ansible/hacking/aws_config/testing_policies/security-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetGroup",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroups",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:ListUsers",
                "iam:ListAccountAliases"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllowReadOnlyIAMUse"
        },
        {
            "Sid": "AllowWAFusage",
            "Action": "waf:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowListingCloudwatchLogs",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
            ]
        },
        {
            "Sid": "AllowModifyingCloudwatchLogs",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "logs:DeleteLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*"
            ]
        }
    ]
}