| cloudfront:CreateCloudFrontOriginAccessIdentity | Admin |
| cloudfront:CreateDistribution | Admin |
| cloudfront:CreateDistributionWithTags | Admin |
| cloudfront:CreateFieldLevelEncryptionConfig | Admin |
| cloudfront:CreateFieldLevelEncryptionProfile | Admin |
| cloudfront:CreatePublicKey | Admin |
| cloudfront:CreateStreamingDistribution | Admin |
| cloudfront:CreateStreamingDistributionWithTags | Admin |
| cloudfront:DeleteCloudFrontOriginAccessIdentity | Admin |
| cloudfront:DeleteDistribution | Admin |
| cloudfront:DeleteFieldLevelEncryptionConfig | Admin |
| cloudfront:DeleteFieldLevelEncryptionProfile | Admin |
| cloudfront:DeletePublicKey | Admin |
| cloudfront:DeleteStreamingDistribution | Admin |
| cloudfront:GetPublicKeyConfig | Admin |
| cloudfront:UpdateCloudFrontOriginAccessIdentity | Admin |
| cloudfront:UpdateDistribution | Admin |
| cloudfront:UpdateFieldLevelEncryptionConfig | Admin |
| cloudfront:UpdateFieldLevelEncryptionProfile | Admin |
| cloudfront:UpdatePublicKey | Admin |
| cloudfront:UpdateStreamingDistribution | Admin |
| cloudfront-keyvaluestore:DeleteKey | Admin |
| cloudfront-keyvaluestore:PutKey | Admin |
| cloudfront-keyvaluestore:UpdateKeys | Admin |
| cloudfront:CreateInvalidation | Operator |
| cloudfront:TagResource | Operator |
| cloudfront:UntagResource | Operator |
| acm:ListCertificates | Metadata |
| cloudfront:GetCloudFrontOriginAccessIdentity | Metadata |
| cloudfront:GetCloudFrontOriginAccessIdentityConfig | Metadata |
| cloudfront:GetDistribution | Metadata |
| cloudfront:GetDistributionConfig | Metadata |
| cloudfront:GetFieldLevelEncryption | Metadata |
| cloudfront:GetFieldLevelEncryptionConfig | Metadata |
| cloudfront:GetFieldLevelEncryptionProfile | Metadata |
| cloudfront:GetFieldLevelEncryptionProfileConfig | Metadata |
| cloudfront:GetInvalidation | Metadata |
| cloudfront:GetPublicKey | Metadata |
| cloudfront:GetStreamingDistribution | Metadata |
| cloudfront:GetStreamingDistributionConfig | Metadata |
| cloudfront:ListCloudFrontOriginAccessIdentities | Metadata |
| cloudfront:ListDistributions | Metadata |
| cloudfront:ListDistributionsByWebACLId | Metadata |
| cloudfront:ListFieldLevelEncryptionConfigs | Metadata |
| cloudfront:ListFieldLevelEncryptionProfiles | Metadata |
| cloudfront:ListInvalidations | Metadata |
| cloudfront:ListPublicKeys | Metadata |
| cloudfront:ListStreamingDistributions | Metadata |
| cloudfront:ListTagsForResource | Metadata |
| cloudfront-keyvaluestore:DescribeKeyValueStore | Metadata |
| cloudfront-keyvaluestore:GetKey | Metadata |
| cloudfront-keyvaluestore:ListKeys | Metadata |
| elasticloadbalancing:DescribeLoadBalancers | Metadata |
| iam:ListServerCertificates | Metadata |
| s3:ListAllMyBuckets | Metadata |
