Scenario: Restrict access to only listener-related actions of the Application Load Balancer.
Policy example:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alb:CreateListener",
        "alb:DeleteListener",
        "alb:ModifyListener",
        "alb:DescribeListener",
        "alb:DescribeListenerAttributes",
        "alb:DescribeListenerHealth"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Interpretation: This policy limits the permitted operations by enumerating all listener-related actions under alb. The listener-related operations can also be defined with a wildcard, written as follows:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "alb:*Listener*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
For instructions on using action-level permissions, see the Action documentation.
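The following added example (not part of the original page or the product's own tooling) expands both policies above against an action catalog to show what the wildcard form grants beyond the enumerated form. It assumes `*` matches any run of characters; the two `alb:Example...` action names are hypothetical and stand in for the rest of the service's real action list.

```python
import json
import re

# The two policies shown on the page.
ENUMERATED = json.loads("""{"Statement": [{"Effect": "Allow", "Action": [
  "alb:CreateListener", "alb:DeleteListener", "alb:ModifyListener",
  "alb:DescribeListener", "alb:DescribeListenerAttributes",
  "alb:DescribeListenerHealth"], "Resource": ["*"]}]}""")
WILDCARD = json.loads("""{"Statement": [{"Effect": "Allow",
  "Action": ["alb:*Listener*"], "Resource": ["*"]}]}""")

# Constructed catalog: the six actions from the page plus two hypothetical
# names standing in for the rest of the service's action list.
CATALOG = list(ENUMERATED["Statement"][0]["Action"]) + [
    "alb:ExampleRotateListenerCert",   # hypothetical, contains "Listener"
    "alb:ExampleCreateLoadBalancer",   # hypothetical, no "Listener"
]


def matches(pattern, action):
    """Assumption: '*' matches any run of characters, the rest is literal."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, action) is not None


def allowed_actions(policy, catalog):
    """Catalog actions granted by the policy's Allow statements.
    Deny statements and Resource scoping are out of scope for this check."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        granted.update(a for a in catalog if any(matches(p, a) for p in patterns))
    return granted


def extra_grants(broad, narrow, catalog):
    """Actions the broad policy allows that the narrow one does not."""
    return sorted(allowed_actions(broad, catalog) - allowed_actions(narrow, catalog))


if __name__ == "__main__":
    print("wildcard-only grants:", extra_grants(WILDCARD, ENUMERATED, CATALOG))
```

Run against the real action list from the Action documentation, a non-empty result means the wildcard policy grants more than the six enumerated actions and should be reviewed before it replaces them.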