Policy: AWSFMAdminReadOnlyAccess ARN: arn:aws:iam::aws:policy/AWSFMAdminReadOnlyAccess Allowed Actions Actions Services ec2:DescribeAvailabilityZones ec2 ec2:DescribeRegions ec2 firehose:ListDeliveryStreams firehose fms:Get* fms fms:List* fms network-firewall:DescribeRuleGroup network-firewall network-firewall:DescribeRuleGroupMetadata network-firewall network-firewall:ListRuleGroups network-firewall organizations:DescribeAccount organizations organizations:DescribeOrganization organizations organizations:ListAccounts organizations organizations:ListAccountsForParent organizations organizations:ListChildren organizations organizations:ListDelegatedAdministrators organizations organizations:ListOrganizationalUnitsForParent organizations organizations:ListRoots organizations route53resolver:GetFirewallRuleGroup route53resolver route53resolver:ListFirewallRuleGroups route53resolver s3:GetBucketPolicy s3 shield:GetSubscriptionState shield waf:Get* waf waf:List* waf waf-regional:Get* waf-regional waf-regional:List* waf-regional wafv2:CheckCapacity wafv2 wafv2:ListAvailableManagedRuleGroupVersions wafv2 wafv2:ListAvailableManagedRuleGroups wafv2 wafv2:ListRuleGroups wafv2