| cloudtrail:CreateTrail | Admin |
| cloudtrail:DeleteTrail | Admin |
| cloudtrail:PutEventSelectors | Admin |
| cloudtrail:PutInsightSelectors | Admin |
| cloudtrail:UpdateTrail | Admin |
| cloudtrail:AddTags | Operator |
| cloudtrail:RemoveTags | Operator |
| cloudtrail:StartLogging | Operator |
| cloudtrail:StopLogging | Operator |
| cloudtrail:DescribeTrails | Metadata |
| cloudtrail:GetEventSelectors | Metadata |
| cloudtrail:GetInsightSelectors | Metadata |
| cloudtrail:GetTrail | Metadata |
| cloudtrail:GetTrailStatus | Metadata |
| cloudtrail:ListPublicKeys | Metadata |
| cloudtrail:ListTags | Metadata |
| cloudtrail:ListTrails | Metadata |
| cloudtrail:LookupEvents | Metadata |
| kms:ListAliases | Metadata |
| s3:GetBucketLocation | Metadata |
| s3:ListAllMyBuckets | Metadata |
