# AWS permission mapping

Category	Entity Create Level	Tessell Permission	Request Tag	Resource Tag	Constrained by Condition	Commentary on unconstrained permissions	Attached to Role(s)	Applicable Resources	Cloud Description	Applicable for Register Use Case	Feature Mapping	Applicable for only Private CP DP Use Case	Private CP DP Use Case
*		ec2:Describe*	N/A	N/A	NO	EC2 Describe permissions doesn't support Request/Resource Tag based conditions. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html	CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows describing EC2 resources.	Yes	Provisioning, Start, Stop, Clone, Resize, Refresh, Add Instance	No	Public CP DP, Private CP DP
*		ec2:Get*	N/A	N/A	NO	EC2 Describe permissions doesn't support Request/Resource Tag based conditions. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html	CrossAccountAccessRole	*	Allows getting EC2 resources.	Yes	Provisioning, Start, Stop, Clone, Resize, Refresh, Add Instance	No	Public CP DP, Private CP DP
*		ec2:List*	N/A	N/A	NO	EC2 Describe permissions doesn't support Request/Resource Tag based conditions. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html	CrossAccountAccessRole	*	Allows listing EC2 resources.	Yes	Provisioning	No	Public CP DP, Private CP DP
*		ec2:Search*	N/A	N/A	NO	EC2 Describe permissions doesn't support Request/Resource Tag based conditions. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html	CrossAccountAccessRole	*	Allows searching EC2 resources.	Yes	Provisioning, Delete Service	No	Public CP DP, Private CP DP
CloudWatch	Log Group per DB Service	CloudWatchAgentServerPolicy	N/A	N/A	NO	Managed Policy from AWS	TessellDbVmMgmtRole	N/A	Allows the CloudWatch agent to collect and send metrics and logs to CloudWatch.	Yes	DB Logs	No	Public CP DP, Private CP DP
CloudWatch	Log Group per DB Service	logs:DeleteLogGroup	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting CloudWatch log groups with the specified resource tag.	Yes	DB Deletion, DB Logs	No	Public CP DP, Private CP DP
CloudWatch	Log Group per DB Service	logs:DeleteLogStream	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting log streams with the specified resource tag.	Yes	DB Deletion, DB Logs	No	Public CP DP, Private CP DP
CloudWatch	Log Group per DB Service	logs:DescribeLogGroups	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing CloudWatch log groups.	Yes	Provisioning, DB Logs	No	Public CP DP, Private CP DP
CloudWatch	Log Group per DB Service	logs:DescribeLogStreams	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing log streams within CloudWatch log groups.	Yes	Provisioning, DB Logs	No	Public CP DP, Private CP DP
CloudWatch	Log Group per DB Service	logs:GetLogEvents	N/A	N/A	NO		CrossAccountAccessRole	*	Allows retrieving log events from CloudWatch logs.	Yes	Provisioning, DB Logs	No	Public CP DP, Private CP DP
CloudWatch	Log Group per DB Service	logs:PutRetentionPolicy	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows setting retention policies on log groups with the specified resource tag.	Yes	DB Logs	No	Public CP DP, Private CP DP
CloudWatch	Log Group per DB Service	logs:TagLogGroup	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows tagging CloudWatch log groups with the specified resource tag.	Yes	Provisioning, DB Logs	No	Public CP DP, Private CP DP
EC2	Compute Resource	ec2:ModifyInstanceAttribute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying attributes of instances with the specified resource tag.	Yes	Add Tags	No	Public CP DP, Private CP DP
EC2	Compute Resource	ec2:MonitorInstances	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows enabling detailed monitoring for instances with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
EC2	Compute Resource	ec2:RebootInstances	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows rebooting instances with the specified resource tag.	Yes	provisioning, stop, start, patch, resize	No	Public CP DP, Private CP DP
EC2	Compute Resource	ec2:RunInstances	N/A	N/A	NO		CrossAccountAccessRole	Network interfaces, security groups, subnets, volumes, etc.	Allows launching EC2 instances with access to specified resources.	Yes	Provisioning, Add-replica, Clone	No	Public CP DP, Private CP DP
EC2	Compute Resource	ec2:RunInstances	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	Specific EC2 instances (arn:aws:ec2)	Allows launching EC2 instances with the specified request tag.	Yes	Provisioning, Add-replica, Clone	No	Public CP DP, Private CP DP
EC2	Compute Resource	ec2:StartInstances	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows starting instances with the specified resource tag.	Yes	start service, resize, stop rollback	No	Public CP DP, Private CP DP
EC2	Compute Resource	ec2:StopInstances	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows stopping instances with the specified resource tag.	Yes	stop service, resize, start rollback	No	Public CP DP, Private CP DP
EC2	Compute Resource	ec2:TerminateInstances	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows terminating instances with the specified resource tag.	Yes	Delete replica, delete service, provisioning rollback, add-replica rollback	No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:AddTags	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows adding tags to load balancer resources with the specified request tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:CreateListener	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating load balancer listeners with the specified request tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:CreateLoadBalancer	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating load balancers with the specified request tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:CreateTargetGroup	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating target groups with the specified request tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DeleteListener	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting load balancer listeners with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DeleteLoadBalancer	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting load balancers with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DeleteTargetGroup	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting target groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DeregisterTargets	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deregistering targets from target groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DescribeListeners	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing load balancer listeners.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DescribeLoadBalancerAttributes	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing attributes of load balancers.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DescribeLoadBalancers	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing load balancers.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DescribeTags	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing tags for load balancer resources.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DescribeTargetGroupAttributes	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing attributes of target groups.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DescribeTargetGroups	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing target groups.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:DescribeTargetHealth	N/A	N/A	NO		CrossAccountAccessRole	*	Allows describing the health of targets in a target group.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:ModifyListener	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying load balancer listeners with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:ModifyLoadBalancerAttributes	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying attributes of load balancers with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:ModifyTargetGroup	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying target groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:ModifyTargetGroupAttributes	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying attributes of target groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:RegisterTargets	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows registering targets with target groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:SetIpAddressType	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows setting IP address types for load balancers with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
ELB	VPC	elasticloadbalancing:SetSubnets	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows setting subnets for load balancers with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
IAM	Subscription	ec2:AssociateIamInstanceProfile	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows associating IAM instance profiles with instances that have the specified resource tag.	Yes	Provisioning, DP AWS Services Access	No	Public CP DP, Private CP DP
IAM	Subscription	ec2:DisassociateIamInstanceProfile	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows disassociating IAM instance profiles from instances with the specified resource tag.	Yes	DB Deletion, DP AWS Services Access	No	Public CP DP, Private CP DP
IAM	Subscription	iam:PassRole	N/A	N/A	NO		CrossAccountAccessRole	ARN of TessellDbVmMgmtRole	Allows passing the TessellDbVmMgmtRole to EC2 instances or other services.	Yes	Provisioning, DP AWS Services Access	No	Public CP DP, Private CP DP
IAM	Subscription	iam:CreateServiceLinkedRole	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	AWSServiceRoleForKeyManagementServiceMultiRegionKeys	Allows creating service-linked roles for KMS multi-region keys.	Yes		No	Public CP DP, Private CP DP
IAM	Subscription	iam:CreateServiceLinkedRole	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	AWSServiceRoleForElasticLoadBalancing	Allows creating service-linked roles for AWS services (e.g., ELB, KMS).	Yes		No	Public CP DP, Private CP DP
IP Address	Compute Resource	ec2:AllocateAddress	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows allocating Elastic IP addresses with the specified request tag.	Yes	Provisioning, Add-replica, Clone	No	Public CP DP, Private CP DP
IP Address	Compute Resource	ec2:AssignPrivateIpAddresses	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows assigning private IP addresses to network interfaces with the specified resource tag.	Yes	Provisioning, Add-replica, Clone	No	Public CP DP, Private CP DP
IP Address	Compute Resource	ec2:AssociateAddress	N/A	N/A	NO		CrossAccountAccessRole	*	Allows associating an Elastic IP address with an instance or network interface.	Yes	Provisioning, Add-replica, Clone	No	Public CP DP, Private CP DP
IP Address	Compute Resource	ec2:DisassociateAddress	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows disassociating Elastic IP addresses from resources with the specified resource tag.	Yes	Delete service, Delete-replica	No	Public CP DP, Private CP DP
IP Address	Compute Resource	ec2:ReleaseAddress	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows releasing Elastic IP addresses with the specified resource tag.	Yes	Delete service, Delete-replica	No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:CancelKeyDeletion	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows canceling deletion of KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:CreateAlias	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	arn:aws:kms:::alias/*	Allows creating KMS aliases without any tag restrictions.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:CreateAlias	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows creating aliases for KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:CreateGrant	N/A	ALLOW_IMPORT_TO_TESSELL = true	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true	Allows creating grants on KMS keys with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:CreateGrant	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows creating grants on KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:CreateKey	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows creating new KMS keys with the specified request tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:Decrypt	N/A	ALLOW_IMPORT_TO_TESSELL = true	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true	Allows decrypting data using KMS keys with the specified resource tag.	Yes	Clone	No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:Decrypt	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows decrypting data using KMS keys tagged with the specified resource tag.	No	Clone	No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:DeleteAlias	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	arn:aws:kms:::alias/*	Allows deleting KMS aliases without any tag restrictions.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:DeleteAlias	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows deleting aliases for KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:DescribeKey	N/A	ALLOW_IMPORT_TO_TESSELL = true	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true	Allows describing KMS keys with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:DescribeKey	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows describing KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:DisableKey	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows disabling KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:DisableKeyRotation	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows disabling automatic key rotation for KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:EnableKey	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows enabling KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:EnableKeyRotation	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows enabling automatic key rotation for KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:Encrypt	N/A	ALLOW_IMPORT_TO_TESSELL = true	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true	Allows encrypting data using KMS keys with the specified resource tag.	Yes	Provisioning, add-replica, clone	No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:Encrypt	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows encrypting data using KMS keys tagged with the specified resource tag.	No	Provisioning, add-replica, clone	No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:GenerateDataKey*	N/A	ALLOW_IMPORT_TO_TESSELL = true	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true	Allows generating data keys using KMS keys with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:GenerateDataKey*	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows generating data keys using KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:GetKeyPolicy	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows retrieving key policies for KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:GetKeyRotationStatus	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows getting rotation status of KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:GetParametersForImport	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows obtaining parameters for importing key material into KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ImportKeyMaterial	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows importing key material into KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ListAliases	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows listing all KMS aliases.	Yes		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ListAliases	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows listing aliases of KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ListKeys	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows listing all KMS keys.	Yes		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ListKeys	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows listing KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ListResourceTags	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows listing tags for KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ReEncrypt*	N/A	ALLOW_IMPORT_TO_TESSELL = true	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	KMS keys tagged with ALLOW_IMPORT_TO_TESSELL=true	Allows re-encrypting data using KMS keys with the specified resource tag.	Yes	Clone	No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ReEncrypt*	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows re-encrypting data using KMS keys tagged with the specified resource tag.	No	Clone	No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ReplicateKey	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows replicating KMS keys tagged with the specified resource tag to other regions.	No	Provisioning, add-replica, clone	No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:ScheduleKeyDeletion	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows scheduling deletion of KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:TagResource	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows tagging KMS resources with the specified request tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:UntagResource	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	Resources tagged with TESSELL_TENANT_ID = {{TenantName}}	Allows removing tags from KMS resources tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:UpdateAlias	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	arn:aws:kms:::alias/*	Allows updating KMS aliases without any tag restrictions.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:UpdateAlias	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows updating aliases for KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
KMS	Encryption Key	kms:UpdateKeyDescription	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	* (with resource tag condition)	Allows updating descriptions of KMS keys tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
Network Interface	Compute Resource	ec2:AttachNetworkInterface	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows attaching network interfaces to instances with the specified resource tag.	Yes	Provisioning, add-replica, clone, resize	No	Public CP DP, Private CP DP
Network Interface	Compute Resource	ec2:CreateNetworkInterface	N/A	N/A	NO		CrossAccountAccessRole	*	Allows creating network interfaces.	Yes	Provisioning, add-replica, clone	No	Public CP DP, Private CP DP
Network Interface	Compute Resource	ec2:CreateNetworkInterfacePermission	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows creating permissions for network interfaces with the specified resource tag.	Yes	Provisioning, add-replica, clone	No	Public CP DP, Private CP DP
Network Interface	Compute Resource	ec2:DeleteNetworkInterface	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting network interfaces with the specified resource tag.	Yes	Delete service, Delete replica	No	Public CP DP, Private CP DP
Network Interface	Compute Resource	ec2:DeleteNetworkInterfacePermission	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting permissions for network interfaces with the specified resource tag.	Yes	Delete service, Delete replica	No	Public CP DP, Private CP DP
Network Interface	Compute Resource	ec2:DetachNetworkInterface	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows detaching network interfaces from instances with the specified resource tag.	Yes	Delete service, Delete replica, Resize	No	Public CP DP, Private CP DP
Network Interface	Compute Resource	ec2:ModifyNetworkInterfaceAttribute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying attributes of network interfaces with the specified resource tag.	Yes	Provisioning, add-replica, clone	No	Public CP DP, Private CP DP
S3	Region	s3:CreateBucket	N/A	N/A	NO		CrossAccountAccessRole	BucketName/dblogstorage-*	Allows creating S3 buckets with the specified request tag.	No	Provisioning, add-replica, clone	No	Public CP DP, Private CP DP
S3	Region	s3:CreateJob	N/A	N/A	NO		CrossAccountAccessRole	arn:aws:s3:::job/*	Allows creating S3 Batch Operations jobs.	Yes	DAP	No	Public CP DP, Private CP DP
S3	Region	s3:DeleteBucket	N/A	N/A	NO		CrossAccountAccessRole	BucketName/dblogstorage-*	Allows deleting S3 buckets tagged with the specified resource tag.	No	Delete database, Delete replica	No	Public CP DP, Private CP DP
S3	Region	s3:DeleteBucketPolicy	N/A	N/A	NO		CrossAccountAccessRole	BucketName/dblogstorage-*	Allows deleting bucket policies from S3 buckets tagged with the specified resource tag.	No	Delete DAP	No	Public CP DP, Private CP DP
S3	Region	s3:DeleteBucketTagging	N/A	N/A	NO		CrossAccountAccessRole	BucketName/dblogstorage-*	Allows deleting tags from S3 buckets tagged with the specified resource tag.	No	Delete database, Delete replica	No	Public CP DP, Private CP DP
S3	Region	s3:DeleteObject*	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-/	Allows deleting objects from the specified S3 bucket.	Yes	AM SLA, Delete AM	No	Public CP DP, Private CP DP
S3	Region	s3:GetBucket*	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows getting bucket-level information on the specified S3 bucket.	Yes	Provisioning, add-replica, clone, DAP	No	Public CP DP, Private CP DP
S3	Region	s3:GetObject*	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-/	Allows getting objects from the specified S3 bucket.	Yes	Clone, DAP	No	Public CP DP, Private CP DP
S3	Region	s3:GetReplicationConfiguration	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows getting the replication configuration of the specified S3 bucket.	Yes	DAP	No	Public CP DP, Private CP DP
S3	Region	s3:InitiateReplication	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows initiating replication on the specified S3 bucket.	Yes	DAP	No	Public CP DP, Private CP DP
S3	Region	s3:ListBucket*	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows listing objects in the specified S3 bucket.	Yes	AM, DAP	No	Public CP DP, Private CP DP
S3	Region	s3:PauseReplication	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows pausing replication on the specified S3 bucket.	Yes	DAP	No	Public CP DP, Private CP DP
S3	Region	s3:PutBucket*	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows putting bucket-level configurations on the specified S3 bucket.	Yes	DAP	No	Public CP DP, Private CP DP
S3	Region	s3:PutObject*	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-/	Allows putting objects into the specified S3 bucket.	Yes		No	Public CP DP, Private CP DP
S3	Region	s3:PutReplicationConfiguration	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows setting replication configuration on the specified S3 bucket.	Yes		No	Public CP DP, Private CP DP
S3	Region	s3:ReplicateDelete	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows replicating delete markers to the specified S3 bucket.	Yes		No	Public CP DP, Private CP DP
S3	Region	s3:ReplicateObject	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows replicating objects to the specified S3 bucket.	Yes		No	Public CP DP, Private CP DP
S3	Region	s3:ReplicateTags	N/A	N/A	NO		CrossAccountAccessRole, TessellDbVmMgmtRole	BucketName/dblogstorage-*	Allows replicating tags to the specified S3 bucket.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:CancelRotateSecret	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows canceling secret rotation for secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:CreateSecret	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating secrets with the specified request tag.	Yes	Provisioning, Add-replica, Clone	No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:DeleteSecret	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:DescribeSecret	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows describing secrets with the specified resource tag.	Yes	Provisioning, Add-replica, Clone, Stop, Start, Snapshot	No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:GetSecretValue	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows retrieving secret values from secrets with the specified resource tag.	Yes	Provisioning, Add-replica, Clone, Stop, Start, Snapshot	No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:PutSecretValue	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows updating the secret value for secrets with the specified resource tag.	Yes	Reset password	No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:RemoveRegionsFromReplication	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows removing regions from secret replication for secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:ReplicateSecretToRegions	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows replicating secrets to other regions for secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:RestoreSecret	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows restoring deleted secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:RotateSecret	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows rotating secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:StopReplicationToReplica	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows stopping replication to replica secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:TagResource	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows tagging secrets with the specified request tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:UpdateSecret	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows updating secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Secrets Manager	Secret per DB Service	secretsmanager:UpdateSecretVersionStage	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows updating the version stage of secrets with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:AuthorizeSecurityGroupEgress	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows authorizing egress rules on security groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:AuthorizeSecurityGroupIngress	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows authorizing ingress rules on security groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:CreateSecurityGroup	N/A	N/A	NO		CrossAccountAccessRole	*	Allows creating security groups.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:DeleteSecurityGroup	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows deleting security groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:ModifySecurityGroupRules	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying security group rules with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:RevokeSecurityGroupEgress	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows revoking egress rules in security groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:RevokeSecurityGroupIngress	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows revoking ingress rules in security groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:UpdateSecurityGroupRuleDescriptionsEgress	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows updating egress rule descriptions in security groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Security Group	Compute Resource	ec2:UpdateSecurityGroupRuleDescriptionsIngress	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows updating ingress rule descriptions in security groups with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ebs:GetSnapshotBlock	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows getting blocks from EBS snapshots with the specified resource tag.	Yes	AM	No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ebs:ListChangedBlocks	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows listing changed blocks between two EBS snapshots with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ebs:ListSnapshotBlocks	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows listing blocks in EBS snapshots with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ec2:CopySnapshot	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows copying EBS snapshots with the specified request tag.	Yes	DAP	No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ec2:CreateSnapshot	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	arn:aws:ec2:::volume/	Allows creating snapshots of volumes with the specified resource tag.	Yes	AM	No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ec2:CreateSnapshot	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows creating snapshots with the specified request tag.	Yes	AM	No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ec2:CreateSnapshots	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	arn:aws:ec2:::volume/	Allows creating EBS snapshots from volumes with the specified resource tag.	Yes	AM	No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ec2:CreateSnapshots	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows creating EBS snapshots with the specified request tag.	Yes		No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ec2:DeleteSnapshot	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows deleting snapshots with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ec2:ModifySnapshotAttribute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying attributes of EBS snapshots with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Snapshot	Snapshots per DB Service	ec2:ResetSnapshotAttribute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows resetting attributes of EBS snapshots with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
STS	Subscription	sts:DecodeAuthorizationMessage	N/A	N/A	NO		CrossAccountAccessRole	*	Allows decoding authorization failure messages.	Yes		No	Public CP DP, Private CP DP
Tags	All Cloud Resources	ec2:CreateTags	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows creating tags on EC2 resources with the specified request tag.	Yes		No	Public CP DP, Private CP DP
Tags	All Cloud Resources	ec2:DeleteTags	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows deleting tags from EC2 resources with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Volume	DB Service	ec2:AttachVolume	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows attaching EBS volumes with the specified resource tag to instances.	Yes		No	Public CP DP, Private CP DP
Volume	DB Service	ec2:CreateVolume	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows creating EBS volumes with the specified request tag.	Yes		No	Public CP DP, Private CP DP
Volume	DB Service	ec2:DeleteVolume	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows deleting EBS volumes with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Volume	DB Service	ec2:DetachVolume	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows detaching EBS volumes with the specified resource tag from instances.	Yes		No	Public CP DP, Private CP DP
Volume	DB Service	ec2:ModifyVolume	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying EBS volumes with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
Volume	DB Service	ec2:ModifyVolumeAttribute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole, TessellDbVmMgmtRole	*	Allows modifying attributes of EBS volumes with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
VPC	VPC	arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess	N/A	N/A	NO		CrossAccountAccessRole	*	Gives Read Access to VPCs	Yes		No	Public CP DP, Private CP DP
VPC	VPC	ec2:AssociateRouteTable	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows associating route tables tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:AttachInternetGateway	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows attaching Internet Gateways tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:CreateInternetGateway	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating Internet Gateways with the specified request tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:CreateNatGateway	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows creating NAT Gateways associated with resources tagged with the specified resource tag.	No		No	Public CP DP,
VPC	VPC	ec2:CreateNatGateway	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating NAT Gateways with the specified request tag.	No		No	Public CP DP,
VPC	VPC	ec2:CreateRoute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows creating routes associated with resources tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:CreateRoute	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating routes with the specified request tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:CreateRouteTable	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows creating route tables associated with resources tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:CreateRouteTable	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating route tables with the specified request tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:CreateSubnet	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows creating subnets associated with resources tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:CreateSubnet	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating subnets with the specified request tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:CreateVpc	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating VPCs with the specified request tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:DeleteInternetGateway	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting Internet Gateways tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:DeleteNatGateway	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting NAT Gateways tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:DeleteRoute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting routes tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:DeleteRouteTable	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting route tables tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:DeleteSubnet	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting subnets tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:DeleteVpc	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting VPCs tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:DetachInternetGateway	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows detaching Internet Gateways tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:DisassociateRouteTable	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows disassociating route tables tagged with the specified resource tag.	No		No	Public CP DP, Private CP DP
VPC	VPC	ec2:ModifySubnetAttribute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying subnet attributes with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
VPC	VPC	ec2:ModifyVpcAttribute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying VPC attributes with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
VPC	VPC	ec2:ReplaceRoute	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows replacing routes in route tables with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
VPC Endpoint Service	VPC	ec2:CreateVpcEndpointServiceConfiguration	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating VPC endpoint service configurations with the specified request tag.	Yes		No	Public CP DP, Private CP DP
VPC Endpoint Service	VPC	ec2:DeleteVpcEndpointServiceConfigurations	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting VPC endpoint service configurations with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
VPC Endpoint Service	VPC	ec2:ModifyVpcEndpointServiceConfiguration	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying VPC endpoint service configurations with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
VPC Endpoint Service	VPC	ec2:ModifyVpcEndpointServicePermissions	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows modifying permissions for VPC endpoint services with the specified resource tag.	Yes		No	Public CP DP, Private CP DP
VPC Peering	VPC	ec2:CreateVpcPeeringConnection	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows creating VPC peering connections associated with resources tagged with the specified resource tag.	No	DR	No	Public CP DP, Private CP DP
VPC Peering	VPC	ec2:CreateVpcPeeringConnection	TESSELL_TENANT_ID = {{TenantName}}	N/A	YES		CrossAccountAccessRole	*	Allows creating VPC peering connections with the specified request tag.	No	DR	No	Public CP DP, Private CP DP
VPC Peering	VPC	ec2:AcceptVpcPeeringConnection	N/A	N/A	NO		CrossAccountAccessRole	arn:aws:ec2::${AWS::AccountId}:vpc-peering-connection/	Allows accepting VPC peering connections without tag conditions.	No	DR	No	Public CP DP, Private CP DP
VPC Peering	VPC	ec2:AcceptVpcPeeringConnection	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows accepting VPC peering connections tagged with the specified resource tag.	No	DR	No	Public CP DP, Private CP DP
VPC Peering	VPC	ec2:DeleteVpcPeeringConnection	N/A	TESSELL_TENANT_ID = {{TenantName}}	YES		CrossAccountAccessRole	*	Allows deleting VPC peering connections tagged with the specified resource tag.	No	DR	No	Public CP DP, Private CP DP
VPN		ec2:ExportClientVpnClientCertificateRevocationList	N/A	N/A	NO		CrossAccountAccessRole	*	Allows exporting VPN client certificate revocation lists.	Yes		No	Public CP DP, Private CP DP
VPN		ec2:ExportClientVpnClientConfiguration	N/A	N/A	NO		CrossAccountAccessRole	*	Allows exporting VPN client configurations.	Yes		No	Public CP DP, Private CP DP

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.tessell.com/tessell/governance/subscriptions/aws-permission-mapping.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.