{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ICSPowerUserWildcardPermissions",
            "Action": [
                "access-analyzer:*",
                "acm:*",
                "acm-pca:*",
                "apigateway:*",
                "appstream:*",
                "athena:*",
                "autoscaling:*",
                "backup:*",
                "backup-gateway:*",
                "batch:*",
                "cassandra:*",
                "cloudformation:*",
                "cloudhsm:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "codecommit:*",
                "cognito-idp:*",
                "config:*",
                "connect:*",
                "datasync:*",
                "directconnect:*",
                "dms:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ecr:*",
                "ecs:*",
                "eks:*",
                "elasticache:*",
                "elasticbeanstalk:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "es:*",
                "events:*",
                "firehose:*",
                "fsx:*",
                "glacier:*",
                "glue:*",
                "guardduty:*",
                "health:*",
                "inspector:*",
                "kafka:*",
                "kendra:*",
                "kinesis:*",
                "kinesisanalytics:*",
                "kms:*",
                "lambda:*",
                "logs:*",
                "memorydb:*",
                "mq:*",
                "network-firewall:*",
                "organizations:*",
                "outposts:*",
                "quicksight:*",
                "ram:*",
                "rbin:*",
                "rds:*",
                "redshift:*",
                "redshift-serverless:*",
                "route53:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "secretsmanager:*",
                "securityhub:*",
                "serverlessrepo:*",
                "ses:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "states:*",
                "storagegateway:*",
                "support:*",
                "tag:*",
                "transcribe:*",
                "transfer:*",
                "waf-regional:*",
                "wafv2:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "ICSPowerUserIndividualPermissions",
            "Action": [
                "controltower:GetEnabledControl",
                "controltower:ListEnabledControls",
                "controltower:GetLandingZone",
                "controltower:GetLandingZoneDriftStatus",
                "controltower:GetLandingZoneStatus",
                "controltower:ListLandingZones",
                "iam:AddClientIDToOpenIDConnectProvider",
                "iam:AddRoleToInstanceProfile",
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateAccountAlias",
                "iam:CreateGroup",
                "iam:CreateInstanceProfile",
                "iam:CreateLoginProfile",
                "iam:CreateOpenIDConnectProvider",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateSAMLProvider",
                "iam:CreateServiceLinkedRole",
                "iam:CreateServiceSpecificCredential",
                "iam:CreateUser",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteAccessKey",
                "iam:DeleteAccountAlias",
                "iam:DeleteAccountPasswordPolicy",
                "iam:DeleteGroup",
                "iam:DeleteGroupPolicy",
                "iam:DeleteInstanceProfile",
                "iam:DeleteLoginProfile",
                "iam:DeleteOpenIDConnectProvider",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRolePolicy",
                "iam:DeleteSAMLProvider",
                "iam:DeleteServerCertificate",
                "iam:DeleteServiceLinkedRole",
                "iam:DeleteServiceSpecificCredential",
                "iam:DeleteSigningCertificate",
                "iam:DeleteSSHPublicKey",
                "iam:DeleteUser",
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteUserPolicy",
                "iam:DeleteVirtualMFADevice",
                "iam:DetachGroupPolicy",
                "iam:DetachRolePolicy",
                "iam:DetachUserPolicy",
                "iam:EnableMFADevice",
                "iam:GenerateCredentialReport",
                "iam:Get*",
                "iam:List*",
                "iam:PassRole",
                "iam:PutGroupPolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:PutRolePolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:PutUserPolicy",
                "iam:RemoveClientIDFromOpenIDConnectProvider",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:RemoveUserFromGroup",
                "iam:ResetServiceSpecificCredential",
                "iam:ResyncMFADevice",
                "iam:SetDefaultPolicyVersion",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
                "iam:TagInstanceProfile",
                "iam:TagMFADevice",
                "iam:TagOpenIDConnectProvider",
                "iam:TagPolicy",
                "iam:TagRole",
                "iam:TagSAMLProvider",
                "iam:TagServerCertificate",
                "iam:TagUser",
                "iam:UntagInstanceProfile",
                "iam:UntagMFADevice",
                "iam:UntagOpenIDConnectProvider",
                "iam:UntagPolicy",
                "iam:UntagRole",
                "iam:UntagSAMLProvider",
                "iam:UntagServerCertificate",
                "iam:UntagUser",
                "iam:UpdateAccessKey",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateGroup",
                "iam:UpdateLoginProfile",
                "iam:UpdateOpenIDConnectProviderThumbprint",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription",
                "iam:UpdateSAMLProvider",
                "iam:UpdateServerCertificate",
                "iam:UpdateServiceSpecificCredential",
                "iam:UpdateSigningCertificate",
                "iam:UpdateSSHPublicKey",
                "iam:UpdateUser",
                "iam:UploadServerCertificate",
                "iam:UploadSigningCertificate",
                "iam:UploadSSHPublicKey",
                "sts:GetCallerIdentity"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}