What are the required minimal AWS permissions/roles for CPM operation?