{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:AWSACCOUNT:key/UUID",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:ListAccountAliases",
                "iam:ListUsers",
                "iam:ListRoles",
                "cloudtrail:GetTrail",
                "cloudtrail:ListTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:DescribeTrails",
                "sns:Unsubscribe"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetBucketNotification",
                "s3:ListBucket",
                "s3:PutBucketNotification"
            ],
            "Resource": [
                "arn:aws:s3:::aws-cloudtrail-logs-example",
                "arn:aws:s3:::aws-cloudtrail-logs-example/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sns:Subscribe"
            ],
            "Resource": "arn:aws:sns:us-west-2:AWSACCOUNT:vectraStack-SnsTopic-ARN",
            "Effect": "Allow"
        }
    ]
}
