docs/source/_static/managed-policies/AWSSupplyChainFederationAdminAccess.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSSupplyChain",
"Effect": "Allow",
"Action": [
"scn:*"
],
"Resource": [
"arn:aws:scn:*:*:instance/*"
]
},
{
"Sid": "ChimeAppInstance",
"Effect": "Allow",
"Action": [
"chime:BatchCreateChannelMembership",
"chime:CreateAppInstanceUser",
"chime:CreateChannel",
"chime:CreateChannelMembership",
"chime:CreateChannelModerator",
"chime:Connect",
"chime:DeleteChannelMembership",
"chime:DeleteChannelModerator",
"chime:DescribeChannelMembershipForAppInstanceUser",
"chime:GetChannelMembershipPreferences",
"chime:ListChannelMemberships",
"chime:ListChannelMembershipsForAppInstanceUser",
"chime:ListChannelMessages",
"chime:ListChannelModerators",
"chime:TagResource",
"chime:PutChannelMembershipPreferences",
"chime:SendChannelMessage",
"chime:UpdateChannelReadMarker",
"chime:UpdateAppInstanceUser"
],
"Resource": [
"arn:aws:chime:*:*:app-instance/*"
],
"Condition": {
"StringLike": {
"aws:ResourceTag/SCNInstanceId": "*"
}
}
},
{
"Sid": "ChimeChannel",
"Effect": "Allow",
"Action": [
"chime:DescribeChannel"
],
"Resource": [
"arn:aws:chime:*:*:app-instance/*"
]
},
{
"Sid": "ChimeMessaging",
"Effect": "Allow",
"Action": [
"chime:GetMessagingSessionEndpoint"
],
"Resource": "*"
},
{
"Sid": "IAMIdentityCenter",
"Effect": "Allow",
"Action": [
"sso:GetManagedApplicationInstance",
"sso:ListDirectoryAssociations",
"sso:AssociateProfile",
"sso:DisassociateProfile",
"sso:ListProfiles",
"sso:GetProfile",
"sso:ListProfileAssociations"
],
"Resource": "*"
},
{
"Sid": "AppflowConnectorProfile",
"Effect": "Allow",
"Action": [
"appflow:CreateConnectorProfile",
"appflow:UseConnectorProfile",
"appflow:DeleteConnectorProfile",
"appflow:UpdateConnectorProfile"
],
"Resource": [
"arn:aws:appflow:*:*:connectorprofile/scn-*"
]
},
{
"Sid": "AppflowFlow",
"Effect": "Allow",
"Action": [
"appflow:CreateFlow",
"appflow:DeleteFlow",
"appflow:DescribeFlow",
"appflow:DescribeFlowExecutionRecords",
"appflow:ListFlows",
"appflow:StartFlow",
"appflow:StopFlow",
"appflow:UpdateFlow",
"appflow:TagResource",
"appflow:UntagResource"
],
"Resource": [
"arn:aws:appflow:*:*:flow/scn-*"
]
},
{
"Sid": "S3ListAllBuckets",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "S3ListSupplyChainBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetBucketPolicy",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::aws-supply-chain-data-*"
]
},
{
"Sid": "S3ReadWriteObject",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-supply-chain-data-*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "SecretsManagerCreateSecret",
"Effect": "Allow",
"Action": "secretsmanager:CreateSecret",
"Resource": "arn:aws:secretsmanager:*:*:secret:*",
"Condition": {
"StringLike": {
"secretsmanager:Name": "appflow!*"
},
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"appflow.amazonaws.com"
]
}
}
},
{
"Sid": "SecretsManagerPutResourcePolicy",
"Effect": "Allow",
"Action": [
"secretsmanager:PutResourcePolicy"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"appflow.amazonaws.com"
]
},
"StringEqualsIgnoreCase": {
"secretsmanager:ResourceTag/aws:secretsmanager:owningService": "appflow"
}
}
},
{
"Sid": "KMSListKeys",
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:ListAliases"
],
"Resource": "arn:aws:kms:*:*:key/*"
},
{
"Sid": "KMSListGrants",
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:ListGrants"
],
"Resource": "arn:aws:kms:*:*:key/*",
"Condition": {
"StringLike": {
"kms:ViaService": "appflow.*.amazonaws.com"
},
"StringEquals": {
"aws:ResourceTag/aws-supply-chain-access": "true"
}
}
},
{
"Sid": "KMSCreateGrant",
"Effect": "Allow",
"Action": [
"kms:CreateGrant"
],
"Resource": "arn:aws:kms:*:*:key/*",
"Condition": {
"StringLike": {
"kms:ViaService": "appflow.*.amazonaws.com"
},
"Bool": {
"kms:GrantIsForAWSResource": "true"
},
"StringEquals": {
"aws:ResourceTag/aws-supply-chain-access": "true"
}
}
}
]
}