diff --git a/aws/policy/application-services.yaml b/aws/policy/application-services.yaml
index 375e3b22..31b92478 100644
--- a/aws/policy/application-services.yaml
+++ b/aws/policy/application-services.yaml
@@ -7,13 +7,12 @@ Statement:
       - ses:DescribeReceiptRuleSet
       - ses:CreateReceiptRuleSet
       - ses:DeleteReceiptRuleSet
-      - ses:ListReceiptRuleSets
+      - ses:List*
       - ses:SetActiveReceiptRuleSet
       - ses:GetIdentityNotificationAttributes
       - ses:GetIdentityVerificationAttributes
       - ses:GetIdentityDkimAttributes
       - ses:DeleteIdentity
-      - ses:ListIdentities
       - ses:SetIdentityFeedbackForwardingEnabled
       - ses:SetIdentityHeadersInNotificationsEnabled
       - ses:SetIdentityNotificationTopic
@@ -24,15 +23,13 @@ Statement:
       - ses:GetIdentityPolicies
       - ses:PutIdentityPolicy
       - ses:DeleteIdentityPolicy
-      - ses:ListIdentityPolicies
       - ssm:DescribeParameters
       - ssm:DescribeAssociation
       - ssm:GetDeployablePatchSnapshotForInstance
       - ssm:GetDocument
       - ssm:DescribeDocument
       - ssm:GetManifest
-      - ssm:ListAssociations
-      - ssm:ListInstanceAssociations
+      - ssm:List*
       - ssm:PutInventory
       - ssm:PutComplianceItems
       - ssm:PutConfigurePackageResult
@@ -138,6 +135,9 @@ Statement:
       - SNS:SetSubscriptionAttributes
       - SNS:Subscribe
       - SNS:Unsubscribe
+      - SNS:ListTagsForResource
+      - SNS:TagResource
+      - SNS:UntagResource
       - states:DescribeExecution
       - states:DescribeStateMachine
       - states:DeleteStateMachine
@@ -203,6 +203,9 @@ Statement:
     Action:
       - SNS:Subscribe
       - SNS:Unsubscribe
+      - SNS:ListTagsForResource
+      - SNS:TagResource
+      - SNS:UntagResource
     Resource:
       # https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/
       - 'arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged'