{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ICSPowerUserWildcardPermissions",
            "Action": [
                "access-analyzer:*",
                "account:*",
                "acm:*",
                "acm-pca:*",
                "airflow:*",
                "aoss:*",
                "apigateway:*",
                "apprunner:*",
                "appstream:*",
                "appsync:*",
                "athena:*",
                "autoscaling:*",
                "backup:*",
                "backup-gateway:*",
                "batch:*",
                "bedrock:*",
                "cassandra:*",
                "cleanrooms:*",
                "cloudformation:*",
                "cloudfront:*",
                "cloudhsm:*",
                "cloudsearch:*",
                "cloudtrail:*",
                "cloudwatch:*",
                "codebuild:*",
                "codecommit:*",
                "cognito-idp:*",
                "config:*",
                "connect:*",
                "datasync:*",
                "dax:*",
                "directconnect:*",
                "dms:*",
                "docdb-elastic:*",
                "ds:*",
                "dynamodb:*",
                "ec2:*",
                "ecr:*",
                "ecr-public:*",
                "ecs:*",
                "eks:*",
                "elasticache:*",
                "elasticbeanstalk:*",
                "elasticfilesystem:*",
                "elasticloadbalancing:*",
                "elasticmapreduce:*",
                "elastictranscoder:*",
                "es:*",
                "events:*",
                "firehose:*",
                "fsx:*",
                "glacier:*",
                "globalaccelerator:*",
                "glue:*",
                "guardduty:*",
                "health:*",
                "kafka:*",
                "kendra:*",
                "kinesis:*",
                "kinesisanalytics:*",
                "kinesisvideo:*",
                "kms:*",
                "lambda:*",
                "lightsail:*",
                "logs:*",
                "lookoutequipment:*",
                "macie2:*",
                "memorydb:*",
                "mq:*",
                "network-firewall:*",
                "oam:*",
                "organizations:*",
                "outposts:*",
                "quicksight:*",
                "ram:*",
                "rbin:*",
                "rds:*",
                "redshift:*",
                "redshift-serverless:*",
                "route53:*",
                "route53domains:*",
                "route53resolver:*",
                "s3:*",
                "sagemaker:*",
                "secretsmanager:*",
                "securityhub:*",
                "serverlessrepo:*",
                "ses:*",
                "shield:*",
                "sns:*",
                "sqs:*",
                "ssm:*",
                "states:*",
                "storagegateway:*",
                "support:*",
                "tag:*",
                "timestream:*",
                "transcribe:*",
                "transfer:*",
                "waf:*",
                "waf-regional:*",
                "wafv2:*",
                "workspaces:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "ICSPowerUserIndividualPermissions",
            "Action": [
                "controltower:GetEnabledControl",
                "controltower:ListEnabledControls",
                "controltower:GetLandingZone",
                "controltower:GetLandingZoneDriftStatus",
                "controltower:GetLandingZoneStatus",
                "controltower:ListLandingZones",
                "iam:AddClientIDToOpenIDConnectProvider",
                "iam:AddRoleToInstanceProfile",
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateAccountAlias",
                "iam:CreateGroup",
                "iam:CreateInstanceProfile",
                "iam:CreateLoginProfile",
                "iam:CreateOpenIDConnectProvider",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateSAMLProvider",
                "iam:CreateServiceLinkedRole",
                "iam:CreateServiceSpecificCredential",
                "iam:CreateUser",
                "iam:CreateVirtualMFADevice",
                "iam:DeactivateMFADevice",
                "iam:DeleteAccessKey",
                "iam:DeleteAccountAlias",
                "iam:DeleteAccountPasswordPolicy",
                "iam:DeleteGroup",
                "iam:DeleteGroupPolicy",
                "iam:DeleteInstanceProfile",
                "iam:DeleteLoginProfile",
                "iam:DeleteOpenIDConnectProvider",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:DeleteRole",
                "iam:DeleteRolePermissionsBoundary",
                "iam:DeleteRolePolicy",
                "iam:DeleteSAMLProvider",
                "iam:DeleteServerCertificate",
                "iam:DeleteServiceLinkedRole",
                "iam:DeleteServiceSpecificCredential",
                "iam:DeleteSigningCertificate",
                "iam:DeleteSSHPublicKey",
                "iam:DeleteUser",
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteUserPolicy",
                "iam:DeleteVirtualMFADevice",
                "iam:DetachGroupPolicy",
                "iam:DetachRolePolicy",
                "iam:DetachUserPolicy",
                "iam:EnableMFADevice",
                "iam:GenerateCredentialReport",
                "iam:GenerateOrganizationsAccessReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetContextKeysForCustomPolicy",
                "iam:GetContextKeysForPrincipalPolicy",
                "iam:GetCredentialReport",
                "iam:GetGroup",
                "iam:GetGroupPolicy",
                "iam:GetInstanceProfile",
                "iam:GetLoginProfile",
                "iam:GetOpenIDConnectProvider",
                "iam:GetOrganizationsAccessReport",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetSAMLProvider",
                "iam:GetServerCertificate",
                "iam:GetServiceLastAccessedDetails",
                "iam:GetServiceLastAccessedDetailsWithEntities",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:GetSSHPublicKey",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAccountAliases",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:ListInstanceProfileTags",
                "iam:ListMFADevices",
                "iam:ListMFADeviceTags",
                "iam:ListOpenIDConnectProviders",
                "iam:ListOpenIDConnectProviderTags",
                "iam:ListPolicies",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListPolicyTags",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "iam:ListSAMLProviders",
                "iam:ListSAMLProviderTags",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListServiceSpecificCredentials",
                "iam:ListSigningCertificates",
                "iam:ListSSHPublicKeys",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:ListUserTags",
                "iam:ListVirtualMFADevices",
                "iam:PassRole",
                "iam:PutGroupPolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:PutRolePolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:PutUserPolicy",
                "iam:RemoveClientIDFromOpenIDConnectProvider",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:RemoveUserFromGroup",
                "iam:ResetServiceSpecificCredential",
                "iam:ResyncMFADevice",
                "iam:SetDefaultPolicyVersion",
                "iam:SetSecurityTokenServicePreferences",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
                "iam:TagInstanceProfile",
                "iam:TagMFADevice",
                "iam:TagOpenIDConnectProvider",
                "iam:TagPolicy",
                "iam:TagRole",
                "iam:TagSAMLProvider",
                "iam:TagServerCertificate",
                "iam:TagUser",
                "iam:UntagInstanceProfile",
                "iam:UntagMFADevice",
                "iam:UntagOpenIDConnectProvider",
                "iam:UntagPolicy",
                "iam:UntagRole",
                "iam:UntagSAMLProvider",
                "iam:UntagServerCertificate",
                "iam:UntagUser",
                "iam:UpdateAccessKey",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateGroup",
                "iam:UpdateLoginProfile",
                "iam:UpdateOpenIDConnectProviderThumbprint",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription",
                "iam:UpdateSAMLProvider",
                "iam:UpdateServerCertificate",
                "iam:UpdateServiceSpecificCredential",
                "iam:UpdateSigningCertificate",
                "iam:UpdateSSHPublicKey",
                "iam:UpdateUser",
                "iam:UploadServerCertificate",
                "iam:UploadSigningCertificate",
                "iam:UploadSSHPublicKey",
                "inspector2:ListCoverage",
                "inspector2:ListFindings",
                "pricing:GetProducts",
                "savingsplans:DescribeSavingsPlans",
                "sts:GetCallerIdentity"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}