Policy: AWSFMAdminFullAccess ARN: arn:aws:iam::aws:policy/AWSFMAdminFullAccess Allowed Actions Actions Services ec2:DescribeAvailabilityZones ec2 ec2:DescribeRegions ec2 elasticloadbalancing:SetWebACL elasticloadbalancing firehose:ListDeliveryStreams firehose fms:* fms iam:CreateServiceLinkedRole iam network-firewall:DescribeRuleGroup network-firewall network-firewall:DescribeRuleGroupMetadata network-firewall network-firewall:ListRuleGroups network-firewall organizations:DeregisterDelegatedAdministrator organizations organizations:DescribeAccount organizations organizations:DescribeOrganization organizations organizations:EnableAWSServiceAccess organizations organizations:ListAccounts organizations organizations:ListAccountsForParent organizations organizations:ListChildren organizations organizations:ListDelegatedAdministrators organizations organizations:ListOrganizationalUnitsForParent organizations organizations:ListRoots organizations organizations:RegisterDelegatedAdministrator organizations route53resolver:GetFirewallRuleGroup route53resolver route53resolver:ListFirewallRuleGroups route53resolver s3:GetBucketPolicy s3 s3:PutBucketPolicy s3 shield:GetSubscriptionState shield waf:* waf waf-regional:* waf-regional wafv2:CheckCapacity wafv2 wafv2:ListAvailableManagedRuleGroupVersions wafv2 wafv2:ListAvailableManagedRuleGroups wafv2 wafv2:ListRuleGroups wafv2 wafv2:PutLoggingConfiguration wafv2