Vocabulary
Attention
This is an early version of the package. The API might change when new features are implemented. Therefore make sure you use an exact version in your package.json/requirements.txt before it reaches 1.0.0.
IAM Floyd provides a fluid interface and enables you to define policy statements in a human readable and easy to understand phrase.
allow | deny (Effect)
The methods allow() and deny() control the Effect of the statement.
The default effect of any statement is Allow, so it’s not mandatory to add either of these methods to the method chain. Though it is recommended to improve readability:
const s1 = new Statement.Ec2() //
.allow()
.toStartInstances();
const s2 = new Statement.Ec2() //
.deny()
.toStopInstances();
{
"Action": "ec2:StartInstances",
"Resource": "*",
"Effect": "Allow"
}
{
"Action": "ec2:StopInstances",
"Resource": "*",
"Effect": "Deny"
}
to (Action)
Every available IAM action is represented by a distinct method. These methods start with to. You allow/deny to do something
new Statement.Ec2() //
.allow()
.toStartInstances()
.toStopInstances()
{
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Effect": "Allow"
}
In case of missing actions, you can just add any action key yourself via to():
new Statement.Ec2() //
.allow()
.to('missingAction')
{
"Action": "ec2:missingAction",
"Resource": "*",
"Effect": "Allow"
}
all (Action)
While methods starting with to add a single action to a statement, methods starting with all add multiple actions.
allActions
This method adds all actions of the related service to the statement, e.g. ec2:*
new Statement.Ec2() //
.allow()
.allActions()
{
"Action": "ec2:*",
"Resource": "*",
"Effect": "Allow"
}
allMatchingActions
Adds all actions matching regular expressions to the statement.
Attention
The list of actions is compiled at run time. The generated statement object contains an exact list of actions that matched when you build it. If AWS later adds/removes actions that would match the regular expression, you need to re-generate the statements.
The regular expressions need to be in Perl/JavaScript literal style and need to be passed as strings:
new Statement.Ec2() //
.deny()
.allMatchingActions('/vpn/i')
{
"Action": [
"ec2:ApplySecurityGroupsToClientVpnTargetNetwork",
"ec2:AssociateClientVpnTargetNetwork",
"ec2:AttachVpnGateway",
"ec2:AuthorizeClientVpnIngress",
"ec2:CreateClientVpnEndpoint",
"ec2:CreateClientVpnRoute",
"ec2:CreateVpnConnection",
"ec2:CreateVpnConnectionRoute",
"ec2:CreateVpnGateway",
"ec2:DeleteClientVpnEndpoint",
"ec2:DeleteClientVpnRoute",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnConnectionRoute",
"ec2:DeleteVpnGateway",
"ec2:DescribeClientVpnAuthorizationRules",
"ec2:DescribeClientVpnConnections",
"ec2:DescribeClientVpnEndpoints",
"ec2:DescribeClientVpnRoutes",
"ec2:DescribeClientVpnTargetNetworks",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:DetachVpnGateway",
"ec2:DisassociateClientVpnTargetNetwork",
"ec2:ExportClientVpnClientCertificateRevocationList",
"ec2:ExportClientVpnClientConfiguration",
"ec2:GetVpnConnectionDeviceSampleConfiguration",
"ec2:GetVpnConnectionDeviceTypes",
"ec2:GetVpnTunnelReplacementStatus",
"ec2:ImportClientVpnClientCertificateRevocationList",
"ec2:ModifyClientVpnEndpoint",
"ec2:ModifyVpnConnection",
"ec2:ModifyVpnConnectionOptions",
"ec2:ModifyVpnTunnelCertificate",
"ec2:ModifyVpnTunnelOptions",
"ec2:ReplaceVpnTunnel",
"ec2:RevokeClientVpnIngress",
"ec2:TerminateClientVpnConnections"
],
"Resource": "*",
"Effect": "Deny"
}
Access levels
To add all actions of a certain access level to the statement use the below methods.
Attention
The list of actions is compiled at run time. The generated statement object contains an exact list of actions that matched when you build it. If AWS later adds/removes actions or changes the level, you need to re-generate the statements.
Note
When working with access levels the policy size limits may be exceeded quickly, just because there are so many actions available for some services like EC2.
In these cases you should use the compact method, to compile the action list to a list of wildcard patterns.
allListActions
Adds all actions with access level list to the statement.
new Statement.S3() //
.allow()
.allListActions()
{
"Action": [
"s3:ListAccessGrants",
"s3:ListAccessGrantsInstances",
"s3:ListAccessGrantsLocations",
"s3:ListAccessPoints",
"s3:ListAccessPointsForObjectLambda",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListJobs",
"s3:ListMultiRegionAccessPoints",
"s3:ListMultipartUploadParts",
"s3:ListStorageLensConfigurations",
"s3:ListStorageLensGroups",
"s3:ListTagsForResource"
],
"Resource": "*",
"Effect": "Allow"
}
allReadActions
Adds all actions with access level read to the statement.
new Statement.S3() //
.allow()
.allReadActions()
{
"Action": [
"s3:DescribeJob",
"s3:DescribeMultiRegionAccessPointOperation",
"s3:GetAccelerateConfiguration",
"s3:GetAccessGrant",
"s3:GetAccessGrantsInstance",
"s3:GetAccessGrantsInstanceForPrefix",
"s3:GetAccessGrantsInstanceResourcePolicy",
"s3:GetAccessGrantsLocation",
"s3:GetAccessPoint",
"s3:GetAccessPointConfigurationForObjectLambda",
"s3:GetAccessPointForObjectLambda",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyForObjectLambda",
"s3:GetAccessPointPolicyStatus",
"s3:GetAccessPointPolicyStatusForObjectLambda",
"s3:GetAccountPublicAccessBlock",
"s3:GetAnalyticsConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetDataAccess",
"s3:GetEncryptionConfiguration",
"s3:GetIntelligentTieringConfiguration",
"s3:GetInventoryConfiguration",
"s3:GetJobTagging",
"s3:GetLifecycleConfiguration",
"s3:GetMetricsConfiguration",
"s3:GetMultiRegionAccessPoint",
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPointPolicyStatus",
"s3:GetMultiRegionAccessPointRoutes",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectAttributes",
"s3:GetObjectLegalHold",
"s3:GetObjectRetention",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionAttributes",
"s3:GetObjectVersionForReplication",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:GetStorageLensConfiguration",
"s3:GetStorageLensConfigurationTagging",
"s3:GetStorageLensDashboard",
"s3:GetStorageLensGroup"
],
"Resource": "*",
"Effect": "Allow"
}
allWriteActions
Adds all actions with access level write to the statement.
new Statement.S3() //
.allow()
.allWriteActions()
{
"Action": [
"s3:AbortMultipartUpload",
"s3:AssociateAccessGrantsIdentityCenter",
"s3:CreateAccessGrant",
"s3:CreateAccessGrantsInstance",
"s3:CreateAccessGrantsLocation",
"s3:CreateAccessPoint",
"s3:CreateAccessPointForObjectLambda",
"s3:CreateBucket",
"s3:CreateJob",
"s3:CreateMultiRegionAccessPoint",
"s3:CreateStorageLensGroup",
"s3:DeleteAccessGrant",
"s3:DeleteAccessGrantsInstance",
"s3:DeleteAccessGrantsInstanceResourcePolicy",
"s3:DeleteAccessGrantsLocation",
"s3:DeleteAccessPoint",
"s3:DeleteAccessPointForObjectLambda",
"s3:DeleteBucket",
"s3:DeleteBucketWebsite",
"s3:DeleteMultiRegionAccessPoint",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:DeleteStorageLensConfiguration",
"s3:DeleteStorageLensGroup",
"s3:DissociateAccessGrantsIdentityCenter",
"s3:InitiateReplication",
"s3:PutAccelerateConfiguration",
"s3:PutAccessGrantsInstanceResourcePolicy",
"s3:PutAccessPointConfigurationForObjectLambda",
"s3:PutAnalyticsConfiguration",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketObjectLockConfiguration",
"s3:PutBucketOwnershipControls",
"s3:PutBucketRequestPayment",
"s3:PutBucketVersioning",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutIntelligentTieringConfiguration",
"s3:PutInventoryConfiguration",
"s3:PutLifecycleConfiguration",
"s3:PutMetricsConfiguration",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutReplicationConfiguration",
"s3:PutStorageLensConfiguration",
"s3:ReplicateDelete",
"s3:ReplicateObject",
"s3:RestoreObject",
"s3:SubmitMultiRegionAccessPointRoutes",
"s3:UpdateAccessGrantsLocation",
"s3:UpdateJobPriority",
"s3:UpdateJobStatus",
"s3:UpdateStorageLensGroup"
],
"Resource": "*",
"Effect": "Allow"
}
allPermissionManagementActions
Adds all actions with access level permission management to the statement.
new Statement.S3() //
.allow()
.allPermissionManagementActions()
{
"Action": [
"s3:BypassGovernanceRetention",
"s3:DeleteAccessPointPolicy",
"s3:DeleteAccessPointPolicyForObjectLambda",
"s3:DeleteBucketPolicy",
"s3:ObjectOwnerOverrideToBucketOwner",
"s3:PutAccessPointPolicy",
"s3:PutAccessPointPolicyForObjectLambda",
"s3:PutAccessPointPublicAccessBlock",
"s3:PutAccountPublicAccessBlock",
"s3:PutBucketAcl",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutMultiRegionAccessPointPolicy",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Resource": "*",
"Effect": "Allow"
}
allTaggingActions
Adds all actions with access level tagging to the statement.
new Statement.S3() //
.allow()
.allTaggingActions()
{
"Action": [
"s3:DeleteJobTagging",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersionTagging",
"s3:DeleteStorageLensConfigurationTagging",
"s3:PutBucketTagging",
"s3:PutJobTagging",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
"s3:PutStorageLensConfigurationTagging",
"s3:ReplicateTags",
"s3:TagResource",
"s3:UntagResource"
],
"Resource": "*",
"Effect": "Allow"
}
if (Condition)
Every available IAM condition key is represented by a distinct method. These methods start with if. You allow/deny something if a condition is met.
Every statement provider (e.g. Ec2) brings its unique conditions. Global condition context keys start with ifAws.
Note
Multiple conditions on a statement all have to be true.
When you have multiple values on a single condition, one of them has to be true.
Other than that, IAM has no concept of OR. You need to define multiple statements for each OR branch.
new Statement.Ec2()
.allow()
.toStartInstances()
.ifEncrypted()
.ifInstanceType(['t3.micro', 't3.nano'])
.ifAssociatePublicIpAddress(false)
.ifAwsRequestTag('Owner', 'John')
{
"Condition": {
"Bool": {
"ec2:Encrypted": "true",
"ec2:AssociatePublicIpAddress": "false"
},
"StringLike": {
"ec2:InstanceType": [
"t3.micro",
"t3.nano"
],
"aws:RequestTag/Owner": "John"
}
},
"Action": "ec2:StartInstances",
"Resource": "*",
"Effect": "Allow"
}
Every if method has a default operator. For instance, conditions which operate on strings usually have StringLike as default. Most methods allow you to pass an operator as last argument.
Note
Operators can be passed as string, though it is recommended to use the Operators provided by the package.
new Statement.Ec2()
.allow()
.toStartInstances()
.ifAwsRequestTag('TagWithSpecialChars', '*John*', 'StringEquals')
{
"Condition": {
"StringEquals": {
"aws:RequestTag/TagWithSpecialChars": "*John*"
}
},
"Action": "ec2:StartInstances",
"Resource": "*",
"Effect": "Allow"
}
In case of missing conditions, you can define just any condition yourself via if():
new Statement.Ec2()
.allow()
.toStartInstances()
.if('ec2:missingCondition', 'some-value')
{
"Condition": {
"StringLike": {
"ec2:missingCondition": "some-value"
}
},
"Action": "ec2:StartInstances",
"Resource": "*",
"Effect": "Allow"
}
on (Resource)
Every available IAM resources key is represented by a distinct method. These methods start with on. You allow/deny something on a specific resource (or pattern).
new Statement.S3()
.allow()
.allActions()
.onBucket('example-bucket')
.onObject('example-bucket', 'some/path/*')
{
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::example-bucket",
"arn:aws:s3:::example-bucket/some/path/*"
],
"Effect": "Allow"
}
In case of missing resources or if you already have an ARN ready, use the on() method:
new Statement.S3() //
.allow()
.allActions()
.on(
'arn:aws:s3:::example-bucket', //
'arn:aws:s3:::another-bucket',
)
{
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::example-bucket",
"arn:aws:s3:::another-bucket"
],
"Effect": "Allow"
}
Non-global resource ARNs contain the region and/or account. Generally all ARNs contain the partition. In cdk-iam-floyd the account, region and partition default to the values provided by the stack. In iam-floyd the partition defaults to aws and the account and region default to *.
The on*() methods take optional parameters to override the default values:
new Statement.Lambda()
.allow()
.toUpdateFunctionCode()
.onFunction('my-function', '098765432109', 'us-east-1', 'aws')
{
"Action": "lambda:UpdateFunctionCode",
"Resource": "arn:aws:lambda:us-east-1:098765432109:function:my-function",
"Effect": "Allow"
}
If you want to override the defaults for the whole statement, see in (ARN defaults).
in (ARN defaults)
The on* methods generate ARNs which contain partition and potentially region and account. The in()* methods can be used to override the defaults for all consecutively added resources. You allow/deny something on resources in a specific account, region and partition.
Note
The in*() methods do not by themselves modify the statement. They just set the defaults for the resource added consecutively to the statement. Therefore make sure to call the in*() methods before adding resources via on*().
new Statement.Lambda()
.allow()
.toUpdateFunctionCode()
.inAccount('098765432109')
.inRegion('us-east-1')
.inPartition('aws')
.onFunction('my-function-1')
.onFunction('my-function-2')
{
"Action": "lambda:UpdateFunctionCode",
"Resource": [
"arn:aws:lambda:us-east-1:098765432109:function:my-function-1",
"arn:aws:lambda:us-east-1:098765432109:function:my-function-2"
],
"Effect": "Allow"
}
There also is a shorthand function to set all defaults at once:
new Statement.Lambda()
.allow()
.toUpdateFunctionCode()
.in('098765432109', 'us-west-1', 'aws')
.onFunction('my-function-1')
.onFunction('my-function-2')
{
"Action": "lambda:UpdateFunctionCode",
"Resource": [
"arn:aws:lambda:us-west-1:098765432109:function:my-function-1",
"arn:aws:lambda:us-west-1:098765432109:function:my-function-2"
],
"Effect": "Allow"
}
Since these methods set defaults for consecutively added resources, you can also override the defaults for additional resource in the same statement:
new Statement.Lambda()
.allow()
.toUpdateFunctionCode()
.in('098765432109', 'us-west-1', 'aws')
.onFunction('my-function-1')
.in('123456789012', 'us-east-1', 'aws')
.onFunction('my-function-2')
{
"Action": "lambda:UpdateFunctionCode",
"Resource": [
"arn:aws:lambda:us-west-1:098765432109:function:my-function-1",
"arn:aws:lambda:us-east-1:123456789012:function:my-function-2"
],
"Effect": "Allow"
}
for (Principal)
Note
If you use the CDK variant of the package, don’t attempt to create an assume policy with this package. Assume policies have to be of type IPrincipal and can easily be created with the iam package.
Every possible principal is represented by a distinct method. These methods start with for. You allow/deny something for a specific principal.
const s1 = new Statement.Sts()
.allow()
.toAssumeRole()
.forAccount('1234567890');
const s2 = new Statement.Sts()
.allow()
.toAssumeRoleWithSAML()
.forService('lambda.amazonaws.com');
const s3 = new Statement.Sts()
.allow()
.toAssumeRole()
.forUser('1234567890', 'Bob');
const s4 = new Statement.Sts()
.allow()
.toAssumeRole()
.forRole('1234567890', 'role-name');
const s5 = new Statement.Sts()
.allow()
.toAssumeRoleWithSAML()
.forFederatedCognito();
const s6 = new Statement.Sts()
.allow()
.toAssumeRoleWithSAML()
.forFederatedAmazon();
const s7 = new Statement.Sts()
.allow()
.toAssumeRoleWithSAML()
.forFederatedGoogle();
const s8 = new Statement.Sts()
.allow()
.toAssumeRoleWithSAML()
.forFederatedFacebook();
const s9 = new Statement.Sts()
.allow()
.toAssumeRoleWithSAML()
.forSaml('1234567890', 'saml-provider');
const s10 = new Statement.Sts() //
.allow()
.toAssumeRole()
.forPublic();
const s11 = new Statement.Sts()
.allow()
.toAssumeRole()
.forAssumedRoleSession('123456789', 'role-name', 'session-name');
const s12 = new Statement.Sts()
.allow()
.toAssumeRole()
.forCanonicalUser('userID');
const s13 = new Statement.Sts() //
.allow()
.toAssumeRole()
.for('arn:foo:bar');
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:root"
]
}
}
{
"Action": "sts:AssumeRoleWithSAML",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/Bob"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:role/role-name"
]
}
}
{
"Action": "sts:AssumeRoleWithSAML",
"Effect": "Allow",
"Principal": {
"Federated": [
"cognito-identity.amazonaws.com"
]
}
}
{
"Action": "sts:AssumeRoleWithSAML",
"Effect": "Allow",
"Principal": {
"Federated": [
"www.amazon.com"
]
}
}
{
"Action": "sts:AssumeRoleWithSAML",
"Effect": "Allow",
"Principal": {
"Federated": [
"accounts.google.com"
]
}
}
{
"Action": "sts:AssumeRoleWithSAML",
"Effect": "Allow",
"Principal": {
"Federated": [
"graph.facebook.com"
]
}
}
{
"Action": "sts:AssumeRoleWithSAML",
"Effect": "Allow",
"Principal": {
"Federated": [
"arn:aws:iam::1234567890:saml-provider/saml-provider"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:sts::123456789:assumed-role/role-name/session-name"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"CanonicalUser": [
"userID"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:foo:bar"
]
}
}
Some of the for* methods accept multiple values at once:
const s1 = new Statement.Sts()
.allow()
.toAssumeRole()
.forAccount('1234567890', '0987654321');
// when you already have a list:
const accounts = ['1234567890', '0987654321'];
const s2 = new Statement.Sts()
.allow()
.toAssumeRole()
.forAccount(...accounts);
const s3 = new Statement.Sts()
.allow()
.toAssumeRole()
.forUser('1234567890', 'Bob', 'John');
// when you already have a list:
const users = ['Bob', 'John'];
const s4 = new Statement.Sts()
.allow()
.toAssumeRole()
.forUser('1234567890', ...users);
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:root",
"arn:aws:iam::0987654321:root"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:root",
"arn:aws:iam::0987654321:root"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/Bob",
"arn:aws:iam::1234567890:user/John"
]
}
}
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/Bob",
"arn:aws:iam::1234567890:user/John"
]
}
}
The CDK variant of the package has an additional method forCdkPrincipal, which takes any number of iam.IPrincipal objects:
new Statement.Sts()
.allow()
.toAssumeRole()
.forCdkPrincipal(
new iam.ServicePrincipal('sns.amazonaws.com'),
new iam.ServicePrincipal('lambda.amazonaws.com'),
)
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"${Token[sns.amazonaws.com.9]}",
"${Token[lambda.amazonaws.com.10]}"
]
}
}
not (notAction, notResource and notPrincipal)
Warning
Make sure, you well understand the concepts of notAction, notResource and notPrincipal. This is where things quickly go wrong, especially when used in combination.
notAction
Switches the policy provider to use NotAction.
new Statement.S3()
.allow()
.notAction()
.toDeleteBucket()
.onBucket('example-bucket')
{
"NotAction": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::example-bucket",
"Effect": "Allow"
}
notResource
Switches the policy provider to use NotResource.
new Statement.S3()
.allow()
.notResource()
.toDeleteBucket()
.onBucket('example-bucket')
{
"Action": "s3:DeleteBucket",
"NotResource": "arn:aws:s3:::example-bucket",
"Effect": "Allow"
}
notPrincipal
Switches the policy provider to use NotPrincipal.
new Statement.S3()
.deny()
.allActions()
.notPrincipal()
.forUser('1234567890', 'Bob')
.onObject('example-bucket', '*')
{
"Action": "s3:*",
"Resource": "arn:aws:s3:::example-bucket/*",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::1234567890:user/Bob"
]
}
}
compact
This method can be used to convert a list of actions down to a list of wildcard patterns. This can be handy to reduce the policy size, especially when you work with Access levels.
Attention
When AWS later adds new actions, the patterns might match additional actions.
new Statement.Ec2() //
.allow()
.allReadActions()
.allListActions()
.compact()
{
"Action": [
"ec2:Describe*",
"ec2:ExportClientVpnClientC*",
"ec2:Get*",
"ec2:List*",
"ec2:SearchLocalGatewayRoutes",
"ec2:SearchTransitGateway*"
],
"Resource": "*",
"Effect": "Allow"
}