Im having difficulties to get logs to print anything when requests happens outside the tests. The tests does log correctly but not the real requests.
I've read that you need to add the correct permissions on IAM profile. This is how my profile looks now.
policies:
AWSLambdaFullAccess
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"events:*",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"lambda:*",
"logs:*",
"s3:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Subscribe",
"sns:Unsubscribe",
"sns:Publish",
"sqs:ListQueues",
"sqs:SendMessage",
"tag:GetResources",
"kms:ListAliases",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"iot:GetTopicRule",
"iot:ListTopicRules",
"iot:CreateTopicRule",
"iot:ReplaceTopicRule",
"iot:AttachPrincipalPolicy",
"iot:AttachThingPrincipal",
"iot:CreateKeysAndCertificate",
"iot:CreatePolicy",
"iot:CreateThing",
"iot:ListPolicies",
"iot:ListThings",
"iot:DescribeEndpoint",
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Resource": "*"
}
]
}
AWSLambdaVPCAccessExecutionRole
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
}
]
}
Trust Relationships:
The identity provider(s) edgelambda.amazonaws.com
The identity provider(s) lambda.amazonaws.com
What am I missing? Why wont real requests to cloudfront log? I can see that the lambda function is working when I try to do fetch content from the cloudfront distribution.
Please attach below policy to the existing roles you have,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "YOUR_SID",
"Effect": "Allow",
"Action": ["cloudfront:*"],
"Resource": "*"
}
]
}
The Sid, or statement ID, is optional.
It would be worth to have a quick look on http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/access-control-managing-permissions.html
Related
I created an IAM user at AWS that should be allowed to perform a couple of S3 bucket actions, but only when MFA is enabled. Therefore I added a policy according to the AWS documentation with the following content:
{
"Statement": [
{
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowListActions"
},
{
"Action": "iam:ListMFADevices",
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}",
"arn:aws:iam::*:mfa/*"
],
"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA"
},
{
"Action": [
"iam:ResyncMFADevice",
"iam:EnableMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:CreateVirtualMFADevice"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}",
"arn:aws:iam::*:mfa/${aws:username}"
],
"Sid": "AllowIndividualUserToManageTheirOwnMFA"
},
{
"Action": "iam:DeactivateMFADevice",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}",
"arn:aws:iam::*:mfa/${aws:username}"
],
"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA"
},
{
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
},
"Effect": "Deny",
"NotAction": [
"iam:ResyncMFADevice",
"iam:ListVirtualMFADevices",
"iam:ListUsers",
"iam:ListMFADevices",
"iam:EnableMFADevice",
"iam:CreateVirtualMFADevice"
],
"Resource": "*",
"Sid": "BlockMostAccessUnlessSignedInWithMFA"
}
],
"Version": "2012-10-17"
}
This is simply the default policy, recommended by AWS. Nevertheless, when the particular user logs in and tries to add a virtual MFA, he sees the following error message:
User: arn:aws:iam::1234567890:user/users/user#example.com is not authorized to perform: iam:ListMFADevices on resource: user user#example.com because no identity-based policy allows the iam:ListMFADevices action
Do I miss something in the setup of the permissions?
I too had a similar error recently, the AWS docs are awful related to this. Once the MFA device it setup, everything works fine, but getting it set up, I couldn't find the permission to do this either.
One workaround, is to set this up for the user, send them a pic of the QR code, so they can complete the setup on their device.
It's not a perfect situation as this requires trust in a human to do this initial step.
If anyone has the actual answer for how to do this, I too would be interested in hearing as the AWS docs and content online I couldn't find the policy that needs to be applied for this to work without this manual intervention.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam:::mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam:::user/${aws:username}"
}
]
}
I'm trying to set up a policy for a Group ("TheGroup") that when attached to a User would allow that user to Create new Users AND assign them to another specific group ("TheSubGroup").
I believe I have the CreateUser part mostly done but I'm not sure of syntax for how to also allow this user to AddUserToGroup("TheSubGroup") in the second part of the policy below.
Any thoughts?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ManageUsersPermissions",
"Effect": "Allow",
"Action": [
"iam:ChangePasword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:CreateUser",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:DeleteUser",
"iam:UpdateAccessKey",
"iam:ListAttachedUserPolicies",
"iam:ListPolicies",
"iam:ListUserPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:GetPolicy",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "LimitedGroupAssignment",
"Effect": "Allow",
"Action": [
"iam:AddUserToGroup",
"iam:RemoveUserFromGroup"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"arn:aws:iam::1234567890:group/TheSubGroup"
]
}
}
}
]
}
The AddUserToGroup action applies to group resources. Try targeting the group resource:
{
"Sid": "LimitedGroupAssignment",
"Effect": "Allow",
"Action": [
"iam:AddUserToGroup",
"iam:RemoveUserFromGroup"
],
"Resource": "arn:aws:iam::1234567890:group/TheSubGroup"
}
I'm having an issue with a seemingly trivial task of getting CodeDeploy to deploy Github code to an AutoScaling Group in a Blue/Green Deployment.
I have a Pipeline setup, a Deployment Group setup, AutoScaling Group, ELB, and LAUCH CONFIGURATION but it fails when it gets to the actual deployment:
and this my roles in codeDeploy-roles
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:PutMetricAlarm",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribePlacementGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSubnets",
"ec2:DescribeVpcClassicLink"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "autoscaling.amazonaws.com"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:CompleteLifecycleAction",
"autoscaling:DeleteLifecycleHook",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:PutLifecycleHook",
"autoscaling:RecordLifecycleActionHeartbeat",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:EnableMetricsCollection",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeNotificationConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:AttachLoadBalancers",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:PutScalingPolicy",
"autoscaling:PutScheduledUpdateGroupAction",
"autoscaling:PutNotificationConfiguration",
"autoscaling:PutLifecycleHook",
"autoscaling:DescribeScalingActivities",
"autoscaling:DeleteAutoScalingGroup",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:TerminateInstances",
"tag:GetResources",
"sns:Publish",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole",
"ec2:CreateTags",
"ec2:RunInstances"
],
"Resource": "*"
}
]
}
Is there a policy that I'm not considering that needs to be attached to this role?
As I understood,I would rather following steps.
You need to create a CodeDeployServiceRole and you just used built in policy.
Create a CodeDeploy application and deployment group and assign your CodeDeployServiceRole there.
In launch configuration you don't have to worry about CodeDeploy and just config you instance profile with required policies for instance operations.
I have a test account where I'd like to give developers access to try out anything they'd like EXCEPT I don't want to give them permissions to add / delete / mess with other users. I tried allowing everything and then denying IAM access but then they couldn't change their own password. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:*"
],
"Resource": [
"*"
]
},
]
}
This made it so users got the following error when they tried to login and change their pw:
User is not authorized to perform iam:ChangePassword
For a more concise answer you can use wild cards. Not perfectly future proof but those are most of the damaging verbs. :)
Also I found the policy simulator very useful: IAM policy simulator
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"iam:Add*",
"iam:Create*",
"iam:Deactivate*",
"iam:Delete*",
"iam:Detach*",
"iam:Enable*",
"iam:PassRole",
"iam:Put*",
"iam:Remove*",
"iam:Resync*",
"iam:Set*",
"iam:Simulate*",
"iam:Update*",
"iam:Put*"
],
"Resource": "*"
}
]}
I figured out an answer that I'm only moderately okay with. I accomplished this by denying every IAM action except the ability to change password and see the password requirements.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:AddUserToGroup",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateAccessKey",
"iam:CreateAccountAlias",
"iam:CreateGroup",
"iam:CreateInstanceProfile",
"iam:CreateLoginProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateSAMLProvider",
"iam:CreateUser",
"iam:CreateVirtualMFADevice",
"iam:DeactivateMFADevice",
"iam:DeleteAccessKey",
"iam:DeleteAccountAlias",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteInstanceProfile",
"iam:DeleteLoginProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteSAMLProvider",
"iam:DeleteSSHPublicKey",
"iam:DeleteServerCertificate",
"iam:DeleteSigningCertificate",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DeleteVirtualMFADevice",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:EnableMFADevice",
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:GetAccessKeyLastUsed",
"iam:GetAccountAuthorizationDetails",
"iam:GetAccountSummary",
"iam:GetContextKeysForCustomPolicy",
"iam:GetContextKeysForPrincipalPolicy",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetInstanceProfile",
"iam:GetLoginProfile",
"iam:GetOpenIDConnectProvider",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetSAMLProvider",
"iam:GetSSHPublicKey",
"iam:GetServerCertificate",
"iam:GetServiceLastAccessedDetails",
"iam:GetServiceLastAccessedDetailsWithEntities",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListMFADevices",
"iam:ListOpenIDConnectProviders",
"iam:ListPolicies",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListSAMLProviders",
"iam:ListSSHPublicKeys",
"iam:ListServerCertificates",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:PassRole",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveClientIDFromOpenIDConnectProvider",
"iam:RemoveRoleFromInstanceProfile",
"iam:RemoveUserFromGroup",
"iam:ResyncMFADevice",
"iam:SetDefaultPolicyVersion",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"iam:UpdateAccessKey",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateSAMLProvider",
"iam:UpdateSSHPublicKey",
"iam:UpdateServerCertificate",
"iam:UpdateSigningCertificate",
"iam:UpdateUser",
"iam:UploadSSHPublicKey",
"iam:UploadServerCertificate",
"iam:UploadSigningCertificate"
],
"Resource": [
"*"
]
}
]
}
It works, but I'd love something more concise / future proof.
You can use something like below. Using NotAction. This will deny everything for IAM except whatever you mention in NotAction. You can create user using below, but please do note that you will also have to assign policy/roles so add permissions for those under 'NotAction'. Everything else except actions specified in 'NotAction' will be blocked in IAM console. Another part of policy allows everything in console. So just block IAM while allow everything and certain attributes of IAM.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"NotAction": [
"iam:CreateUser"
],
"Resource": "arn:aws:iam::*:*"
},
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Best regards,
Sanjeev B.
I use the following for Infra admins who don't need access to user/group/policy changes.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": [
"*"
]
},
{
"Effect": "Deny",
"Action": [
"iam:AddUserToGroup",
"iam:AddClientIDToOpenIDConnectProvider",
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateGroup",
"iam:CreateLoginProfile",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:CreateSAMLProvider",
"iam:CreateUser",
"iam:DeleteAccountPasswordPolicy",
"iam:DeleteGroup",
"iam:DeleteGroupPolicy",
"iam:DeleteLoginProfile",
"iam:DeleteOpenIDConnectProvider",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteSAMLProvider",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:DetachGroupPolicy",
"iam:DetachRolePolicy",
"iam:DetachUserPolicy",
"iam:PutGroupPolicy",
"iam:PutRolePolicy",
"iam:PutUserPolicy",
"iam:RemoveClientIDFromOpenIDConnectProvider",
"iam:RemoveUserFromGroup",
"iam:SetDefaultPolicyVersion",
"iam:UpdateAccountPasswordPolicy",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateOpenIDConnectProviderThumbprint",
"iam:UpdateSAMLProvider",
"iam:UpdateUser",
],
"Resource": [
"*"
]
}
]
}
I am trying to grant to an IAM password user full access to an Elastic Beanstalk application (create/modify/delete environments). Following the AWS doc here results in the user being able to see the Application but being unable to view Environments or create new ones (message: Access Denied, without further specification).
Here is the current policy that is attached:
{
"Version": "XXX-XX-XX",
"Statement": [
{
"Sid": "StmtXXXXXXXXX",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
"autoscaling:*"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:application/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:applicationversion/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:environment/<app-name>/*",
"arn:aws:elasticbeanstalk:us-west-1::solutionstack/*"
]
},
{
"Action": [
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:CreateStorageLocation",
"autoscaling:DescribeAutoScalingGroups"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Has anyone done this yet?
This is what I use. I couldn't be asked to go further in separating it. You can use tags for as well.
What I have done more is to run more and more things in separate accounts. If there are separate apps there are little or no reason to have them in the same account anyway. You can have cross account access for users. https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:List*",
"cloudwatch:Get*",
"s3:Get*",
"s3:List*",
"sns:Get*",
"sns:List*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:Validate*",
"cloudformation:Estimate*",
"rds:Describe*",
"elasticbeanstalk:CreateStorageLocation",
"sqs:Get*",
"sqs:List*",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"cloudformation:UpdateStack",
"cloudformation:DescribeStacks",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
],
"Resource": [
"arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:CreateConfigurationTemplate",
"elasticbeanstalk:UpdateApplicationVersion",
"elasticbeanstalk:UpdateConfigurationTemplate",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:ValidateConfigurationSettings"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"elasticbeanstalk:InApplication": [
"arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
]
}
}
}
]
}