{"Version":"2012-10-17","Statement":[{"Sid":"CostExplorerReadOnly","Effect":"Allow","Action":["ce:GetCostAndUsage","ce:GetCostForecast","ce:GetDimensionValues","ce:GetTags","ce:GetReservationUtilization","ce:GetSavingsPlansUtilization","ce:GetSavingsPlansUtilizationDetails"],"Resource":"*"},{"Sid":"ResourceReadOnly","Effect":"Allow","Action":["ec2:DescribeInstances","ec2:DescribeVolumes","ec2:DescribeSnapshots","ec2:DescribeAddresses","ec2:DescribeRegions","ec2:DescribeImages","ec2:DescribeNatGateways","ec2:DescribeTags","ec2:DescribeVolumesModifications","ec2:DescribeReservedInstances","ec2:DescribeReservedInstancesOfferings","rds:DescribeDBInstances","rds:DescribeDBClusters","rds:ListTagsForResource","redshift:DescribeClusters","autoscaling:DescribeAutoScalingGroups","ecs:ListClusters","ecs:ListServices","ecs:DescribeServices","lambda:ListFunctions","lambda:GetFunction","lambda:ListTags","s3:ListAllMyBuckets","s3:ListBucket","s3:GetBucketLocation","s3:GetBucketVersioning","s3:GetLifecycleConfiguration","s3:GetBucketTagging","s3:GetEncryptionConfiguration","s3:GetIntelligentTieringConfiguration","s3:ListBucketMultipartUploads","elasticloadbalancing:DescribeLoadBalancers","elasticloadbalancing:DescribeTargetGroups","elasticloadbalancing:DescribeTargetHealth","elasticloadbalancing:DescribeLoadBalancerAttributes","elasticloadbalancing:DescribeListeners","elasticloadbalancing:DescribeTags","logs:DescribeLogGroups","cloudwatch:GetMetricStatistics","cloudwatch:GetMetricData","cloudwatch:ListMetrics","savingsplans:DescribeSavingsPlans","savingsplans:DescribeSavingsPlanRates","savingsplans:DescribeSavingsPlansOfferings","sts:GetCallerIdentity"],"Resource":"*"},{"Sid":"PricingAPI","Effect":"Allow","Action":["pricing:GetProducts","pricing:DescribeServices"],"Resource":"*"},{"Sid":"EC2StartStop","Effect":"Allow","Action":["ec2:StartInstances","ec2:StopInstances"],"Resource":"arn:aws:ec2:*:*:instance/*","Condition":{"StringNotEquals":{"ec2:ResourceTag/Protected":"true"}}},{"Sid":"RDSStartStop","Effect":"Allow","Action":["rds:StartDBInstance","rds:StopDBInstance"],"Resource":"arn:aws:rds:*:*:db:*","Condition":{"StringNotEquals":{"rds:db-tag/Protected":"true"}}},{"Sid":"RedshiftPauseResume","Effect":"Allow","Action":["redshift:PauseCluster","redshift:ResumeCluster"],"Resource":"arn:aws:redshift:*:*:cluster:*","Condition":{"StringNotEquals":{"redshift:ResourceTag/Protected":"true"}}},{"Sid":"AutoScalingUpdate","Effect":"Allow","Action":["autoscaling:UpdateAutoScalingGroup"],"Resource":"arn:aws:autoscaling:*:*:autoScalingGroup:*","Condition":{"StringNotEquals":{"autoscaling:ResourceTag/Protected":"true"}}},{"Sid":"DocumentDBAndNeptuneStartStop","Effect":"Allow","Action":["rds:StartDBCluster","rds:StopDBCluster"],"Resource":["arn:aws:rds:*:*:cluster:*"],"Condition":{"StringNotEquals":{"rds:cluster-tag/Protected":"true"}}},{"Sid":"ECSUpdate","Effect":"Allow","Action":["ecs:UpdateService"],"Resource":"arn:aws:ecs:*:*:service/*/*","Condition":{"StringNotEquals":{"ecs:ResourceTag/Protected":"true"}}},{"Sid":"AutopilotLowRiskActions","Effect":"Allow","Action":["ec2:DeleteSnapshot","ec2:CreateSnapshot","ec2:CreateVolume","ec2:CreateTags","ec2:DeleteVolume","ec2:ReleaseAddress","lambda:DeleteFunction","lambda:CreateFunction"],"Resource":"*","Condition":{"StringNotEquals":{"aws:ResourceTag/Protected":"true"}}},{"Sid":"S3AutopilotActions","Effect":"Allow","Action":["s3:PutLifecycleConfiguration","s3:DeleteBucketLifecycle","s3:PutIntelligentTieringConfiguration","s3:DeleteIntelligentTieringConfiguration","s3:AbortMultipartUpload"],"Resource":"*","Condition":{"StringNotEquals":{"aws:ResourceTag/Protected":"true"}}},{"Sid":"DenyProductionResources","Effect":"Deny","Action":["ec2:StopInstances","ec2:TerminateInstances","rds:StopDBInstance","rds:DeleteDBInstance","redshift:PauseCluster","redshift:DeleteCluster","ec2:DeleteVolume","ec2:DeleteSnapshot","lambda:DeleteFunction","s3:PutLifecycleConfiguration","s3:DeleteBucketLifecycle","s3:PutIntelligentTieringConfiguration","s3:DeleteIntelligentTieringConfiguration","s3:AbortMultipartUpload"],"Resource":"*","Condition":{"StringLike":{"aws:ResourceTag/Environment":["production","prod"]}}},{"Sid":"DenyProtectedResources","Effect":"Deny","Action":"*","Resource":"*","Condition":{"StringEquals":{"aws:ResourceTag/Protected":"true"}}}]}