The access policy the CloudFormation (CFN) template creates. Below is what the Subscriber role policy looks like. Note that every statement uses `"Resource": ["*"]`, and several grant broad rights: `sts:AssumeRole` on any role, `iam:UpdateAssumeRolePolicy` and `iam:PassRole` on any role, and full `cloudformation:*` and `ec2:*`. Taken together these let the Subscriber role reach well beyond the stack's own resources (for example, by rewriting another role's trust policy and then assuming it), so before deploying, scope the `Resource` ARNs to the specific roles, functions, tables, queues and buckets the stack creates, and replace the wildcard actions with the operations actually needed. { "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "STSAccumRole" }, { "Action": [ "lambda:Invoke", "lambda:InvokeFunction" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "InvokeLambda" }, { "Action": [ "iam:UpdateAssumeRolePolicy", "iam:GetRole", "iam:PassRole" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "IAMActions" }, { "Action": [ "cloudformation:*" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "CloudFormationActions" }, { "Action": [ "ec2:*" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "EC2FullAccess" }, { "Action": [ "states:ListExecutions", "states:StartExecution" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "StateMachineActions" }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "Logs" }, { "Action": [ "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteObject" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "S3Actions" }, { "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteItem", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:GetRecords", "dynamodb:ListTables", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:TagResource", "dynamodb:UpdateItem", "dynamodb:UpdateTable" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "DynamoDbActions" }, { "Action": [ "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:ListQueues", "sqs:ReceiveMessage", "sqs:SendMessage" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "SQSActions" }, { "Action": [ "sns:Publish" ], "Resource": [ "*" ], "Effect": "Allow", "Sid": "SNSACtions" } ] }