{
  "createlandingzone": {
    "name": "CreateLandingZone",
    "description": "Grants permission to create a landing zone",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [
      "aws:RequestTag/${TagKey}",
      "aws:TagKeys"
    ],
    "dependentActions": [
      "controltower:TagResource"
    ]
  },
  "createmanagedaccount": {
    "name": "CreateManagedAccount",
    "isPermissionOnly": true,
    "description": "Grants permission to create an account managed by AWS Control Tower",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "deletelandingzone": {
    "name": "DeleteLandingZone",
    "description": "Grants permission to delete AWS Control Tower landing zone",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "LandingZone",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "deregistermanagedaccount": {
    "name": "DeregisterManagedAccount",
    "isPermissionOnly": true,
    "description": "Grants permission to deregister an account created through the account factory from AWS Control Tower",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "deregisterorganizationalunit": {
    "name": "DeregisterOrganizationalUnit",
    "isPermissionOnly": true,
    "description": "Grants permission to deregister an organizational unit from AWS Control Tower management",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describeaccountfactoryconfig": {
    "name": "DescribeAccountFactoryConfig",
    "isPermissionOnly": true,
    "description": "Grants permission to describe the current account factory configuration",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describecoreservice": {
    "name": "DescribeCoreService",
    "isPermissionOnly": true,
    "description": "Grants permission to describe resources managed by core accounts in AWS Control Tower",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describeguardrail": {
    "name": "DescribeGuardrail",
    "isPermissionOnly": true,
    "description": "Grants permission to describe a guardrail",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describeguardrailfortarget": {
    "name": "DescribeGuardrailForTarget",
    "isPermissionOnly": true,
    "description": "Grants permission to describe a guardrail for a organizational unit",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describelandingzoneconfiguration": {
    "name": "DescribeLandingZoneConfiguration",
    "isPermissionOnly": true,
    "description": "Grants permission to describe the current Landing Zone configuration",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describemanagedaccount": {
    "name": "DescribeManagedAccount",
    "isPermissionOnly": true,
    "description": "Grants permission to describe an account created through account factory",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describemanagedorganizationalunit": {
    "name": "DescribeManagedOrganizationalUnit",
    "isPermissionOnly": true,
    "description": "Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describeregisterorganizationalunitoperation": {
    "name": "DescribeRegisterOrganizationalUnitOperation",
    "isPermissionOnly": true,
    "description": "Grants permission to describe a Register Organizational Unit Operation",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "describesinglesignon": {
    "name": "DescribeSingleSignOn",
    "isPermissionOnly": true,
    "description": "Grants permission to describe the current AWS Control Tower IAM Identity Center configuration",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "disablebaseline": {
    "name": "DisableBaseline",
    "description": "Grants permission to disable a Baseline on a target",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "EnabledBaseline",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "disablecontrol": {
    "name": "DisableControl",
    "description": "Grants permission to remove a control from an organizational unit",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "EnabledControl",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "disableguardrail": {
    "name": "DisableGuardrail",
    "isPermissionOnly": true,
    "description": "Grants permission to disable a guardrail from an organizational unit",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "enablebaseline": {
    "name": "EnableBaseline",
    "description": "Grants permission to enable a Baseline on a target",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [
      "aws:RequestTag/${TagKey}",
      "aws:TagKeys"
    ],
    "dependentActions": [
      "controltower:TagResource"
    ]
  },
  "enablecontrol": {
    "name": "EnableControl",
    "description": "Grants permission to activate a control for an organizational unit",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "EnabledControl",
        "required": false,
        "conditionKeys": [],
        "dependentActions": [
          "controltower:TagResource"
        ]
      }
    ],
    "conditionKeys": [
      "aws:RequestTag/${TagKey}",
      "aws:TagKeys"
    ],
    "dependentActions": []
  },
  "enableguardrail": {
    "name": "EnableGuardrail",
    "isPermissionOnly": true,
    "description": "Grants permission to enable a guardrail to an organizational unit",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getaccountinfo": {
    "name": "GetAccountInfo",
    "isPermissionOnly": true,
    "description": "Grants permission to describe an account email and validate that it exists",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getavailableupdates": {
    "name": "GetAvailableUpdates",
    "isPermissionOnly": true,
    "description": "Grants permission to list available updates for the current AWS Control Tower deployment",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getbaseline": {
    "name": "GetBaseline",
    "description": "Grants permission to get Baseline details",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "Baseline",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getbaselineoperation": {
    "name": "GetBaselineOperation",
    "description": "Grants permission to get the current status of a particular Baseline operation",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getcontroloperation": {
    "name": "GetControlOperation",
    "description": "Grants permission to get the current status of a particular EnabledControl or DisableControl operation",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getenabledbaseline": {
    "name": "GetEnabledBaseline",
    "description": "Grants permission to get an enabled Baseline",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "EnabledBaseline",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getenabledcontrol": {
    "name": "GetEnabledControl",
    "description": "Grants permission to get an enabled control from an organizational unit",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "EnabledControl",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getguardrailcompliancestatus": {
    "name": "GetGuardrailComplianceStatus",
    "isPermissionOnly": true,
    "description": "Grants permission to get the current compliance status of a guardrail",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "gethomeregion": {
    "name": "GetHomeRegion",
    "isPermissionOnly": true,
    "description": "Grants permission to get the home region of the AWS Control Tower setup",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getlandingzone": {
    "name": "GetLandingZone",
    "description": "Grants permission to get the current status of the landing zone setup",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "LandingZone",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getlandingzonedriftstatus": {
    "name": "GetLandingZoneDriftStatus",
    "description": "Grants permission to get the current landing zone drift status",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getlandingzoneoperation": {
    "name": "GetLandingZoneOperation",
    "description": "Grants permission to get the current status of a particular landing zone operation",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getlandingzonestatus": {
    "name": "GetLandingZoneStatus",
    "isPermissionOnly": true,
    "description": "Grants permission to get the current status of the landing zone setup",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listbaselines": {
    "name": "ListBaselines",
    "description": "Grants permission to list Baselines",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listcontroloperations": {
    "name": "ListControlOperations",
    "description": "Grants permission to list all control operations",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listdirectorygroups": {
    "name": "ListDirectoryGroups",
    "isPermissionOnly": true,
    "description": "Grants permission to list the current directory groups available through IAM Identity Center",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listdriftdetails": {
    "name": "ListDriftDetails",
    "description": "Grants permission to list occurrences of drift in AWS Control Tower",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listenabledbaselines": {
    "name": "ListEnabledBaselines",
    "description": "Grants permission to list enabled Baselines",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listenabledcontrols": {
    "name": "ListEnabledControls",
    "description": "Grants permission to list all enabled controls in a specified organizational unit",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listenabledguardrails": {
    "name": "ListEnabledGuardrails",
    "isPermissionOnly": true,
    "description": "Grants permission to list currently enabled guardrails",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listextendgovernanceprecheckdetails": {
    "name": "ListExtendGovernancePrecheckDetails",
    "isPermissionOnly": true,
    "description": "Grants permission to list Precheck details for an Organizational Unit",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listexternalconfigrulecompliance": {
    "name": "ListExternalConfigRuleCompliance",
    "description": "Grants permission to list the compliance of external AWS Config rules",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listguardrailviolations": {
    "name": "ListGuardrailViolations",
    "isPermissionOnly": true,
    "description": "Grants permission to list existing guardrail violations",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listguardrails": {
    "name": "ListGuardrails",
    "isPermissionOnly": true,
    "description": "Grants permission to list all available guardrails",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listguardrailsfortarget": {
    "name": "ListGuardrailsForTarget",
    "isPermissionOnly": true,
    "description": "Grants permission to list guardrails and their current state for a organizational unit",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listlandingzoneoperations": {
    "name": "ListLandingZoneOperations",
    "description": "Grants permission to list all landing zone operations",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listlandingzones": {
    "name": "ListLandingZones",
    "description": "Grants permission to list all landing zones",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listmanagedaccounts": {
    "name": "ListManagedAccounts",
    "isPermissionOnly": true,
    "description": "Grants permission to list accounts managed through AWS Control Tower",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listmanagedaccountsforguardrail": {
    "name": "ListManagedAccountsForGuardrail",
    "isPermissionOnly": true,
    "description": "Grants permission to list managed accounts with a specified guardrail applied",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listmanagedaccountsforparent": {
    "name": "ListManagedAccountsForParent",
    "isPermissionOnly": true,
    "description": "Grants permission to list managed accounts under an organizational unit",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listmanagedorganizationalunits": {
    "name": "ListManagedOrganizationalUnits",
    "isPermissionOnly": true,
    "description": "Grants permission to list organizational units managed by AWS Control Tower",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listmanagedorganizationalunitsforguardrail": {
    "name": "ListManagedOrganizationalUnitsForGuardrail",
    "isPermissionOnly": true,
    "description": "Grants permission to list managed organizational units that have a specified guardrail applied",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "listtagsforresource": {
    "name": "ListTagsForResource",
    "description": "Grants permission to list the tags for a resource",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "EnabledBaseline",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      },
      {
        "name": "EnabledControl",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      },
      {
        "name": "LandingZone",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "manageorganizationalunit": {
    "name": "ManageOrganizationalUnit",
    "isPermissionOnly": true,
    "description": "Grants permission to set up an organizational unit to be managed by AWS Control Tower",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "performprelaunchchecks": {
    "name": "PerformPreLaunchChecks",
    "isPermissionOnly": true,
    "description": "Grants permission to perform validations in an account",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "resetenabledbaseline": {
    "name": "ResetEnabledBaseline",
    "description": "Grants permission to reset an enabled Baseline",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "EnabledBaseline",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "resetenabledcontrol": {
    "name": "ResetEnabledControl",
    "description": "Grants permission to reset an enabled control for an organizational unit",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "EnabledControl",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "resetlandingzone": {
    "name": "ResetLandingZone",
    "description": "Grants permission to reset a landing zone",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "LandingZone",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "setuplandingzone": {
    "name": "SetupLandingZone",
    "isPermissionOnly": true,
    "description": "Grants permission to set up or update AWS Control Tower landing zone",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "tagresource": {
    "name": "TagResource",
    "description": "Grants permission to add tags to a resource",
    "accessLevel": "Tagging",
    "resourceTypes": [
      {
        "name": "EnabledBaseline",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      },
      {
        "name": "EnabledControl",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      },
      {
        "name": "LandingZone",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "aws:RequestTag/${TagKey}",
      "aws:TagKeys"
    ],
    "dependentActions": []
  },
  "untagresource": {
    "name": "UntagResource",
    "description": "Grants permission to remove tags from a resource",
    "accessLevel": "Tagging",
    "resourceTypes": [
      {
        "name": "EnabledBaseline",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      },
      {
        "name": "EnabledControl",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      },
      {
        "name": "LandingZone",
        "required": false,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "aws:TagKeys"
    ],
    "dependentActions": []
  },
  "updateaccountfactoryconfig": {
    "name": "UpdateAccountFactoryConfig",
    "isPermissionOnly": true,
    "description": "Grants permission to update the account factory configuration",
    "accessLevel": "Write",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "updateenabledbaseline": {
    "name": "UpdateEnabledBaseline",
    "description": "Grants permission to update an enabled Baseline",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "EnabledBaseline",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "updateenabledcontrol": {
    "name": "UpdateEnabledControl",
    "description": "Grants permission to update an enabled control for an organizational unit",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "EnabledControl",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  },
  "updatelandingzone": {
    "name": "UpdateLandingZone",
    "description": "Grants permission to update a landing zone",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "LandingZone",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [],
    "dependentActions": []
  }
}