{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECRImageAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": [
                "arn:aws:ecr:*:<your-aws-account-id>:repository/*"
            ]        
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:*:<your-aws-account-id>:log-group:/aws/bedrock-agentcore/runtimes/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:*:<your-aws-account-id>:log-group:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:<your-aws-account-id>:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
            ]
        },
        {
            "Sid": "ECRTokenAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow", 
            "Action": [ 
                "xray:PutTraceSegments", 
                "xray:PutTelemetryRecords", 
                "xray:GetSamplingRules", 
                "xray:GetSamplingTargets"
            ],
            "Resource": [ "*" ] 
        },
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": "cloudwatch:PutMetricData",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "bedrock-agentcore"
                }
            }
        },
        {
            "Sid": "GetAgentAccessToken",
            "Effect": "Allow",
            "Action": [
                "bedrock-agentcore:GetWorkloadAccessToken",
                "bedrock-agentcore:GetWorkloadAccessTokenForJWT",
                "bedrock-agentcore:GetWorkloadAccessTokenForUserId"
            ],
            "Resource": [
              "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:workload-identity-directory/default",
              "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:workload-identity-directory/default/workload-identity/*"
            ]
        },
        {
            "Sid": "AgentCoreIdentityManagement",
            "Effect": "Allow",
            "Action": [
                "bedrock-agentcore:CreateOauth2CredentialProvider",
                "bedrock-agentcore:CreateWorkloadIdentity",
                "bedrock-agentcore:GetResourceOauth2Token",
                "bedrock-agentcore:ListOauth2CredentialProviders",
                "bedrock-agentcore:ListWorkloadIdentities",
                "bedrock-agentcore:DeleteOauth2CredentialProvider",
                "bedrock-agentcore:DeleteWorkloadIdentity",
                "bedrock-agentcore:GetOauth2CredentialProvider",
                "bedrock-agentcore:GetWorkloadIdentity",
                "bedrock-agentcore:UpdateOauth2CredentialProvider",
                "bedrock-agentcore:UpdateWorkloadIdentity"
            ],
            "Resource": [
                "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:token-vault/default",
                "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:token-vault/default/*",
                "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:workload-identity-directory/default",
                "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:workload-identity-directory/default/workload-identity/*"
            ]
        },
        {
            "Sid": "AgentCoreGatewayManagement",
            "Effect": "Allow",
            "Action": [
                "bedrock-agentcore:CreateGateway",
                "bedrock-agentcore:DeleteGateway",
                "bedrock-agentcore:GetGateway",
                "bedrock-agentcore:ListGateways",
                "bedrock-agentcore:UpdateGateway",
                "bedrock-agentcore:CreateGatewayTarget",
                "bedrock-agentcore:DeleteGatewayTarget",
                "bedrock-agentcore:GetGatewayTarget",
                "bedrock-agentcore:ListGatewayTargets",
                "bedrock-agentcore:UpdateGatewayTarget"
            ],
            "Resource": [
                "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:gateway/*",
                "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:gateway/*/target/*"
            ]
        },
        {
            "Sid": "AgentCoreMemoryAccess",
            "Effect": "Allow",
            "Action": [
                "bedrock-agentcore:CreateEvent",
                "bedrock-agentcore:ListEvents",
                "bedrock-agentcore:GetEvent",
                "bedrock-agentcore:DeleteEvent"
            ],
            "Resource": [
                "arn:aws:bedrock-agentcore:*:<your-aws-account-id>:memory/*"
            ]
        },
        {
            "Sid": "SecretsManagerAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:<your-aws-account-id>:secret:*"
            ]
        },
        {
            "Sid": "BedrockModelInvocation", 
            "Effect": "Allow", 
            "Action": [ 
                "bedrock:InvokeModel", 
                "bedrock:InvokeModelWithResponseStream"
            ], 
            "Resource": [
                "arn:aws:bedrock:*::foundation-model/*",
                "arn:aws:bedrock:*:<your-aws-account-id>:*"
            ]
        },
        {
            "Sid": "LambdaInvokeAccess",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:<your-aws-account-id>:function:bac-mcp-tool*"
            ]
        }
    ]
}