{
  "Statement": [
    {
      "Action": [
        "access-analyzer:GetAnalyzer",
        "access-analyzer:ListAnalyzers",
        "autoscaling:Describe*",
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplate",
        "cloudformation:ListStack*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "config:DeliverConfigSnapshot",
        "config:Describe*",
        "config:Get*",
        "config:ListDiscoveredResources",
        "cur:DescribeReportDefinitions",
        "directconnect:Describe*",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "ec2:GetLaunchTemplateData",
        "ecs:Describe*",
        "ecs:List*",
        "elasticbeanstalk:Describe*",
        "elasticache:Describe*",
        "elasticfilesystem:DescribeFileSystems",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:DescribeJobFlows",
        "events:Describe*",
        "events:List*",
        "glacier:ListVaults",
        "guardduty:Get*",
        "guardduty:List*",
        "kinesis:Describe*",
        "kinesis:List*",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListGrants",
        "kms:ListKeys",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags",
        "lambda:List*",
        "logs:Describe*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "sdb:DomainMetadata",
        "sdb:ListDomains",
        "securityhub:DescribeHub",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:GetEndpointAttributes",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetBucket*",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "tag:GetResources",
        "tag:GetTagKeys",
        "workspaces:Describe*",
        "workspaces:List*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "EnableDiscoveryOfVariousAWSServices"
    },
    {
      "Action": [
        "iam:GetAccountSummary",
        "iam:ListAccessKeys",
        "iam:ListAccountAliases",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListGroupPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicies",
        "iam:ListPoliciesGrantingServiceAccess",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:ListRoleTags",
        "iam:ListServerCertificates",
        "iam:ListServerCertificateTags",
        "iam:ListUserPolicies",
        "iam:ListUsers",
        "iam:ListUserTags",
        "iam:ListVirtualMFADevices",
        "iam:GenerateCredentialReport",
        "iam:GetAccountPasswordPolicy",
        "iam:GetCredentialReport",
        "iam:GetGroup",
        "iam:GetGroupPolicy",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetUser",
        "iam:GetUserPolicy"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "EnableInsightDiscovery"
    },
    {
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListPublicKeys",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "LimitedCloudTrail"
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::outcomesbucket-*",
      "Sid": "CreateCloudTrailS3BucketIfCloudTrailsAreBeingSetupByAlertLogic"
    },
    {
      "Action": [
        "sns:CreateTopic",
        "sns:DeleteTopic"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:*:*:outcomestopic",
      "Sid": "CreateCloudTrailsTopicIfOneWasntAlreadySetupForCloudTrails"
    },
    {
      "Action": [
        "sns:AddPermission",
        "sns:GetTopicAttributes",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:Subscribe"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:*:*:*",
      "Sid": "MakeSureThatCloudTrailsSnsTopicIsSetupCorrectlyForCloudTrailPublishingAndSqsSubscription"
    },
    {
      "Action": [
        "sqs:CreateQueue",
        "sqs:DeleteQueue",
        "sqs:SetQueueAttributes",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueUrl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:sqs:*:*:outcomesbucket*",
      "Sid": "CreateAlertLogicSqsQueueToSubscribeToCloudTrailsSnsTopicNotifications"
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:AssociateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateNetworkAclEntry"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "EnableAlertLogicSecurityInfrastructureDeployment"
    },
    {
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteNetworkAclEntry",
        "ec2:DeleteRouteTable"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:route-table/*",
        "arn:aws:ec2:*:*:network-acl/*"
      ],
      "Sid": "ModifyNetworkSettingsToEnableNetworkVisibilityFromAlertLogicSecurityAppliance"
    },
    {
      "Action": [
        "ec2:DeleteSubnet"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "DeleteSecuritySubnet"
    },
    {
      "Action": [
        "ec2:RunInstances"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*::image/*"
      ],
      "Sid": "EnsureThatAlertLogicApplianceCanCreateNecessaryResources"
    },
    {
      "Action": [
        "ec2:RunInstances"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/AlertLogic": "Security"
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:launch-template/*"
      ],
      "Sid": "EnsureThatAlertLogicCanManageSecurityLaunchTemplates"
    },
    {
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      },
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Sid": "EnableAlertLogicApplianceStateManagement"
    },
    {
      "Action": [
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "EnableAlertLogicAutoScalingGroup"
    },
    {
      "Sid": "EnableAlertLogicLaunchTemplateCreation",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:CreateLaunchTemplate"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/AlertLogic": "Security"
        }
      }
    },
    {
      "Sid": "EnableAlertLogicLaunchTemplateManagement",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:DeleteLaunchTemplate",
        "ec2:ModifyLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:DeleteLaunchTemplateVersions"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/AlertLogic": "Security"
        }
      }
    }
  ],
  "Version": "2012-10-17"
}
