Stax Roles - AWS Permissions

User permissions within AWS


The AWS roles within Stax, and the IAM policies that govern each role's access to Stax AWS accounts, are listed below.

Admin

The AWS Admin role grants a User full access to every AWS action and resource (`"Action": "*"` on `"Resource": "*"`, which includes IAM), limited only by the account's Service Control Policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

User

The AWS User role provides a User with access to most AWS resources, except resources restricted by the account's Service Control Policies. Identity and Access Management is largely excluded: the policy allows only read-style IAM actions (`iam:Get*`, `iam:List*`, `iam:Simulate*`), certificate and key uploads (`iam:Upload*`, `iam:UpdateServerCertificate`, `iam:UpdateSigningCertificate`), and `iam:PassRole` scoped to the named `*-sysadmin-*` and `rds-monitoring-role` roles; it does not allow creating or modifying users, groups, roles or policies.

{
    "Statement": [
        {
            "Action": [
                "acm:Describe*",
                "acm:Get*",
                "acm:List*",
                "acm:Request*",
                "acm:Resend*",
                "autoscaling:*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListPublicKeys",
                "cloudtrail:ListTags",
                "cloudtrail:LookupEvents",
                "cloudtrail:StartLogging",
                "cloudtrail:StopLogging",
                "cloudwatch:*",
                "codecommit:BatchGetRepositories",
                "codecommit:CreateBranch",
                "codecommit:CreateRepository",
                "codecommit:Get*",
                "codecommit:GitPull",
                "codecommit:GitPush",
                "codecommit:List*",
                "codecommit:Put*",
                "codecommit:Test*",
                "codecommit:Update*",
                "codedeploy:*",
                "codepipeline:*",
                "config:*",
                "ds:*",
                "ec2:Allocate*",
                "ec2:AssignPrivateIpAddresses*",
                "ec2:Associate*",
                "ec2:Allocate*",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AttachVpnGateway",
                "ec2:Bundle*",
                "ec2:Cancel*",
                "ec2:Copy*",
                "ec2:CreateCustomerGateway",
                "ec2:CreateDhcpOptions",
                "ec2:CreateFlowLogs",
                "ec2:CreateImage",
                "ec2:CreateInstanceExportTask",
                "ec2:CreateInternetGateway",
                "ec2:CreateKeyPair",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreatePlacementGroup",
                "ec2:CreateReservedInstancesListing",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSnapshot",
                "ec2:CreateSpotDatafeedSubscription",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateVpnConnection",
                "ec2:CreateVpnConnectionRoute",
                "ec2:CreateVpnGateway",
                "ec2:DeleteFlowLogs",
                "ec2:DeleteKeyPair",
                "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeletePlacementGroup",
                "ec2:DeleteSnapshot",
                "ec2:DeleteSpotDatafeedSubscription",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:DeleteVpc",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeleteVpnConnection",
                "ec2:DeleteVpnConnectionRoute",
                "ec2:DeleteVpnGateway",
                "ec2:DeregisterImage",
                "ec2:Describe*",
                "ec2:DetachInternetGateway",
                "ec2:DetachNetworkInterface",
                "ec2:DetachVpnGateway",
                "ec2:DisableVgwRoutePropagation",
                "ec2:DisableVpcClassicLinkDnsSupport",
                "ec2:DisassociateAddress",
                "ec2:DisassociateRouteTable",
                "ec2:EnableVgwRoutePropagation",
                "ec2:EnableVolumeIO",
                "ec2:EnableVpcClassicLinkDnsSupport",
                "ec2:GetConsoleOutput",
                "ec2:GetHostReservationPurchasePreview",
                "ec2:GetPasswordData",
                "ec2:Import*",
                "ec2:Modify*",
                "ec2:MonitorInstances",
                "ec2:MoveAddressToVpc",
                "ec2:Purchase*",
                "ec2:RegisterImage",
                "ec2:Release*",
                "ec2:Replace*",
                "ec2:ReportInstanceStatus",
                "ec2:Request*",
                "ec2:Reset*",
                "ec2:RestoreAddressToClassic",
                "ec2:RunScheduledInstances",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:UnmonitorInstances",
                "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
                "elasticloadbalancing:*",
                "events:*",
                "iam:GetAccount*",
                "iam:GetContextKeys*",
                "iam:GetCredentialReport",
                "iam:ListAccountAliases",
                "iam:ListGroups",
                "iam:ListOpenIDConnectProviders",
                "iam:ListPolicies",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListRoles",
                "iam:ListSAMLProviders",
                "iam:ListServerCertificates",
                "iam:Simulate*",
                "iam:UpdateServerCertificate",
                "iam:UpdateSigningCertificate",
                "kinesis:ListStreams",
                "kinesis:PutRecord",
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:Describe*",
                "kms:GenerateRandom",
                "kms:Get*",
                "kms:List*",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "lambda:Create*",
                "lambda:Delete*",
                "lambda:Get*",
                "lambda:InvokeFunction",
                "lambda:List*",
                "lambda:PublishVersion",
                "lambda:Update*",
                "logs:*",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "route53:*",
                "route53domains:*",
                "ses:*",
                "sns:*",
                "sqs:*",
                "trustedadvisor:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "ec2:AcceptVpcPeeringConnection",
                "ec2:AttachClassicLinkVpc",
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateVpcPeeringConnection",
                "ec2:DeleteCustomerGateway",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNetworkAcl*",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DeleteVpcPeeringConnection",
                "ec2:DetachClassicLinkVpc",
                "ec2:DetachVolume",
                "ec2:DisableVpcClassicLink",
                "ec2:EnableVpcClassicLink",
                "ec2:GetConsoleScreenshot",
                "ec2:RebootInstances",
                "ec2:RejectVpcPeeringConnection",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "iam:GetAccessKeyLastUsed",
                "iam:GetGroup*",
                "iam:GetInstanceProfile",
                "iam:GetLoginProfile",
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicy*",
                "iam:GetRole*",
                "iam:GetSAMLProvider",
                "iam:GetSSHPublicKey",
                "iam:GetServerCertificate",
                "iam:GetServiceLastAccessed*",
                "iam:GetUser*",
                "iam:ListAccessKeys",
                "iam:ListAttached*",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroupPolicies",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfiles*",
                "iam:ListMFADevices",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListSSHPublicKeys",
                "iam:ListSigningCertificates",
                "iam:ListUserPolicies",
                "iam:Upload*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:ListRoles",
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:role/rds-monitoring-role",
                "arn:aws:iam::*:role/ec2-sysadmin-*",
                "arn:aws:iam::*:role/ecr-sysadmin-*",
                "arn:aws:iam::*:role/lambda-sysadmin-*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

ReadOnly

The AWS ReadOnly role provides a user with read access to all AWS resources, except resources restricted by the account's Service Control Policies. Note that "read" covers data as well as configuration (for example `s3:Get*`, `dynamodb:Query`/`dynamodb:Scan`, `sqs:Receive*` and `rds:Download*`), so this role can view the contents of stored data, not only resource metadata.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "a4b:Get*",
                "a4b:List*",
                "a4b:Describe*",
                "a4b:Search*",
                "acm:Describe*",
                "acm:Get*",
                "acm:List*",
                "acm-pca:Describe*",
                "acm-pca:Get*",
                "acm-pca:List*",
                "amplify:GetApp",
                "amplify:GetBranch",
                "amplify:GetJob",
                "amplify:GetDomainAssociation",
                "amplify:ListApps",
                "amplify:ListBranches",
                "amplify:ListDomainAssociations",
                "amplify:ListJobs",
                "apigateway:GET",
                "application-autoscaling:Describe*",
                "appmesh:Describe*",
                "appmesh:List*",
                "appstream:Describe*",
                "appstream:Get*",
                "appstream:List*",
                "appsync:Get*",
                "appsync:List*",
                "autoscaling:Describe*",
                "autoscaling-plans:Describe*",
                "autoscaling-plans:GetScalingPlanResourceForecastData",
                "athena:List*",
                "athena:Batch*",
                "athena:Get*",
                "batch:List*",
                "batch:Describe*",
                "cloud9:Describe*",
                "cloud9:List*",
                "clouddirectory:List*",
                "clouddirectory:BatchRead",
                "clouddirectory:Get*",
                "clouddirectory:LookupPolicy",
                "cloudformation:Describe*",
                "cloudformation:Detect*",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:Estimate*",
                "cloudformation:Preview*",
                "cloudfront:Get*",
                "cloudfront:List*",
                "cloudhsm:List*",
                "cloudhsm:Describe*",
                "cloudhsm:Get*",
                "cloudsearch:Describe*",
                "cloudsearch:List*",
                "cloudtrail:Describe*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudtrail:LookupEvents",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "codebuild:BatchGet*",
                "codebuild:List*",
                "codecommit:BatchGet*",
                "codecommit:Describe*",
                "codecommit:Get*",
                "codecommit:GitPull",
                "codecommit:List*",
                "codedeploy:BatchGet*",
                "codedeploy:Get*",
                "codedeploy:List*",
                "codepipeline:List*",
                "codepipeline:Get*",
                "codestar:List*",
                "codestar:Describe*",
                "codestar:Get*",
                "codestar:Verify*",
                "cognito-identity:Describe*",
                "cognito-identity:Get*",
                "cognito-identity:List*",
                "cognito-identity:Lookup*",
                "cognito-sync:List*",
                "cognito-sync:Describe*",
                "cognito-sync:Get*",
                "cognito-sync:QueryRecords",
                "cognito-idp:AdminGet*",
                "cognito-idp:AdminList*",
                "cognito-idp:List*",
                "cognito-idp:Describe*",
                "cognito-idp:Get*",
                "config:Deliver*",
                "config:Describe*",
                "config:Get*",
                "config:List*",
                "connect:List*",
                "connect:Describe*",
                "connect:GetFederationToken",
                "datasync:Describe*",
                "datasync:List*",
                "datapipeline:Describe*",
                "datapipeline:EvaluateExpression",
                "datapipeline:Get*",
                "datapipeline:List*",
                "datapipeline:QueryObjects",
                "datapipeline:Validate*",
                "dax:BatchGetItem",
                "dax:Describe*",
                "dax:GetItem",
                "dax:ListTags",
                "dax:Query",
                "dax:Scan",
                "directconnect:Describe*",
                "devicefarm:List*",
                "devicefarm:Get*",
                "discovery:Describe*",
                "discovery:List*",
                "discovery:Get*",
                "dlm:Get*",
                "dms:Describe*",
                "dms:List*",
                "dms:Test*",
                "ds:Check*",
                "ds:Describe*",
                "ds:Get*",
                "ds:List*",
                "ds:Verify*",
                "dynamodb:BatchGet*",
                "dynamodb:Describe*",
                "dynamodb:Get*",
                "dynamodb:List*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "ec2:Describe*",
                "ec2:Get*",
                "ec2:SearchTransitGatewayRoutes",
                "ec2messages:Get*",
                "ecr:BatchCheck*",
                "ecr:BatchGet*",
                "ecr:Describe*",
                "ecr:Get*",
                "ecr:List*",
                "ecs:Describe*",
                "ecs:List*",
                "eks:DescribeCluster",
                "eks:DescribeUpdates",
                "eks:ListClusters",
                "eks:ListUpdates",
                "elasticache:Describe*",
                "elasticache:List*",
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:Request*",
                "elasticbeanstalk:Retrieve*",
                "elasticbeanstalk:Validate*",
                "elasticfilesystem:Describe*",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:List*",
                "elasticmapreduce:View*",
                "elastictranscoder:List*",
                "elastictranscoder:Read*",
                "es:Describe*",
                "es:List*",
                "es:Get*",
                "es:ESHttpGet",
                "es:ESHttpHead",
                "events:Describe*",
                "events:List*",
                "events:Test*",
                "firehose:Describe*",
                "firehose:List*",
                "fsx:Describe*",
                "fsx:List*",
                "gamelift:List*",
                "gamelift:Get*",
                "gamelift:Describe*",
                "gamelift:RequestUploadCredentials",
                "gamelift:ResolveAlias",
                "gamelift:Search*",
                "glacier:List*",
                "glacier:Describe*",
                "glacier:Get*",
                "globalaccelerator:Describe*",
                "globalaccelerator:List*",
                "glue:BatchGetPartition",
                "glue:GetCatalogImportStatus",
                "glue:GetClassifier",
                "glue:GetClassifiers",
                "glue:GetCrawler",
                "glue:GetCrawlers",
                "glue:GetCrawlerMetrics",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetDataCatalogEncryptionSettings",
                "glue:GetDataflowGraph",
                "glue:GetDevEndpoint",
                "glue:GetDevEndpoints",
                "glue:GetJob",
                "glue:GetJobs",
                "glue:GetJobRun",
                "glue:GetJobRuns",
                "glue:GetMapping",
                "glue:GetPartition",
                "glue:GetPartitions",
                "glue:GetPlan",
                "glue:GetResourcePolicy",
                "glue:GetSecurityConfiguration",
                "glue:GetSecurityConfigurations",
                "glue:GetTable",
                "glue:GetTables",
                "glue:GetTableVersion",
                "glue:GetTableVersions",
                "glue:GetTags",
                "glue:GetTrigger",
                "glue:GetTriggers",
                "glue:GetUserDefinedFunction",
                "glue:GetUserDefinedFunctions",
                "greengrass:Get*",
                "greengrass:List*",
                "guardduty:Get*",
                "guardduty:List*",
                "health:Describe*",
                "health:Get*",
                "health:List*",
                "iam:Generate*",
                "iam:Get*",
                "iam:List*",
                "iam:Simulate*",
                "importexport:Get*",
                "importexport:List*",
                "inspector:Describe*",
                "inspector:Get*",
                "inspector:List*",
                "inspector:Preview*",
                "inspector:LocalizeText",
                "iot:Describe*",
                "iot:Get*",
                "iot:List*",
                "iotanalytics:Describe*",
                "iotanalytics:List*",
                "iotanalytics:Get*",
                "iotanalytics:SampleChannelData",
                "kafka:Describe*",
                "kafka:List*",
                "kafka:Get*",
                "kinesisanalytics:Describe*",
                "kinesisanalytics:Discover*",
                "kinesisanalytics:Get*",
                "kinesisanalytics:List*",
                "kinesisvideo:Describe*",
                "kinesisvideo:Get*",
                "kinesisvideo:List*",
                "kinesis:Describe*",
                "kinesis:Get*",
                "kinesis:List*",
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "lambda:List*",
                "lambda:Get*",
                "lex:Get*",
                "lightsail:GetActiveNames",
                "lightsail:GetBlueprints",
                "lightsail:GetBundles",
                "lightsail:GetCloudFormationStackRecords",
                "lightsail:GetDisk",
                "lightsail:GetDisks",
                "lightsail:GetDiskSnapshot",
                "lightsail:GetDiskSnapshots",
                "lightsail:GetDomain",
                "lightsail:GetDomains",
                "lightsail:GetExportSnapshotRecords",
                "lightsail:GetInstance",
                "lightsail:GetInstanceMetricData",
                "lightsail:GetInstancePortStates",
                "lightsail:GetInstances",
                "lightsail:GetInstanceSnapshot",
                "lightsail:GetInstanceSnapshots",
                "lightsail:GetInstanceState",
                "lightsail:GetKeyPair",
                "lightsail:GetKeyPairs",
                "lightsail:GetLoadBalancer",
                "lightsail:GetLoadBalancerMetricData",
                "lightsail:GetLoadBalancers",
                "lightsail:GetLoadBalancerTlsCertificates",
                "lightsail:GetOperation",
                "lightsail:GetOperations",
                "lightsail:GetOperationsForResource",
                "lightsail:GetRegions",
                "lightsail:GetRelationalDatabase",
                "lightsail:GetRelationalDatabaseBlueprints",
                "lightsail:GetRelationalDatabaseBundles",
                "lightsail:GetRelationalDatabaseEvents",
                "lightsail:GetRelationalDatabaseLogEvents",
                "lightsail:GetRelationalDatabaseLogStreams",
                "lightsail:GetRelationalDatabaseMetricData",
                "lightsail:GetRelationalDatabaseParameters",
                "lightsail:GetRelationalDatabases",
                "lightsail:GetRelationalDatabaseSnapshot",
                "lightsail:GetRelationalDatabaseSnapshots",
                "lightsail:GetResources",
                "lightsail:GetStaticIp",
                "lightsail:GetStaticIps",
                "lightsail:GetTagKeys",
                "lightsail:GetTagValues",
                "lightsail:Is*",
                "lightsail:List*",
                "logs:Describe*",
                "logs:Get*",
                "logs:FilterLogEvents",
                "logs:ListTagsLogGroup",
                "logs:StartQuery",
                "logs:TestMetricFilter",
                "machinelearning:Describe*",
                "machinelearning:Get*",
                "mgh:Describe*",
                "mgh:List*",
                "mobileanalytics:Get*",
                "mobilehub:Describe*",
                "mobilehub:Export*",
                "mobilehub:Generate*",
                "mobilehub:Get*",
                "mobilehub:List*",
                "mobilehub:Validate*",
                "mobilehub:Verify*",
                "mobiletargeting:Get*",
                "mq:Describe*",
                "mq:List*",
                "opsworks:Describe*",
                "opsworks:Get*",
                "opsworks-cm:Describe*",
                "organizations:Describe*",
                "organizations:List*",
                "pi:DescribeDimensionKeys",
                "pi:GetResourceMetrics",
                "polly:Describe*",
                "polly:Get*",
                "polly:List*",
                "polly:SynthesizeSpeech",
                "rekognition:CompareFaces",
                "rekognition:Detect*",
                "rekognition:List*",
                "rekognition:Search*",
                "rds:Describe*",
                "rds:List*",
                "rds:Download*",
                "redshift:Describe*",
                "redshift:GetReservedNodeExchangeOfferings",
                "redshift:View*",
                "resource-groups:Describe*",
                "resource-groups:Get*",
                "resource-groups:List*",
                "resource-groups:Search*",
                "robomaker:BatchDescribe*",
                "robomaker:Describe*",
                "robomaker:List*",
                "route53:Get*",
                "route53:List*",
                "route53:Test*",
                "route53domains:Check*",
                "route53domains:Get*",
                "route53domains:List*",
                "route53domains:View*",
                "route53resolver:Get*",
                "route53resolver:List*",
                "s3:Get*",
                "s3:List*",
                "s3:Head*",
                "sagemaker:Describe*",
                "sagemaker:List*",
                "sdb:Get*",
                "sdb:List*",
                "sdb:Select*",
                "secretsmanager:List*",
                "secretsmanager:Describe*",
                "secretsmanager:GetResourcePolicy",
                "securityhub:Get*",
                "securityhub:List*",
                "serverlessrepo:List*",
                "serverlessrepo:Get*",
                "serverlessrepo:SearchApplications",
                "servicecatalog:List*",
                "servicecatalog:Scan*",
                "servicecatalog:Search*",
                "servicecatalog:Describe*",
                "servicediscovery:Get*",
                "servicediscovery:List*",
                "servicequotas:GetAssociationForServiceQuotaTemplate",
                "servicequotas:GetAWSDefaultServiceQuota",
                "servicequotas:GetRequestedServiceQuotaChange",
                "servicequotas:GetServiceQuota",
                "servicequotas:GetServiceQuotaIncreaseRequestFromTemplate",
                "servicequotas:ListAWSDefaultServiceQuotas",
                "servicequotas:ListRequestedServiceQuotaChangeHistory",
                "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota",
                "servicequotas:ListServices",
                "servicequotas:ListServiceQuotas",
                "servicequotas:ListServiceQuotaIncreaseRequestsInTemplate",
                "ses:Get*",
                "ses:List*",
                "ses:Describe*",
                "shield:Describe*",
                "shield:Get*",
                "shield:List*",
                "snowball:Get*",
                "snowball:Describe*",
                "snowball:List*",
                "sns:Get*",
                "sns:List*",
                "sns:Check*",
                "sqs:Get*",
                "sqs:List*",
                "sqs:Receive*",
                "ssm:Describe*",
                "ssm:Get*",
                "ssm:List*",
                "states:List*",
                "states:Describe*",
                "states:GetExecutionHistory",
                "storagegateway:Describe*",
                "storagegateway:List*",
                "sts:Get*",
                "swf:Count*",
                "swf:Describe*",
                "swf:Get*",
                "swf:List*",
                "tag:Get*",
                "transfer:Describe*",
                "transfer:List*",
                "transfer:TestIdentityProvider",
                "transcribe:Get*",
                "transcribe:List*",
                "trustedadvisor:Describe*",
                "waf:Get*",
                "waf:List*",
                "waf-regional:List*",
                "waf-regional:Get*",
                "workdocs:Describe*",
                "workdocs:Get*",
                "workdocs:CheckAlias",
                "worklink:Describe*",
                "worklink:List*",
                "workmail:Describe*",
                "workmail:Get*",
                "workmail:List*",
                "workmail:Search*",
                "workspaces:Describe*",
                "xray:BatchGet*",
                "xray:Get*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}