From 0f4ce9d7b9619b4689fd410ded683467ed6a7708 Mon Sep 17 00:00:00 2001 From: Alina Buzachis Date: Fri, 11 Aug 2023 00:23:06 +0200 Subject: [PATCH] Refactor policies to decrease their length (#290) * Refactor policies to decrease their length Signed-off-by: Alina Buzachis * Revision Signed-off-by: Alina Buzachis * Revision * Yet another revision Signed-off-by: Alina Buzachis * Apply suggestions Signed-off-by: Alina Buzachis * Remove duplicate Signed-off-by: Alina Buzachis --------- Signed-off-by: Alina Buzachis
---
 aws/policy/application-security.yaml | 44 ++-----------
 aws/policy/application-services.yaml | 95 +++++++++------------------
 aws/policy/compute.yaml | 8 +-
 aws/policy/data-services.yaml | 34 ++++------
 aws/policy/networking.yaml | 19 +----
 aws/policy/paas.yaml | 19 ++---
 aws/policy/security-services.yaml | 28 +++-----
 aws/policy/storage-services.yaml | 23 ++-----
 8 files changed, 76 insertions(+), 194 deletions(-)
diff --git a/aws/policy/application-security.yaml b/aws/policy/application-security.yaml
index c09055c7..05067ce6 100644
--- a/aws/policy/application-security.yaml
+++ b/aws/policy/application-security.yaml
@@ -4,28 +4,15 @@ Statement:
 - Sid: AllowRegionalRestrictedResourceActionsWhichIncurFees
 Effect: Allow
 Action:
- - wafv2:ListRuleGroups
- - wafv2:ListWebACLs
 - wafv2:AssociateWebACL
 - wafv2:DeleteRuleGroup
 - wafv2:CreateRuleGroup
 - wafv2:PutFirewallManagerRuleGroups
- - wafv2:GetWebACLForResource
- - wafv2:GetLoggingConfiguration
 - wafv2:DeleteWebACL
- - wafv2:GetRateBasedStatementManagedKeys
- - wafv2:ListLoggingConfigurations
- - wafv2:GetIPSet
 - wafv2:CreateWebACL
- - wafv2:ListIPSets
- - wafv2:GetWebACL
- - wafv2:GetRuleGroup
 - wafv2:CreateIPSet
- - wafv2:ListAvailableManagedRuleGroups
 - wafv2:DeleteIPSet
- - wafv2:DescribeManagedRuleGroup
 - wafv2:CheckCapacity
- - wafv2:ListResourcesForWebACL
 - wafv2:DeleteLoggingConfiguration
 - wafv2:PutLoggingConfiguration
 - wafv2:DisassociateWebACL
@@ -40,22 +27,15 @@ Statement:
 - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
 Effect: Allow
 Action:
- - inspector:ListAssessmentTargets
+ - inspector:List*
 - inspector:CreateResourceGroup
 - inspector:CreateAssessmentTarget
- - inspector:DescribeAssessmentTargets
- - inspector:DescribeResourceGroups
+ - inspector:Describe*
 - inspector:UpdateAssessmentTarget
 - inspector:DeleteAssessmentTarget
- - inspector:ListAssessmentTemplates
- - inspector:ListRulesPackages
- - inspector:DescribeRulesPackages
 - inspector:CreateAssessmentTemplate
 - inspector:DeleteAssessmentTemplate
 - inspector:SetTagsForResource
- - inspector:DescribeAssessmentTemplates
- - inspector:ListTagsForResource
- - inspector:ListEventSubscriptions
 - waf:CreateByteMatchSet
 - waf:CreateGeoMatchSet
 - waf:CreateIPSet
@@ -80,21 +60,7 @@ Statement:
 - waf:DeleteSqlInjectionMatchSet
 - waf:DeleteWebACL
 - waf:DeleteXssMatchSet
- - waf:GetByteMatchSet
- - waf:GetChangeToken
- - waf:GetChangeTokenStatus
- - waf:GetGeoMatchSet
- - waf:GetIPSet
- - waf:GetRateBasedRule
- - waf:GetRateBasedRuleManagedKeys
- - waf:GetRegexMatchSet
- - waf:GetRegexPatternSet
- - waf:GetRule
- - waf:GetRuleGroup
- - waf:GetSizeConstraintSet
- - waf:GetSqlInjectionMatchSet
- - waf:GetWebACL
- - waf:GetXssMatchSet
+ - waf:Get*
 - waf:List*
 - waf:TagResource
 - waf:UntagResource
@@ -109,7 +75,9 @@ Statement:
 - waf:UpdateSqlInjectionMatchSet
 - waf:UpdateWebACL
 - waf:UpdateXssMatchSet
- - wafv2:ListTagsForResource
+ - wafv2:Describe*
+ - wafv2:Get*
+ - wafv2:List*
 - wafv2:TagResource
 - wafv2:UntagResource
 Resource: "*"
diff --git a/aws/policy/application-services.yaml b/aws/policy/application-services.yaml
index e9429d27..25197e99 100644
--- a/aws/policy/application-services.yaml
+++ b/aws/policy/application-services.yaml
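Review bot: `wafv2:Get*` on `Resource: "*"` in the last hunk (the three added `wafv2:*` wildcards in the AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees statement) is broader than the Gets it replaces: it also matches `wafv2:GetSampledRequests`, which returns samples of inspected web requests including their headers, plus any Get action WAF adds later. The first hunk's original list granted only resource-specific reads (`GetWebACL`, `GetIPSet`, `GetRuleGroup`, `GetLoggingConfiguration`, `GetRateBasedStatementManagedKeys`, `GetWebACLForResource`). If sampled requests are not needed by the tests this policy backs, keep an explicit list such as `- wafv2:GetWebACL`, `- wafv2:GetIPSet`, `- wafv2:GetRuleGroup` (plus the other three), or add a Deny for `wafv2:GetSampledRequests`. The statement the last hunk edits starts before line 109, outside the hunk.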
@@ -9,47 +9,41 @@ Statement:
 - cloudformation:CancelResourceRequest
 - cloudformation:CreateResource
 - cloudformation:DeleteResource
- - cloudformation:DescribeStacks
- - cloudformation:DescribeType
- - cloudformation:GetResource
- - cloudformation:GetResourceRequestStatus
+ - cloudformation:Describe*
+ - cloudformation:Get*
 - cloudformation:List*
 - cloudformation:UpdateResource
 ###
+ - cloudwatch:Describe*
 - codebuild:BatchGetProjects
 - codebuild:List*
+ - codecommit:Get*
 - codecommit:List*
- - codepipeline:GetPipeline
+ - codepipeline:Get*
 - codepipeline:List*
 - ec2messages:AcknowledgeMessage
 - ec2messages:DeleteMessage
 - ec2messages:FailMessage
- - ec2messages:GetEndpoint
- - ec2messages:GetMessages
+ - ec2messages:Get*
 - ec2messages:SendReply
 - events:CreateRule
 - events:DeleteRule
- - events:DescribeRule
+ - events:Describe*
 - events:List*
 - events:PutRule
 - events:PutTargets
 - events:RemoveTargets
- - glue:GetConnections
- - glue:GetCrawlers
- - glue:GetJobs
- - kinesis:DescribeStream
+ - glue:Get*
+ - kinesis:Describe*
 - kinesis:List*
- - mq:ListBrokers
+ - mq:Describe*
+ - mq:List*
 - ses:CreateReceiptRuleSet
 - ses:DeleteIdentity
 - ses:DeleteIdentityPolicy
 - ses:DeleteReceiptRuleSet
- - ses:DescribeActiveReceiptRuleSet
- - ses:DescribeReceiptRuleSet
- - ses:GetIdentityDkimAttributes
- - ses:GetIdentityNotificationAttributes
- - ses:GetIdentityPolicies
- - ses:GetIdentityVerificationAttributes
+ - ses:Describe*
+ - ses:Get*
 - ses:List*
 - ses:PutIdentityPolicy
 - ses:SetActiveReceiptRuleSet
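Review bot: `cloudformation:Get*` and `cloudformation:Describe*` on `Resource: "*"` (top of this hunk) move stack-level reads such as `GetTemplate`, `GetStackPolicy` and `DescribeStackEvents` out of the statement that scoped them to stack ARNs — the later hunk at `@@ -102,50` deletes exactly those explicit entries from the restricted statement. `GetTemplate` returns the full template body, which in practice often carries parameter defaults and other configuration one would not want readable for every stack in the account, so this is a read-scope expansion rather than a pure shortening. If the intent was only to replace the Cloud Control reads (`GetResource`, `GetResourceRequestStatus`, `DescribeType`), keep those explicit here and leave `cloudformation:GetTemplate`/`GetStackPolicy` in the ARN-scoped statement. The statement this hunk edits starts before line 9, outside the hunk.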
@@ -62,35 +56,32 @@ Statement:
 - ses:VerifyEmailIdentity
 - sqs:CreateQueue
 - sqs:DeleteQueue
- - sqs:GetQueueAttributes
- - sqs:GetQueueUrl
+ - sqs:Get*
 - sqs:List*
 - sqs:SetQueueAttributes
 - sqs:TagQueue
 - sqs:UntagQueue
 - ssm:AddTagsToResource
- - ssm:DescribeAssociation
- - ssm:DescribeDocument
- - ssm:DescribeParameters
- - ssm:GetDeployablePatchSnapshotForInstance
- - ssm:GetDocument
- - ssm:GetInventory
- - ssm:GetManifest
+ - ssm:Describe*
+ - ssm:Get*
 - ssm:List*
- - ssmmessages:CreateControlChannel
- - ssmmessages:CreateDataChannel
- - ssmmessages:OpenControlChannel
- - ssmmessages:OpenDataChannel
 - ssm:PutComplianceItems
 - ssm:PutConfigurePackageResult
 - ssm:PutInventory
 - ssm:RemoveTagsFromResource
 - ssm:StartSession
- - ssm:DescribeSessions
 - ssm:TerminateSession
 - ssm:UpdateAssociationStatus
 - ssm:UpdateInstanceAssociationStatus
 - ssm:UpdateInstanceInformation
+ - ssmmessages:CreateControlChannel
+ - ssmmessages:CreateDataChannel
+ - ssmmessages:OpenControlChannel
+ - ssmmessages:OpenDataChannel
+ - SNS:Get*
+ - SNS:List*
+ - states:Describe*
+ - states:List*
 Resource: "*"
 - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
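Review bot: `ssm:Get*` on `Resource: "*"` (replacing the four explicit ssm Gets mid-hunk) also matches `ssm:GetParameter`, `ssm:GetParameters` and `ssm:GetParametersByPath`, which the hunk at `@@ -153,14` removes from the statement scoped to `arn:aws:ssm:{{ aws_region }}:{{ aws_account_id }}:parameter/*`. Parameter reads — SecureString values included, subject to KMS access on the key — are therefore no longer bounded to that ARN pattern and region but allowed on any resource in any region, which is easy to miss because the change reads as a tidy-up. Suggest keeping the parameter reads out of the wildcard: list `- ssm:GetDocument`, `- ssm:GetInventory`, `- ssm:GetManifest`, `- ssm:GetDeployablePatchSnapshotForInstance` explicitly here and restore `- ssm:GetParameter*` to the ARN-scoped statement. `ssm:Describe*` likewise silently re-grants `ssm:DescribeSessions`, which this hunk deletes lower down. The statement this hunk edits starts before line 62, outside the hunk.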
@@ -102,50 +93,33 @@ Statement:
 - cloudformation:CreateStack
 - cloudformation:DeleteChangeSet
 - cloudformation:DeleteStack
- - cloudformation:DescribeChangeSet
- - cloudformation:DescribeStackEvents
- - cloudformation:DescribeStacks
- - cloudformation:GetStackPolicy
- - cloudformation:GetTemplate
- - cloudformation:List*
 - cloudformation:SetStackPolicy
 - cloudformation:UpdateStack
 - cloudformation:UpdateTerminationProtection
 - cloudwatch:DeleteAlarms
- - cloudwatch:DescribeAlarms
 - cloudwatch:PutMetricAlarm
 - codebuild:CreateProject
 - codebuild:DeleteProject
 - codebuild:UpdateProject
 - codecommit:CreateRepository
 - codecommit:DeleteRepository
- - codecommit:GetRepository
 - codecommit:UpdateRepositoryDescription
 - codepipeline:CreatePipeline
 - codepipeline:DeletePipeline
 - codepipeline:UpdatePipeline
 - glue:DeleteCrawler
 - glue:DeleteJob
- - glue:GetCrawler
- - glue:GetJob
- - glue:GetTags
 - glue:TagResource
 - glue:UntagResource
 - glue:UpdateCrawler
 - glue:UpdateJob
 - kinesis:AddTagsToStream
- - kinesis:List*
 - kinesis:RemoveTagsFromStream
 - kinesis:StartStreamEncryption
 - kinesis:StopStreamEncryption
- - mq:DescribeBroker
- - mq:DescribeBrokerEngineTypes
 - mq:CreateTags
 - SNS:CreateTopic
 - SNS:DeleteTopic
- - SNS:GetSubscriptionAttributes
- - SNS:GetTopicAttributes
- - SNS:List*
 - SNS:TagResource
 - SNS:SetSubscriptionAttributes
 - SNS:SetTopicAttributes
@@ -153,14 +127,8 @@ Statement:
 - SNS:Unsubscribe
 - SNS:UntagResource
 - ssm:DeleteParameter
- - ssm:GetParameter
- - ssm:GetParameters
- - ssm:GetParametersByPath
 - ssm:PutParameter
 - states:DeleteStateMachine
- - states:DescribeExecution
- - states:DescribeStateMachine
- - states:List*
 - states:TagResource
 - states:UntagResource
 Resource:
@@ -175,7 +143,6 @@ Statement:
 - 'arn:aws:kinesis:{{ aws_region }}:{{ aws_account_id }}:stream/*'
 - 'arn:aws:mq:{{ aws_region }}:{{ aws_account_id }}:*'
 - 'arn:aws:sns:{{ aws_region }}:{{ aws_account_id }}:*'
- - 'arn:aws:sqs:{{ aws_region }}:{{ aws_account_id }}:*'
 - 'arn:aws:ssm:{{ aws_region }}:{{ aws_account_id }}:parameter/*'
 - 'arn:aws:ssm:{{ aws_region }}::parameter/aws/service/*'
 - 'arn:aws:states:{{ aws_region }}:{{ aws_account_id }}:*'
@@ -183,11 +150,8 @@ Statement:
 - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
 Effect: Allow
 Action:
- - states:CreateStateMachine
- - states:StartExecution
- - states:StopExecution
- - states:UpdateStateMachine
- - SNS:Publish
+ - glue:CreateCrawler
+ - glue:CreateJob
 - kinesis:CreateStream
 - kinesis:DecreaseStreamRetentionPeriod
 - kinesis:DeleteStream
@@ -195,8 +159,11 @@ Statement:
 - kinesis:UpdateShardCount
 - mq:CreateBroker
 - mq:DeleteBroker
- - glue:CreateCrawler
- - glue:CreateJob
+ - SNS:Publish
+ - states:CreateStateMachine
+ - states:StartExecution
+ - states:StopExecution
+ - states:UpdateStateMachine
 Resource:
 - 'arn:aws:sns:{{ aws_region }}:{{ aws_account_id }}:*'
 - 'arn:aws:states:{{ aws_region }}:{{ aws_account_id }}:*'
diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
index cf4df451..5c7a085c 100644
--- a/aws/policy/compute.yaml
+++ b/aws/policy/compute.yaml
@@ -63,11 +63,9 @@ Statement:
 - ec2:DeleteSnapshot
 - ec2:DeleteTags
 - ec2:DeregisterImage
- - ec2:Describe*
 - ec2:DetachVolume
 - ec2:DisassociateIamInstanceProfile
- - ec2:GetLaunchTemplateData
- - ec2:GetInstanceUefiData
+ - ec2:Get*
 - ec2:ImportKeyPair
 - ec2:ModifyImageAttribute
 - ec2:ModifyInstanceAttribute
@@ -108,7 +106,7 @@ Statement:
 Effect: Allow
 Action:
 - autoscaling:Describe*
- - ec2:DescribeAvailabilityZones
+ - ec2:Describe*
 - elasticloadbalancing:DeleteRule
 - elasticloadbalancing:DeleteListener
 - elasticloadbalancing:Describe*
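Review bot: `ec2:Get*` (replacing `GetLaunchTemplateData` and `GetInstanceUefiData` in compute.yaml's hunk at `@@ -63,11`) also matches `ec2:GetPasswordData`, `ec2:GetConsoleOutput` and `ec2:GetConsoleScreenshot`, which hand back Windows administrator password material and the console contents of running instances, plus whatever Get action EC2 adds next. Neither removed line needed that, and this statement's Resource list is outside the hunk, so I cannot tell whether an instance ARN or a condition narrows it. Prefer keeping the two explicit actions, `- ec2:GetLaunchTemplateData` and `- ec2:GetInstanceUefiData`, or pair the wildcard with a Deny on `ec2:GetPasswordData` and `ec2:GetConsoleOutput`. The statement this hunk edits starts before line 63, outside the hunk.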
@@ -184,6 +182,6 @@ Statement:
 - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:launchConfiguration:*'
 - 'arn:aws:autoscaling:{{ aws_region }}:{{ aws_account_id }}:autoScalingGroup:*'
 - 'arn:aws:ec2:{{ aws_region }}:{{ aws_account_id }}:volume/*'
- - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:*'
 - 'arn:aws:elasticfilesystem:{{ aws_region }}:{{ aws_account_id }}:file-system/*'
 - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:targetgroup/*'
+ - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:loadbalancer/*'
diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
index d78fbe36..fcc20bb6 100644
--- a/aws/policy/data-services.yaml
+++ b/aws/policy/data-services.yaml
@@ -3,20 +3,23 @@ Statement:
 - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
 Effect: Allow
 Action:
- - dms:DescribeReplicationSubnetGroups
 - dms:CreateEndpoint
- - dms:DescribeEndpoints
+ - dms:Describe*
+ - dms:List*
+ - dynamodb:Get*
+ - dynamodb:Describe*
+ - dynamodb:List*
 - dynamodb:Scan
- - dynamodb:ListTables
- - dynamodb:DescribeTable
- - dynamodb:ListTagsOfResource
- - glue:GetConnection
+ - elasticache:Describe*
+ - elasticache:List*
+ - glacier:List*
+ - glue:Get*
 - glue:CreateConnection
 - glue:DeleteConnection
 - glue:UpdateConnection
- - glue:GetConnections
- - rds:DescribeDB*
+ - rds:Describe*
 - rds:List*
+ - redshift:Describe*
 Resource: "*"
 - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
 Effect: Allow
@@ -25,15 +28,12 @@ Statement:
 - dms:CreateReplicationSubnetGroup
 - dms:DeleteEndpoint
 - dms:DeleteReplicationSubnetGroup
- - dms:ListTagsForResource
 - dms:ModifyEndpoint
 - dms:ModifyReplicationSubnetGroup
 - dms:RemoveTagsFromResource
 - dynamodb:CreateTable
 - dynamodb:DeleteItem
 - dynamodb:DeleteTable
- - dynamodb:DescribeContinuousBackups
- - dynamodb:GetItem
 - dynamodb:PutItem
 - dynamodb:TagResource
 - dynamodb:UntagResource
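Review bot: `dynamodb:Get*` is added to the AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees statement with `Resource: "*"` (data-services.yaml, hunk at `@@ -3,20`), while the following hunk deletes `dynamodb:GetItem` from the ARN-scoped statement that still holds `PutItem` and `DeleteItem`; item reads (`GetItem`, `BatchGetItem`, `GetRecords`) on every table in the account are now granted alongside the existing `Scan`. Suggest moving `- dynamodb:Get*` down to the restricted statement next to `- dynamodb:PutItem` and keeping only `- dynamodb:Describe*` and `- dynamodb:List*` here, which also keeps the Sid's "IncurNoFees" claim honest since item reads consume read capacity. Separately, `glue:Get*` on `"*"` covers `glue:GetConnection`, which as far as I recall returns the connection's stored credentials unless the caller sets HidePassword, so confirm that is intended for an unrestricted statement.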
@@ -46,18 +46,12 @@ Statement:
 - elasticache:DeleteCacheCluster
 - elasticache:DeleteCacheSecurityGroup
 - elasticache:DeleteCacheSubnetGroup
- - elasticache:DescribeCache*
- - elasticache:DescribeEngineDefaultParameters
- - elasticache:DescribeUpdateActions
- - elasticache:ListTagsForResource
 - elasticache:ModifyCacheCluster
 - elasticache:ModifyCacheParameterGroup
 - elasticache:ModifyCacheSubnetGroup
 - elasticache:RemoveTagsFromResource
- - glacier:ListVaults
 - glacier:CreateVault
 - glacier:DeleteVault
- - glacier:ListTagsForVault
 - glacier:AddTagsToVault
 - glacier:RemoveTagsFromVault
 - redshift:CreateClusterSubnetGroup
@@ -65,9 +59,6 @@ Statement:
 - redshift:DeleteCluster
 - redshift:DeleteClusterSubnetGroup
 - redshift:DeleteTags
- - redshift:DescribeClusters
- - redshift:DescribeClusterSubnetGroups
- - redshift:DescribeTags
 - redshift:ModifyCluster
 - redshift:ModifyClusterSubnetGroup
 - redshift:RebootCluster
@@ -93,13 +84,11 @@ Statement:
 - rds:PromoteReadReplica
 - rds:RebootDBCluster
 - rds:RebootDBInstance
- - rds:ListTagsForResource
 - rds:ModifyDBCluster
 - rds:ModifyDBParameterGroup
 - rds:ModifyDBClusterParameterGroup
 - rds:ModifyDBSubnetGroup
 - rds:RemoveTagsFromResource
- - rds:DescribeOptionGroups
 - rds:CreateOptionGroup
 - rds:ModifyOptionGroup
 - rds:DeleteOptionGroup
@@ -108,7 +97,6 @@ Statement:
 - rds:CreateDBSnapshot
 - rds:DeleteDBSnapshot
 - rds:CopyDBSnapshot
- - rds:DescribeExportTasks
 - rds:StartExportTask
 - rds:CancelExportTask
 - rds:RestoreDBClusterToPointInTime
diff --git a/aws/policy/networking.yaml b/aws/policy/networking.yaml
index 63264020..b20c909d 100644
--- a/aws/policy/networking.yaml
+++ b/aws/policy/networking.yaml
@@ -4,26 +4,17 @@ Statement:
 Effect: Allow
 Action:
 - route53:ChangeResourceRecordSets
- - route53:ListResourceRecordSets
- - route53:ListHostedZones*
+ - route53:List*
 - route53:CreateHostedZone
- - route53:GetHostedZone
+ - route53:Get*
 - route53:DeleteHostedZone
 - route53:UpdateHostedZoneComment
 - route53:AssociateVPCWithHostedZone
 - route53:ChangeTagsForResource
- - route53:ListTagsForResource
- - route53:ListTagsForResources
 - route53:CreateHealthCheck
 - route53:DeleteHealthCheck
- - route53:GetHealthCheck
- - route53:GetHealthCheckStatus
- - route53:GetHealthCheckLastFailureReason
- - route53:ListHealthChecks
 - route53:UpdateHealthCheck
- - network-firewall:ListFirewallPolicies
- - network-firewall:ListFirewalls
- - network-firewall:ListRuleGroups
+ - network-firewall:List*
 - network-firewall:Describe*
 Resource: "*"
@@ -88,9 +79,6 @@ Statement:
 - ec2:DeleteTransitGateway
 - ec2:DeleteTransitGatewayPeeringAttachment
 - ec2:DeleteTransitGatewayVpcAttachment
- - ec2:DescribeSubnets
- - ec2:DescribeVpcs
- - ec2:DescribeSecurityGroups
 - ec2:DetachInternetGateway
 - ec2:DetachNetworkInterface
 - ec2:DetachVpnGateway
@@ -132,7 +120,6 @@ Statement:
 - network-firewall:DeleteFirewallPolicy
 - network-firewall:DeleteResourcePolicy
 - network-firewall:DeleteRuleGroup
- - network-firewall:ListTagsForResource
 - network-firewall:PutResourcePolicy
 - network-firewall:TagResource
 - network-firewall:UntagResource
diff --git a/aws/policy/paas.yaml b/aws/policy/paas.yaml
index 42b97027..0bd19699 100644
--- a/aws/policy/paas.yaml
+++ b/aws/policy/paas.yaml
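Review bot: Dropping `ec2:DescribeSubnets`, `ec2:DescribeVpcs` and `ec2:DescribeSecurityGroups` from networking.yaml (hunk at `@@ -88,9`) makes this file depend on the `ec2:Describe*` that compute.yaml's second hunk grants; on its own, the networking policy can still create and delete gateways and transit-gateway attachments but can no longer read the subnets, VPCs or security groups it operates on. If these per-service files are meant to be attachable independently — the layout suggests so, but the diff does not show how they are combined — keep an explicit `- ec2:Describe*` here or restore the three removed lines. Otherwise a one-line comment above the ec2 block, `# ec2:Describe* is granted by compute.yaml`, would make the cross-file dependency visible to the next editor. The statement this hunk edits starts before line 88, outside the hunk.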
@@ -41,19 +41,13 @@ Statement:
 - ecr:PutImageScanningConfiguration
 - ecr:PutLifecyclePolicy
 - ecr:SetRepositoryPolicy
- - ecr:DescribeImages
- - ecr:ListImages
 - ecr:BatchDeleteImages
 - ecr:BatchCheckLayerAvailability
 - eks:DeleteCluster
- - eks:DescribeCluster
- - eks:ListClusters
+ - eks:Describe*
+ - eks:List*
 - eks:CreateFargateProfile
 - eks:DeleteFargateProfile
- - eks:DescribeFargateProfile
- - eks:ListFargateProfiles
- - eks:ListNodegroups
- - eks:ListTagsForResource
 - eks:TagResource
 - eks:UntagResource
 - eks:DescribeNodegroup
@@ -61,7 +55,7 @@ Statement:
 - eks:DeleteNodegroup
 - elasticbeanstalk:CreateApplication
 - elasticbeanstalk:DeleteApplication
- - elasticbeanstalk:DescribeApplications
+ - elasticbeanstalk:Describe*
 - elasticbeanstalk:UpdateApplication
 - lambda:AddPermission
 - lambda:CreateAlias
@@ -125,9 +119,12 @@ Statement:
 Effect: Allow
 Action:
 - cloudfront:CreateCloudFrontOriginAccessIdentity
+ - cloudfront:Get*
+ - cloudfront:List*
 - ecr:GetAuthorizationToken
 - ecr:CreateRepository
- - ecr:DescribeRepositories
+ - ecr:Describe*
+ - ecr:List*
 - ecr:PutImageTagMutability
 - lambda:GetEventSourceMapping
 - lambda:ListAliases
@@ -135,8 +132,6 @@ Statement:
 - lambda:ListFunctions
 - lambda:ListLayers
 - lambda:ListVersionsByFunction
- - cloudfront:Get*
- - cloudfront:List*
 Resource:
 - "*"
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index d926273d..b8398b8c 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
@@ -38,8 +38,7 @@ Statement:
 Effect: Allow
 Action:
 - iam:GetUser
- - acm:ListCertificates
- - acm:ListTagsForCertificate
+ - acm:List*
 Resource: "*"
 Condition:
 StringEquals:
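Review bot: `- eks:DescribeNodegroup`, the last context line of paas.yaml's first hunk, is now redundant with the added `- eks:Describe*` and should go, since the commit's purpose is to collapse explicit actions into wildcards and the same hunk already folds `DescribeCluster` and `DescribeFargateProfile`. Leaving it suggests to a reader that `Describe*` somehow does not cover node groups. The statement this hunk edits starts before line 41, outside the hunk.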
@@ -70,14 +69,12 @@ Statement:
 - kms:CreateAlias
 - kms:CreateGrant
 - kms:DeleteAlias
- - kms:DescribeKey
+ - kms:Describe*
 - kms:DisableKey
 - kms:DisableKeyRotation
 - kms:EnableKey
 - kms:EnableKeyRotation
- - kms:GetKeyPolicy
- - kms:GetKeyRotationStatus
- - kms:GetPublicKey
+ - kms:Get*
 - kms:List*
 - kms:PutKeyPolicy
 - kms:RetireGrant
@@ -86,9 +83,9 @@ Statement:
 - kms:UntagResource
 - kms:UpdateGrant
 - kms:UpdateKeyDescription
- - logs:ListLogDeliveries
- - secretsmanager:DescribeSecret
- - secretsmanager:ListSecrets
+ - logs:List*
+ - secretsmanager:Describe*
+ - secretsmanager:List*
 Resource: "*"
 - Sid: AllowGlobalRestrictedResourceActionsWhichIncurFees
@@ -98,12 +95,11 @@ Statement:
 - iam:UploadServerCertificate
 - secretsmanager:CreateSecret
 - secretsmanager:DeleteSecret
- - secretsmanager:GetSecretValue
+ - secretsmanager:Get*
 - secretsmanager:RotateSecret
 - secretsmanager:TagResource
 - secretsmanager:UntagResource
 - secretsmanager:UpdateSecret
- - secretsmanager:GetResourcePolicy
 - secretsmanager:PutResourcePolicy
 - secretsmanager:DeleteResourcePolicy
 - secretsmanager:RemoveRegionsFromReplication
@@ -116,11 +112,9 @@ Statement:
 Action:
 - acm:AddTagsToCertificate
 - acm:DeleteCertificate
- - acm:DescribeCertificate
- - acm:GetCertificate
+ - acm:Describe*
+ - acm:Get*
 - acm:ImportCertificate
- - acm:ListCertificates
- - acm:ListTagsForCertificate
 - acm:RemoveTagsFromCertificate
 - acm:RenewCertificate
 - acm:RequestCertificate
@@ -143,10 +137,8 @@ Statement:
 - logs:CreateLogGroup
 - logs:DeleteLogGroup
 - logs:DeleteMetricFilter
- - logs:DescribeLogGroups
- - logs:DescribeMetricFilters
+ - logs:Describe*
 - logs:DisassociateKmsKey
- - logs:ListTagsLogGroup
 - logs:PutMetricFilter
 - logs:PutRetentionPolicy
 - logs:TagLogGroup
diff --git a/aws/policy/storage-services.yaml b/aws/policy/storage-services.yaml
index 6e8344b1..f8faa449 100644
--- a/aws/policy/storage-services.yaml
+++ b/aws/policy/storage-services.yaml
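Review bot: `kms:Get*` (replacing `GetKeyPolicy`, `GetKeyRotationStatus` and `GetPublicKey` at the top of security-services.yaml's first hunk) also matches `kms:GetParametersForImport`, the first step of the external key-material import flow, and any Get action KMS introduces later, and the `Resource: "*"` closing what appears to be the same statement at the end of the next hunk means no key ARN narrows it. For a key-management statement the explicit list is short enough to keep: `- kms:GetKeyPolicy`, `- kms:GetKeyRotationStatus`, `- kms:GetPublicKey`. `kms:Describe*` is a safe shortening by comparison, as KMS exposes only `DescribeKey` and `DescribeCustomKeyStores` under that prefix today. The statement this hunk edits starts before line 70, outside the hunk.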
@@ -12,22 +12,10 @@ Statement:
 - s3:DeleteObjects
 - s3:DeleteObjectTagging
 - s3:DeleteObjectVersionTagging
- - s3:GetAccessPoint*
- - s3:GetBucket*
- - s3:GetEncryptionConfiguration
- - s3:GetLifecycleConfiguration
- - s3:GetMetricsConfiguration
- - s3:GetObject
- - s3:GetObject*
- - s3:GetPublicAccessBlock
+ - s3:Get*
 - s3:HeadBucket
 - s3:HeadObject
- - s3:ListAccessPoints*
- - s3:ListAllMyBuckets
- - s3:ListBucket
- - s3:ListBucketVersions
- - s3:ListBuckets
- - s3:ListObjectsV2
+ - s3:List*
 - s3:PutBucketAcl
 - s3:PutBucketLogging
 - s3:PutBucketNotification
@@ -51,7 +39,7 @@ Statement:
 - elasticfilesystem:DeleteFileSystem
 - elasticfilesystem:DeleteMountTarget
 - elasticfilesystem:Describe*
- - elasticfilesystem:ListTagsForResource
+ - elasticfilesystem:List*
 - elasticfilesystem:PutLifecycleConfiguration
 - elasticfilesystem:TagResource
 - elasticfilesystem:UntagResource
@@ -62,9 +50,8 @@ Statement:
 - backup:DeleteBackupPlan
 - backup:DeleteBackupSelection
 - backup:DeleteBackupVault
- - backup:DescribeBackupVault
- - backup:GetBackupPlan
- - backup:GetBackupSelection
+ - backup:Describe*
+ - backup:GetBackup*
 - backup:List*
 - backup:TagResource
 - backup:UntagResource
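Review bot: The context lines `- s3:DeleteObjects`, `- s3:HeadBucket` and `- s3:HeadObject` that survive around the new `s3:Get*`/`s3:List*` in storage-services.yaml's first hunk are S3 API operation names rather than IAM actions — to my knowledge the authorizing actions are `s3:DeleteObject`, `s3:ListBucket` and `s3:GetObject`, and unknown action names only produce policy-validation warnings while granting nothing — so they are dead entries, as were the removed `s3:ListBuckets` and `s3:ListObjectsV2`. Now that `s3:Get*` and `s3:List*` cover the real actions, dropping the three leftovers fits the commit's goal. Separately, `s3:Get*` also matches account- and job-level reads such as `s3:GetAccountPublicAccessBlock` and the Storage Lens and Batch Operations getters, and this statement's Resource list is outside the hunk, so check that it is a pattern those actions tolerate or that the wider read scope is intended. The statement this hunk edits starts before line 12, outside the hunk.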