{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServiceBoundaries",
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "ec2:*",
        "lambda:*",
        "logs:*",
        "sqs:*",
        "resource-groups:*",
        "ssm:*",
        "ssmmessages:*",
        "ec2messages:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RoleInNamespace",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:${aws_partition}:iam::${account_id}:role/${role_namespace}/*"
    },
    {
      "Sid": "Decrypt",
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": "*"
    }
  ]
}