| iam:PassRole | Admin |
| shield:AssociateDRTLogBucket | Admin |
| shield:AssociateDRTRole | Admin |
| shield:CreateProtection | Admin |
| shield:CreateSubscription | Admin |
| shield:DeleteProtection | Admin |
| shield:DeleteSubscription | Admin |
| shield:DisassociateDRTLogBucket | Admin |
| shield:DisassociateDRTRole | Admin |
| shield:UpdateEmergencyContactSettings | Admin |
| shield:UpdateSubscription | Admin |
| iam:GetRole | Metadata |
| iam:ListAttachedRolePolicies | Metadata |
| s3:GetBucketPolicy | Metadata |
| shield:DescribeAttack | Metadata |
| shield:DescribeDRTAccess | Metadata |
| shield:DescribeEmergencyContactSettings | Metadata |
| shield:DescribeProtection | Metadata |
| shield:DescribeSubscription | Metadata |
| shield:GetSubscriptionState | Metadata |
| shield:ListAttacks | Metadata |
| shield:ListProtections | Metadata |
