-spaces:ListApplications", "refactor-spaces:ListEnvironments", "refactor-spaces:ListServices", "s3:GetAccessPointPolicyStatusForObjectLambda", "sagemaker:DescribeDeviceFleet", "sagemaker:DescribeFeatureGroup", "sagemaker:ListDeviceFleets", "sagemaker:ListFeatureGroups", "sagemaker:ListModels", and "transfer:ListTagsForResource"  |  This policy now supports additional permissions for Amazon Amplify, Amazon Connect, Amazon App Mesh, Amazon Managed Service for Prometheus, Amazon Athena, Amazon Batch, Amazon CloudFormation, Amazon CloudTrail, Amazon CodeArtifact, Amazon CodeGuru, Amazon Directory Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Organizations,Amazon Forecast, Amazon IoT Greengrass, Amazon Ground Station, Amazon Identity and Access Management (IAM), Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Lightsail, Amazon CloudWatch Logs, AWS Elemental MediaConnect, AWS Elemental MediaTailor, Amazon Pinpoint, Amazon Virtual Private Cloud (Amazon VPC), Amazon Personalize, Amazon Quick, Amazon Migration Hub Refactor Spaces, Amazon Simple Storage Service (Amazon S3), Amazon SageMaker AI, Amazon Transfer Family.  | June 13, 2023 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add amplify:GetApp, amplify:ListApps, appmesh:DescribeVirtualGateway, appmesh:DescribeVirtualNode, appmesh:DescribeVirtualRouter, appmesh:DescribeVirtualService, appmesh:ListMeshes, appmesh:ListTagsForResource, appmesh:ListVirtualGateways, appmesh:ListVirtualNodes, appmesh:ListVirtualRouters, appmesh:ListVirtualServices, apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors, cloudformation:ListTypes, cloudfront:ListResponseHeadersPolicies, codeartifact:ListRepositories, ds:DescribeEventTopics, ds:ListLogSubscriptions, GetInstanceTypesFromInstanceRequirement ec2:GetManagedPrefixListEntries, kendra:DescribeIndex, kendra:ListIndices, kendra:ListTagsForResource, logs:DescribeDestinations, logs:GetDataProtectionPolicy, macie2:DescribeOrganizationConfiguration, macie2:GetAutomatedDiscoveryConfiguration, macie2:GetClassificationExportConfiguration, macie2:GetCustomDataIdentifier, macie2:GetFindingsPublicationConfiguration, macie2:ListCustomDataIdentifiers, mobiletargeting:GetEmailChannel, refactor-spaces:GetEnvironment, refactor-spaces:ListEnvironments, resiliencehub:ListTagsForResource, route53:GetDNSSEC, sagemaker:DescribeDomain, sagemaker:DescribeModelBiasJobDefinition, sagemaker:DescribeModelQualityJobDefinition, sagemaker:DescribePipeline, sagemaker:DescribeProject, sagemaker:ListDomains, sagemaker:ListModelBiasJobDefinitions, sagemaker:ListModelQualityJobDefinitions, sagemaker:ListPipelines, sagemaker:ListProjects, transfer:DescribeAgreement, transfer:DescribeCertificate, transfer:ListAgreements, transfer:ListCertificates, and waf-regional:ListLoggingConfigurations  |  This policy now supports additional permissions for Amazon Managed Workflows for Amazon Amplify, Amazon App Mesh, Amazon App Runner, Amazon CloudFront, Amazon CodeArtifact, Amazon Elastic Compute Cloud, Amazon Kendra, Amazon Macie, Amazon Route 53, Amazon SageMaker AI, Amazon Transfer Family, Amazon Pinpoint, Amazon Migration Hub, Amazon Resilience Hub, Amazon CloudWatch, Amazon Directory Service, and Amazon WAF.   | April 13, 2023 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add amplify:GetApp, amplify:ListApps, appmesh:DescribeVirtualGateway, appmesh:DescribeVirtualNode, appmesh:DescribeVirtualRouter, appmesh:DescribeVirtualService, appmesh:ListMeshes, appmesh:ListTagsForResource, appmesh:ListVirtualGateways, appmesh:ListVirtualNodes, appmesh:ListVirtualRouters, appmesh:ListVirtualServices, apprunner:DescribeVpcConnector, apprunner:ListVpcConnectors, cloudformation:ListTypes, cloudfront:ListResponseHeadersPolicies, codeartifact:ListRepositories, ds:DescribeEventTopics, ds:ListLogSubscriptions, ec2:GetInstanceTypesFromInstanceRequirement, ec2:GetManagedPrefixListEntries, kendra:DescribeIndex, kendra:ListIndices, kendra:ListTagsForResource, logs:DescribeDestinations, logs:GetDataProtectionPolicy, macie2:DescribeOrganizationConfiguration, macie2:GetAutomatedDiscoveryConfiguration, macie2:GetClassificationExportConfiguration, macie2:GetCustomDataIdentifier, macie2:GetFindingsPublicationConfiguration, macie2:ListCustomDataIdentifiers, mobiletargeting:GetEmailChannel, refactor-spaces:GetEnvironment, refactor-spaces:ListEnvironments, resiliencehub:ListTagsForResource, route53:GetDNSSEC, sagemaker:DescribeDomain, sagemaker:DescribeModelBiasJobDefinition, sagemaker:DescribeModelQualityJobDefinition, sagemaker:DescribePipeline, sagemaker:DescribeProject, sagemaker:ListDomains, sagemaker:ListModelBiasJobDefinitions, sagemaker:ListModelQualityJobDefinitions, sagemaker:ListPipelines, sagemaker:ListProjects, transfer:DescribeAgreement, transfer:DescribeCertificate, transfer:ListAgreements, transfer:ListCertificates, and waf-regional:ListLoggingConfigurations  |  This policy now supports additional permissions for Amazon Managed Workflows for Amazon Amplify, Amazon App Mesh, Amazon App Runner, Amazon CloudFront, Amazon CodeArtifact, Amazon Elastic Compute Cloud, Amazon Kendra, Amazon Macie, Amazon Route 53, Amazon SageMaker AI, Amazon Transfer Family, Amazon Pinpoint, Amazon Migration Hub, Amazon Resilience Hub, Amazon CloudWatch, Amazon Directory Service, and Amazon WAF.   | April 13, 2023 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add appflow:DescribeFlow, appflow:ListFlows, appflow:ListTagsForResource, apprunner:DescribeService, apprunner:ListServices, apprunner:ListTagsForResource, appstream:DescribeApplications, appstream:DescribeFleets, cloudfront:GetResponseHeadersPolicy, cloudwatch:ListTagsForResource, codeartifact:DescribeRepository, codeartifact:GetRepositoryPermissionsPolicy, codeartifact:ListTagsForResource, codecommit:GetRepository, codecommit:GetRepositoryTriggers, codecommit:ListRepositories, codecommit:ListTagsForResource, devicefarm:GetInstanceProfile, devicefarm:ListInstanceProfiles, devicefarm:ListProjects, evidently:GetProject, evidently:ListProjects, evidently:ListTagsForResource, forecast:DescribeDataset, forecast:ListDatasets, forecast:ListTagsForResource, groundstation:GetConfig, groundstation:ListConfigs, groundstation:ListTagsForResource, iam:GetInstanceProfile, iam:GetSAMLProvider, iam:GetServerCertificate, iam:ListAccessKeys, iam:ListGroups, iam:ListInstanceProfiles, iam:ListMFADevices, iam:ListMFADeviceTags, iam:ListRoles, iam:ListSAMLProviders, iot:DescribeFleetMetric, iot:ListFleetMetrics, memorydb:DescribeUsers, memorydb:ListTags, mobiletargeting:GetApp, mobiletargeting:GetCampaigns, networkmanager:GetDevices, networkmanager:GetLinks, networkmanager:GetSites, panorama:ListNodes, rds:DescribeDBProxyEndpoints, redshift:DescribeScheduledActions, sagemaker:DescribeAppImageConfig, sagemaker:DescribeImage, sagemaker:DescribeImageVersion, sagemaker:ListAppImageConfigs, sagemaker:ListImages, and sagemaker:ListImageVersions  |  This policy now supports additional permissions for Amazon Managed Workflows for Amazon AppFlow, Amazon App Runner, Amazon WorkSpaces Applications, Amazon CloudFront, Amazon CloudWatch, Amazon CodeArtifact, Amazon CodeCommit, Amazon Device Farm, Amazon CloudWatch Evidently, Amazon Forecast, Amazon Ground Station, Amazon Identity and Access Management (IAM), Amazon IoT, Amazon MemoryDB, Amazon Pinpoint, Amazon Network Manager, Amazon Panorama, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker AI.   | March 30, 2023 | 
| [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add appflow:DescribeFlow, appflow:ListFlows, appflow:ListTagsForResource, apprunner:DescribeService, apprunner:ListServices, apprunner:ListTagsForResource, appstream:DescribeApplications, appstream:DescribeFleets, cloudformation:ListTypes, cloudfront:GetResponseHeadersPolicy, cloudfront:ListDistributions, cloudwatch:ListTagsForResource, codeartifact:DescribeRepository, codeartifact:GetRepositoryPermissionsPolicy, codeartifact:ListTagsForResource, codecommit:GetRepository, codecommit:GetRepositoryTriggers, codecommit:ListRepositories, codecommit:ListTagsForResource, devicefarm:GetInstanceProfile, devicefarm:ListInstanceProfiles, devicefarm:ListProjects, ec2:DescribeTrafficMirrorFilters, evidently:GetProject, evidently:ListProjects, evidently:ListTagsForResource, forecast:DescribeDataset, forecast:ListDatasets, forecast:ListTagsForResource, groundstation:GetConfig, groundstation:ListConfigs, groundstation:ListTagsForResource, iam:GetInstanceProfile, iam:GetSAMLProvider, iam:GetServerCertificate, iam:ListAccessKeys, iam:ListGroups, iam:ListInstanceProfiles, iam:ListMFADevices, iam:ListMFADeviceTags, iam:ListRoles, iam:ListSAMLProviders, iot:DescribeFleetMetric, iot:ListFleetMetrics, memorydb:DescribeUsers, memorydb:ListTags, mobiletargeting:GetApp, mobiletargeting:GetCampaigns, networkmanager:GetDevices, networkmanager:GetLinks, networkmanager:GetSites, panorama:ListNodes, rds:DescribeDBProxyEndpoints, redshift:DescribeScheduledActions, sagemaker:DescribeAppImageConfig, sagemaker:DescribeImage, sagemaker:DescribeImageVersion, sagemaker:ListAppImageConfigs, sagemaker:ListImages, and sagemaker:ListImageVersions |  This policy now supports additional permissions for Amazon Managed Workflows for Amazon AppFlow, Amazon App Runner, Amazon WorkSpaces Applications, Amazon CloudFormation, Amazon CloudFront, Amazon CloudWatch, Amazon CodeArtifact, Amazon CodeCommit, Amazon Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon CloudWatch Evidently, Amazon Forecast, Amazon Ground Station, Amazon Identity and Access Management (IAM), Amazon IoT, Amazon MemoryDB, Amazon Pinpoint, Amazon Network Manager, Amazon Panorama, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, and Amazon SageMaker AI.   | March 30, 2023 | 
|  [AWSConfigRulesExecutionRole](#security-iam-awsmanpol-AWSConfigRulesExecutionRole) – Amazon Config starts tracking changes for this Amazon managed policy  |  This policy allow Amazon Lambda functions to access the Amazon Config API and the configuration snapshots that Amazon Config delivers periodically to Amazon S3. This access is required by functions that evaluate configuration changes for Amazon Custom Lambda rules.  | March 7, 2023 | 
|  [AWSConfigRoleForOrganizations](#security-iam-awsmanpol-AWSConfigRoleForOrganizations) – Amazon Config starts tracking changes for this Amazon managed policy  |  This policy allows Amazon Config to call read-only Amazon Organizations APIs.  | March 7, 2023 | 
|  [AWSConfigRemediationServiceRolePolicy](#security-iam-awsmanpol-AWSConfigRemediationServiceRolePolicy) – Amazon Config starts tracking changes for this Amazon managed policy  |  This policy allows Amazon Config to remediate `NON_COMPLIANT` resources on your behalf.  | March 7, 2023 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add auditmanager:GetAccountStatus  |  This policy now grants permission to return the registration status of an account in Amazon Audit Manager.  | March 3, 2023 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add auditmanager:GetAccountStatus  |  This policy now grants permission to return the registration status of an account in Amazon Audit Manager.  | March 3, 2023 | 
|  [AWSConfigMultiAccountSetupPolicy](#security-iam-awsmanpol-AWSConfigMultiAccountSetupPolicy) – Amazon Config starts tracking changes for this Amazon managed policy  |  This policy allows Amazon Config to call Amazon services and deploy Amazon Config resources across an organization with Amazon Organizations.  | February 27, 2023 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries  |  This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, Amazon IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), Amazon Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, Amazon Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.  | February 1, 2023 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries  |  This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, Amazon IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), Amazon Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, Amazon Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.  | February 1, 2023 | 
|  [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Update config:DescribeConfigRules  |  As a security best practice, this policy now removes broad resource-level permission for `config:DescribeConfigRules`.  | January 12, 2023 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, Amazon Transfer Family devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource  |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon Audit Manager, Amazon Device Farm, Amazon Database Migration Service (Amazon DMS), Amazon Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Glue, Amazon IoT, Amazon Lightsail, AWS Elemental MediaPackage, Amazon Network Manager, Amazon Quick, Amazon Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.  | Decemeber 15, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource  |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon Audit Manager, Amazon Device Farm, Amazon Database Migration Service (Amazon DMS), Amazon Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Glue, Amazon IoT, Amazon Lightsail, AWS Elemental MediaPackage, Amazon Network Manager, Amazon Quick, Amazon Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.  | Decemeber 15, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add cloudformation:ListStackResources and cloudformation:ListStacks  |  This policy now grants permission to return descriptions of all resources of a specified Amazon CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter.  | November 7, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add cloudformation:ListStackResources and cloudformation:ListStacks  |  This policy now grants permission to return descriptions of all resources of a specified Amazon CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter.  | November 7, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups  |  This policy now supports additional permissions for Amazon Certificate Manager, Amazon Managed Workflows for Apache Airflow, Amazon Amplify, Amazon AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, Amazon Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, Amazon Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, Amazon IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, Amazon OpsWorks, Amazon Panorama, Amazon Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon RoboMaker, Amazon Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Cloud Map, and Amazon Security Token Service.  | October 19, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups  |  This policy now supports additional permissions for Amazon Certificate Manager, Amazon Managed Workflows for Apache Airflow, Amazon Amplify, Amazon AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, Amazon Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, Amazon Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, Amazon IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, Amazon OpsWorks, Amazon Panorama, Amazon Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon RoboMaker, Amazon Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Cloud Map, and Amazon Security Token Service.  | October 19, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add Glue::GetTable  |  This policy now grants permission to retrieve the Amazon Glue Table definition in a Data Catalog for a specified table.  | September 14, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add Glue::GetTable  |  This policy now grants permission to retrieve the Amazon Glue Table definition in a Data Catalog for a specified table.  | September 14, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource  |  This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, Amazon AppConfig, Amazon AppSync, Amazon Auto Scaling, Amazon Backup, Amazon Budgets, Amazon Cost Explorer, Amazon Cloud9, Amazon Directory Service, Amazon DataSync, AWS Elemental MediaPackage, Amazon Glue, Amazon IoT, Amazon IoT Analytics, Amazon IoT Events, Amazon IoT SiteWise, Amazon IoT TwinMaker, Amazon Lake Formation, Amazon License Manager, Amazon Resilience Hub, Amazon Signer, and Amazon Transfer Family.  | September 7, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource  |  This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, Amazon AppConfig, Amazon AppSync, Amazon Auto Scaling, Amazon Backup, Amazon Budgets, Amazon Cost Explorer, Amazon Cloud9, Amazon Directory Service, Amazon DataSync, AWS Elemental MediaPackage, Amazon Glue, Amazon IoT, Amazon IoT Analytics, Amazon IoT Events, Amazon IoT SiteWise, Amazon IoT TwinMaker, Amazon Lake Formation, Amazon License Manager, Amazon Resilience Hub, Amazon Signer, and Amazon Transfer Family  | September 7, 2022 | 
| [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries | This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, Amazon IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), Amazon Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, Amazon Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.  | February 1, 2023 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add airflow:ListTagsForResource, iot:ListCustomMetrics, iot:DescribeCustomMetric, appstream:DescribeDirectoryConfigs, appstream:ListTagsForResource, codeguru-reviewer:DescribeRepositoryAssociation, codeguru-reviewer:ListRepositoryAssociations, healthlake:ListFHIRDatastores, healthlake:DescribeFHIRDatastore, healthlake:ListTagsForResource, kinesisvideo:DescribeStream, kinesisvideo:ListStreams, kinesisvideo:ListTagsForStream, kinesisvideo:DescribeSignalingChannel, kinesisvideo:ListTagsForResource, kinesisvideo:ListSignalingChannels, route53-recovery-control-config:DescribeCluster, route53-recovery-control-config:DescribeRoutingControl, route53-recovery-control-config:DescribeSafetyRule, route53-recovery-control-config:ListClusters, route53-recovery-control-config:ListRoutingControls, route53-recovery-control-config:ListSafetyRules, devicefarm:GetTestGridProject, devicefarm:ListTestGridProjects, ec2:DescribeCapacityReservationFleets, ec2:DescribeIpamPools, ec2:DescribeIpams, ec2:GetInstanceTypesFromInstanceRequirement, mobiletargeting:GetApplicationSettings, mobiletargeting:ListTagsForResource, ecr:BatchGetRepositoryScanningConfiguration, iam:ListServerCertificates, guardduty:ListPublishingDestinations, guardduty:DescribePublishingDestination, logs:GetLogDelivery, and logs:ListLogDeliveries  |  This policy now supports additional permissions for Amazon Managed Workflows for Apache Airflow, Amazon IoT, Amazon WorkSpaces Applications, Amazon CodeGuru Reviewer, Amazon HealthLake, Amazon Kinesis Video Streams, Amazon Application Recovery Controller (ARC), Amazon Device Farm, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Pinpoint, Amazon Identity and Access Management (IAM), Amazon GuardDuty, and Amazon CloudWatch Logs.  | February 1, 2023 | 
|  [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Update config:DescribeConfigRules  |  As a security best practice, this policy now removes broad resource-level permission for `config:DescribeConfigRules`.  | January 12, 2023 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, Amazon Transfer Family devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource  |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon Audit Manager, Amazon Device Farm, Amazon Database Migration Service (Amazon DMS), Amazon Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Glue, Amazon IoT, Amazon Lightsail, AWS Elemental MediaPackage, Amazon Network Manager, Amazon Quick, Amazon Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.  | Decemeber 15, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add APS:DescribeRuleGroupsNamespace, APS:DescribeWorkspace, APS:ListWorkspaces, auditmanager:GetAssessment, auditmanager:ListAssessments, devicefarm:GetNetworkProfile, devicefarm:GetProject, devicefarm:ListNetworkProfiles, devicefarm:ListTagsForResource, dms:DescribeEndpoints, ds:ListTagsForResource, ec2:DescribeTags, ec2:DescribeTrafficMirrorSessions, ec2:DescribeTrafficMirrorTargets, ec2:GetIpamPoolAllocations, ec2:GetIpamPoolCidrs, glue:GetMLTransform, glue:GetMLTransforms, glue:ListMLTransforms, iot:DescribeScheduledAudit, iot:ListScheduledAudits, ivs:GetChannel, lightsail:GetRelationalDatabases, mediapackage-vod:DescribePackagingConfiguration, mediapackage-vod:ListPackagingConfigurations, networkmanager:DescribeGlobalNetworks, networkmanager:GetTransitGatewayRegistrations, networkmanager:ListTagsForResource, quicksight:DescribeDashboard, quicksight:DescribeDashboardPermissions, quicksight:DescribeTemplate, quicksight:DescribeTemplatePermissions, quicksight:ListDashboards, quicksight:ListTemplates, ram:ListResources, route53-recovery-control-config:DescribeControlPanel, route53-recovery-control-config:ListControlPanels, route53-recovery-control-config:ListTagsForResource, route53resolver:GetResolverQueryLogConfigAssociation, route53resolver:ListResolverQueryLogConfigAssociations, s3:GetAccessPointForObjectLambda, s3:GetAccessPointPolicyForObjectLambda, s3:GetAccessPointPolicyStatusForObjectLambda, s3:GetMultiRegionAccessPoint, s3:ListAccessPointsForObjectLambda, s3:ListMultiRegionAccessPoints, timestream:DescribeEndpoints, transfer:DescribeConnector, transfer:ListConnectors, and transfer:ListTagsForResource  |  This policy now supports additional permissions for Amazon Managed Service for Prometheus, Amazon Audit Manager, Amazon Device Farm, Amazon Database Migration Service (Amazon DMS), Amazon Directory Service, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Glue, Amazon IoT, Amazon Lightsail, AWS Elemental MediaPackage, Amazon Network Manager, Amazon Quick, Amazon Resource Access Manager, Amazon Application Recovery Controller (ARC), Amazon Simple Storage Service (Amazon S3), and Amazon Timestream.  | December 15, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add cloudformation:ListStackResources and cloudformation:ListStacks  |  This policy now grants permission to return descriptions of all resources of a specified Amazon CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter.  | November 7, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add cloudformation:ListStackResources and cloudformation:ListStacks  |  This policy now grants permission to return descriptions of all resources of a specified Amazon CloudFormation stack and return the summary information for stacks whose status matches the specified StackStatusFilter.  | November 7, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups  |  This policy now supports additional permissions for Amazon Certificate Manager, Amazon Managed Workflows for Apache Airflow, Amazon Amplify, Amazon AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, Amazon Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, Amazon Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, Amazon IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, Amazon OpsWorks, Amazon Panorama, Amazon Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon RoboMaker, Amazon Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Cloud Map, and Amazon Security Token Service.  | October 19, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add acm-pca:GetCertificateAuthorityCsr, acm-pca:ListCertificateAuthorities, acm-pca:ListTags, airflow:GetEnvironment, airflow:ListEnvironments, amplifyuibuilder:ListThemes, appconfig:ListConfigurationProfiles, appconfig:ListDeployments, appconfig:ListDeploymentStrategies, appconfig:ListEnvironments, appconfig:ListHostedConfigurationVersions, cassandra:Select, cloudwatch:DescribeAnomalyDetectors, cloudwatch:GetDashboard, cloudwatch:ListDashboards, connect:DescribePhoneNumber, connect:ListPhoneNumbers, connect:ListPhoneNumbersV2, connect:SearchAvailablePhoneNumbers, databrew:DescribeDataset, databrew:DescribeJob, databrew:DescribeProject, databrew:DescribeRecipe, databrew:DescribeRuleset, databrew:DescribeSchedule, databrew:ListDatasets, databrew:ListJobs, databrew:ListProjects, databrew:ListRecipes, databrew:ListRecipeVersions, databrew:ListRulesets, databrew:ListSchedules, ec2:DescribeRouteTables, eks:DescribeAddon, eks:DescribeIdentityProviderConfig, eks:ListAddons, eks:ListIdentityProviderConfigs, events:DescribeConnection, events:ListApiDestinations, events:ListConnections, fis:GetExperimentTemplate, fis:ListExperimentTemplates, frauddetector:GetRules, fsx:DescribeBackups, fsx:DescribeSnapshots, fsx:DescribeStorageVirtualMachines, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeVpcPeeringConnections, geo:ListGeofenceCollections, geo:ListPlaceIndexes, geo:ListRouteCalculators, geo:ListTrackers, iot:DescribeAccountAuditConfiguration, iot:DescribeAuthorizer, iot:DescribeDomainConfiguration, iot:DescribeMitigationAction, iot:ListAuthorizers, iot:ListDomainConfigurations, iot:ListMitigationActions, iotsitewise:DescribeAssetModel, iotsitewise:DescribeDashboard, iotsitewise:DescribeGateway, iotsitewise:DescribePortal, iotsitewise:DescribeProject, iotsitewise:ListAssetModels, iotsitewise:ListDashboards, iotsitewise:ListGateways, iotsitewise:ListPortals, iotsitewise:ListProjectAssets, iotsitewise:ListProjects, iotsitewise:ListTagsForResource, iotwireless:GetServiceProfile, iotwireless:GetWirelessDevice, iotwireless:GetWirelessGatewayTaskDefinition, iotwireless:ListServiceProfiles, iotwireless:ListTagsForResource, iotwireless:ListWirelessDevices, iotwireless:ListWirelessGatewayTaskDefinitions, lex:DescribeBotVersion, lex:ListBotVersions, lightsail:GetContainerServices, lightsail:GetDistributions, lightsail:GetRelationalDatabase, lightsail:GetRelationalDatabaseParameters, mobiletargeting:GetApps, mobiletargeting:GetCampaign, mobiletargeting:GetSegment, mobiletargeting:GetSegments, opsworks:DescribeInstances, opsworks:DescribeTimeBasedAutoScaling, opsworks:DescribeVolumes, panorama:DescribeApplicationInstance, panorama:DescribeApplicationInstanceDetails, panorama:DescribePackage, panorama:DescribePackageVersion, panorama:ListApplicationInstances, panorama:ListPackages, quicksight:ListDataSources, ram:ListResourceSharePermissions, rds:DescribeDBProxies, rds:DescribeGlobalClusters, rekognition:ListStreamProcessors, resource-groups:GetGroup, resource-groups:GetGroupConfiguration, resource-groups:GetGroupQuery, resource-groups:GetTags, resource-groups:ListGroupResources, resource-groups:ListGroups, robomaker:ListRobotApplications, robomaker:ListSimulationApplications, route53resolver:GetResolverDnssecConfig, route53resolver:ListResolverDnssecConfigs, s3:ListStorageLensConfigurations, schemas:GetResourcePolicy, servicediscovery:ListInstances, sts:GetCallerIdentity, synthetics:GetGroup, synthetics:ListAssociatedGroups, synthetics:ListGroupResources, and synthetics:ListGroups  |  This policy now supports additional permissions for Amazon Certificate Manager, Amazon Managed Workflows for Apache Airflow, Amazon Amplify, Amazon AppConfig, Amazon Keyspaces, Amazon CloudWatch, Amazon Connect, Amazon Glue DataBrew, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon EventBridge, Amazon Fault Injection Service, Amazon Fraud Detector, Amazon FSx, Amazon GameLift Servers, Amazon Location Service, Amazon IoT, Amazon Lex, Amazon Lightsail, Amazon Pinpoint, Amazon OpsWorks, Amazon Panorama, Amazon Resource Access Manager, Amazon Quick, Amazon Relational Database Service (Amazon RDS), Amazon Rekognition, Amazon RoboMaker, Amazon Resource Groups, Amazon Route 53, Amazon Simple Storage Service (Amazon S3), Amazon Cloud Map, and Amazon Security Token Service.  | October 19, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add Glue::GetTable  |  This policy now grants permission to retrieve the Amazon Glue Table definition in a Data Catalog for a specified table.  | September 14, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add Glue::GetTable  |  This policy now grants permission to retrieve the Amazon Glue Table definition in a Data Catalog for a specified table.  | September 14, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorFilters, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource  |  This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, Amazon AppConfig, Amazon AppSync, Amazon Auto Scaling, Amazon Backup, Amazon Budgets, Amazon Cost Explorer, Amazon Cloud9, Amazon Directory Service, Amazon DataSync, AWS Elemental MediaPackage, Amazon Glue, Amazon IoT, Amazon IoT Analytics, Amazon IoT Events, Amazon IoT SiteWise, Amazon IoT TwinMaker, Amazon Lake Formation, Amazon License Manager, Amazon Resilience Hub, Amazon Signer, and Amazon Transfer Family.  | September 7, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add appconfig:ListApplications, appflow:DescribeConnectorProfiles, appsync:GetApiCache, autoscaling-plans:DescribeScalingPlanResources, autoscaling-plans:DescribeScalingPlans, autoscaling-plans:GetScalingPlanResourceForecastData, autoscaling:DescribeWarmPool, backup:DescribeFramework, backup:DescribeReportPlan, backup:ListFrameworks, backup:ListReportPlans, budgets:DescribeBudgetAction, budgets:DescribeBudgetActionsForAccount, budgets:DescribeBudgetActionsForBudget, budgets:ViewBudget, ce:GetAnomalyMonitors, ce:GetAnomalySubscriptions, cloud9:DescribeEnvironmentMemberships, cloud9:DescribeEnvironments, cloud9:ListEnvironments, cloud9:ListTagsForResource, cloudwatch:GetMetricStream, cloudwatch:ListMetricStreams, datasync:DescribeLocationFsxWindows, devops-guru:GetResourceCollection, ds:DescribeDirectories, ec2:DescribeTrafficMirrorTargets, ec2:GetNetworkInsightsAccessScopeAnalysisFindings, ec2:GetNetworkInsightsAccessScopeContent, elasticmapreduce:DescribeStudio, elasticmapreduce:GetStudioSessionMapping, elasticmapreduce:ListStudios, elasticmapreduce:ListStudioSessionMappings, events:DescribeEndpoint, events:DescribeEventBus, events:DescribeRule, events:ListArchives, events:ListEndpoints, events:ListEventBuses, events:ListRules, events:ListTagsForResource, events:ListTargetsByRule, finspace:GetEnvironment, finspace:ListEnvironments, frauddetector:GetDetectors, frauddetector:GetDetectorVersion, frauddetector:GetEntityTypes, frauddetector:GetEventTypes, frauddetector:GetExternalModels, frauddetector:GetLabels, frauddetector:GetModels, frauddetector:GetOutcomes, frauddetector:GetVariables, frauddetector:ListTagsForResource, gamelift:DescribeAlias, gamelift:DescribeBuild, gamelift:DescribeFleetAttributes, gamelift:DescribeFleetCapacity, gamelift:DescribeFleetLocationAttributes, gamelift:DescribeFleetLocationCapacity, gamelift:DescribeFleetPortSettings, gamelift:DescribeGameServerGroup, gamelift:DescribeGameSessionQueues, gamelift:DescribeMatchmakingConfigurations, gamelift:DescribeMatchmakingRuleSets, gamelift:DescribeRuntimeConfiguration, gamelift:DescribeScript, gamelift:DescribeVpcPeeringAuthorizations, gamelift:ListAliases, gamelift:ListBuilds, gamelift:ListFleets, gamelift:ListGameServerGroups, gamelift:ListScripts, gamelift:ListTagsForResource, geo:ListMaps, glue:GetClassifier, glue:GetClassifiers, imagebuilder:GetContainerRecipe, imagebuilder:GetImage, imagebuilder:GetImagePipeline, imagebuilder:GetImageRecipe, imagebuilder:ListContainerRecipes, imagebuilder:ListImageBuildVersions, imagebuilder:ListImagePipelines, imagebuilder:ListImageRecipes, imagebuilder:ListImages, iot:DescribeCertificate, iot:DescribeDimension, iot:DescribeRoleAlias, iot:DescribeSecurityProfile, iot:GetPolicy, iot:GetTopicRule, iot:GetTopicRuleDestination, iot:ListCertificates, iot:ListDimensions, iot:ListPolicies, iot:ListRoleAliases, iot:ListSecurityProfiles, iot:ListSecurityProfilesForTarget, iot:ListTagsForResource, iot:ListTargetsForSecurityProfile, iot:ListTopicRuleDestinations, iot:ListTopicRules, iot:ListV2LoggingLevels, iot:ValidateSecurityProfileBehaviors, iotanalytics:DescribeChannel, iotanalytics:DescribeDataset, iotanalytics:DescribeDatastore, iotanalytics:DescribePipeline, iotanalytics:ListChannels, iotanalytics:ListDatasets, iotanalytics:ListDatastores, iotanalytics:ListPipelines, iotanalytics:ListTagsForResource, iotevents:DescribeAlarmModel, iotevents:DescribeDetectorModel, iotevents:DescribeInput, iotevents:ListAlarmModels, iotevents:ListDetectorModels, iotevents:ListInputs, iotevents:ListTagsForResource, iotsitewise:DescribeAccessPolicy, iotsitewise:DescribeAsset, iotsitewise:ListAccessPolicies, iotsitewise:ListAssets, iottwinmaker:GetEntity, iottwinmaker:GetScene, iottwinmaker:GetWorkspace, iottwinmaker:ListEntities, iottwinmaker:ListScenes, iottwinmaker:ListTagsForResource, iottwinmaker:ListWorkspaces, ivs:GetPlaybackKeyPair, ivs:GetRecordingConfiguration, ivs:GetStreamKey, ivs:ListChannels, ivs:ListPlaybackKeyPairs, ivs:ListRecordingConfigurations, ivs:ListStreamKeys, ivs:ListTagsForResource, kinesisanalytics:ListApplications, lakeformation:DescribeResource, lakeformation:GetDataLakeSettings, lakeformation:ListPermissions, lakeformation:ListResources, lex:DescribeBot, lex:DescribeBotAlias, lex:DescribeResourcePolicy, lex:ListBotAliases, lex:ListBotLocales, lex:ListBots, lex:ListTagsForResource, license-manager:GetGrant, license-manager:GetLicense, license-manager:ListDistributedGrants, license-manager:ListLicenses, license-manager:ListReceivedGrants, lightsail:GetAlarms, lightsail:GetBuckets, lightsail:GetCertificates, lightsail:GetDisk, lightsail:GetDisks, lightsail:GetInstance, lightsail:GetInstances, lightsail:GetKeyPair, lightsail:GetLoadBalancer, lightsail:GetLoadBalancers, lightsail:GetLoadBalancerTlsCertificates, lightsail:GetStaticIp, lightsail:GetStaticIps, lookoutequipment:DescribeInferenceScheduler, lookoutequipment:ListTagsForResource, lookoutmetrics:DescribeAlert, lookoutmetrics:DescribeAnomalyDetector, lookoutmetrics:ListAlerts, lookoutmetrics:ListAnomalyDetectors, lookoutmetrics:ListMetricSets, lookoutmetrics:ListTagsForResource, lookoutvision:DescribeProject, lookoutvision:ListProjects, managedblockchain:GetMember, managedblockchain:GetNetwork, managedblockchain:GetNode, managedblockchain:ListInvitations, managedblockchain:ListMembers, managedblockchain:ListNodes, mediapackage-vod:DescribePackagingGroup, mediapackage-vod:ListPackagingGroups, mediapackage-vod:ListTagsForResource, mobiletargeting:GetInAppTemplate, mobiletargeting:ListTemplates, mq:DescribeBroker, mq:ListBrokers, nimble:GetLaunchProfile, nimble:GetLaunchProfileDetails, nimble:GetStreamingImage, nimble:GetStudio, nimble:GetStudioComponent, nimble:ListLaunchProfiles, nimble:ListStreamingImages, nimble:ListStudioComponents, nimble:ListStudios, profile:GetDomain, profile:GetIntegration, profile:GetProfileObjectType, profile:ListDomains, profile:ListIntegrations, profile:ListProfileObjectTypes, profile:ListTagsForResource, quicksight:DescribeAnalysis, quicksight:DescribeAnalysisPermissions, quicksight:DescribeDataSet, quicksight:DescribeDataSetPermissions, quicksight:DescribeTheme, quicksight:DescribeThemePermissions, quicksight:ListAnalyses, quicksight:ListDataSets, quicksight:ListThemes, resiliencehub:DescribeApp, resiliencehub:DescribeAppVersionTemplate, resiliencehub:DescribeResiliencyPolicy, resiliencehub:ListApps, resiliencehub:ListAppVersionResourceMappings, resiliencehub:ListResiliencyPolicies, route53-recovery-readiness:GetCell, route53-recovery-readiness:GetReadinessCheck, route53-recovery-readiness:GetRecoveryGroup, route53-recovery-readiness:GetResourceSet, route53-recovery-readiness:ListCells, route53-recovery-readiness:ListReadinessChecks, route53-recovery-readiness:ListRecoveryGroups, route53-recovery-readiness:ListResourceSets, route53resolver:GetFirewallDomainList, route53resolver:GetFirewallRuleGroup, route53resolver:GetFirewallRuleGroupAssociation, route53resolver:GetResolverQueryLogConfig, route53resolver:ListFirewallDomainLists, route53resolver:ListFirewallDomains, route53resolver:ListFirewallRuleGroupAssociations, route53resolver:ListFirewallRuleGroups, route53resolver:ListFirewallRules, route53resolver:ListResolverQueryLogConfigs, rum:GetAppMonitor, rum:GetAppMonitorData, rum:ListAppMonitors, rum:ListTagsForResource, s3-outposts:GetAccessPoint, s3-outposts:GetAccessPointPolicy, s3-outposts:GetBucket, s3-outposts:GetBucketPolicy, s3-outposts:GetBucketTagging, s3-outposts:GetLifecycleConfiguration, s3-outposts:ListAccessPoints, s3-outposts:ListEndpoints, s3-outposts:ListRegionalBuckets, schemas:DescribeDiscoverer, schemas:DescribeRegistry, schemas:DescribeSchema, schemas:ListDiscoverers, schemas:ListRegistries, schemas:ListSchemas, sdb:GetAttributes, sdb:ListDomains, ses:ListEmailTemplates, ses:ListReceiptFilters, ses:ListReceiptRuleSets, ses:ListTemplates, signer:GetSigningProfile, signer:ListProfilePermissions, signer:ListSigningProfiles, synthetics:DescribeCanaries, synthetics:DescribeCanariesLastRun, synthetics:DescribeRuntimeVersions, synthetics:GetCanary, synthetics:GetCanaryRuns, synthetics:ListTagsForResource, timestream:DescribeDatabase, timestream:DescribeTable, timestream:ListDatabases, timestream:ListTables, timestream:ListTagsForResource, transfer:DescribeServer, transfer:DescribeUser, transfer:DescribeWorkflow, transfer:ListServers, transfer:ListUsers, transfer:ListWorkflows, voiceid:DescribeDomain, and voiceid:ListTagsForResource  |  This policy now supports additional permissions for Amazon AppFlow, Amazon CloudWatch, Amazon CloudWatch RUM, Amazon CloudWatch Synthetics, Amazon Connect Customer Profiles, Amazon Connect Voice ID, Amazon DevOps Guru, Amazon Elastic Compute Cloud (Amazon EC2), Amazon EC2 Auto Scaling, Amazon EMR, Amazon EventBridge, Amazon EventBridge Schemas, Amazon FinSpace, Amazon Fraud Detector, Amazon GameLift Servers, Amazon Interactive Video Service (Amazon IVS), Amazon Managed Service for Apache Flink, EC2 Image Builder, Amazon Lex, Amazon Lightsail, Amazon Location Service, Amazon Lookout for Equipment, Amazon Lookout for Metrics, Amazon Lookout for Vision, Amazon Managed Blockchain, Amazon MQ, Amazon Nimble StudioAmazon Pinpoint, Amazon Quick, Amazon Application Recovery Controller (ARC), Amazon Route 53 Resolver, Amazon Simple Storage Service (Amazon S3), Amazon SimpleDB, Amazon Simple Email Service (Amazon SES), Amazon Timestream, Amazon AppConfig, Amazon AppSync, Amazon Auto Scaling, Amazon Backup, Amazon Budgets, Amazon Cost Explorer, Amazon Cloud9, Amazon Directory Service, Amazon DataSync, AWS Elemental MediaPackage, Amazon Glue, Amazon IoT, Amazon IoT Analytics, Amazon IoT Events, Amazon IoT SiteWise, Amazon IoT TwinMaker, Amazon Lake Formation, Amazon License Manager, Amazon Resilience Hub, Amazon Signer, and Amazon Transfer Family  | September 7, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists  |  This policy now grants permission to return a list of Amazon DataSync agents, DataSync source and destination locations, and DataSync tasks in an Amazon Web Services account; list summary information about the Amazon Cloud Map namespaces and services that are associated with one or more specified namespaces in an Amazon Web Services account; and list all the Amazon Simple Email Service (Amazon SES) contact lists available in Amazon Web Services account.  | August 22, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add datasync:ListAgents, datasync:ListLocations, datasync:ListTasks, servicediscovery:ListNamespaces, servicediscovery:ListServices, and ses:ListContactLists  |  This policy now grants permission to return a list of Amazon DataSync agents, DataSync source and destination locations, and DataSync tasks in an Amazon Web Services account; list summary information about the Amazon Cloud Map namespaces and services that are associated with one or more specified namespaces in an Amazon Web Services account; and list all the Amazon Simple Email Service (Amazon SES) contact lists available in Amazon Web Services account.  | August 22, 2022 | 
|  [ConfigConformsServiceRolePolicy](#security-iam-awsmanpol-ConfigConformsServiceRolePolicy) – Add cloudwatch:PutMetricData  |  This policy now grants permission to publish metric data points to Amazon CloudWatch.  | July 25, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor: ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder: GetComponent, imagebuilder: ListComponentBuildVersions, imagebuilder: ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListDistributionConfigurations, imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet   |  This policy now supports additional permissions for Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Managed Service for Apache Flink, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon Quick, Amazon Rekognition, Amazon RoboMaker, Amazon Simple Storage Service (Amazon S3), Amazon Simple Email Service (Amazon SES), Amazon Amplify, Amazon AppConfig, Amazon AppSync, Amazon Billing Conductor, Amazon DataSync, Amazon Firewall Manager, Amazon Glue, Amazon IAM Identity Center (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing.  | July 15, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add amplifyuibuilder:ExportThemes, amplifyuibuilder:GetTheme, appconfig:GetApplication, appconfig:GetApplication, appconfig:GetConfigurationProfile, appconfig:GetConfigurationProfile, appconfig:GetDeployment, appconfig:GetDeploymentStrategy, appconfig:GetEnvironment, appconfig:GetHostedConfigurationVersion, appconfig:ListTagsForResource, appsync:GetGraphqlApi, appsync:ListGraphqlApis, billingconductor: ListPricingRulesAssociatedToPricingPlan, billingconductor:ListAccountAssociations, billingconductor:ListBillingGroups, billingconductor:ListCustomLineItems, billingconductor:ListPricingPlans, billingconductor:ListPricingRules, billingconductor:ListTagsForResource, datasync:DescribeAgent, datasync:DescribeLocationEfs, datasync:DescribeLocationFsxLustre, datasync:DescribeLocationHdfs, datasync:DescribeLocationNfs, datasync:DescribeLocationObjectStorage, datasync:DescribeLocationS3, datasync:DescribeLocationSmb, datasync:DescribeTask, datasync:ListTagsForResource, ecr:DescribePullThroughCacheRules, ecr:DescribeRegistry, ecr:GetRegistryPolicy, elasticache:DescribeCacheParameters, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, events:DescribeApiDestination, events:DescribeArchive, fms:GetNotificationChannel, fms:GetPolicy, fms:ListPolicies, fms:ListTagsForResource, fsx:DescribeVolumes, geo:DescribeGeofenceCollection, geo:DescribeMap, geo:DescribePlaceIndex, geo:DescribeRouteCalculator, geo:DescribeTracker, geo:ListTrackerConsumers, glue:BatchGetJobs, glue:BatchGetWorkflows, glue:GetCrawler, glue:GetCrawlers, glue:GetJob, glue:GetJobs, glue:GetWorkflow, imagebuilder: GetComponent, imagebuilder: ListComponentBuildVersions, imagebuilder: ListComponents, imagebuilder:GetDistributionConfiguration, imagebuilder:GetInfrastructureConfiguration, imagebuilder:ListDistributionConfigurations, imagebuilder:ListInfrastructureConfigurations, kafka:DescribeClusterV2, kafka:ListClustersV2, kinesisanalytics:DescribeApplication, kinesisanalytics:ListTagsForResource, quicksight:DescribeDataSource, quicksight:DescribeDataSourcePermissions, quicksight:ListTagsForResource, rekognition:DescribeStreamProcessor, rekognition:ListTagsForResource, robomaker:DescribeRobotApplication, robomaker:DescribeSimulationApplication, s3:GetStorageLensConfiguration, s3:GetStorageLensConfigurationTagging, servicediscovery:GetInstance, servicediscovery:GetNamespace, servicediscovery:GetService, servicediscovery:ListTagsForResource, ses:DescribeReceiptRule, ses:DescribeReceiptRuleSet, ses:GetContactList, ses:GetEmailTemplate, ses:GetTemplate, and sso:GetInlinePolicyForPermissionSet  |  This policy now supports additional permissions for Amazon Elastic Container Service (Amazon ECS), Amazon ElastiCache, Amazon EventBridge, Amazon FSx, Amazon Managed Service for Apache Flink, Amazon Location Service, Amazon Managed Streaming for Apache Kafka, Amazon Quick, Amazon Rekognition, Amazon RoboMaker, Amazon Simple Storage Service (Amazon S3), Amazon Simple Email Service (Amazon SES), Amazon Amplify, Amazon AppConfig, Amazon AppSync, Amazon Billing Conductor, Amazon DataSync, Amazon Firewall Manager, Amazon Glue, Amazon IAM Identity Center (IAM Identity Center), EC2 Image Builder, and Elastic Load Balancing.  | July 15, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource  |  This policy now grants permission to get a specified Amazon Athena data catalog, list the Athena data catalogs in an Amazon Web Services account, and list tags associated with an Athena workgroup or data catalog resource; to get a list of Amazon Detective behavior graphs and list tags for a Detective behavior graph; get a list of resource metadata for a given list of Amazon Glue development endpoint names, get information about a specified Amazon Glue development endpoint, get all the Amazon Glue development endpoints in an Amazon Web Services account, retrieve a specified Amazon Glue security configuration, get all Amazon Glue security configurations, get a list of tags associated with an Amazon Glue resource, get information about an Amazon Glue workgroup with the specified name, retrieve the names of all Amazon Glue crawler resources in an Amazon account, get the names of all Amazon Glue `DevEndpoint` resources in an Amazon Web Services account, list the names of all Amazon Glue job resources in an Amazon Web Services account, get details about Amazon Glue member accounts, list names of Amazon Glue workflows created in an account, and list available Amazon Glue workgroups for an account; to retrieve details about an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, get a list of GuardDuty filters, get the IPSets of the GuardDuty service, retrieve tags for the GuardDuty Service, and get the ThreatIntelSets of the GuardDuty service; to get the current status and configuration settings for an Amazon Macie account; to retrieve the resource and principal associations for Amazon Resource Access Manager (Amazon RAM) resource shares and retrieve details about Amazon RAM resource shares; to get information about an Amazon Simple Email Service (Amazon SES) existing configuration set, get a list of event destinations that are associated with an Amazon SES configuration set, and list all of the configuration sets associated with an Amazon SES account; and to get a list of Identity Center directory attributes, get the details of an Amazon IAM Identity Center permission set, get the IAM managed policy that is attached to a specified IAM Identity Center permission set, get the permissions set for an IAM Identity Center instance, and get tags for IAM Identity Center resources.  | May 31, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add athena:GetDataCatalog, athena:ListDataCatalogs, athena:ListTagsForResource, detective:ListGraphs, detective:ListTagsForResource, glue:BatchGetDevEndpoints, glue:GetDevEndpoint, glue:GetDevEndpoints, glue:GetSecurityConfiguration, glue:GetSecurityConfigurations, glue:GetTags glue:GetWorkGroup, glue:ListCrawlers, glue:ListDevEndpoints, glue:ListJobs, glue:ListMembers, glue:ListWorkflows, glue:ListWorkGroups, guardduty:GetFilter, guardduty:GetIPSet, guardduty:GetThreatIntelSet, guardduty:GetMembers, guardduty:ListFilters, guardduty:ListIPSets, guardduty:ListTagsForResource, guardduty:ListThreatIntelSets, macie:GetMacieSession, ram:GetResourceShareAssociations, ram:GetResourceShares, ses:GetConfigurationSet, ses:GetConfigurationSetEventDestinations, ses:ListConfigurationSets, sso:DescribeInstanceAccessControlAttributeConfiguration, sso:DescribePermissionSet, sso:ListManagedPoliciesInPermissionSet, sso:ListPermissionSets, and sso:ListTagsForResource  |  This policy now grants permission to get a specified Amazon Athena data catalog, list the Athena data catalogs in an Amazon Web Services account, and list tags associated with an Athena workgroup or data catalog resource; to get a list of Amazon Detective behavior graphs and list tags for a Detective behavior graph; get a list of resource metadata for a given list of Amazon Glue development endpoint names, get information about a specified Amazon Glue development endpoint, get all the Amazon Glue development endpoints in an Amazon Web Services account, retrieve a specified Amazon Glue security configuration, get all Amazon Glue security configurations, get a list of tags associated with an Amazon Glue resource, get information about an Amazon Glue workgroup with the specified name, retrieve the names of all Amazon Glue crawler resources in an Amazon account, get the names of all Amazon Glue `DevEndpoint` resources in an Amazon Web Services account, list the names of all Amazon Glue job resources in an Amazon Web Services account, get details about Amazon Glue member accounts, list names of Amazon Glue workflows created in an account, and list available Amazon Glue workgroups for an account; to retrieve details about an Amazon GuardDuty filter, retrieve a GuardDuty IPSet, retrieve a GuardDuty ThreatIntelSet, retrieve GuardDuty member accounts, get a list of GuardDuty filters, get the IPSets of the GuardDuty service, retrieve tags for the GuardDuty Service, and get the ThreatIntelSets of the GuardDuty service; to get the current status and configuration settings for an Amazon Macie account; to retrieve the resource and principal associations for Amazon Resource Access Manager (Amazon RAM) resource shares and retrieve details about Amazon RAM resource shares; to get information about an Amazon Simple Email Service (Amazon SES) existing configuration set, get a list of event destinations that are associated with an Amazon SES configuration set, and list all of the configuration sets associated with an Amazon SES account; and to get a list of Identity Center directory attributes, get the details of an Amazon IAM Identity Center permission set, get the IAM managed policy that is attached to a specified IAM Identity Center permission set, get the permissions set for an IAM Identity Center instance, and get tags for IAM Identity Center resources.  | May 31, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies  |  This policy now grants permission to get information about all or a specified Amazon CloudTrail event data store (EDS), get information about all or a specified Amazon CloudFormation resource, get a list of a DynamoDB Accelerator (DAX) parameter group or subnet group, get information about Amazon Database Migration Service (Amazon DMS) replication tasks for your account in the current region being accessed, and get a list all policies in an Amazon Organizations of a specified type.  | April 7, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add cloudformation:GetResource, cloudformation:ListResources, cloudtrail:GetEventDataStore, cloudtrail:ListEventDataStores, dax:DescribeParameterGroups, dax:DescribeParameters, dax:DescribeSubnetGroups, DMS:DescribeReplicationTasks, and organizations:ListPolicies  |  This policy now grants permission to get information about all or a specified Amazon CloudTrail event data store (EDS), get information about all or a specified Amazon CloudFormation resource, get a list of a DynamoDB Accelerator (DAX) parameter group or subnet group, get information about Amazon Database Migration Service (Amazon DMS) replication tasks for your account in the current region being accessed, and get a list all policies in an Amazon Organizations of a specified type.  | April 7, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces  |  This policy now supports additional permissions for Amazon Backup, Amazon Batch, DynamoDB Accelerator, Amazon Database Migration Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, Amazon Key Management Service, Amazon OpsWorks, Amazon Relational Database Service, Amazon WAFV2, and Amazon WorkSpaces.  | March 14, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add backup-gateway:ListTagsForResource, backup-gateway:ListVirtualMachines, batch:DescribeComputeEnvironments, batch:DescribeJobQueues, batch:ListTagsForResource, dax:ListTags, dms:DescribeCertificates, dynamodb:DescribeGlobalTable, dynamodb:DescribeGlobalTableSettings, ec2:DescribeClientVpnAuthorizationRules, ec2:DescribeClientVpnEndpoints, ec2:DescribeDhcpOptions, ec2:DescribeFleets, ec2:DescribeNetworkAcls, ec2:DescribePlacementGroups, ec2:DescribeSpotFleetRequests, ec2:DescribeVolumeAttribute, ec2:DescribeVolumes, eks:DescribeFargateProfile, eks:ListFargateProfiles, eks:ListTagsForResource, fsx:ListTagsForResource, guardduty:ListOrganizationAdminAccounts, kms:ListAliases, opsworks:DescribeLayers, opsworks:DescribeStacks, opsworks:ListTags, rds:DescribeDBClusterParameterGroups, rds:DescribeDBClusterParameters, states:DescribeActivity, states:ListActivities, wafv2:GetRuleGroup, wafv2:ListRuleGroups, wafv2:ListTagsForResource, workspaces:DescribeConnectionAliases, workspaces:DescribeTags, and workspaces:DescribeWorkspaces  |  This policy now supports additional permissions for Amazon Backup, Amazon Batch, DynamoDB Accelerator, Amazon Database Migration Service, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service, Amazon FSx, Amazon GuardDuty, Amazon Key Management Service, Amazon OpsWorks, Amazon Relational Database Service, Amazon WAFV2, and Amazon WorkSpaces.  | March 14, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies  |  This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an Amazon Web Services account, retrieve information about an Amazon Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived Amazon Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account.   | February 10, 2022 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings, account:GetAlternateContact, organizations:DescribePolicy, organizations:ListParents, organizations:ListPoliciesForTarget, es:GetCompatibleElasticsearchVersions, rds:DescribeOptionGroups, rds:DescribeOptionGroups, es:GetCompatibleVersions, codedeploy:GetDeploymentConfig, ecr-public:GetRepositoryPolicy, access-analyzer:GetArchiveRule, and ecs:ListTaskDefinitionFamilies  |  This policy now grants permission to get details about Elastic Beanstalk environments and a description of the settings for the specified Elastic Beanstalk configuration set, get a map of OpenSearch or Elasticsearch versions, describe the available Amazon RDS option groups for a database, and get information about a CodeDeploy deployment configuration. This policy also now grants permission to retrieve the specified alternate contact attached to an Amazon Web Services account, retrieve information about an Amazon Organizations policy, retrieve an Amazon ECR repository policy, retrieve information about an archived Amazon Config rule, retrieve a list of Amazon ECS task definition families, list the root or parent organizational units (OUs) of the specified child OU or account, and list the policies that are attached to the specified target root, organizational unit, or account.  | February 10, 2022 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent  |  This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams.  | December 15, 2021 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add logs:CreateLogStream, logs:CreateLogGroup, and logs:PutLogEvent  |  This policy now grants permission to create Amazon CloudWatch log groups and streams and to write logs to created log streams.  | Decemeber 15, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and, elasticache:DescribeSnapshots  |  This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get detais about Amazon ElastiCache snapshots.  | September 8, 2021 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add es:DescribeDomain, es:DescribeDomains, rds:DescribeDBParameters, and, elasticache:DescribeSnapshots  |  This policy now grants permission to get details about an Amazon OpenSearch Service (OpenSearch Service) domain/domains and to get a detailed parameter list for a particular Amazon Relational Database Service (Amazon RDS) DB parameter group. This policy also grants permission to get detais about Amazon ElastiCache snapshots.  | September 8, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for Amazon resource types  |  This policy now grants permission to list tags for a log group, list tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. This policy also now supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker AI, Amazon Simple Notification Service, Amazon Database Migration Service, Amazon Global Accelerator, and Amazon Storage Gateway.  | July 28, 2021 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add logs:ListTagsLogGroup, states:ListTagsForResource, states:ListStateMachines, states:DescribeStateMachine, and additional permissions for Amazon resource types  |  This policy now grants permission to list tags for a log group, list tags for a state machine, and list all state machines. This policy now grants permission to get details about a state machine. This policy also now supports additional permissions for Amazon EC2 Systems Manager (SSM), Amazon Elastic Container Registry, Amazon FSx, Amazon Data Firehose, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Relational Database Service (Amazon RDS), Amazon Route 53, Amazon SageMaker AI, Amazon Simple Notification Service, Amazon Database Migration Service, Amazon Global Accelerator, and Amazon Storage Gateway.  | July 28, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add ssm:DescribeDocumentPermission and additional permissions for Amazon resource types  |  This policy now grants permission to view the permissions of Amazon Systems Manager documents and information about IAM Access Analyzer. This policy now supports additional Amazon resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, Amazon Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow Amazon Config to invoke the read-only APIs required to support these resource types. This policy also now support filtering Lambda@Edge functions for the [lambda-inside-vpc](https://docs.amazonaws.cn/config/latest/developerguide/lambda-inside-vpc.html) Amazon Config managed rule.  | June 8, 2021 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add ssm:DescribeDocumentPermission and additional permissions for Amazon resource types  |  This policy now grants permission to view the permissions of Amazon Systems Manager documents and information about IAM Access Analyzer. This policy now supports additional Amazon resource types for Amazon Kinesis, Amazon ElastiCache, Amazon EMR, Amazon Network Firewall, Amazon Route 53, and Amazon Relational Database Service (Amazon RDS). These permission changes allow Amazon Config to invoke the read-only APIs required to support these resource types. This policy also now support filtering Lambda@Edge functions for the [lambda-inside-vpc](https://docs.amazonaws.cn/config/latest/developerguide/lambda-inside-vpc.html) Amazon Config managed rule.  | June 8, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add apigateway:GET permission to make read-only GET calls to API Gateway and s3:GetAccessPointPolicy permission and s3:GetAccessPointPolicyStatus permission to invoke Amazon S3 read-only APIs  |  This policy now grants permissions that allow Amazon Config to make read-only GET calls to API Gateway to support a Amazon Config Rule for API Gateway. The policy also adds permissions that allow Amazon Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new `AWS::S3::AccessPoint` resource type.   | May 10, 2021 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add apigateway:GET permission to make read-only GET calls to API Gateway and s3:GetAccessPointPolicy permission and s3:GetAccessPointPolicyStatus permission to invoke Amazon S3 read-only APIs  |  This policy now grants permissions that allow Amazon Config to make read-only GET calls to API Gateway to support a Amazon Config for API Gateway. The policy also adds permissions that allow Amazon Config to invoke Amazon Simple Storage Service (Amazon S3) read-only APIs, which are required to support the new `AWS::S3::AccessPoint` resource type.   | May 10, 2021 | 
|  [AWSConfigServiceRolePolicy](#security-iam-awsmanpol-AWSConfigServiceRolePolicy) – Add ssm:ListDocuments permission and additional permissions for Amazon resource types  |  This policy now grants permission to view information about Amazon Systems Manager specified documents. This policy also now supports additional Amazon resource types for Amazon Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker AI, Amazon Database Migration Service, and Amazon Route 53. These permission changes allow Amazon Config to invoke the read-only APIs required to support these resource types.   | April 1, 2021 | 
|  [AWS\$1ConfigRole](#security-iam-awsmanpol-AWS_ConfigRole) – Add ssm:ListDocuments permission and additional permissions for Amazon resource types  |  This policy now grants permission to view information about Amazon Systems Manager specified documents. This policy also now supports additional Amazon resource types for Amazon Backup, Amazon Elastic File System, Amazon ElastiCache, Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Kinesis, Amazon SageMaker AI, Amazon Database Migration Service, and Amazon Route 53. These permission changes allow Amazon Config to invoke the read-only APIs required to support these resource types.   | April 1, 2021 | 
|  `AWSConfigRole` is deprecated  |  `AWSConfigRole` is deprecated. The replacement policy is `AWS_ConfigRole`.  | April 1, 2021 | 
|  Amazon Config started tracking changes  |  Amazon Config started tracking changes for its Amazon managed policies.  | April 1, 2021 | 

# Permissions for the IAM Role Assigned to Amazon Config
<a name="iamrole-permissions"></a>

An IAM role lets you define a set of permissions. Amazon Config assumes the role that you assign to it to write to your S3 bucket, publish to your SNS topic, and make `Describe` or `List` API requests to get configuration details for your Amazon resources. For more information about IAM roles, see [IAM Roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/WorkingWithRoles.html) in the *IAM User Guide*.

When you use the Amazon Config console to create or update an IAM role, Amazon Config automatically attaches the required permissions for you. For more information, see [Setting Up Amazon Config with the Console](gs-console.md).

**Policies and compliance results**  
[IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html) and [other policies managed in Amazon Organizations](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies.html) can impact whether Amazon Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use Amazon Config.

**Contents**
+ [Creating IAM Role Policies](#iam-role-policies)
  + [Adding an IAM Trust Policy to your Role](#iam-trust-policy)
  + [IAM Role Policy for your S3 Bucket](#iam-role-policies-S3-bucket)
  + [IAM Role Policy for KMS Key](#iam-role-policies-S3-kms-key)
  + [IAM Role Policy for Amazon SNS Topic](#iam-role-policies-sns-topic)
  + [IAM Role Policy for Getting Configuration Details](#iam-role-policies-describe-apis)
  + [Managing Permissions for S3 Bucket Recording](#troubleshooting-recording-s3-bucket-policy)

## Creating IAM Role Policies
<a name="iam-role-policies"></a>

When you use the Amazon Config console to create an IAM role, Amazon Config automatically attaches the required permissions to the role for you. 

If you are using the Amazon CLI to set up Amazon Config or you are updating an existing IAM role, you must manually update the policy to allow Amazon Config to access your S3 bucket, publish to your SNS topic, and get configuration details about your resources.

### Adding an IAM Trust Policy to your Role
<a name="iam-trust-policy"></a>

You can create an IAM trust policy that enables Amazon Config to assume a role and use it to track your resources. For more information about trust policies, see [Roles terms and concepts](https://docs.amazonaws.cn/IAM/latest/UserGuide/d_roles_terms-and-concepts.html) in the* IAM User Guide*.

The following is an example trust policy for Amazon Config roles:

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": { 
        "StringEquals": {
          "AWS:SourceAccount": "sourceAccountID"
        }
      }
    }
  ]
}
```

------

You can use the `AWS:SourceAccount` condition in the IAM Role Trust relationship above to restrict the Config service principal to only interact with the Amazon IAM Role when performing operations on behalf of specific accounts.

Amazon Config also supports the `AWS:SourceArn` condition which restricts the Config service principal to only assume the IAM Role when performing operations on behalf of the owning account. When using the Amazon Config service principal, the `AWS:SourceArn` property will always be set to `arn:aws:config:sourceRegion:sourceAccountID:*` where `sourceRegion` is the region of the customer managed configuration recorder and `sourceAccountID` is the ID of the account containing the customer managed configuration recorder.

For example, add the following condition restrict the Config service principal to only assume the IAM Role only on behalf of a customer managed configuration recorder in the `us-east-1` region in the account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.

### IAM Role Policy for your S3 Bucket
<a name="iam-role-policies-S3-bucket"></a>

The following example policy grants Amazon Config permission to access your S3 bucket:

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource":[
        "arn:aws-cn:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/myAccountID/*"
      ],
      "Condition":{
        "StringLike":{
          "s3:x-amz-acl":"bucket-owner-full-control"
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:GetBucketAcl"
      ],
      "Resource":"arn:aws-cn:s3:::amzn-s3-demo-bucket"
    }
  ]
}
```

------

### IAM Role Policy for KMS Key
<a name="iam-role-policies-S3-kms-key"></a>

The following example policy grants Amazon Config permission to use KMS-based encryption on new objects for S3 bucket delivery:

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws-cn:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
        }
    ]
}
```

------

### IAM Role Policy for Amazon SNS Topic
<a name="iam-role-policies-sns-topic"></a>

The following example policy grants Amazon Config permission to access your SNS topic:

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": 
   [
     {
      "Effect":"Allow",
      "Action":"sns:Publish",
      "Resource":"arn:aws-cn:sns:us-east-1:123456789012:MyTopic"
     }
    ]
}
```

------

If your SNS topic is encrypted for additional setup instructions, see [Configuring Amazon KMS Permissions](https://docs.amazonaws.cn/sns/latest/dg/sns-server-side-encryption.html#sns-what-permissions-for-sse) in the *Amazon Simple Notification Service Developer Guide*.

### IAM Role Policy for Getting Configuration Details
<a name="iam-role-policies-describe-apis"></a>

It is recommended to use the Amazon Config service-linked role: `AWSServiceRoleForConfig`. Service-linked roles are predefined and include all the permissions that Amazon Config requires to call other Amazon Web Services services. The Amazon Config service-linked role is required for service-linked configuration recorders. For more information, see [Using Service-Linked Roles for Amazon Config](https://docs.amazonaws.cn/config/latest/developerguide/using-service-linked-roles.html).

If you create or update a role with the console, Amazon Config attaches the **AWSServiceRoleForConfig** for you.

If you use the Amazon CLI, use the `attach-role-policy` command and specify the Amazon Resource Name (ARN) for **AWSServiceRoleForConfig**:

```
$ aws iam attach-role-policy --role-name myConfigRole --policy-arn arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForConfig
```

### Managing Permissions for S3 Bucket Recording
<a name="troubleshooting-recording-s3-bucket-policy"></a>

Amazon Config records and delivers notifications when an S3 bucket is created, updated, or deleted.

It is recommended to use the Amazon Config service-linked role: `AWSServiceRoleForConfig`. Service-linked roles are predefined and include all the permissions that Amazon Config requires to call other Amazon Web Services services. The Amazon Config service-linked role is required for service-linked configuration recorders. For more information, see [Using Service-Linked Roles for Amazon Config](https://docs.amazonaws.cn/config/latest/developerguide/using-service-linked-roles.html).

# Updating the IAM Role for the customer managed configuration recorder
<a name="update-iam-role"></a>

You can update the IAM role used by the customer managed configuration recorder. Before you update the IAM role, ensure that you have created a new role to replace the old one. You must attach policies to the new role that grant permissions to Amazon Config to record configurations and deliver them to your delivery channel.

For information about creating an IAM role and attaching the required policies to the IAM role, see [Step 3: Creating an IAM Role](gs-cli-prereq.md#gs-cli-create-iamrole).

**Note**  
To find the ARN of an existing IAM role, go to the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/). Choose **Roles** in the navigation pane. Then choose the name of the desired role and find the ARN at the top of the **Summary** page.

## Updating the IAM Role
<a name="update-iam-role-console"></a>

You can update your IAM role using the Amazon Web Services Management Console or the Amazon CLI.

------
#### [ To update the IAM role (Console) ]

1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at [https://console.amazonaws.cn/config/home](https://console.amazonaws.cn/config/home).

1. Choose **Settings** in the navigation pane.

1. On the **Customer managed recorder** tab, choose **Edit** on the Settings page.

1. In the **Data governance**, section, choose the IAM role for Amazon Config:
   + **Use an existing Amazon Config service-linked role** – Amazon Config creates a role that has the required permissions.
   + **Choose a role from your account** – For **Existing roles**, choose an IAM role in your account.

1. Choose **Save**.

------
#### [ To update the IAM role (Amazon CLI) ]

Use the [http://docs.amazonaws.cn/cli/latest/reference/configservice/put-configuration-recorder.html](http://docs.amazonaws.cn/cli/latest/reference/configservice/put-configuration-recorder.html) command and specify the Amazon Resource Name (ARN) of the new role:

```
$ aws configservice put-configuration-recorder --configuration-recorder name=configRecorderName,roleARN=arn:aws:iam::012345678912:role/myConfigRole
```

------

# Permissions for the Amazon S3 Bucket for the Amazon Config Delivery Channel
<a name="s3-bucket-policy"></a>

**Important**  
This page is about setting up the Amazon S3 Bucket for the Amazon Config delivery channel. This page is not about the `AWS::S3::Bucket` resource type that the Amazon Config configuration recorder can record.

Amazon S3 buckets and objects are private by default. Only the Amazon Web Services account that created the bucket (the resource owner) has access permissions. Resource owners can grant access to other resources and users by creating access policies.

When Amazon Config automatically creates an S3 bucket for you, it adds the required permissions. However, if you specify an existing S3 bucket, you must add these permissions manually.

**Topics**
+ [When Using IAM Roles](#required-permissions-in-another-account)
+ [When Using Service-Linked Roles](#required-permissions-using-servicelinkedrole)
+ [Granting Amazon Config access](#granting-access-in-another-account)
+ [Cross-Account Delivery](#required-permissions-cross-account)

## Required Permissions for the Amazon S3 Bucket When Using IAM Roles
<a name="required-permissions-in-another-account"></a>

Amazon Config uses the IAM role you assigned to the configuration recorder to deliver configuration history and snapshots to S3 buckets in your account. For cross-account delivery, Amazon Config first attempts to use the assigned IAM role. If the bucket policy doesn't grant `WRITE` access to the IAM role, Amazon Config uses the `config.amazonaws.com` service principal. The bucket policy must grant `WRITE` access to `config.amazonaws.com` to complete the delivery. After successful delivery, Amazon Config maintains ownership of all objects it delivers to the cross-account S3 bucket.

Amazon Config calls the Amazon S3 [HeadBucket](https://docs.amazonaws.cn/AmazonS3/latest/API/API_RESTBucketHEAD.html) API with the IAM role you assigned to the configuration recorder to confirm if the S3 bucket exists and its location. If you do not have the necessary permissions for Amazon Config to confirm, you will see an `AccessDenied` error in your Amazon CloudTrail logs. However, Amazon Config can still deliver configuration history and snapshots even if Amazon Config does not have the necessary permissions to confirm if the S3 bucket exists and its location.

**Minimum permissions**  
The Amazon S3 `HeadBucket` API requires the `s3:ListBucket` action.

## Required Permissions for the Amazon S3 Bucket When Using Service-Linked Roles
<a name="required-permissions-using-servicelinkedrole"></a>

The Amazon Config service-linked role does not have permission to put objects to Amazon S3 buckets. If you set up Amazon Config using a service-linked role, Amazon Config will use the `config.amazonaws.com` service principal to deliver configuration history and snapshots. The S3 bucket policy in your account or cross-account destinations must include permissions for the Amazon Config service principal to write objects.

## Granting Amazon Config access to the Amazon S3 Bucket
<a name="granting-access-in-another-account"></a>

Complete the following steps enable Amazon Config to deliver configuration history and snapshots to an Amazon S3 bucket.

1. Sign in to the Amazon Web Services Management Console using the account that has the S3 bucket.

1. Open the Amazon S3 console at [https://console.amazonaws.cn/s3/](https://console.amazonaws.cn/s3/).

1. Select the bucket that you want Amazon Config to use to deliver configuration items, and then choose **Properties**. 

1. Choose **Permissions**.

1. Choose **Edit Bucket Policy**.

1. Copy the following policy into the **Bucket Policy Editor** window:
**Security best practices**  
We strongly recommend that you restrict access in the bucket policy with the `AWS:SourceAccount` condition. This makes sure that Amazon Config is granted access on behalf of expected users only.

------
#### [ JSON ]

****  

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
       {
         "Sid": "AWSConfigBucketPermissionsCheck",
         "Effect": "Allow",
         "Principal": {
           "Service": "config.amazonaws.com"
         },
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket",
         "Condition": { 
           "StringEquals": {
             "AWS:SourceAccount": "sourceAccountID"
           }
         }
       },
       {
         "Sid": "AWSConfigBucketExistenceCheck",
         "Effect": "Allow",
         "Principal": {
           "Service": "config.amazonaws.com"
         },
         "Action": "s3:ListBucket",
         "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket",
         "Condition": { 
           "StringEquals": {
             "AWS:SourceAccount": "sourceAccountID"
           }
         }
       },
       {
         "Sid": "AWSConfigBucketDelivery",
         "Effect": "Allow",
         "Principal": {
           "Service": "config.amazonaws.com"
         },
         "Action": "s3:PutObject",
         "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket/[optional] prefix/AWSLogs/sourceAccountID/Config/*",
         "Condition": { 
           "StringEquals": { 
             "s3:x-amz-acl": "bucket-owner-full-control",
             "AWS:SourceAccount": "sourceAccountID"
           }
         }
       }
     ]
   }
   ```

------

1. Substitute the following values in the bucket policy:
   + *amzn-s3-demo-bucket* – Name of the Amazon S3 bucket where Amazon Config will deliver configuration history and snapshots.
   + *[optional] prefix* – An optional addition to the Amazon S3 object key that helps create a folder-like organization in the bucket.
   + *sourceAccountID* – ID of the account where Amazon Config will deliver configuration history and snapshots.

1. Choose **Save** and then **Close**.

The `AWS:SourceAccount` condition restricts Amazon Config operations to specified Amazon Web Services accounts. For multi-account configurations within an organization delivering to a single S3 bucket, use IAM roles with Amazon Organizations conditions keys instead of service-linked roles. For example, `AWS:PrincipalOrgID`. For more information, see [Managing access permissions for an organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_permissions_overview.html) in the *Amazon Organizations User guide*.

The `AWS:SourceArn` condition restricts Amazon Config operations to specified delivery channels. The `AWS:SourceArn` format is as follows: `arn:aws:config:sourceRegion:123456789012`.

For example, to restrict S3 bucket access to a delivery channel in the US East (N. Virginia) Region for account 123456789012, add the following condition:

```
"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:"}
```

## Required Permissions for the Amazon S3 Bucket When Delivering Cross-Account
<a name="required-permissions-cross-account"></a>

When Amazon Config is configured to deliver configuration history and snapshots to an Amazon S3 bucket in a different account (cross-account setup), where the configuration recorder and the S3 bucket specified for delivery channel are in different Amazon Web Services accounts, the following permissions are required:
+ The IAM role you assign to the configuration recorder needs explicit permission to perform the `s3:ListBucket` operation. This is because Amazon Config calls the Amazon S3 [HeadBucket](https://docs.amazonaws.cn/AmazonS3/latest/API/API_RESTBucketHEAD.html) API with this IAM role to determine the bucket location.
+ The S3 bucket policy must include permissions for the IAM role assigned to the configuration recorder.

The following is an example bucket policy configuration:

```
{
      "Sid": "AWSConfigBucketExistenceCheck",
      "Effect": "Allow",
      "Principal": {
        "AWS": "IAM Role-Arn assigned to the configuration recorder"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
}
```

# Permissions for the KMS Key for the Amazon Config Delivery Channel
<a name="s3-kms-key-policy"></a>

Use the information in this topic if you want to create a policy for an Amazon KMS key for your S3 bucket that allows you to use KMS-based encryption on objects delivered by Amazon Config for S3 bucket delivery.

**Contents**
+ [Required Permissions for the KMS Key When Using IAM Roles (S3 Bucket Delivery)](#required-permissions-s3-kms-key-using-iam-role)
+ [Required Permissions for the Amazon KMS Key When Using Service-Linked Roles (S3 Bucket Delivery)](#required-permissions-s3-kms-key-using-servicelinkedrole)
+ [Granting Amazon Config access to the Amazon KMS Key](#granting-access-s3-kms-key)

## Required Permissions for the KMS Key When Using IAM Roles (S3 Bucket Delivery)
<a name="required-permissions-s3-kms-key-using-iam-role"></a>

If you set up Amazon Config using an IAM role, you can attach the follow permission policy to the KMS Key:

```
{
    "Id": "Policy_ID",
    "Statement": [
        {
            "Sid": "AWSConfigKMSPolicy",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Effect": "Allow",
            "Resource": "*myKMSKeyARN*",
            "Principal": {
                "AWS": [
                    "account-id1",
                    "account-id2",
                    "account-id3"
                ]
            }
        }
    ]
}
```

**Note**  
If the IAM role, Amazon S3 bucket policy, or Amazon KMS key do not provide appropriate access to Amazon Config, then Amazon Config’s attempt to send configuration information to the Amazon S3 bucket will fail. In this event, Amazon Config sends the information again, this time as the Amazon Config service principal. For this case, you must attach a permission policy, mentioned below, to the Amazon KMS key to grant Amazon Config access to use the key when delivering information to the Amazon S3 bucket. 

## Required Permissions for the Amazon KMS Key When Using Service-Linked Roles (S3 Bucket Delivery)
<a name="required-permissions-s3-kms-key-using-servicelinkedrole"></a>

The Amazon Config service-linked role does not have permission to access the Amazon KMS key. So, if you set up Amazon Config using a service-linked role, Amazon Config will send information as the Amazon Config service principal instead. You will need to attach an access policy, mentioned below, to the Amazon KMS key to grant Amazon Config access to use the Amazon KMS key when delivering information to the Amazon S3 bucket.

## Granting Amazon Config access to the Amazon KMS Key
<a name="granting-access-s3-kms-key"></a>

This policy allows Amazon Config to use an Amazon KMS key when delivering information to an Amazon S3 bucket

```
{
    "Id": "Policy_ID",
    "Statement": [
        {
            "Sid": "AWSConfigKMSPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "myKMSKeyARN",
            "Condition": { 
                "StringEquals": {
                    "AWS:SourceAccount": "sourceAccountID"
                }
            }
        }
    ]
}
```

Substitute the following values in the key policy:
+ *myKMSKeyARN* – The ARN of the Amazon KMS key used to encrypt data in the Amazon S3 bucket that Amazon Config will deliver configuration items to.
+ *sourceAccountID* – The ID of the account for which Amazon Config will deliver configuration items to.

You can use the `AWS:SourceAccount` condition in the Amazon KMS key policy above to restrict the Config service principal to only interact with the Amazon KMS key when performing operations on behalf of specific accounts.

Amazon Config also supports the `AWS:SourceArn` condition which restricts the Config service principal to only interact with the Amazon S3 bucket when performing operations on behalf of specific Amazon Config delivery channels. When using the Amazon Config service principal, the `AWS:SourceArn` property will always be set to `arn:aws:config:sourceRegion:sourceAccountID:*` where `sourceRegion` is the region of the delivery channel and `sourceAccountID` is the ID of the account containing the delivery channel. For more information on Amazon Config delivery channels, see [Managing the Delivery Channel](https://docs.amazonaws.cn/config/latest/developerguide/manage-delivery-channel.html). For example, add the following condition to restrict the Config service principal to interact with your Amazon S3 bucket only on behalf of a delivery channel in the `us-east-1` region in the account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.

# Permissions for the Amazon SNS Topic
<a name="sns-topic-policy"></a>

**Encrypted Amazon SNS not supported**  
Amazon Config does not support encrypted Amazon SNS topics.

This topic describes how to configure Amazon Config to deliver Amazon SNS topics owned by a different account. Amazon Config must have the required permissions to send notifications to an Amazon SNS topic.

When the Amazon Config console creates a new Amazon SNS topic for you, Amazon Config grants the necessary permissions. If you choose an existing Amazon SNS topic, makes sure that the Amazon SNS topic includes the required permissions and follows security best practices.

**Cross-Region Amazon SNS topics are not supported**  
 Amazon Config currently supports only access within the same Amazon Web Services Region and across accounts.

**Contents**
+ [Required Permissions for the Amazon SNS Topic When Using IAM Roles](#required-permissions-snstopic-in-another-account)
+ [Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles](#required-permissions-snstopic-using-servicelinkedrole)
+ [Granting Amazon Config access to the Amazon SNS topic](#granting-access-snstopic)
+ [Troubleshooting for the Amazon SNS Topic](#troubleshooting-for-snstopic-using-servicelinkedrole)

## Required Permissions for the Amazon SNS Topic When Using IAM Roles
<a name="required-permissions-snstopic-in-another-account"></a>

You can attach a permissions policy to the Amazon SNS topic owned by a different account. If you want to use an Amazon SNS topic from another account, make sure to attach the following policy to the existing Amazon SNS topic.

```
{
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigSNSPolicy",
      "Action": [
        "sns:Publish"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
      "Principal": {
        "AWS": [
          "account-id1",
          "account-id2",
          "account-id3"
        ]
      }
    }
  ]
}
```

For the `Resource` key, *account-id* is the Amazon account number of the topic owner. For *account-id1*, *account-id2*, and *account-id3*, use the Amazon Web Services accounts that will send data to an Amazon SNS topic. You can substitute appropriate values for *region* and *myTopic*.

When Amazon Config sends a notification to an Amazon SNS topic, it first attempts to use the IAM role, but this attempt fails if the role or Amazon Web Services account does not have permission to publish to the topic. In this event, Amazon Config sends the notification again, this time as an Amazon Config service principal name (SPN). Before the publication can succeed, the access policy for the topic must grant `sns:Publish` access to the `config.amazonaws.com` principal name. You must attach an access policy, described in the next section, to the Amazon SNS topic to grant Amazon Config access to the Amazon SNS topic if the IAM role does not have permission to publish to the topic.

## Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles
<a name="required-permissions-snstopic-using-servicelinkedrole"></a>

The Amazon Config service-linked role does not have permission to access the Amazon SNS topic. So, if you set up Amazon Config using a service-linked role (SLR), Amazon Config will send information as the Amazon Config service principal instead. You will need to attach an access policy, mentioned below, to the Amazon SNS topic to grant Amazon Config access to send information to the Amazon SNS topic.

For same-account setup, when the Amazon SNS topic and SLR are in the same account and the Amazon SNS policy grants the SLR "`sns:Publish`" permission, you do not need to use the Amazon Config SPN. The permissions policy below and security best practice recommendations are for cross-account setup.

## Granting Amazon Config access to the Amazon SNS topic
<a name="granting-access-snstopic"></a>

This policy allows Amazon Config to send a notification to an Amazon SNS topic. To grant Amazon Config access to the Amazon SNS topic from another account, you will need to attach the following permissions policy.

**Note**  
As a security best practice, it is strongly recommended to make sure Amazon Config is accessing resources on behalf of expected users only by restricting access to the accounts listed in `AWS:SourceAccount` condition.

```
{
"Id": "Policy_ID",
"Statement": [
  {
    "Sid": "AWSConfigSNSPolicy",
    "Effect": "Allow",
    "Principal": {
      "Service": "config.amazonaws.com"
    },
    "Action": "sns:Publish",
      "Resource": "arn:aws:sns:region:account-id:myTopic",
        "Condition" : {
        "StringEquals": {
          "AWS:SourceAccount": [
            "account-id1",
            "account-id2",
            "account-id3"
          ]
        }
      }
    }
  ]
}
```

For the `Resource` key, *account-id* is the Amazon account number of the topic owner. For *account-id1*, *account-id2*, and *account-id3*, use the Amazon Web Services accounts that will send data to an Amazon SNS topic. You can substitute appropriate values for *region* and *myTopic*.

You can use the `AWS:SourceAccount` condition in the previous Amazon SNS topic policy to restrict the Amazon Config service principal name (SPN) to interact only with the Amazon SNS topic when performing operations on behalf of specific accounts.

Amazon Config also supports the `AWS:SourceArn` condition which restricts the Amazon Config service principal name (SPN) to only interact with the S3 bucket when performing operations on behalf of specific Amazon Config delivery channels. When using the Amazon Config service principal name (SPN), the `AWS:SourceArn` property will always be set to `arn:aws:config:sourceRegion:sourceAccountID:*` where `sourceRegion` is the Region of the delivery channel and `sourceAccountID` is the ID of the account containing the delivery channel. For more information about Amazon Config delivery channels, see [Managing the Delivery Channel](https://docs.amazonaws.cn/config/latest/developerguide/manage-delivery-channel.html). For example, add the following condition to restrict the Amazon Config service principal name (SPN) to interact with your S3 bucket only on behalf of a delivery channel in the `us-east-1` Region in the account `123456789012`: `"ArnLike": {"AWS:SourceArn": "arn:aws:config:us-east-1:123456789012:*"}`.

## Troubleshooting for the Amazon SNS Topic
<a name="troubleshooting-for-snstopic-using-servicelinkedrole"></a>

Amazon Config must have permissions to send notifications to an Amazon SNS topic. If an Amazon SNS topic cannot receive notifications, verify that the IAM role that Amazon Config was assuming has the required `sns:Publish` permissions. 

# Troubleshooting Amazon Config identity and access
<a name="security_iam_troubleshoot"></a>

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon Config and IAM.

**Topics**
+ [I am not authorized to perform an action in Amazon Config](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want to allow people outside of my Amazon Web Services account to access my Amazon Config resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Amazon Config
<a name="security_iam_troubleshoot-no-permissions"></a>

If you receive an error that you're not authorized to perform an action, your policies must be updated to allow you to perform the action.

The following example error occurs when the `mateojackson` IAM user tries to use the console to view details about a fictional `my-example-widget` resource but does not have the fictional `config:GetWidget` permissions.

```
User: arn:aws-cn:iam::123456789012:user/mateojackson is not authorized to perform: config:GetWidget on resource: my-example-widget
```

In this case, Mateo's policy must be updated to allow him to access the `my-example-widget` resource using the `config:GetWidget` action.

If you need help, contact your Amazon administrator. Your administrator is the person who provided you with your sign-in credentials.

## I am not authorized to perform iam:PassRole
<a name="security_iam_troubleshoot-passrole"></a>

If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Amazon Config.

Some Amazon Web Services services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Amazon Config. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws-cn:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your Amazon administrator. Your administrator is the person who provided you with your sign-in credentials.

## I want to allow people outside of my Amazon Web Services account to access my Amazon Config resources
<a name="security_iam_troubleshoot-cross-account-access"></a>

You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Amazon Config supports these features, see [How Amazon Config works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across Amazon Web Services accounts that you own, see [Providing access to an IAM user in another Amazon Web Services account that you own](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party Amazon Web Services accounts, see [Providing access to Amazon Web Services accounts owned by third parties](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Using Service-Linked Roles for Amazon Config
<a name="using-service-linked-roles"></a>

Amazon Config uses Amazon Identity and Access Management (IAM)[ service-linked roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Amazon Config. Service-linked roles are predefined by Amazon Config and include all the permissions that the service requires to call other Amazon services on your behalf. 

A service-linked role makes setting up Amazon Config easier because you don’t have to manually add the necessary permissions. Amazon Config defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon Config can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [Amazon Services That Work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-Linked Role Permissions for Amazon Config
<a name="slr-permissions"></a>

Amazon Config uses the service-linked role named **AwsServiceRoleForConfig** – Amazon Config uses this service-linked role to call other Amazon services on your behalf. To view the latest updates, see [Amazon Config updates to Amazon managed policies](security-iam-awsmanpol.md#security-iam-awsmanpol-updates).

The **AwsServiceRoleForConfig** service-linked role trusts the `config.amazonaws.com` service to assume the role.

The permissions policy for the `AwsServiceRoleForConfig` role contains read-only and write-only permissions for Amazon Config resources and read-only permissions for resources in other services that Amazon Config supports. To view the managed policy for **AwsServiceRoleForConfig**, see [Amazon managed policies for Amazon Config](https://docs.amazonaws.cn/config/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWSConfigServiceRolePolicy).

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

To use a service-linked role with Amazon Config, you must configure permissions on your Amazon S3 bucket and Amazon SNS topic. For more information, see [Required Permissions for the Amazon S3 Bucket When Using Service-Linked RolesRequired Permissions for the Amazon S3 Bucket When Delivering Cross-Account](s3-bucket-policy.md#required-permissions-using-servicelinkedrole), [Required Permissions for the Amazon KMS Key When Using Service-Linked Roles (S3 Bucket Delivery)](s3-kms-key-policy.md#required-permissions-s3-kms-key-using-servicelinkedrole), and [Required Permissions for the Amazon SNS Topic When Using Service-Linked Roles](sns-topic-policy.md#required-permissions-snstopic-using-servicelinkedrole). 

## Creating a Service-Linked Role for Amazon Config
<a name="create-slr"></a>

In the IAM CLI or the IAM API, create a service-linked role with the `config.amazonaws.com` service name. For more information, see [Creating a Service-Linked Role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a Service-Linked Role for Amazon Config
<a name="edit-slr"></a>

Amazon Config does not allow you to edit the **AwsServiceRoleForConfig** service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a Service-Linked Role for Amazon Config
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it. 

**Note**  
If the Amazon Config service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete Amazon Config resources used by the **AwsServiceRoleForConfig****

Ensure that you do not have `ConfigurationRecorders` using the service-linked role. You can use the Amazon Config console to stop the configuration recorder. To stop recording, under **Recording is on**, choose **Turn off**.

You can delete the `ConfigurationRecorder` using Amazon Config API. To delete, use the `delete-configuration-recorder` command.

```
        $ aws configservice delete-configuration-recorder --configuration-recorder-name default
```

**To manually delete the service-linked role using IAM**

Use the IAM console, the IAM CLI, or the IAM API to delete the AwsServiceRoleForConfig service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.