IAM Role: AWS/CloudFront/Operator

Permission	Grant
cloudfront:CreateInvalidation	Operator
cloudfront:TagResource	Operator
cloudfront:UntagResource	Operator
acm:ListCertificates	Metadata
cloudfront:GetCloudFrontOriginAccessIdentity	Metadata
cloudfront:GetCloudFrontOriginAccessIdentityConfig	Metadata
cloudfront:GetDistribution	Metadata
cloudfront:GetDistributionConfig	Metadata
cloudfront:GetFieldLevelEncryption	Metadata
cloudfront:GetFieldLevelEncryptionConfig	Metadata
cloudfront:GetFieldLevelEncryptionProfile	Metadata
cloudfront:GetFieldLevelEncryptionProfileConfig	Metadata
cloudfront:GetInvalidation	Metadata
cloudfront:GetPublicKey	Metadata
cloudfront:GetStreamingDistribution	Metadata
cloudfront:GetStreamingDistributionConfig	Metadata
cloudfront:ListCloudFrontOriginAccessIdentities	Metadata
cloudfront:ListDistributions	Metadata
cloudfront:ListDistributionsByWebACLId	Metadata
cloudfront:ListFieldLevelEncryptionConfigs	Metadata
cloudfront:ListFieldLevelEncryptionProfiles	Metadata
cloudfront:ListInvalidations	Metadata
cloudfront:ListPublicKeys	Metadata
cloudfront:ListStreamingDistributions	Metadata
cloudfront:ListTagsForResource	Metadata
cloudfront-keyvaluestore:DescribeKeyValueStore	Metadata
cloudfront-keyvaluestore:GetKey	Metadata
cloudfront-keyvaluestore:ListKeys	Metadata
elasticloadbalancing:DescribeLoadBalancers	Metadata
iam:ListServerCertificates	Metadata
s3:ListAllMyBuckets	Metadata