IAMCTL incorrectly calculates "NotAction" policies. #14
Open
Description
When I have a policy like the following (the managed PowerUserAccess policy, arn:aws:iam::aws:policy/PowerUserAccess), the incorrect calculation makes it difficult to correctly assert the true deterministic IAM policy.
Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "account:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteServiceLinkedRole",
        "iam:ListRoles",
        "organizations:DescribeOrganization",
        "account:ListRegions",
        "account:GetAccountInformation"
      ],
      "Resource": "*"
    }
  ]
}
```
The resulting output incorrectly displays ALLOW for the calculated policy.
e.g.
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,trust,trust,Allow,sts,AssumeRole,,arn:aws:iam::463865331983:saml-provider/AWSSSO_b7e09d74f10bd765_DO_NOT_DELETE
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,AddClientIDToOpenIDConnectProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,AddRoleToInstanceProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,AddUserToGroup,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,AttachGroupPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,AttachRolePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,AttachUserPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ChangePassword,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateAccessKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateAccountAlias,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateGroup,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateInstanceProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateLoginProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateOpenIDConnectProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreatePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreatePolicyVersion,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateSAMLProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateServiceLinkedRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateServiceSpecificCredential,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateUser,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateVirtualMFADevice,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeactivateMFADevice,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteAccessKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteAccountAlias,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteAccountPasswordPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteCloudFrontPublicKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteGroup,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteGroupPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteInstanceProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteLoginProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteOpenIDConnectProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeletePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeletePolicyVersion,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteRolePermissionsBoundary,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteRolePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteSAMLProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteSSHPublicKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteServerCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteServiceLinkedRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteServiceSpecificCredential,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteSigningCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteUser,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteUserPermissionsBoundary,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteUserPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteVirtualMFADevice,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DetachGroupPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DetachRolePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DetachUserPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,EnableMFADevice,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GenerateCredentialReport,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GenerateOrganizationsAccessReport,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GenerateServiceLastAccessedDetails,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetAccessKeyLastUsed,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetAccountAuthorizationDetails,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetAccountEmailAddress,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetAccountName,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetAccountPasswordPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetAccountSummary,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetCloudFrontPublicKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetContextKeysForCustomPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetContextKeysForPrincipalPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetCredentialReport,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetGroup,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetGroupPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetInstanceProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetLoginProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetMFADevice,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetOpenIDConnectProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetOrganizationsAccessReport,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetPolicyVersion,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetRolePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetSAMLProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetSSHPublicKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetServerCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetServiceLastAccessedDetails,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetServiceLastAccessedDetailsWithEntities,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetServiceLinkedRoleDeletionStatus,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetUser,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,GetUserPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListAccessKeys,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListAccountAliases,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListAttachedGroupPolicies,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListAttachedRolePolicies,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListAttachedUserPolicies,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListCloudFrontPublicKeys,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListEntitiesForPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListGroupPolicies,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListGroups,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListGroupsForUser,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListInstanceProfileTags,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListInstanceProfiles,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListInstanceProfilesForRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListMFADeviceTags,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListMFADevices,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListOpenIDConnectProviderTags,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListOpenIDConnectProviders,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListPolicies,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListPoliciesGrantingServiceAccess,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListPolicyTags,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListPolicyVersions,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListRolePolicies,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListRoleTags,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListRoles,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListSAMLProviderTags,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListSAMLProviders,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListSSHPublicKeys,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListSTSRegionalEndpointsStatus,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListServerCertificateTags,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListServerCertificates,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListServiceSpecificCredentials,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListSigningCertificates,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListUserPolicies,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListUserTags,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListUsers,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListVirtualMFADevices,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,PassRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,PutGroupPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,PutRolePermissionsBoundary,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,PutRolePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,PutUserPermissionsBoundary,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,PutUserPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,RemoveClientIDFromOpenIDConnectProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,RemoveRoleFromInstanceProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,RemoveUserFromGroup,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ResetServiceSpecificCredential,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ResyncMFADevice,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,SetDefaultPolicyVersion,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,SetSTSRegionalEndpointStatus,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,SetSecurityTokenServicePreferences,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,SimulateCustomPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,SimulatePrincipalPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,TagInstanceProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,TagMFADevice,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,TagOpenIDConnectProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,TagPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,TagRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,TagSAMLProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,TagServerCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,TagUser,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UntagInstanceProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UntagMFADevice,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UntagOpenIDConnectProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UntagPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UntagRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UntagSAMLProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UntagServerCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UntagUser,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateAccessKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateAccountEmailAddress,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateAccountName,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateAccountPasswordPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateAssumeRolePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateCloudFrontPublicKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateGroup,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateLoginProfile,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateOpenIDConnectProviderThumbprint,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateRoleDescription,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateSAMLProvider,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateSSHPublicKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateServerCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateServiceSpecificCredential,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateSigningCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UpdateUser,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UploadCloudFrontPublicKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UploadSSHPublicKey,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UploadServerCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,UploadSigningCertificate,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,AcceptHandshake,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,AttachPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,CancelHandshake,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,CloseAccount,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,CreateAccount,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,CreateGovCloudAccount,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,CreateOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,CreateOrganizationalUnit,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,CreatePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DeclineHandshake,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DeleteOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DeleteOrganizationalUnit,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DeletePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DeleteResourcePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DeregisterDelegatedAdministrator,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribeAccount,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribeCreateAccountStatus,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribeEffectivePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribeHandshake,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribeOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribeOrganizationalUnit,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribeResourcePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DetachPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DisableAWSServiceAccess,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DisablePolicyType,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,EnableAWSServiceAccess,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,EnableAllFeatures,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,EnablePolicyType,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,InviteAccountToOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,LeaveOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListAWSServiceAccessForOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListAccounts,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListAccountsForParent,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListChildren,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListCreateAccountStatus,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListDelegatedAdministrators,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListDelegatedServicesForAccount,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListHandshakesForAccount,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListHandshakesForOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListOrganizationalUnitsForParent,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListParents,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListPolicies,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListPoliciesForTarget,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListRoots,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListTagsForResource,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,ListTargetsForPolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,MoveAccount,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,PutResourcePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,RegisterDelegatedAdministrator,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,RemoveAccountFromOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,TagResource,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,UntagResource,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,UpdateOrganizationalUnit,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,UpdatePolicy,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,CloseAccount,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,DeleteAlternateContact,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,DisableRegion,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,EnableRegion,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,GetAccountInformation,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,GetAlternateContact,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,GetChallengeQuestions,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,GetContactInformation,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,GetRegionOptStatus,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,ListRegions,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,PutAlternateContact,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,PutChallengeQuestions,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,PutContactInformation,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,CreateServiceLinkedRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,DeleteServiceLinkedRole,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,iam,ListRoles,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,organizations,DescribeOrganization,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,ListRegions,*,
AWSPowerUser,/aws-reserved/sso.amazonaws.com/us-west-2/,PowerUserAccess,managed,Allow,account,GetAccountInformation,*,
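
An added example, not part of the original issue and not iamctl's own code: it expands the policy above against a small constructed action catalog, treating `NotAction` as the complement of the listed patterns, and compares that with a naive expansion that treats `NotAction` like `Action`. The naive path is an assumption about how output of the reported shape could arise; `CATALOG` and all function names are hypothetical, and `Resource` and `Condition` are ignored.

```python
import json
import re

# Constructed, deliberately tiny action catalog. A real tool would load the
# full list of AWS service actions; this subset only needs to show the effect.
CATALOG = {
    "iam:CreateUser", "iam:PassRole", "iam:ListRoles",
    "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
    "organizations:DescribeOrganization", "organizations:LeaveOrganization",
    "account:ListRegions", "account:GetAccountInformation",
    "account:CloseAccount", "s3:GetObject", "ec2:RunInstances",
}

# The PowerUserAccess policy document as quoted in the issue.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "NotAction": ["iam:*", "organizations:*", "account:*"],
   "Resource": "*"},
  {"Effect": "Allow",
   "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
              "iam:ListRoles", "organizations:DescribeOrganization",
              "account:ListRegions", "account:GetAccountInformation"],
   "Resource": "*"}
]}
""")


def _as_list(value):
    """IAM allows a single string or dict where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """Case-insensitive match with IAM's '*' and '?' wildcards."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action.lower()) is not None


def _select(patterns, catalog):
    return {a for a in catalog if any(_matches(p, a) for p in patterns)}


def expand_statement(stmt, catalog):
    """Actions a statement applies to; NotAction is everything EXCEPT the list."""
    if "NotAction" in stmt:
        return set(catalog) - _select(_as_list(stmt["NotAction"]), catalog)
    return _select(_as_list(stmt.get("Action", [])), catalog)


def naive_expand_statement(stmt, catalog):
    """Assumed faulty behaviour: NotAction patterns handled as if they were Action."""
    patterns = stmt.get("Action", stmt.get("NotAction", []))
    return _select(_as_list(patterns), catalog)


def effective_allows(policy, catalog, expand=expand_statement):
    """Union of Allow statements minus any explicit Deny statements."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target |= expand(stmt, catalog)
    return allowed - denied


def compare(policy, catalog):
    """Return (over_reported, under_reported) of the naive expansion."""
    correct = effective_allows(policy, catalog)
    naive = effective_allows(policy, catalog, expand=naive_expand_statement)
    return sorted(naive - correct), sorted(correct - naive)


if __name__ == "__main__":
    over, under = compare(POLICY, CATALOG)
    print("correct :", sorted(effective_allows(POLICY, CATALOG)))
    print("wrongly reported as Allow:", over)
    print("missing from naive output:", under)
```

With this catalog, the only `iam`, `organizations` and `account` actions that remain allowed are the six granted by the second statement, which is what an audit of PowerUserAccess should report.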