Skip to content

AWS Permission Sets

If you want to use a custom IAM policy, it must contain the minimum permissions SailPoint CIEM needs to read your AWS accounts. You'll use these permissions when configuring your AWS account.

If you are using AWS for Identity Center provisioning, you must add additional permissions to the IAM policy to display data about those resources in SailPoint CIEM.

After connecting AWS and SailPoint CIEM, you'll use these permissions when configuring your AWS account.

Minimum Permissions

The following IAM policy statements show the minimum permissions required to read from your Commercial or GovCloud AWS accounts. This includes support for collecting Amazon Bedrock data.

IAM policy statements 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
{
    "Version":"2012-10-17",
    "Statement":[
    {
        "Effect":"Allow",
        "Resource":"*",
        "Action":[
            "bedrock-agentcore:GetAgentRuntime",
            "bedrock-agentcore:GetGateway",
            "bedrock-agentcore:GetGatewayTarget",
            "bedrock-agentcore:ListAgentRuntimeEndpoints",
            "bedrock-agentcore:ListAgentRuntimes",
            "bedrock-agentcore:ListAgentRuntimeVersions",
            "bedrock-agentcore:ListGateways",
            "bedrock-agentcore:ListGatewayTargets",
            "bedrock:GetAgent",
            "bedrock:GetAgentAlias",
            "bedrock:GetKnowledgeBase",
            "bedrock:ListAgentActionGroups",
            "bedrock:ListAgentAliases",
            "bedrock:ListAgentKnowledgeBases",
            "bedrock:ListAgents",
            "bedrock:ListAgentVersions",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetEventSelectors",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:ListTags",
            "cloudtrail:LookupEvents",
            "cloudwatch:Describe*",
            "cloudwatch:ListTagsForResource",
            "config:BatchGetAggregateResourceConfig",
            "config:BatchGetResourceConfig",
            "config:Deliver*",
            "config:Describe*",
            "config:Get*",
            "config:List*",
            "dynamodb:DescribeContinuousBackups",
            "dynamodb:DescribeGlobalTable",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:ListBackups",
            "dynamodb:ListGlobalTables",
            "dynamodb:ListStreams",
            "dynamodb:ListTables",
            "dynamodb:ListTagsOfResource",
            "ec2:Describe*",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeTransitGatewayMulticastDomains",
            "ec2:DescribeTransitGatewayPeeringAttachments",
            "ec2:DescribeTransitGatewayRouteTables",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeTransitGateways",
            "ec2:GetManagedPrefixListAssociations",
            "ec2:GetManagedPrefixListEntries",
            "ec2:GetTransitGatewayAttachmentPropagations",
            "ec2:GetTransitGatewayMulticastDomainAssociations",
            "ec2:GetTransitGatewayPrefixListReferences",
            "ec2:GetTransitGatewayRouteTableAssociations",
            "ec2:GetTransitGatewayRouteTablePropagations",
            "elasticloadbalancing:Describe*",
            "es:Describe*",
            "es:ListDomainNames",
            "es:ListElasticsearchInstanceTypeDetails",
            "es:ListElasticsearchVersions",
            "es:ListTags",
            "events:Describe*",
            "events:List*",
            "events:TestEventPattern",
            "iam:GenerateCredentialReport",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:Get*",
            "iam:List*",
            "iam:SimulateCustomPolicy",
            "iam:SimulatePrincipalPolicy",
            "identitystore:ListUsers(1)",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "lambda:GetAccountSettings",
            "lambda:GetFunctionConfiguration",
            "lambda:GetFunctionEventInvokeConfig",
            "lambda:GetLayerVersionPolicy",
            "lambda:GetPolicy",
            "lambda:List*",
            "logs:Describe*",
            "logs:ListTagsLogGroup",
            "organizations:Describe*",
            "organizations:List*",
            "rds:Describe*",
            "rds:DownloadDBLogFilePortion",
            "rds:ListTagsForResource",
            "s3:GetAccelerateConfiguration",
            "s3:GetAccessPoint",
            "s3:GetAccessPointPolicy",
            "s3:GetAccessPointPolicyStatus",
            "s3:GetAccountPublicAccessBlock",
            "s3:GetAnalyticsConfiguration",
            "s3:GetBucket*",
            "s3:GetEncryptionConfiguration",
            "s3:GetInventoryConfiguration",
            "s3:GetLifecycleConfiguration",
            "s3:GetMetricsConfiguration",
            "s3:GetObjectAcl",
            "s3:GetObjectVersionAcl",
            "s3:GetReplicationConfiguration",
            "s3:ListAccessPoints",
            "s3:ListAllMyBuckets",
            "sns:GetTopicAttributes",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTagsForResource",
            "sns:ListTopics",
            "sqs:GetQueueAttributes",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:ListQueueTags",
            "sqs:ListQueues",
            "sso:DescribePermissionSet(2)",
            "sso:GetInlinePolicyForPermissionSet",
            "sso:GetPermissionsBoundaryForPermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListAccountsForProvisionedPermissionSet",
            "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
            "sso:ListInstances",
            "sso:ListManagedPoliciesInPermissionSet",
            "sso:ListPermissionSets", 
            "tag:GetResources",
            "tag:GetTagKeys"
        ]
    }
    ]
}
  1. Identity store permissions are related to AWS Identity Center.
  2. SSO permissions are related to AWS Identity Center.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
{
    "Version":"2012-10-17",
    "Statement":[
    {
        "Effect":"Allow",
        "Resource":"*",
        "Action":[
            "bedrock-agentcore:GetAgentRuntime",
            "bedrock-agentcore:GetGateway",
            "bedrock-agentcore:GetGatewayTarget",
            "bedrock-agentcore:ListAgentRuntimeEndpoints",
            "bedrock-agentcore:ListAgentRuntimes",
            "bedrock-agentcore:ListAgentRuntimeVersions",
            "bedrock-agentcore:ListGateways",
            "bedrock-agentcore:ListGatewayTargets",
            "bedrock:GetAgent",
            "bedrock:GetAgentAlias",
            "bedrock:GetKnowledgeBase",
            "bedrock:ListAgentActionGroups",
            "bedrock:ListAgentAliases",
            "bedrock:ListAgentKnowledgeBases",
            "bedrock:ListAgents",
            "bedrock:ListAgentVersions",
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetEventSelectors",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:ListTags",
            "cloudtrail:LookupEvents",
            "cloudwatch:Describe*",
            "cloudwatch:ListTagsForResource",
            "config:BatchGetAggregateResourceConfig",
            "config:BatchGetResourceConfig",
            "config:Deliver*",
            "config:Describe*",
            "config:Get*",
            "config:List*",
            "dynamodb:DescribeContinuousBackups",
            "dynamodb:DescribeGlobalTable",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:ListBackups",
            "dynamodb:ListGlobalTables",
            "dynamodb:ListStreams",
            "dynamodb:ListTables",
            "dynamodb:ListTagsOfResource",
            "ec2:Describe*",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeTransitGatewayMulticastDomains",
            "ec2:DescribeTransitGatewayPeeringAttachments",
            "ec2:DescribeTransitGatewayRouteTables",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeTransitGateways",
            "ec2:GetManagedPrefixListAssociations",
            "ec2:GetManagedPrefixListEntries",
            "ec2:GetTransitGatewayAttachmentPropagations",
            "ec2:GetTransitGatewayMulticastDomainAssociations",
            "ec2:GetTransitGatewayPrefixListReferences",
            "ec2:GetTransitGatewayRouteTableAssociations",
            "ec2:GetTransitGatewayRouteTablePropagations",
            "elasticloadbalancing:Describe*",
            "es:Describe*",
            "es:ListDomainNames",
            "es:ListElasticsearchInstanceTypeDetails",
            "es:ListElasticsearchVersions",
            "es:ListTags",
            "events:Describe*",
            "events:List*",
            "events:TestEventPattern",
            "iam:GenerateCredentialReport",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:Get*",
            "iam:List*",
            "iam:SimulateCustomPolicy",
            "iam:SimulatePrincipalPolicy",
            "identitystore:ListUsers(1)",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "lambda:GetAccountSettings",
            "lambda:GetFunctionConfiguration",
            "lambda:GetFunctionEventInvokeConfig",
            "lambda:GetLayerVersionPolicy",
            "lambda:GetPolicy",
            "lambda:List*",
            "logs:Describe*",
            "logs:ListTagsLogGroup",
            "organizations:Describe*",
            "organizations:List*",
            "rds:Describe*",
            "rds:DownloadDBLogFilePortion",
            "rds:ListTagsForResource",
            "s3:GetAccelerateConfiguration",
            "s3:GetAccessPoint",
            "s3:GetAccessPointPolicy",
            "s3:GetAccessPointPolicyStatus",
            "s3:GetAccountPublicAccessBlock",
            "s3:GetAnalyticsConfiguration",
            "s3:GetBucket*",
            "s3:GetEncryptionConfiguration",
            "s3:GetInventoryConfiguration",
            "s3:GetLifecycleConfiguration",
            "s3:GetMetricsConfiguration",
            "s3:GetObjectAcl",
            "s3:GetObjectVersionAcl",
            "s3:GetReplicationConfiguration",
            "s3:ListAccessPoints",
            "s3:ListAllMyBuckets",
            "sns:GetTopicAttributes",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTagsForResource",
            "sns:ListTopics",
            "sqs:GetQueueAttributes",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:ListQueueTags",
            "sqs:ListQueues",
            "sso:DescribePermissionSet(2)",
            "sso:GetInlinePolicyForPermissionSet",
            "sso:GetPermissionsBoundaryForPermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListAccountsForProvisionedPermissionSet",
            "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
            "sso:ListInstances",
            "sso:ListManagedPoliciesInPermissionSet",
            "sso:ListPermissionSets", 
            "tag:GetResources",
            "tag:GetTagKeys"
        ]
    }
  ]
}
  1. Identity store permissions are related to AWS Identity Center.
  2. SSO permissions are related to AWS Identity Center.

Collecting Amazon Bedrock Data

The minimum permissions include support for collecting Amazon Bedrock and Amazon Bedrock AgentCore data and displaying the effective access and access paths for human identities to those agents, including who has read, write, and admin privileges to those resources.

Note

  • Amazon Bedrock permissions are not required for a successful test connection.
  • If you do not include the Amazon Bedrock permissions in your custom IAM policy, you might see errors on cloud scopes for Amazon Bedrock accounts.

Identity Center Provisioning Policy Requirements

To use AWS Identity Center for provisioning, SailPoint CIEM requires additional permissions. The following policy includes the minimum permissions and the Identity Center provisioning requirements. Permissions specific to the Identity Center are highlighted.

Use the Commercial or GovCloud tab to view the minimum permissions SailPoint CIEM requires to use Identity Center for provisioning your AWS Identity Center accounts.

Identity Center provisioning permissions 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "bedrock-agentcore:GetAgentRuntime",
        "bedrock-agentcore:GetGateway",
        "bedrock-agentcore:GetGatewayTarget",
        "bedrock-agentcore:ListAgentRuntimeEndpoints",
        "bedrock-agentcore:ListAgentRuntimes",
        "bedrock-agentcore:ListAgentRuntimeVersions",
        "bedrock-agentcore:ListGateways",
        "bedrock-agentcore:ListGatewayTargets",
        "bedrock:GetAgent",
        "bedrock:GetAgentAlias",
        "bedrock:GetKnowledgeBase",
        "bedrock:ListAgentActionGroups",
        "bedrock:ListAgentAliases",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListAgents",
        "bedrock:ListAgentVersions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:ListTagsForResource",
        "config:BatchGetAggregateResourceConfig",
        "config:BatchGetResourceConfig",
        "config:Deliver*",
        "config:Describe*",
        "config:Get*",
        "config:List*",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeGlobalTable",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:ListBackups",
        "dynamodb:ListGlobalTables",
        "dynamodb:ListStreams",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGatewayMulticastDomains",
        "ec2:DescribeTransitGatewayPeeringAttachments",
        "ec2:DescribeTransitGatewayRouteTables",
        "ec2:DescribeTransitGatewayVpcAttachments",
        "ec2:DescribeTransitGateways",
        "ec2:GetManagedPrefixListAssociations",
        "ec2:GetManagedPrefixListEntries",
        "ec2:GetTransitGatewayAttachmentPropagations",
        "ec2:GetTransitGatewayMulticastDomainAssociations",
        "ec2:GetTransitGatewayPrefixListReferences",
        "ec2:GetTransitGatewayRouteTableAssociations",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "elasticloadbalancing:Describe*",
        "es:Describe*",
        "es:ListDomainNames",
        "es:ListElasticsearchInstanceTypeDetails",
        "es:ListElasticsearchVersions",
        "es:ListTags",
        "events:Describe*",
        "events:List*",
        "events:TestEventPattern",
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:Get*",
        "iam:List*",
        "iam:SimulateCustomPolicy",
        "iam:SimulatePrincipalPolicy",
        "identitystore:ListUsers(1)",
        "identitystore:ListGroupMemberships",
        "identitystore:ListGroups",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:GetAccountSettings",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunctionEventInvokeConfig",
        "lambda:GetLayerVersionPolicy",
        "lambda:GetPolicy",
        "lambda:List*",
        "logs:Describe*",
        "logs:ListTagsLogGroup",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:DownloadDBLogFilePortion",
        "rds:ListTagsForResource",
        "s3:GetAccelerateConfiguration",
        "s3:GetAccessPoint",
        "s3:GetAccessPointPolicy",
        "s3:GetAccessPointPolicyStatus",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucket*",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "s3:GetReplicationConfiguration",
        "s3:ListAccessPoints",
        "s3:ListAllMyBuckets",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sqs:GetQueueAttributes",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:ListQueueTags",
        "sqs:ListQueues",
        "sso:DescribePermissionSet(2)",
        "sso:GetInlinePolicyForPermissionSet",
        "sso:GetPermissionsBoundaryForPermissionSet",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
        "sso:ListInstances",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSets",
        "tag:GetResources",
        "tag:GetTagKeys"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "identitystore:GetGroupMembershipId",
        "identitystore:GetUserId",
        "identitystore:CreateGroupMembership",
        "identitystore:CreateUser",
        "identitystore:DeleteGroupMembership",
        "identitystore:DeleteUser",
        "identitystore:UpdateUser",
        "sso:CreateAccountAssignment",
        "sso:DeleteAccountAssignment",
        "sso:ProvisionPermissionSet",
        "iam:CreateSAMLProvider",
        "iam:GetSAMLProvider",
        "iam:UpdateSAMLProvider",
        "iam:DeleteSAMLProvider",
        "iam:PutRolePolicy"
      ]
    }
  ]
}
  1. Identity store permissions are related to AWS Identity Center.
  2. SSO permissions are related to AWS Identity Center.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "bedrock-agentcore:GetAgentRuntime",
        "bedrock-agentcore:GetGateway",
        "bedrock-agentcore:GetGatewayTarget",
        "bedrock-agentcore:ListAgentRuntimeEndpoints",
        "bedrock-agentcore:ListAgentRuntimes",
        "bedrock-agentcore:ListAgentRuntimeVersions",
        "bedrock-agentcore:ListGateways",
        "bedrock-agentcore:ListGatewayTargets",
        "bedrock:GetAgent",
        "bedrock:GetAgentAlias",
        "bedrock:GetKnowledgeBase",
        "bedrock:ListAgentActionGroups",
        "bedrock:ListAgentAliases",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:ListAgents",
        "bedrock:ListAgentVersions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:ListTagsForResource",
        "config:BatchGetAggregateResourceConfig",
        "config:BatchGetResourceConfig",
        "config:Deliver*",
        "config:Describe*",
        "config:Get*",
        "config:List*",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeGlobalTable",
        "dynamodb:DescribeTable",
        "dynamodb:DescribeTimeToLive",
        "dynamodb:ListBackups",
        "dynamodb:ListGlobalTables",
        "dynamodb:ListStreams",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:Describe*",
        "ec2:DescribeTransitGatewayAttachments",
        "ec2:DescribeTransitGatewayMulticastDomains",
        "ec2:DescribeTransitGatewayPeeringAttachments",
        "ec2:DescribeTransitGatewayRouteTables",
        "ec2:DescribeTransitGatewayVpcAttachments",
        "ec2:DescribeTransitGateways",
        "ec2:GetManagedPrefixListAssociations",
        "ec2:GetManagedPrefixListEntries",
        "ec2:GetTransitGatewayAttachmentPropagations",
        "ec2:GetTransitGatewayMulticastDomainAssociations",
        "ec2:GetTransitGatewayPrefixListReferences",
        "ec2:GetTransitGatewayRouteTableAssociations",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "elasticloadbalancing:Describe*",
        "es:Describe*",
        "es:ListDomainNames",
        "es:ListElasticsearchInstanceTypeDetails",
        "es:ListElasticsearchVersions",
        "es:ListTags",
        "events:Describe*",
        "events:List*",
        "events:TestEventPattern",
        "iam:GenerateCredentialReport",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:Get*",
        "iam:List*",
        "iam:SimulateCustomPolicy",
        "iam:SimulatePrincipalPolicy",
        "identitystore:ListUsers(1)",
        "identitystore:ListGroupMemberships",
        "identitystore:ListGroups",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:GetAccountSettings",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunctionEventInvokeConfig",
        "lambda:GetLayerVersionPolicy",
        "lambda:GetPolicy",
        "lambda:List*",
        "logs:Describe*",
        "logs:ListTagsLogGroup",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:DownloadDBLogFilePortion",
        "rds:ListTagsForResource",
        "s3:GetAccelerateConfiguration",
        "s3:GetAccessPoint",
        "s3:GetAccessPointPolicy",
        "s3:GetAccessPointPolicyStatus",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucket*",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "s3:GetReplicationConfiguration",
        "s3:ListAccessPoints",
        "s3:ListAllMyBuckets",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sqs:GetQueueAttributes",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:ListQueueTags",
        "sqs:ListQueues",
        "sso:DescribePermissionSet(2)",
        "sso:GetInlinePolicyForPermissionSet",
        "sso:GetPermissionsBoundaryForPermissionSet",
        "sso:ListAccountAssignments",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
        "sso:ListInstances",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSets",
        "tag:GetResources",
        "tag:GetTagKeys"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "identitystore:GetGroupMembershipId",
        "identitystore:GetUserId",
        "identitystore:CreateGroupMembership",
        "identitystore:CreateUser",
        "identitystore:DeleteGroupMembership",
        "identitystore:DeleteUser",
        "identitystore:UpdateUser",
        "sso:CreateAccountAssignment",
        "sso:DeleteAccountAssignment",
        "sso:ProvisionPermissionSet",
        "iam:CreateSAMLProvider",
        "iam:GetSAMLProvider",
        "iam:UpdateSAMLProvider",
        "iam:DeleteSAMLProvider",
        "iam:PutRolePolicy"
      ]
    }
  ]
}
  1. Identity store permissions are related to AWS Identity Center.
  2. SSO permissions are related to AWS Identity Center.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.