
# AWS BYOC

Please read through [Bring Your Own Cloud (BYOC)](/bring-your-own-cloud-byoc) to understand BYOC in more detail.

# Deployment Options

* Turnkey / default - creates a VPN and cluster for a fully managed install
* BYO-VPN - requires the customer to provide a VPN

# Overview

This document guides you through giving Streamkap access to provision software in your AWS account by creating an IAM role that trusts a Streamkap IAM principal. Access is limited to the permissions defined in the following IAM policies:

<CodeGroup>
  ```json StreamkapProvisionAccess.json theme={null}
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "",
              "Effect": "Allow",
              "Resource": "*",
              "Action": [
                  "ec2:DescribeAddressesAttribute",
                  "ec2:CreateNetworkAclEntry",
                  "ecr:UntagResource",
                  "eks:ListAccessEntries",
                  "eks:CreateAccessEntry",
                  "eks:DescribeAccessEntry",
                  "eks:UpdateAccessEntry",
                  "eks:AssociateAccessPolicy",
                  "eks:DisassociateAccessPolicy",
                  "eks:CreateAddon",
                  "eks:DescribeAddon",
                  "eks:UpdateAddon",
                  "eks:DescribeAddonConfiguration",
                  "eks:DescribeAddonVersions",
                  "eks:ListAddons",
                  "eks:ListAssociatedAccessPolicies",
                  "eks:CreateCluster",
                  "eks:DescribeCluster",
                  "eks:CreateNodegroup",
                  "eks:DescribeNodegroup",
                  "eks:UpdateNodegroupVersion",
                  "eks:TagResource",
                  "eks:UntagResource",
                  "eks:ListTagsForResource",
                  "eks:DescribeUpdate",
                  "eks:UpdateNodegroupConfig",
                  "eks:CreatePodIdentityAssociation",
                  "eks:Describe*",
                  "ec2:CreateNetworkInterface",
                  "ec2:Describe*",
                  "iam:UntagPolicy",
                  "iam:UntagRole",
                  "kms:UntagResource",
                  "logs:UntagResource",
                  "logs:ListTagsForResource",
                  "ec2:AllocateAddress",
                  "ec2:AssociateRouteTable",
                  "ec2:AttachInternetGateway",
                  "ec2:AuthorizeSecurityGroupEgress",
                  "ec2:AuthorizeSecurityGroupIngress",
                  "ec2:CreateInternetGateway",
                  "ec2:CreateLaunchTemplate",
                  "ec2:CreateLaunchTemplateVersion",
                  "ec2:CreateNatGateway",
                  "ec2:CreateRoute",
                  "ec2:CreateRouteTable",
                  "ec2:CreateSecurityGroup",
                  "ec2:CreateSubnet",
                  "ec2:CreateTags",
                  "ec2:CreateVpc",
                  "ec2:DescribeAddresses",
                  "ec2:DescribeAvailabilityZones",
                  "ec2:DescribeInternetGateways",
                  "ec2:DescribeLaunchTemplateVersions",
                  "ec2:DescribeLaunchTemplates",
                  "ec2:DescribeNatGateways",
                  "ec2:DescribeNetworkAcls",
                  "ec2:DescribeRouteTables",
                  "ec2:DescribeSecurityGroupReferences",
                  "ec2:DescribeSecurityGroupRules",
                  "ec2:DescribeSecurityGroups",
                  "ec2:DescribeSubnets",
                  "ec2:DescribeTags",
                  "ec2:DescribeVpcAttribute",
                  "ec2:DescribeVpcClassicLink",
                  "ec2:DescribeVpcClassicLinkDnsSupport",
                  "ec2:DescribeVpcs",
                  "ec2:ModifyLaunchTemplate",
                  "ec2:ModifySubnetAttribute",
                  "ec2:ModifyVpcAttribute",
                  "ec2:RevokeSecurityGroupEgress",
                  "ec2:RunInstances",
                  "ec2:ModifyNetworkInterfaceAttribute",
                  "ec2:ModifyInstanceAttribute",
                  "ec2:TerminateInstances",
                  "ec2:GetConsoleOutput",
                  "ec2:DescribeInstances",
                  "ec2:AttachNetworkInterface",
                  "ec2:AssociateAddress",
                  "ecr:CreateRepository",
                  "ecr:DescribeRepositories",
                  "ecr:ListTagsForResource",
                  "ecr:TagResource",
                  "iam:AttachRolePolicy",
                  "iam:CreateOpenIDConnectProvider",
                  "iam:CreatePolicy",
                  "iam:CreatePolicyVersion",
                  "iam:CreateRole",
                  "iam:CreateServiceLinkedRole",
                  "iam:GetOpenIDConnectProvider",
                  "iam:GetPolicy",
                  "iam:GetPolicyVersion",
                  "iam:GetRole",
                  "iam:GetRolePolicy",
                  "iam:ListAttachedRolePolicies",
                  "iam:ListRolePolicies",
                  "iam:ListPolicyVersions",
                  "iam:PassRole",
                  "iam:PutRolePolicy",
                  "iam:TagOpenIDConnectProvider",
                  "iam:TagPolicy",
                  "iam:TagRole",
                  "iam:UpdateAssumeRolePolicy",
                  "iam:RemoveRoleFromInstanceProfile",
                  "iam:CreateInstanceProfile",
                  "iam:AddRoleToInstanceProfile",
                  "iam:UpdateRole",
                  "iam:DetachRolePolicy",
                  "iam:ListInstanceProfilesForRole",
                  "kms:CreateAlias",
                  "kms:CreateGrant",
                  "kms:CreateKey",
                  "kms:DescribeKey",
                  "kms:GetKeyPolicy",
                  "kms:GetKeyRotationStatus",
                  "kms:ListAliases",
                  "kms:ListResourceTags",
                  "kms:PutKeyPolicy",
                  "kms:TagResource",
                  "kms:UpdateAlias",
                  "kms:EnableKeyRotation",
                  "logs:CreateLogGroup",
                  "logs:DescribeLogGroups",
                  "logs:ListTagsLogGroup",
                  "logs:PutRetentionPolicy",
                  "logs:TagLogGroup",
                  "logs:TagResource",
                  "logs:UntagResource",
                  "acm:*",
                  "elasticloadbalancing:*",
                  "cloudformation:Describe*",
                  "cloudformation:EstimateTemplateCost",
                  "cloudformation:Get*",
                  "cloudformation:List*",
                  "cloudformation:ValidateTemplate",
                  "cloudformation:Detect*",
                  "route53:ChangeResourceRecordSets",
                  "route53:ChangeTagsForResource",
                  "route53:CreateHostedZone",
                  "route53:GetChange",
                  "route53:GetHostedZone",
                  "route53:ListResourceRecordSets",
                  "route53:ListTagsForResource",
                  "s3:GetObject",
                  "s3:ListBucket",
                  "s3:PutObject",
                  "s3:DeleteObject",
                  "s3:CreateBucket",
                  "s3:PutBucketPolicy",
                  "s3:GetBucketPolicy",
                  "s3:PutBucketTagging",
                  "s3:GetBucketTagging",
                  "s3:GetBucketAcl",
                  "s3:PutBucketAcl",
                  "s3:PutBucketOwnershipControls",
                  "s3:GetBucketOwnershipControls",
                  "s3:PutBucketVersioning",
                  "s3:GetBucketVersioning",
                  "s3:AbortMultipartUpload",
                  "s3:GetBucketLocation",
                  "s3:GetBucketCors",
                  "s3:GetBucketWebsite",
                  "s3:GetAccelerateConfiguration",
                  "s3:GetBucketLogging",
                  "s3:GetBucketObjectLockConfiguration",
                  "s3:GetBucketRequestPayment",
                  "s3:GetEncryptionConfiguration",
                  "s3:GetLifecycleConfiguration",
                  "s3:GetReplicationConfiguration",
                  "s3:PutLifecycleConfiguration",
                  "s3:PutBucketPublicAccessBlock",
                  "s3:GetBucketPublicAccessBlock",
                  "s3:PutEncryptionConfiguration",
                  "eks:ListNodegroups",
                  "eks:ListPodIdentityAssociations",
                  "ec2:ModifyVolume",
                  "sqs:CreateQueue",
                  "sqs:SetQueueAttributes",
                  "sqs:GetQueueAttributes",
                  "sqs:GetQueueUrl",
                  "sqs:TagQueue",
                  "sqs:ListQueueTags",
                  "events:PutRule",
                  "events:PutTargets",
                  "events:RemoveTargets",
                  "events:DescribeRule",
                  "events:ListTargetsByRule",
                  "events:ListTagsForResource",
                  "events:TagResource",
                  "iam:GetInstanceProfile",
                  "iam:TagInstanceProfile",
                  "iam:ListInstanceProfiles"
              ]
          }
      ]
  }
  ```

  ```json StreamkapDeprovisionAccess.json theme={null}
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
          "ec2:DeleteNetworkAclEntry",
          "eks:DeleteAddon",
          "eks:DeleteCluster",
          "eks:DescribeCluster",
          "eks:DeleteNodegroup",
          "eks:DescribeNodegroup",
          "ec2:DeleteInternetGateway",
          "ec2:DeleteLaunchTemplate",
          "ec2:DeleteLaunchTemplateVersions",
          "ec2:DeleteNatGateway",
          "ec2:DeleteNetworkInterface",
          "ec2:DeleteRoute",
          "ec2:DeleteRouteTable",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteSubnet",
          "ec2:DeleteTags",
          "ec2:DeleteVpc",
          "ec2:DescribeAddresses",
          "ec2:DescribeInternetGateways",
          "ec2:DescribeLaunchTemplateVersions",
          "ec2:DescribeLaunchTemplates",
          "ec2:DescribeNatGateways",
          "ec2:DescribeNetworkAcls",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroupRules",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSubnets",
          "ec2:DescribeTags",
          "ec2:DescribeVpcAttribute",
          "ec2:DescribeVpcClassicLink",
          "ec2:DescribeVpcClassicLinkDnsSupport",
          "ec2:DescribeVpcs",
          "ec2:DetachInternetGateway",
          "ec2:DetachNetworkInterface",
          "ec2:DisassociateAddress",
          "ec2:DisassociateRouteTable",
          "ec2:ReleaseAddress",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:ModifyNetworkInterfaceAttribute",
          "ec2:ModifyInstanceAttribute",
          "ec2:TerminateInstances",
          "ec2:GetConsoleOutput",
          "ec2:DescribeInstances",
          "ec2:AttachNetworkInterface",
          "ec2:AssociateAddress",
          "ecr:DeleteRepository",
          "ecr:DescribeRepositories",
          "ecr:ListTagsForResource",
          "iam:DeleteOpenIDConnectProvider",
          "iam:DeletePolicy",
          "iam:DeletePolicyVersion",
          "iam:DeleteRole",
          "iam:DeleteRolePolicy",
          "iam:DetachRolePolicy",
          "iam:GetOpenIDConnectProvider",
          "iam:GetPolicy",
          "iam:GetPolicyVersion",
          "iam:GetRole",
          "iam:GetRolePolicy",
          "iam:ListAttachedRolePolicies",
          "iam:ListInstanceProfilesForRole",
          "iam:ListPolicyVersions",
          "iam:ListRolePolicies",
          "kms:DeleteAlias",
          "kms:DescribeKey",
          "kms:GetKeyPolicy",
          "kms:GetKeyRotationStatus",
          "kms:ListAliases",
          "kms:ListResourceTags",
          "kms:RetireGrant",
          "kms:ScheduleKeyDeletion",
          "logs:DeleteLogGroup",
          "logs:DescribeLogGroups",
          "logs:ListTagsLogGroup",
          "route53:ChangeTagsForResource",
          "route53:DeleteHostedZone",
          "route53:GetDNSSEC",
          "route53:GetHostedZone",
          "route53:ListResourceRecordSets",
          "route53:ListTagsForResource",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:DeleteBucket",
          "eks:DeletePodIdentityAssociation",
          "eks:DeleteAccessEntry",
          "iam:DeleteInstanceProfile",
          "sqs:DeleteQueue",
          "events:DeleteRule",
          "events:RemoveTargets"
        ]
      }
    ]
  }
  ```
</CodeGroup>

<Info>
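  Please note that the deployment will happen in a sub-account/subnet that is connected to your main hub. Both policies use `"Resource": "*"`, and the provision policy includes IAM write actions (for example `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole`), so the permissions apply to every resource in the account where the role is created.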
</Info>

Here are the steps:

1. Create an IAM policy granting permission to provision an install.
2. Create an IAM policy granting permission to deprovision an install.
3. Create an IAM role that uses those policies, and grants access to the vendor via a trust policy.
4. Share the IAM role’s ARN with Streamkap.

Once the role has been created and acknowledged by the Streamkap team, we will handle the deployment. When it is complete, the BYOC deployment appears as a new [project](/projects) in your Streamkap account.

# Using AWS Console

## 1. Create the Provision Policy

* In the AWS console, navigate to the **IAM** control panel.

<Frame>
  <img src="https://mintcdn.com/streamkap/mbypW1shgSNkxGX6/images/docs/d5f7930d9ad36c01139714f49b6b64167ae7d1a2bd7ed9c47b0b79df94a938be-Screenshot_2024-07-22_at_8.26.59_AM.png?fit=max&auto=format&n=mbypW1shgSNkxGX6&q=85&s=3c03e12beb1b6d5f494a77bbe40863ce" alt="" width="3024" height="1964" data-path="images/docs/d5f7930d9ad36c01139714f49b6b64167ae7d1a2bd7ed9c47b0b79df94a938be-Screenshot_2024-07-22_at_8.26.59_AM.png" />
</Frame>

* Navigate to “**Policies**”.

<Frame>
  <img src="https://mintcdn.com/streamkap/3Pxl2KMoNOFpQbcD/images/docs/54a39c0903e40856a4c89b15ce0f0566a3e6aa88dd2de89cf0b134a3920ab99c-Screenshot_2024-07-22_at_8.28.49_AM.png?fit=max&auto=format&n=3Pxl2KMoNOFpQbcD&q=85&s=137bcaa9cbcf7637c2b9ae9829dfb27b" alt="" width="3024" height="1964" data-path="images/docs/54a39c0903e40856a4c89b15ce0f0566a3e6aa88dd2de89cf0b134a3920ab99c-Screenshot_2024-07-22_at_8.28.49_AM.png" />
</Frame>

* Click the orange “**Create Policy**” button.

<Frame>
  <img src="https://mintcdn.com/streamkap/mbypW1shgSNkxGX6/images/docs/b65389ad2d8e7b03e41ac825e4cbb505ae63d19d62206229350b1ee2b9ceafdb-Screenshot_2024-07-22_at_8.29.16_AM.png?fit=max&auto=format&n=mbypW1shgSNkxGX6&q=85&s=0e9399a758a0141ee672a3b8a788b9f1" alt="" width="3024" height="1964" data-path="images/docs/b65389ad2d8e7b03e41ac825e4cbb505ae63d19d62206229350b1ee2b9ceafdb-Screenshot_2024-07-22_at_8.29.16_AM.png" />
</Frame>

* Look for the “Policy editor”, where “visual” will be selected. Select “JSON”.

<Frame>
  <img src="https://mintcdn.com/streamkap/3Pxl2KMoNOFpQbcD/images/docs/1eb0133c8bbcb71a1cb252eb6cd3f754bdb97d0f01e37e0125f6d07f9cce2e90-Screenshot_2024-07-22_at_8.29.43_AM.png?fit=max&auto=format&n=3Pxl2KMoNOFpQbcD&q=85&s=f502b9b3b914df1e90619c0698a26622" alt="" width="3024" height="1964" data-path="images/docs/1eb0133c8bbcb71a1cb252eb6cd3f754bdb97d0f01e37e0125f6d07f9cce2e90-Screenshot_2024-07-22_at_8.29.43_AM.png" />
</Frame>

* Replace the **entire policy contents** JSON with the contents of the `StreamkapProvisionAccess.json` mentioned above
* Below the editor, click the orange “**Next**” button.
* Name the policy `StreamkapProvisionAccess`, and click “Create policy” at the bottom.

## 2. Create the Deprovision Policy

* In the AWS console, navigate to the **IAM** control panel.

<Frame>
  <img src="https://mintcdn.com/streamkap/mbypW1shgSNkxGX6/images/docs/9fe848305694281d784d4ee877be51e5110e693349df21da3cb0fcf90e01a2f5-Screenshot_2024-07-22_at_8.17.32_AM.png?fit=max&auto=format&n=mbypW1shgSNkxGX6&q=85&s=95868a0c91f0d016d9604a7f6be57851" alt="" width="3024" height="1964" data-path="images/docs/9fe848305694281d784d4ee877be51e5110e693349df21da3cb0fcf90e01a2f5-Screenshot_2024-07-22_at_8.17.32_AM.png" />
</Frame>

Navigate to “**Policies**”.

<Frame>
  <img src="https://mintcdn.com/streamkap/mbypW1shgSNkxGX6/images/docs/97e7772753ff5939012b8e0ac74a2b5680013c2d6aaedae64c721c0fbdfe582b-Screenshot_2024-07-22_at_8.28.49_AM_1.png?fit=max&auto=format&n=mbypW1shgSNkxGX6&q=85&s=c0b349adce65cd1a8b3763d32ba56d6c" alt="" width="3024" height="1964" data-path="images/docs/97e7772753ff5939012b8e0ac74a2b5680013c2d6aaedae64c721c0fbdfe582b-Screenshot_2024-07-22_at_8.28.49_AM_1.png" />
</Frame>

Click the orange “**Create Policy**” button.

<Frame>
  <img src="https://mintcdn.com/streamkap/3Pxl2KMoNOFpQbcD/images/docs/6407058239ba378afda70eff85e304934775e2ba63d6e58d8fe0b74a92672859-Screenshot_2024-07-22_at_8.29.16_AM_1.png?fit=max&auto=format&n=3Pxl2KMoNOFpQbcD&q=85&s=8b581df66fcbb47da33c814033a8fb0e" alt="" width="3024" height="1964" data-path="images/docs/6407058239ba378afda70eff85e304934775e2ba63d6e58d8fe0b74a92672859-Screenshot_2024-07-22_at_8.29.16_AM_1.png" />
</Frame>

Look for the “Policy editor” component group, where “visual” will be selected. Select “JSON”.

<Frame>
  <img src="https://mintcdn.com/streamkap/3Pxl2KMoNOFpQbcD/images/docs/5d674541c032a6056e6d4514b6be893f8388ae7608f389f2ef7c0ec356f7b665-Screenshot_2024-07-22_at_8.29.43_AM_1.png?fit=max&auto=format&n=3Pxl2KMoNOFpQbcD&q=85&s=c42e80907e00307dc46c0f185dc13272" alt="" width="3024" height="1964" data-path="images/docs/5d674541c032a6056e6d4514b6be893f8388ae7608f389f2ef7c0ec356f7b665-Screenshot_2024-07-22_at_8.29.43_AM_1.png" />
</Frame>

Replace the **entire policy contents** JSON with the contents of the `StreamkapDeprovisionAccess.json` policy shown above.

* Below the editor, click the orange “**Next**” button.
* Name the policy `StreamkapDeprovisionAccess`, and click “Create policy” at the bottom.

## 3. Create the Access Role

* Return to the IAM dashboard and navigate to “**Roles**”

<Frame>
  <img src="https://mintcdn.com/streamkap/mbypW1shgSNkxGX6/images/docs/ca0cff82421fd19f8a03957becd42af24ebf6830d7e7f52b522b67189ac74cb7-Screenshot_2024-07-22_at_8.27.46_AM.png?fit=max&auto=format&n=mbypW1shgSNkxGX6&q=85&s=afbe8e250042986d446fe8bb3522c43b" alt="" width="3024" height="1964" data-path="images/docs/ca0cff82421fd19f8a03957becd42af24ebf6830d7e7f52b522b67189ac74cb7-Screenshot_2024-07-22_at_8.27.46_AM.png" />
</Frame>

* Click the orange “**Create role**” button.

<Frame>
  <img src="https://mintcdn.com/streamkap/mbypW1shgSNkxGX6/images/docs/c7653b53f78bca04401bded338e6776568659fbcb371fd16e42c93eb9885ec46-Screenshot_2024-07-22_at_8.38.09_AM.png?fit=max&auto=format&n=mbypW1shgSNkxGX6&q=85&s=73ecac110a4ec0f198734babbfbbf922" alt="" width="3024" height="1964" data-path="images/docs/c7653b53f78bca04401bded338e6776568659fbcb371fd16e42c93eb9885ec46-Screenshot_2024-07-22_at_8.38.09_AM.png" />
</Frame>

* Under “trusted entity type”, select “**Custom trust policy**”

<Frame>
  <img src="https://mintcdn.com/streamkap/3Pxl2KMoNOFpQbcD/images/docs/1aa53f6e848cd7de5a93ac7fd5b986bf006bb375ed743d1253c77aa73a8120dd-Screenshot_2024-07-22_at_8.38.52_AM.png?fit=max&auto=format&n=3Pxl2KMoNOFpQbcD&q=85&s=ef1fed46d1a2889b72c80c2a0678407f" alt="" width="3024" height="1964" data-path="images/docs/1aa53f6e848cd7de5a93ac7fd5b986bf006bb375ed743d1253c77aa73a8120dd-Screenshot_2024-07-22_at_8.38.52_AM.png" />
</Frame>

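* This will reveal a JSON editor field with the heading “**Custom trust policy**”.
* Replace the **entire trust policy** contents with the following. The `Principal` is the root of the AWS account named in the policy, so any identity in that account that is itself permitted to call `sts:AssumeRole` can assume this role; the policy as shown contains no `Condition` block (for example an `sts:ExternalId` check).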

<CodeGroup>
  ```JSON JSON theme={null}
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::300973880807:root"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```
</CodeGroup>

* Click “Next” at the bottom of the page.
* Search for the `StreamkapProvisionAccess` and `StreamkapDeprovisionAccess` policies and check the boxes.

<Frame>
  <img src="https://mintcdn.com/streamkap/3Pxl2KMoNOFpQbcD/images/docs/47c7ae2fc679d76438dad32982822ff7db2f4cd6c8bc1b96a3ce80c85d1902a5-Screenshot_2024-07-22_at_9.04.36_AM.png?fit=max&auto=format&n=3Pxl2KMoNOFpQbcD&q=85&s=900aadb7b758d88b148d66a7ecbfe9bd" alt="" width="3024" height="1964" data-path="images/docs/47c7ae2fc679d76438dad32982822ff7db2f4cd6c8bc1b96a3ce80c85d1902a5-Screenshot_2024-07-22_at_9.04.36_AM.png" />
</Frame>

* Click “**Next**”
* Name the role `StreamkapInstallAccess` (or another name of your choice). The page should look like this:

<Frame>
  <img src="https://mintcdn.com/streamkap/3Pxl2KMoNOFpQbcD/images/docs/5d50b7f71b453baf6fcc530f82aabda41fad995a9fd1aba1b4799c65692c29d2-Screenshot_2024-07-22_at_9.05.25_AM.png?fit=max&auto=format&n=3Pxl2KMoNOFpQbcD&q=85&s=4f444cf441bb8e4b68289762b9c4ed3d" alt="" width="3024" height="1964" data-path="images/docs/5d50b7f71b453baf6fcc530f82aabda41fad995a9fd1aba1b4799c65692c29d2-Screenshot_2024-07-22_at_9.05.25_AM.png" />
</Frame>

* Click “**Create role**”
* On the role page, locate the **ARN** field and make note of the value. It should take the form `arn:aws:iam::{your AWS account ID}:role/StreamkapInstallAccess`.

<Frame>
  <img src="https://mintcdn.com/streamkap/3Pxl2KMoNOFpQbcD/images/docs/1479816936dec51dcab87a484f0f3c9f5206651e2dea4ba2a02f3a29aeb0dc5b-Screenshot_2024-07-22_at_9.10.56_AM.png?fit=max&auto=format&n=3Pxl2KMoNOFpQbcD&q=85&s=7d282d303cf68b49fe5a38ee292c1c54" alt="" width="3024" height="1964" data-path="images/docs/1479816936dec51dcab87a484f0f3c9f5206651e2dea4ba2a02f3a29aeb0dc5b-Screenshot_2024-07-22_at_9.10.56_AM.png" />
</Frame>

* Copy the **role ARN** you noted earlier and send it to Streamkap.

# Using CloudFormation

<CodeGroup>
  ```yaml CreateStreamkapRole.yaml theme={null}
  AWSTemplateFormatVersion: "2010-09-09"
  Resources:
    # Managed policy holding the create/update/read actions for the install:
    # EC2 networking and instances, EKS, ECR, IAM, KMS, CloudWatch Logs, ACM,
    # Elastic Load Balancing, CloudFormation (describe/get/list/validate/detect
    # only), Route 53, S3, SQS and EventBridge. It is attached to
    # StreamkapInstallAccessRole through that role's ManagedPolicyArns.
    StreamkapProvisionAccessPolicy:
      Type: "AWS::IAM::ManagedPolicy"
      Properties:
        ManagedPolicyName: "StreamkapProvisionAccess"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # Single Allow statement: every action below shares the one
            # Resource value at the end of the list.
            - Sid: ""
              Effect: "Allow"
              Action:
                - "ec2:DescribeAddressesAttribute"
                - "ec2:CreateNetworkAclEntry"
                - "ecr:UntagResource"
                - "eks:ListAccessEntries"
                - "eks:CreateAccessEntry"
                - "eks:DescribeAccessEntry"
                - "eks:UpdateAccessEntry"
                - "eks:AssociateAccessPolicy"
                - "eks:DisassociateAccessPolicy"
                - "eks:CreateAddon"
                - "eks:DescribeAddon"
                - "eks:UpdateAddon"
                - "eks:DescribeAddonConfiguration"
                - "eks:DescribeAddonVersions"
                - "eks:ListAddons"
                - "eks:ListAssociatedAccessPolicies"
                - "eks:CreateCluster"
                - "eks:DescribeCluster"
                - "eks:CreateNodegroup"
                - "eks:DescribeNodegroup"
                - "eks:UpdateNodegroupVersion"
                - "eks:TagResource"
                - "eks:UntagResource"
                - "eks:ListTagsForResource"
                - "eks:DescribeUpdate"
                - "eks:UpdateNodegroupConfig"
                - "eks:CreatePodIdentityAssociation"
                # Wildcard: already matches the individual eks:Describe...
                # entries listed in this policy.
                - "eks:Describe*"
                - "ec2:CreateNetworkInterface"
                # Wildcard: already matches the individual ec2:Describe...
                # entries listed in this policy.
                - "ec2:Describe*"
                - "iam:UntagPolicy"
                - "iam:UntagRole"
                - "kms:UntagResource"
                - "logs:UntagResource"
                - "logs:ListTagsForResource"
                - "ec2:AllocateAddress"
                - "ec2:AssociateRouteTable"
                - "ec2:AttachInternetGateway"
                - "ec2:AuthorizeSecurityGroupEgress"
                - "ec2:AuthorizeSecurityGroupIngress"
                - "ec2:CreateInternetGateway"
                - "ec2:CreateLaunchTemplate"
                - "ec2:CreateLaunchTemplateVersion"
                - "ec2:CreateNatGateway"
                - "ec2:CreateRoute"
                - "ec2:CreateRouteTable"
                - "ec2:CreateSecurityGroup"
                - "ec2:CreateSubnet"
                - "ec2:CreateTags"
                - "ec2:CreateVpc"
                - "ec2:DescribeAddresses"
                - "ec2:DescribeAvailabilityZones"
                - "ec2:DescribeInternetGateways"
                - "ec2:DescribeLaunchTemplateVersions"
                - "ec2:DescribeLaunchTemplates"
                - "ec2:DescribeNatGateways"
                - "ec2:DescribeNetworkAcls"
                - "ec2:DescribeRouteTables"
                - "ec2:DescribeSecurityGroupReferences"
                - "ec2:DescribeSecurityGroupRules"
                - "ec2:DescribeSecurityGroups"
                - "ec2:DescribeSubnets"
                - "ec2:DescribeTags"
                - "ec2:DescribeVpcAttribute"
                - "ec2:DescribeVpcClassicLink"
                - "ec2:DescribeVpcClassicLinkDnsSupport"
                - "ec2:DescribeVpcs"
                - "ec2:ModifyLaunchTemplate"
                - "ec2:ModifySubnetAttribute"
                - "ec2:ModifyVpcAttribute"
                - "ec2:RevokeSecurityGroupEgress"
                - "ec2:RunInstances"
                - "ec2:ModifyNetworkInterfaceAttribute"
                - "ec2:ModifyInstanceAttribute"
                - "ec2:TerminateInstances"
                - "ec2:GetConsoleOutput"
                - "ec2:DescribeInstances"
                - "ec2:AttachNetworkInterface"
                - "ec2:AssociateAddress"
                - "ecr:CreateRepository"
                - "ecr:DescribeRepositories"
                - "ecr:ListTagsForResource"
                - "ecr:TagResource"
                # IAM write actions. Combined with Resource "*" below they are
                # not limited to roles or policies created for this install:
                # the statement allows creating roles and policies, attaching
                # any managed policy to any role, writing inline role policies,
                # rewriting any role's trust policy (iam:UpdateAssumeRolePolicy)
                # and passing any role (iam:PassRole).
                # NOTE(review): if the account holds anything besides this
                # deployment, consider a permissions boundary or name/tag
                # scoping - confirm with the vendor what the installer needs.
                - "iam:AttachRolePolicy"
                - "iam:CreateOpenIDConnectProvider"
                - "iam:CreatePolicy"
                - "iam:CreatePolicyVersion"
                - "iam:CreateRole"
                - "iam:CreateServiceLinkedRole"
                - "iam:GetOpenIDConnectProvider"
                - "iam:GetPolicy"
                - "iam:GetPolicyVersion"
                - "iam:GetRole"
                - "iam:GetRolePolicy"
                - "iam:ListAttachedRolePolicies"
                - "iam:ListRolePolicies"
                - "iam:ListPolicyVersions"
                - "iam:PassRole"
                - "iam:PutRolePolicy"
                - "iam:TagOpenIDConnectProvider"
                - "iam:TagPolicy"
                - "iam:TagRole"
                - "iam:UpdateAssumeRolePolicy"
                - "iam:RemoveRoleFromInstanceProfile"
                - "iam:CreateInstanceProfile"
                - "iam:AddRoleToInstanceProfile"
                - "iam:UpdateRole"
                - "iam:DetachRolePolicy"
                - "iam:ListInstanceProfilesForRole"
                # KMS key creation and key-policy management; kms:PutKeyPolicy
                # is likewise not scoped to a particular key by this statement.
                - "kms:CreateAlias"
                - "kms:CreateGrant"
                - "kms:CreateKey"
                - "kms:DescribeKey"
                - "kms:GetKeyPolicy"
                - "kms:GetKeyRotationStatus"
                - "kms:ListAliases"
                - "kms:ListResourceTags"
                - "kms:PutKeyPolicy"
                - "kms:TagResource"
                - "kms:UpdateAlias"
                - "kms:EnableKeyRotation"
                - "logs:CreateLogGroup"
                - "logs:DescribeLogGroups"
                - "logs:ListTagsLogGroup"
                - "logs:PutRetentionPolicy"
                - "logs:TagLogGroup"
                - "logs:TagResource"
                # Duplicate of the logs:UntagResource entry earlier in this
                # list; it has no additional effect.
                - "logs:UntagResource"
                # Service-wide wildcards: every ACM and Elastic Load Balancing
                # action, including the delete actions of both services.
                - "acm:*"
                - "elasticloadbalancing:*"
                - "cloudformation:Describe*"
                - "cloudformation:EstimateTemplateCost"
                - "cloudformation:Get*"
                - "cloudformation:List*"
                - "cloudformation:ValidateTemplate"
                - "cloudformation:Detect*"
                - "route53:ChangeResourceRecordSets"
                - "route53:ChangeTagsForResource"
                - "route53:CreateHostedZone"
                - "route53:GetChange"
                - "route53:GetHostedZone"
                - "route53:ListResourceRecordSets"
                - "route53:ListTagsForResource"
                # S3 object read/write/delete plus bucket policy, ACL and
                # public-access-block changes; with Resource "*" these reach
                # every bucket this account's IAM permissions govern.
                - "s3:GetObject"
                - "s3:ListBucket"
                - "s3:PutObject"
                - "s3:DeleteObject"
                - "s3:CreateBucket"
                - "s3:PutBucketPolicy"
                - "s3:GetBucketPolicy"
                - "s3:PutBucketTagging"
                - "s3:GetBucketTagging"
                - "s3:GetBucketAcl"
                - "s3:PutBucketAcl"
                - "s3:PutBucketOwnershipControls"
                - "s3:GetBucketOwnershipControls"
                - "s3:PutBucketVersioning"
                - "s3:GetBucketVersioning"
                - "s3:AbortMultipartUpload"
                - "s3:GetBucketLocation"
                - "s3:GetBucketCors"
                - "s3:GetBucketWebsite"
                - "s3:GetAccelerateConfiguration"
                - "s3:GetBucketLogging"
                - "s3:GetBucketObjectLockConfiguration"
                - "s3:GetBucketRequestPayment"
                - "s3:GetEncryptionConfiguration"
                - "s3:GetLifecycleConfiguration"
                - "s3:GetReplicationConfiguration"
                - "s3:PutLifecycleConfiguration"
                - "s3:PutBucketPublicAccessBlock"
                - "s3:GetBucketPublicAccessBlock"
                - "s3:PutEncryptionConfiguration"
                - "eks:ListNodegroups"
                - "eks:ListPodIdentityAssociations"
                - "ec2:ModifyVolume"
                - "sqs:CreateQueue"
                - "sqs:SetQueueAttributes"
                - "sqs:GetQueueAttributes"
                - "sqs:GetQueueUrl"
                - "sqs:TagQueue"
                - "sqs:ListQueueTags"
                - "events:PutRule"
                - "events:PutTargets"
                - "events:RemoveTargets"
                - "events:DescribeRule"
                - "events:ListTargetsByRule"
                - "events:ListTagsForResource"
                - "events:TagResource"
                - "iam:GetInstanceProfile"
                - "iam:TagInstanceProfile"
                - "iam:ListInstanceProfiles"
              # No resource scoping and no Condition block: every action above
              # applies to all resources of the matching type in the account.
              Resource: "*"
    # Managed policy holding the delete/teardown actions together with
    # Describe/Get/List reads. It is attached to StreamkapInstallAccessRole
    # through that role's ManagedPolicyArns, alongside the provision policy.
    StreamkapDeprovisionAccessPolicy:
      Type: "AWS::IAM::ManagedPolicy"
      Properties:
        ManagedPolicyName: "StreamkapDeprovisionAccess"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # Single Allow statement: every action below shares the one
            # Resource value at the end of the list.
            - Sid: ""
              Effect: "Allow"
              Action:
                - "ec2:DeleteNetworkAclEntry"
                - "eks:DeleteAddon"
                - "eks:DeleteCluster"
                - "eks:DescribeCluster"
                - "eks:DeleteNodegroup"
                - "eks:DescribeNodegroup"
                - "ec2:DeleteInternetGateway"
                - "ec2:DeleteLaunchTemplate"
                - "ec2:DeleteLaunchTemplateVersions"
                - "ec2:DeleteNatGateway"
                - "ec2:DeleteNetworkInterface"
                - "ec2:DeleteRoute"
                - "ec2:DeleteRouteTable"
                - "ec2:DeleteSecurityGroup"
                - "ec2:DeleteSubnet"
                - "ec2:DeleteTags"
                - "ec2:DeleteVpc"
                - "ec2:DescribeAddresses"
                - "ec2:DescribeInternetGateways"
                - "ec2:DescribeLaunchTemplateVersions"
                - "ec2:DescribeLaunchTemplates"
                - "ec2:DescribeNatGateways"
                - "ec2:DescribeNetworkAcls"
                - "ec2:DescribeNetworkInterfaces"
                - "ec2:DescribeRouteTables"
                - "ec2:DescribeSecurityGroupRules"
                - "ec2:DescribeSecurityGroups"
                - "ec2:DescribeSubnets"
                - "ec2:DescribeTags"
                - "ec2:DescribeVpcAttribute"
                - "ec2:DescribeVpcClassicLink"
                - "ec2:DescribeVpcClassicLinkDnsSupport"
                - "ec2:DescribeVpcs"
                - "ec2:DetachInternetGateway"
                - "ec2:DetachNetworkInterface"
                - "ec2:DisassociateAddress"
                - "ec2:DisassociateRouteTable"
                - "ec2:ReleaseAddress"
                - "ec2:RevokeSecurityGroupIngress"
                - "ec2:ModifyNetworkInterfaceAttribute"
                - "ec2:ModifyInstanceAttribute"
                - "ec2:TerminateInstances"
                - "ec2:GetConsoleOutput"
                - "ec2:DescribeInstances"
                - "ec2:AttachNetworkInterface"
                - "ec2:AssociateAddress"
                - "ecr:DeleteRepository"
                - "ecr:DescribeRepositories"
                - "ecr:ListTagsForResource"
                # With Resource "*" below, the IAM delete/detach actions apply
                # to any role, policy or OIDC provider in the account, not only
                # to the ones created by the install.
                - "iam:DeleteOpenIDConnectProvider"
                - "iam:DeletePolicy"
                - "iam:DeletePolicyVersion"
                - "iam:DeleteRole"
                - "iam:DeleteRolePolicy"
                - "iam:DetachRolePolicy"
                - "iam:GetOpenIDConnectProvider"
                - "iam:GetPolicy"
                - "iam:GetPolicyVersion"
                - "iam:GetRole"
                - "iam:GetRolePolicy"
                - "iam:ListAttachedRolePolicies"
                - "iam:ListInstanceProfilesForRole"
                - "iam:ListPolicyVersions"
                - "iam:ListRolePolicies"
                - "kms:DeleteAlias"
                - "kms:DescribeKey"
                - "kms:GetKeyPolicy"
                - "kms:GetKeyRotationStatus"
                - "kms:ListAliases"
                - "kms:ListResourceTags"
                - "kms:RetireGrant"
                # Key deletion is not scoped to a particular key by this
                # statement.
                - "kms:ScheduleKeyDeletion"
                - "logs:DeleteLogGroup"
                - "logs:DescribeLogGroups"
                - "logs:ListTagsLogGroup"
                - "route53:ChangeTagsForResource"
                - "route53:DeleteHostedZone"
                - "route53:GetDNSSEC"
                - "route53:GetHostedZone"
                - "route53:ListResourceRecordSets"
                - "route53:ListTagsForResource"
                - "s3:GetObject"
                - "s3:ListBucket"
                - "s3:DeleteBucket"
                - "eks:DeletePodIdentityAssociation"
                - "eks:DeleteAccessEntry"
                - "iam:DeleteInstanceProfile"
                - "sqs:DeleteQueue"
                - "events:DeleteRule"
                - "events:RemoveTargets"
              # No resource scoping and no Condition block: the delete actions
              # above apply to all resources of the matching type in the
              # account.
              Resource: "*"
    # Cross-account role: the trust policy lets the external AWS account below
    # call sts:AssumeRole, and the role carries both managed policies defined
    # in this template.
    StreamkapInstallAccessRole:
      Type: "AWS::IAM::Role"
      Properties:
        # Fixed role name, so the ARN to share has the form
        # arn:aws:iam::<your account id>:role/StreamkapInstallAccess.
        # Custom-named IAM resources require the stack to be created with the
        # CAPABILITY_NAMED_IAM acknowledgement.
        RoleName: "StreamkapInstallAccess"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: ""
              Effect: "Allow"
              Principal:
                # ":root" trusts the whole account 300973880807: any identity
                # in that account whose own IAM permissions allow
                # sts:AssumeRole on this role can assume it, not one specific
                # user or role.
                AWS: "arn:aws:iam::300973880807:root"
              Action: "sts:AssumeRole"
              # NOTE(review): the statement has no Condition block (for example
              # an sts:ExternalId check); confirm with Streamkap whether an
              # external ID is supported before adding one.
        ManagedPolicyArns:
          # !Ref on an AWS::IAM::ManagedPolicy resolves to the policy's ARN.
          - !Ref StreamkapProvisionAccessPolicy
          - !Ref StreamkapDeprovisionAccessPolicy
  ```
</CodeGroup>
