diff --git a/parliament/__init__.py b/parliament/__init__.py index 791a0e7..f9b5d48 100644 --- a/parliament/__init__.py +++ b/parliament/__init__.py @@ -1,7 +1,7 @@ """ This library is a linter for AWS IAM policies. """ -__version__ = "1.3.0" +__version__ = "1.3.1" import fnmatch import functools diff --git a/parliament/iam_definition.json b/parliament/iam_definition.json index eb15ba7..0ec9b59 100644 --- a/parliament/iam_definition.json +++ b/parliament/iam_definition.json @@ -4742,7 +4742,7 @@ "privileges": [ { "access_level": "Write", - "description": "Creates an application from a resource group", + "description": "Grants permission to create an application from a resource group", "privilege": "CreateApplication", "resource_types": [ { @@ -4754,7 +4754,7 @@ }, { "access_level": "Write", - "description": "Creates a component from a group of resources", + "description": "Grants permission to create a component from a group of resources", "privilege": "CreateComponent", "resource_types": [ { @@ -4766,7 +4766,19 @@ }, { "access_level": "Write", - "description": "Deletes an application", + "description": "Grants permission to create log a pattern", + "privilege": "CreateLogPattern", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an application", "privilege": "DeleteApplication", "resource_types": [ { @@ -4778,7 +4790,7 @@ }, { "access_level": "Write", - "description": "Deletes a component", + "description": "Grants permission to delete a component", "privilege": "DeleteComponent", "resource_types": [ { 
@@ -4788,9 +4800,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a log pattern", + "privilege": "DeleteLogPattern", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", - "description": "Describes an application", + "description": "Grants permission to describe an application", "privilege": "DescribeApplication", "resource_types": [ { @@ -4802,7 +4826,7 @@ }, { "access_level": "Read", - "description": "Describes a component", + "description": "Grants permission to describe a component", "privilege": "DescribeComponent", "resource_types": [ { @@ -4814,7 +4838,7 @@ }, { "access_level": "Read", - "description": "Describes a component configuration", + "description": "Grants permission to describe a component's configuration", "privilege": "DescribeComponentConfiguration", "resource_types": [ { @@ -4826,7 +4850,7 @@ }, { "access_level": "Read", - "description": "Describe the recommended application component configuration", + "description": "Grants permission to describe the recommended application component configuration", "privilege": "DescribeComponentConfigurationRecommendation", "resource_types": [ { @@ -4838,7 +4862,19 @@ }, { "access_level": "Read", - "description": "Describes an observation", + "description": "Grants permission to describe a log pattern", + "privilege": "DescribeLogPattern", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an observation", "privilege": "DescribeObservation", "resource_types": [ { @@ -4850,7 +4886,7 @@ }, { "access_level": "Read", - "description": "Describes a problem", + "description": "Grants permission to describe a problem", "privilege": "DescribeProblem", "resource_types": [ { 
@@ -4862,7 +4898,7 @@ }, { "access_level": "Read", - "description": "Describes the observation in a problem", + "description": "Grants permission to describe the observation in a problem", "privilege": "DescribeProblemObservations", "resource_types": [ { @@ -4874,7 +4910,7 @@ }, { "access_level": "List", - "description": "Lists all applications", + "description": "Grants permission to list all applications", "privilege": "ListApplications", "resource_types": [ { @@ -4886,7 +4922,7 @@ }, { "access_level": "List", - "description": "List an application's components", + "description": "Grants permission to list an application's components", "privilege": "ListComponents", "resource_types": [ { @@ -4898,7 +4934,43 @@ }, { "access_level": "List", - "description": "Lists the problems in an application", + "description": "Grants permission to list configuration history", + "privilege": "ListConfigurationHistory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list log pattern sets for an application", + "privilege": "ListLogPatternSets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list log patterns", + "privilege": "ListLogPatterns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the problems in an application", "privilege": "ListProblems", "resource_types": [ { 
@@ -4908,9 +4980,45 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list tags for the resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", - "description": "Updates an application", + "description": "Grants permission to update an application", "privilege": "UpdateApplication", "resource_types": [ { @@ -4922,7 +5030,7 @@ }, { "access_level": "Write", - "description": "Updates a component", + "description": "Grants permission to update a component", "privilege": "UpdateComponent", "resource_types": [ { @@ -4934,7 +5042,7 @@ }, { "access_level": "Write", - "description": "Updates a component configuration", + "description": "Grants permission to update a component's configuration", "privilege": "UpdateComponentConfiguration", "resource_types": [ { @@ -4943,6 +5051,18 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a log pattern", + "privilege": "UpdateLogPattern", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [], 
@@ -7694,6 +7814,140 @@ ], "service_name": "AWS AppSync" }, + { + "conditions": [], + "prefix": "aps", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a workspace", + "privilege": "CreateWorkspace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a workspace", + "privilege": "DeleteWorkspace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a workspace", + "privilege": "DescribeWorkspace", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve AMP workspace labels", + "privilege": "GetLabels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the metadata for AMP workspace metrics", + "privilege": "GetMetricMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve AMP workspace time series data", + "privilege": "GetSeries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list workspaces", + "privilege": "ListWorkspaces", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to run a query on AMP workspace metrics", + "privilege": 
"QueryMetrics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to perform a remote write operation to initiate the streaming of metrics to AMP workspace", + "privilege": "RemoteWrite", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the alias of existing AMP workspace", + "privilege": "UpdateWorkspaceAlias", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workspace*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:aps::${Region}:${Account}:workspace/${ResourceId}", + "condition_keys": [], + "resource": "workspace" + } + ], + "service_name": "Amazon Managed Service for Prometheus" + }, { "conditions": [], "prefix": "arsenal", 
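Review bot: The `workspace` ARN pattern in the `resources` list of the new `aps` block has an empty field between the service and the region (`aps::${Region}`), so it describes one more colon-separated field than the usual `arn:partition:service:region:account:resource` layout. If the linter compares a policy's `Resource` values against this pattern, correctly formed workspace ARNs would presumably be reported as mismatches for the actions scoped to `workspace*`, and a policy author may silence the finding by widening the resource to `*`. I would change the line to `"arn": "arn:${Partition}:aps:${Region}:${Account}:workspace/${ResourceId}",`. If this file is regenerated from upstream documentation, the correction should also be carried as an override in that step so it is not lost on the next refresh.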
@@ -8224,6 +8478,725 @@ ], "service_name": "Amazon Athena" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "auditmanager", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to associate an evidence folder with an assessment report in AWS Audit Manager", + "privilege": "AssociateAssessmentReportEvidenceFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to associate a list of evidence to an assessment report in AWS Audit Manager", + "privilege": "BatchAssociateAssessmentReportEvidence", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create delegations for an assessment in AWS Audit Manager", + "privilege": "BatchCreateDelegationByAssessment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete delegations for an assessment in AWS Audit Manager", + "privilege": "BatchDeleteDelegationByAssessment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a list of evidence from an assessment report in AWS Audit 
Manager", + "privilege": "BatchDisassociateAssessmentReportEvidence", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to import a list of evidence to an assessment control in AWS Audit Manager", + "privilege": "BatchImportEvidenceToAssessmentControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentControlSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an assessment to be used with AWS Audit Manager", + "privilege": "CreateAssessment", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a framework for use in AWS Audit Manager", + "privilege": "CreateAssessmentFramework", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an assessment report in AWS Audit Manager", + "privilege": "CreateAssessmentReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a control to be used in AWS Audit Manager", + "privilege": "CreateControl", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an assessment in AWS Audit Manager", + "privilege": "DeleteAssessment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + }, + { + 
"condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an assessment framework in AWS Audit Manager", + "privilege": "DeleteAssessmentFramework", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentFramework*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an assessment report in AWS Audit Manager", + "privilege": "DeleteAssessmentReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a control in AWS Audit Manager", + "privilege": "DeleteControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "control*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deregister an account in AWS Audit Manager", + "privilege": "DeregisterAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deregister the delegated administrator account for AWS Audit Manager", + "privilege": "DeregisterOrganizationAdminAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate an evidence folder from an assessment report in AWS Audit Manager", + "privilege": 
"DisassociateAssessmentReportEvidenceFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the status of an account in AWS Audit Manager", + "privilege": "GetAccountStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an assessment created in AWS Audit Manager", + "privilege": "GetAssessment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an assessment framework in AWS Audit Manager", + "privilege": "GetAssessmentFramework", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentFramework*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the URL for an assessment report in AWS Audit Manager", + "privilege": "GetAssessmentReportUrl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get changelogs for an assessment in AWS Audit Manager", + "privilege": "GetChangeLogs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a control in AWS Audit Manager", + "privilege": "GetControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "control*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get all delegations in AWS Audit Manager", + "privilege": "GetDelegations", + "resource_types": [ + 
{ + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get evidence from AWS Audit Manager", + "privilege": "GetEvidence", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentControlSet*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get all the evidence from an evidence folder in AWS Audit Manager", + "privilege": "GetEvidenceByEvidenceFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentControlSet*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the evidence folder from AWS Audit Manager", + "privilege": "GetEvidenceFolder", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentControlSet*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the evidence folders from an assessment in AWS Audit Manager", + "privilege": "GetEvidenceFoldersByAssessment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the evidence folders from an assessment control in AWS Audit Manager", + "privilege": "GetEvidenceFoldersByAssessmentControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentControlSet*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the delegated administrator account in AWS Audit Manager", + "privilege": "GetOrganizationAdminAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the services in scope for an 
assessment in AWS Audit Manager", + "privilege": "GetServicesInScope", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get all settings configured in AWS Audit Manager", + "privilege": "GetSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assessment frameworks in AWS Audit Manager", + "privilege": "ListAssessmentFrameworks", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assessment reports in AWS Audit Manager", + "privilege": "ListAssessmentReports", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all assessments in AWS Audit Manager", + "privilege": "ListAssessments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all controls in AWS Audit Manager", + "privilege": "ListControls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the data source keywords in AWS Audit Manager", + "privilege": "ListKeywordsForDataSource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all notifications in AWS Audit Manager", + "privilege": "ListNotifications", + "resource_types": [ + { + "condition_keys": [], + 
"dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tags for an AWS Audit Manager resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "control" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to register an account in AWS Audit Manager", + "privilege": "RegisterAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to register an account within the organization as the delegated administrator for AWS Audit Manager", + "privilege": "RegisterOrganizationAdminAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag an AWS Audit Manager resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "control" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag an AWS Audit Manager resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "control" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": 
"Grants permission to update an assessment in AWS Audit Manager", + "privilege": "UpdateAssessment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an assessment control in AWS Audit Manager", + "privilege": "UpdateAssessmentControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentControlSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the status of an assessment control set in AWS Audit Manager", + "privilege": "UpdateAssessmentControlSetStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentControlSet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an assessment framework in AWS Audit Manager", + "privilege": "UpdateAssessmentFramework", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessmentFramework*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the status of an assessment in AWS Audit Manager", + "privilege": "UpdateAssessmentStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "assessment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a control in AWS Audit Manager", + "privilege": "UpdateControl", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "control*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update settings in AWS Audit Manager", + "privilege": "UpdateSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": 
"Grants permission to validate the integrity of an assessment report in AWS Audit Manager", + "privilege": "ValidateAssessmentReportIntegrity", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${assessmentId}", + "condition_keys": [], + "resource": "assessment" + }, + { + "arn": "arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${assessmentFrameworkId}", + "condition_keys": [], + "resource": "assessmentFramework" + }, + { + "arn": "arn:${Partition}:auditmanager:${Region}:${Account}:assessment/${assessmentId}/controlSet/{controlSetId}", + "condition_keys": [], + "resource": "assessmentControlSet" + }, + { + "arn": "arn:${Partition}:auditmanager:${Region}:${Account}:control/${controlId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "control" + } + ], + "service_name": "AWS Audit Manager" + }, { "conditions": [ { @@ -12118,6 +13091,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to query Cost Catagory names and values for a specified time period", + "privilege": "GetCostCategories", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a cost forecast for a forecast time period", @@ -12744,6 +13729,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to establish a web socket connection to the messaging session endpoint", + "privilege": "Connect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to connect an Active Directory to your Amazon Chime Enterprise account", 
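Review bot: Two ARN patterns in the `resources` list of the new `auditmanager` block look wrong. `assessmentFramework` reuses the `assessment/` prefix (`...:assessment/${assessmentFrameworkId}`), which makes it structurally identical to the `assessment` resource, so a framework-scoped action such as `DeleteAssessmentFramework` would appear to be satisfied by any assessment ARN. `assessmentControlSet` ends in `{controlSetId}` without the `$`, so it is probably read as literal text rather than a placeholder, and real control-set ARNs would not match. I would expect `...:assessmentFramework/${assessmentFrameworkId}` and `.../controlSet/${controlSetId}`, to be confirmed against the service's published ARN formats before merging.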
@@ -12782,6 +13779,53 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an app instance under the AWS account", + "privilege": "CreateAppInstance", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to promote an AppInstanceUser to an AppInstanceAdmin", + "privilege": "CreateAppInstanceAdmin", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a user under an Amazon Chime AppInstance", + "privilege": "CreateAppInstanceUser", + "resource_types": [ + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new attendee for an active Amazon Chime SDK meeting", 
@@ -12833,6 +13877,77 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a channel for an app instance under the AWS account", + "privilege": "CreateChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to ban a user from a channel", + "privilege": "CreateChannelBan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a user to a channel", + "privilege": "CreateChannelMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a channel moderator", + "privilege": "CreateChannelModerator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new Amazon Chime SDK meeting in the specified media Region, with no initial attendees", 
@@ -13031,6 +14146,59 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an AppInstance", + "privilege": "DeleteAppInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to demote an AppInstanceAdmin to an AppInstanceUser", + "privilege": "DeleteAppInstanceAdmin", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable data streaming for the app instance", + "privilege": "DeleteAppInstanceStreamingConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an AppInstanceUser", + "privilege": "DeleteAppInstanceUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete the specified attendee from an Amazon Chime SDK meeting", 
@@ -13057,6 +14225,91 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a channel", + "privilege": "DeleteChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a user from a channel's ban list", + "privilege": "DeleteChannelBan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove a member from a channel", + "privilege": "DeleteChannelMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a channel message", + "privilege": "DeleteChannelMessage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a channel moderator", + "privilege": "DeleteChannelModerator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete delegated AWS account management from your Amazon Chime account", 
@@ -13285,6 +14538,149 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of an AppInstance", + "privilege": "DescribeAppInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of an AppInstanceAdmin", + "privilege": "DescribeAppInstanceAdmin", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of an AppInstanceUser", + "privilege": "DescribeAppInstanceUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of a channel", + "privilege": "DescribeChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of a channel ban", + "privilege": "DescribeChannelBan", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of a channel membership", + "privilege": "DescribeChannelMembership", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + 
"condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the details of a channel based on the membership of the specified AppInstanceUser", + "privilege": "DescribeChannelMembershipForAppInstanceUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of a channel moderated by the specified AppInstanceUser", + "privilege": "DescribeChannelModeratedByAppInstanceUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of a single ChannelModerator", + "privilege": "DescribeChannelModerator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to disassociate the primary provisioned number from the specified Amazon Chime user", 
@@ -13393,6 +14789,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get retention settings for an app instance", + "privilege": "GetAppInstanceRetentionSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the streaming configurations for an app instance", + "privilege": "GetAppInstanceStreamingConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get attendee details for a specified meeting ID and attendee ID", @@ -13435,6 +14855,23 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the full details of a channel message", + "privilege": "GetChannelMessage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get domain details for a domain associated with your Amazon Chime account", @@ -13495,6 +14932,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the endpoint for the messaging session", + "privilege": "GetMessagingSessionEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get details for the specified phone number", 
@@ -13843,6 +15292,47 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list administrators in the app instance", + "privilege": "ListAppInstanceAdmins", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all AppInstanceUsers created under a single app instance", + "privilege": "ListAppInstanceUsers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all Amazon Chime app instances created under a single AWS account", + "privilege": "ListAppInstances", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the tags applied to an Amazon Chime SDK attendee resource", 
@@ -13906,6 +15396,115 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list all the users banned from a particular channel", + "privilege": "ListChannelBans", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all channel memberships in a channel", + "privilege": "ListChannelMemberships", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all channels that a particular AppInstanceUser is a part of", + "privilege": "ListChannelMembershipsForAppInstanceUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the messages in a channel", + "privilege": "ListChannelMessages", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the moderators for a channel", + "privilege": "ListChannelModerators", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the Channels created under a single Chime AppInstance", + "privilege": 
"ListChannels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all channels moderated by an app instance user", + "privilege": "ListChannelsModeratedByAppInstanceUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list account delegate information associated with your Amazon Chime account", @@ -14088,13 +15687,13 @@ }, { "access_level": "List", - "description": "Grants permission to list the tags applied to an Amazon Chime SDK meeting resource.", + "description": "Grants permission to list the tags applied to an Amazon Chime resource.", "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "meeting" + "resource_type": "channel" } ] }, @@ -14158,6 +15757,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to enable data retention for the app instance", + "privilege": "PutAppInstanceRetentionSettings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to configure data streaming for the app instance", + "privilege": "PutAppInstanceStreamingConfigurations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update details for an events configuration for a bot to receive outgoing events", 
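Review bot: In the `ListTagsForResource` hunk (`@@ -14088,13 +15687,13 @@`) the only resource type changes from `meeting` to `channel`, so the definition no longer ties this tagging action to meetings, even though the new description says "Amazon Chime resource" and the `meeting` resource is still defined in the service's resource list in a later hunk. The `TagResource` and `UntagResource` hunks make the same swap. A linter driven by this data would presumably report a policy that scopes `chime:TagResource` to a meeting ARN as a resource mismatch, which nudges authors toward a wildcard resource instead of a scoped one. This looks like the regeneration kept a single row of a multi-resource action (inferred, as the generator is not visible here); keep the old entry next to the new one, `{ "condition_keys": [], "dependent_actions": [], "resource_type": "meeting" }`, and confirm whether `app-instance` and `app-instance-user` belong in these three actions as well.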
@@ -14285,6 +15908,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to redact message content", + "privilege": "RedactChannelMessage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Write", "description": "Redacts the specified Chime conversation Message", @@ -14405,6 +16045,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to send a message to a particular channel that the member is a part of", + "privilege": "SendChannelMessage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to submit the \"Request attachments\" request", @@ -14476,13 +16133,13 @@ }, { "access_level": "Tagging", - "description": "Grants permission to apply the specified tags to the specified Amazon Chime SDK meeting resource.", + "description": "Grants permission to apply the specified tags to the specified Amazon Chime resource.", "privilege": "TagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "meeting" + "resource_type": "channel" }, { "condition_keys": [ @@ -14533,13 +16190,13 @@ }, { "access_level": "Tagging", - "description": "Grants permission to untag the specified tags from the specified Amazon Chime SDK meeting resource.", + "description": "Grants permission to untag the specified tags from the specified Amazon Chime resource.", "privilege": "UntagResource", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "meeting" + "resource_type": "channel" } ] }, 
@@ -14591,6 +16248,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update AppInstance metadata", + "privilege": "UpdateAppInstance", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the details for an AppInstanceUser", + "privilege": "UpdateAppInstanceUser", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the status of the specified bot", @@ -14619,6 +16300,57 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a channel's attributes", + "privilege": "UpdateChannel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the content of a message", + "privilege": "UpdateChannelMessage", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to set the timestamp to the point when a user last read messages in a channel", + "privilege": "UpdateChannelReadMarker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "app-instance-user*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the global settings related to Amazon Chime for the AWS account", 
@@ -14807,6 +16539,27 @@ "aws:ResourceTag/${TagKey}" ], "resource": "meeting" + }, + { + "arn": "arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "app-instance" + }, + { + "arn": "arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}/user/${AppInstanceUserId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "app-instance-user" + }, + { + "arn": "arn:${Partition}:chime::${AccountId}:app-instance/${AppInstanceId}/channel/${ChannelId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "channel" } ], "service_name": "Amazon Chime" 
@@ -15977,47 +17730,47 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" }, { "condition": "cloudformation:ChangeSetName", - "description": "An AWS CloudFormation change set name. Use to control which change sets IAM users can execute or delete.", + "description": "Filters actions based on an AWS CloudFormation change set name. Use to control which change sets IAM users can execute or delete", "type": "String" }, { "condition": "cloudformation:ImportResourceTypes", - "description": "The template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they want to import a resource into a stack.", + "description": "Filters actions based on the template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they want to import a resource into a stack", "type": "String" }, { "condition": "cloudformation:ResourceTypes", - "description": "The template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they create or update a stack.", + "description": "Filters actions based on the template resource types, such as AWS::EC2::Instance. Use to control which resource types IAM users can work with when they create or update a stack", "type": "String" }, { "condition": "cloudformation:RoleArn", - "description": "The ARN of an IAM service role. 
Use to control which service role IAM users can use to work with stacks or change sets.", + "description": "Filters actions based on the ARN of an IAM service role. Use to control which service role IAM users can use to work with stacks or change sets", "type": "ARN" }, { "condition": "cloudformation:StackPolicyUrl", - "description": "An Amazon S3 stack policy URL. Use to control which stack policies IAM users can associate with a stack during a create or update stack action.", + "description": "Filters actions based on an Amazon S3 stack policy URL. Use to control which stack policies IAM users can associate with a stack during a create or update stack action", "type": "String" }, { "condition": "cloudformation:TemplateUrl", - "description": "An Amazon S3 template URL. Use to control which templates IAM users can use when they create or update stacks.", + "description": "Filters actions based on an Amazon S3 template URL. Use to control which templates IAM users can use when they create or update stacks", "type": "String" } ], @@ -16025,7 +17778,7 @@ "privileges": [ { "access_level": "Write", - "description": "Cancels an update on the specified stack.", + "description": "Grants permission to cancel an update on the specified stack", "privilege": "CancelUpdateStack", "resource_types": [ { @@ -16037,7 +17790,7 @@ }, { "access_level": "Write", - "description": "For a specified stack that is in the UPDATE_ROLLBACK_FAILED state, continues rolling it back to the UPDATE_ROLLBACK_COMPLETE state.", + "description": "Grants permission to continue rolling back a stack that is in the UPDATE_ROLLBACK_FAILED state to the UPDATE_ROLLBACK_COMPLETE state", "privilege": "ContinueUpdateRollback", "resource_types": [ { @@ -16056,7 +17809,7 @@ }, { "access_level": "Write", - "description": "Creates a list of changes for a stack.", + "description": "Grants permission to create a list of changes for a stack", "privilege": "CreateChangeSet", "resource_types": [ { 
@@ -16082,7 +17835,7 @@ }, { "access_level": "Write", - "description": "Creates a stack as specified in the template.", + "description": "Grants permission to create a stack as specified in the template", "privilege": "CreateStack", "resource_types": [ { @@ -16106,19 +17859,29 @@ }, { "access_level": "Write", - "description": "Creates stack instances for the specified accounts, within the specified regions.", + "description": "Grants permission to create stack instances for the specified accounts, within the specified regions", "privilege": "CreateStackInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "stackset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stackset-target" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "type" } ] }, { "access_level": "Write", - "description": "Creates a stackset as specified in the template.", + "description": "Grants permission to create a stackset as specified in the template", "privilege": "CreateStackSet", "resource_types": [ { @@ -16135,7 +17898,7 @@ }, { "access_level": "Write", - "description": "", + "description": "Grants permission to upload templates to Amazon S3 buckets. Used only by the AWS CloudFormation console and is not documented in the API reference", "privilege": "CreateUploadBucket", "resource_types": [ { @@ -16147,7 +17910,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified change set. Deleting change sets ensures that no one executes the wrong change set.", + "description": "Grants permission to delete the specified change set. Deleting change sets ensures that no one executes the wrong change set", "privilege": "DeleteChangeSet", "resource_types": [ { @@ -16166,7 +17929,7 @@ }, { "access_level": "Write", - "description": "Deletes a specified stack.", + "description": "Grants permission to delete a specified stack", "privilege": "DeleteStack", "resource_types": [ { 
@@ -16185,19 +17948,29 @@ }, { "access_level": "Write", - "description": "Deletes stack instances for the specified accounts, in the specified regions.", + "description": "Grants permission to delete stack instances for the specified accounts, in the specified regions", "privilege": "DeleteStackInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "stackset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stackset-target" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "type" } ] }, { "access_level": "Write", - "description": "Deletes a specified stackset.", + "description": "Grants permission to delete a specified stackset", "privilege": "DeleteStackSet", "resource_types": [ { @@ -16209,7 +17982,7 @@ }, { "access_level": "Write", - "description": "Deregisters an existing CloudFormation type or type version", + "description": "Grants permission to deregister an existing CloudFormation type or type version", "privilege": "DeregisterType", "resource_types": [ { @@ -16221,7 +17994,7 @@ }, { "access_level": "Read", - "description": "Retrieves your account's AWS CloudFormation limits.", + "description": "Grants permission to retrieve your account's AWS CloudFormation limits", "privilege": "DescribeAccountLimits", "resource_types": [ { @@ -16233,7 +18006,7 @@ }, { "access_level": "Read", - "description": "Returns the description for the specified change set.", + "description": "Grants permission to return the description for the specified change set", "privilege": "DescribeChangeSet", "resource_types": [ { @@ -16252,7 +18025,7 @@ }, { "access_level": "Read", - "description": "Returns information about a stack drift detection operation.", + "description": "Grants permission to return information about a stack drift detection operation", "privilege": "DescribeStackDriftDetectionStatus", "resource_types": [ { 
@@ -16264,7 +18037,7 @@ }, { "access_level": "Read", - "description": "Returns all stack related events for a specified stack.", + "description": "Grants permission to return all stack related events for a specified stack", "privilege": "DescribeStackEvents", "resource_types": [ { @@ -16276,7 +18049,7 @@ }, { "access_level": "Read", - "description": "Returns the stack instance that's associated with the specified stack set, AWS account, and region.", + "description": "Grants permission to return the stack instance that's associated with the specified stack set, AWS account, and region", "privilege": "DescribeStackInstance", "resource_types": [ { @@ -16288,7 +18061,7 @@ }, { "access_level": "Read", - "description": "Returns a description of the specified resource in the specified stack.", + "description": "Grants permission to return a description of the specified resource in the specified stack", "privilege": "DescribeStackResource", "resource_types": [ { @@ -16300,7 +18073,7 @@ }, { "access_level": "Read", - "description": "Returns drift information for the resources that have been checked for drift in the specified stack.", + "description": "Grants permission to return drift information for the resources that have been checked for drift in the specified stack", "privilege": "DescribeStackResourceDrifts", "resource_types": [ { @@ -16312,7 +18085,7 @@ }, { "access_level": "Read", - "description": "Returns AWS resource descriptions for running and deleted stacks.", + "description": "Grants permission to return AWS resource descriptions for running and deleted stacks", "privilege": "DescribeStackResources", "resource_types": [ { @@ -16324,7 +18097,7 @@ }, { "access_level": "Read", - "description": "Returns the description of the specified stack set.", + "description": "Grants permission to return the description of the specified stack set", "privilege": "DescribeStackSet", "resource_types": [ { 
@@ -16336,7 +18109,7 @@ }, { "access_level": "Read", - "description": "Returns the description of the specified stack set operation.", + "description": "Grants permission to return the description of the specified stack set operation", "privilege": "DescribeStackSetOperation", "resource_types": [ { @@ -16348,7 +18121,7 @@ }, { "access_level": "List", - "description": "Returns the description for the specified stack.", + "description": "Grants permission to return the description for the specified stack", "privilege": "DescribeStacks", "resource_types": [ { @@ -16360,7 +18133,7 @@ }, { "access_level": "Read", - "description": "Returns information about the CloudFormation type requested", + "description": "Grants permission to return information about the CloudFormation type requested", "privilege": "DescribeType", "resource_types": [ { @@ -16372,7 +18145,7 @@ }, { "access_level": "Read", - "description": "Returns information about the registration process for a CloudFormation type", + "description": "Grants permission to return information about the registration process for a CloudFormation type", "privilege": "DescribeTypeRegistration", "resource_types": [ { @@ -16384,7 +18157,7 @@ }, { "access_level": "Read", - "description": "Detects whether a stack's actual configuration differs, or has drifted, from it's expected configuration, as defined in the stack template and any values specified as template parameters.", + "description": "Grants permission to detects whether a stack's actual configuration differs, or has drifted, from it's expected configuration, as defined in the stack template and any values specified as template parameters", "privilege": "DetectStackDrift", "resource_types": [ { 
@@ -16396,7 +18169,7 @@ }, { "access_level": "Read", - "description": "Returns information about whether a resource's actual configuration differs, or has drifted, from it's expected configuration, as defined in the stack template and any values specified as template parameters.", + "description": "Grants permission to return information about whether a resource's actual configuration differs, or has drifted, from it's expected configuration, as defined in the stack template and any values specified as template parameters", "privilege": "DetectStackResourceDrift", "resource_types": [ { @@ -16408,7 +18181,7 @@ }, { "access_level": "Read", - "description": "Enables users to detect drift on a stack set and the stack instances that belong to that stack set.", + "description": "Grants permission to enable users to detect drift on a stack set and the stack instances that belong to that stack set", "privilege": "DetectStackSetDrift", "resource_types": [ { @@ -16420,7 +18193,7 @@ }, { "access_level": "Read", - "description": "Returns the estimated monthly cost of a template.", + "description": "Grants permission to return the estimated monthly cost of a template", "privilege": "EstimateTemplateCost", "resource_types": [ { @@ -16432,7 +18205,7 @@ }, { "access_level": "Write", - "description": "Updates a stack using the input information that was provided when the specified change set was created.", + "description": "Grants permission to update a stack using the input information that was provided when the specified change set was created", "privilege": "ExecuteChangeSet", "resource_types": [ { @@ -16451,7 +18224,7 @@ }, { "access_level": "Read", - "description": "Returns the stack policy for a specified stack.", + "description": "Grants permission to return the stack policy for a specified stack", "privilege": "GetStackPolicy", "resource_types": [ { 
@@ -16463,7 +18236,7 @@ }, { "access_level": "Read", - "description": "Returns the template body for a specified stack.", + "description": "Grants permission to return the template body for a specified stack", "privilege": "GetTemplate", "resource_types": [ { @@ -16475,7 +18248,7 @@ }, { "access_level": "Read", - "description": "Returns information about a new or existing template.", + "description": "Grants permission to return information about a new or existing template", "privilege": "GetTemplateSummary", "resource_types": [ { @@ -16492,7 +18265,7 @@ }, { "access_level": "List", - "description": "Returns the ID and status of each active change set for a stack. For example, AWS CloudFormation lists change sets that are in the CREATE_IN_PROGRESS or CREATE_PENDING state.", + "description": "Grants permission to return the ID and status of each active change set for a stack. For example, AWS CloudFormation lists change sets that are in the CREATE_IN_PROGRESS or CREATE_PENDING state", "privilege": "ListChangeSets", "resource_types": [ { @@ -16504,7 +18277,7 @@ }, { "access_level": "List", - "description": "Lists all exported output values in the account and region in which you call this action.", + "description": "Grants permission to list all exported output values in the account and region in which you call this action", "privilege": "ListExports", "resource_types": [ { @@ -16516,7 +18289,7 @@ }, { "access_level": "List", - "description": "Lists all stacks that are importing an exported output value.", + "description": "Grants permission to list all stacks that are importing an exported output value", "privilege": "ListImports", "resource_types": [ { 
@@ -16528,7 +18301,7 @@ }, { "access_level": "List", - "description": "Returns summary information about stack instances that are associated with the specified stack set.", + "description": "Grants permission to return summary information about stack instances that are associated with the specified stack set", "privilege": "ListStackInstances", "resource_types": [ { @@ -16540,7 +18313,7 @@ }, { "access_level": "List", - "description": "Returns descriptions of all resources of the specified stack.", + "description": "Grants permission to return descriptions of all resources of the specified stack", "privilege": "ListStackResources", "resource_types": [ { @@ -16552,7 +18325,7 @@ }, { "access_level": "List", - "description": "Returns summary information about the results of a stack set operation.", + "description": "Grants permission to return summary information about the results of a stack set operation", "privilege": "ListStackSetOperationResults", "resource_types": [ { @@ -16564,7 +18337,7 @@ }, { "access_level": "List", - "description": "Returns summary information about operations performed on a stack set.", + "description": "Grants permission to return summary information about operations performed on a stack set", "privilege": "ListStackSetOperations", "resource_types": [ { @@ -16576,7 +18349,7 @@ }, { "access_level": "List", - "description": "Returns summary information about stack sets that are associated with the user.", + "description": "Grants permission to return summary information about stack sets that are associated with the user", "privilege": "ListStackSets", "resource_types": [ { @@ -16588,7 +18361,7 @@ }, { "access_level": "List", - "description": "Returns the summary information for stacks whose status matches the specified StackStatusFilter.", + "description": "Grants permission to return the summary information for stacks whose status matches the specified StackStatusFilter", "privilege": "ListStacks", "resource_types": [ { 
@@ -16600,7 +18373,7 @@ }, { "access_level": "List", - "description": "Lists CloudFormation type registration attempts", + "description": "Grants permission to list CloudFormation type registration attempts", "privilege": "ListTypeRegistrations", "resource_types": [ { @@ -16612,7 +18385,7 @@ }, { "access_level": "List", - "description": "Lists versions of a particular CloudFormation type", + "description": "Grants permission to list versions of a particular CloudFormation type", "privilege": "ListTypeVersions", "resource_types": [ { @@ -16624,7 +18397,7 @@ }, { "access_level": "List", - "description": "Lists available CloudFormation types", + "description": "Grants permission to list available CloudFormation types", "privilege": "ListTypes", "resource_types": [ { @@ -16636,7 +18409,7 @@ }, { "access_level": "Write", - "description": "Registers a new CloudFormation type", + "description": "Grants permission to register a new CloudFormation type", "privilege": "RegisterType", "resource_types": [ { @@ -16648,7 +18421,7 @@ }, { "access_level": "Permissions management", - "description": "Sets a stack policy for a specified stack.", + "description": "Grants permission to set a stack policy for a specified stack", "privilege": "SetStackPolicy", "resource_types": [ { @@ -16667,7 +18440,7 @@ }, { "access_level": "Write", - "description": "Sets which version of a CloudFormation type applies to CloudFormation operations", + "description": "Grants permission to set which version of a CloudFormation type applies to CloudFormation operations", "privilege": "SetTypeDefaultVersion", "resource_types": [ { @@ -16679,7 +18452,7 @@ }, { "access_level": "Write", - "description": "Sends a signal to the specified resource with a success or failure status.", + "description": "Grants permission to send a signal to the specified resource with a success or failure status", "privilege": "SignalResource", "resource_types": [ { 
@@ -16691,7 +18464,7 @@ }, { "access_level": "Write", - "description": "Stops an in-progress operation on a stack set and its associated stack instances.", + "description": "Grants permission to stop an in-progress operation on a stack set and its associated stack instances", "privilege": "StopStackSetOperation", "resource_types": [ { @@ -16703,7 +18476,7 @@ }, { "access_level": "Tagging", - "description": "Tagging cloudformation resources.", + "description": "Grants permission to tag cloudformation resources", "privilege": "TagResource", "resource_types": [ { @@ -16720,7 +18493,7 @@ }, { "access_level": "Tagging", - "description": "Untagging cloudformation resources.", + "description": "Grants permission to untag cloudformation resources", "privilege": "UntagResource", "resource_types": [ { @@ -16737,7 +18510,7 @@ }, { "access_level": "Write", - "description": "Updates a stack as specified in the template.", + "description": "Grants permission to update a stack as specified in the template", "privilege": "UpdateStack", "resource_types": [ { @@ -16761,19 +18534,29 @@ }, { "access_level": "Write", - "description": "Updates the parameter values for stack instances for the specified accounts, within the specified regions.", + "description": "Grants permission to update the parameter values for stack instances for the specified accounts, within the specified regions", "privilege": "UpdateStackInstances", "resource_types": [ { "condition_keys": [], "dependent_actions": [], "resource_type": "stackset*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stackset-target" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "type" } ] }, { "access_level": "Write", - "description": "Updates a stackset as specified in the template.", + "description": "Grants permission to update a stackset as specified in the template", "privilege": "UpdateStackSet", "resource_types": [ { 
@@ -16781,6 +18564,16 @@ "dependent_actions": [], "resource_type": "stackset*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "stackset-target" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "type" + }, { "condition_keys": [ "cloudformation:RoleArn", @@ -16795,7 +18588,7 @@ }, { "access_level": "Write", - "description": "Updates termination protection for the specified stack.", + "description": "Grants permission to update termination protection for the specified stack", "privilege": "UpdateTerminationProtection", "resource_types": [ { @@ -16807,7 +18600,7 @@ }, { "access_level": "Read", - "description": "Validates a specified template.", + "description": "Grants permission to validate a specified template", "privilege": "ValidateTemplate", "resource_types": [ { @@ -16819,6 +18612,11 @@ } ], "resources": [ + { + "arn": "arn:${Partition}:cloudformation:${Region}:${Account}:changeSet/${ChangeSetName}/${Id}", + "condition_keys": [], + "resource": "changeset" + }, { "arn": "arn:${Partition}:cloudformation:${Region}:${Account}:stack/${StackName}/${Id}", "condition_keys": [ @@ -16834,9 +18632,14 @@ "resource": "stackset" }, { - "arn": "arn:${Partition}:cloudformation:${Region}:${Account}:changeSet/${ChangeSetName}/${Id}", + "arn": "arn:${Partition}:cloudformation:${Region}:${Account}:stackset-target/${StackSetTarget}", "condition_keys": [], - "resource": "changeset" + "resource": "stackset-target" + }, + { + "arn": "arn:${Partition}:cloudformation:${Region}:${Account}:type/resource/${Type}", + "condition_keys": [], + "resource": "type" } ], "service_name": "AWS CloudFormation" 
@@ -18514,6 +20317,80 @@ ], "service_name": "Amazon CloudSearch" }, + { + "conditions": [], + "prefix": "cloudshell", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permissions to create a CloudShell environment", + "privilege": "CreateEnvironment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to connect to a CloudShell environment from the AWS Console", + "privilege": "CreateSession", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to download files from a CloudShell environment", + "privilege": "GetFileDownloadUrls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to upload files to a CloudShell environment", + "privilege": "GetFileUploadUrls", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Environment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to forward console credentials to the environment", + "privilege": "PutCredentials", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Environment*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:cloudshell:${Region}:${Account}:environment/${EnvironmentId}", + "condition_keys": [], + "resource": "Environment" + } + ], + "service_name": "AWS CloudShell" + }, { "conditions": [], "prefix": "cloudtrail", @@ -22559,7 +24436,7 @@ ] }, { - "access_level": "Tagging", + "access_level": "List", "description": "Grants permission to list tags for a Profiling Group", "privilege": "ListTagsForResource", "resource_types": [ 
@@ -24147,6 +26024,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a host resource", + "privilege": "UpdateHost", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Host*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to use a Connection resource to call provider actions", 
@@ -27259,6 +29148,163 @@ "resources": [], "service_name": "Comprehend Medical" }, + { + "conditions": [], + "prefix": "compute-optimizer", + "privileges": [ + { + "access_level": "List", + "description": "Grants permission to view the status of recommendation export jobs", + "privilege": "DescribeRecommendationExportJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to export autoscaling group recommendations to S3 for the provided accounts", + "privilege": "ExportAutoScalingGroupRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "autoscaling:DescribeAutoScalingGroups", + "compute-optimizer:GetAutoScalingGroupRecommendations" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to export EC2 instance recommendations to S3 for the provided accounts", + "privilege": "ExportEC2InstanceRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "compute-optimizer:GetEC2InstanceRecommendations", + "ec2:DescribeInstances" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get recommendations for the provided autoscaling groups", + "privilege": "GetAutoScalingGroupRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "autoscaling:DescribeAutoScalingGroups" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get recommendations for the provided ebs volumes", + "privilege": "GetEBSVolumeRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeVolumes" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get recommendations for the provided EC2 
instances", + "privilege": "GetEC2InstanceRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeInstances" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get the recommendation projected metrics of the specified instance", + "privilege": "GetEC2RecommendationProjectedMetrics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "ec2:DescribeInstances" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get the enrollment status for the specified account", + "privilege": "GetEnrollmentStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get recommendations for the provided lambda functions", + "privilege": "GetLambdaFunctionRecommendations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "lambda:ListFunctions", + "lambda:ListProvisionedConcurrencyConfigs" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to get the recommendation summaries for the specified account(s)", + "privilege": "GetRecommendationSummaries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the enrollment status", + "privilege": "UpdateEnrollmentStatus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Compute Optimizer" + }, { "conditions": [], "prefix": "compute-optimizer", 
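Review bot: The service block added in this hunk declares `"prefix": "compute-optimizer"`, and the trailing context lines show that the block right after it, which was already in the file, uses the same prefix, so the definition now holds two entries for one IAM service prefix. How the linter resolves a prefix is not visible in this diff, but if it takes the first or the last match, any action that appears in only one of the two blocks could be reported as unknown or be given the wrong access level when a policy is checked. I would merge the two blocks so that a single `"prefix": "compute-optimizer"` entry carries the full privilege list, and add a test on the definition file that fails when a `prefix` value occurs more than once. The body of the existing block lies outside the hunk, so whether the two privilege lists differ should be confirmed against the full file.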
@@ -27409,7 +29455,7 @@ "privileges": [ { "access_level": "Read", - "description": "Returns the current configuration items for resources that are present in your AWS Config aggregator", + "description": "Grants permission to return the current configuration items for resources that are present in your AWS Config aggregator", "privilege": "BatchGetAggregateResourceConfig", "resource_types": [ { @@ -27421,7 +29467,7 @@ }, { "access_level": "Read", - "description": "Returns the current configuration for one or more requested resources", + "description": "Grants permission to return the current configuration for one or more requested resources", "privilege": "BatchGetResourceConfig", "resource_types": [ { @@ -27433,7 +29479,7 @@ }, { "access_level": "Write", - "description": "Deletes the authorization granted to the specified configuration aggregator account in a specified region", + "description": "Grants permission to delete the authorization granted to the specified configuration aggregator account in a specified region", "privilege": "DeleteAggregationAuthorization", "resource_types": [ { @@ -27445,7 +29491,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified AWS Config rule and all of its evaluation results", + "description": "Grants permission to delete the specified AWS Config rule and all of its evaluation results", "privilege": "DeleteConfigRule", "resource_types": [ { @@ -27457,7 +29503,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified configuration aggregator and the aggregated data associated with the aggregator", + "description": "Grants permission to delete the specified configuration aggregator and the aggregated data associated with the aggregator", "privilege": "DeleteConfigurationAggregator", "resource_types": [ { 
@@ -27469,7 +29515,7 @@ }, { "access_level": "Write", - "description": "Deletes the configuration recorder", + "description": "Grants permission to delete the configuration recorder", "privilege": "DeleteConfigurationRecorder", "resource_types": [ { @@ -27481,7 +29527,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified conformance pack and all the AWS Config rules and all evaluation results within that conformance pack.", + "description": "Grants permission to delete the specified conformance pack and all the AWS Config rules and all evaluation results within that conformance pack", "privilege": "DeleteConformancePack", "resource_types": [ { @@ -27493,7 +29539,7 @@ }, { "access_level": "Write", - "description": "Deletes the delivery channel", + "description": "Grants permission to delete the delivery channel", "privilege": "DeleteDeliveryChannel", "resource_types": [ { @@ -27505,7 +29551,7 @@ }, { "access_level": "Write", - "description": "Deletes the evaluation results for the specified Config rule", + "description": "Grants permission to delete the evaluation results for the specified Config rule", "privilege": "DeleteEvaluationResults", "resource_types": [ { @@ -27517,7 +29563,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified organization config rule and all of its evaluation results from all member accounts in that organization.", + "description": "Grants permission to delete the specified organization config rule and all of its evaluation results from all member accounts in that organization", "privilege": "DeleteOrganizationConfigRule", "resource_types": [ { 
@@ -27529,7 +29575,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified organization conformance pack and all of its evaluation results from all member accounts in that organization.", + "description": "Grants permission to delete the specified organization conformance pack and all of its evaluation results from all member accounts in that organization", "privilege": "DeleteOrganizationConformancePack", "resource_types": [ { @@ -27541,7 +29587,7 @@ }, { "access_level": "Write", - "description": "Deletes pending authorization requests for a specified aggregator account in a specified region", + "description": "Grants permission to delete pending authorization requests for a specified aggregator account in a specified region", "privilege": "DeletePendingAggregationRequest", "resource_types": [ { @@ -27553,7 +29599,7 @@ }, { "access_level": "Write", - "description": "Deletes the remediation configuration", + "description": "Grants permission to delete the remediation configuration", "privilege": "DeleteRemediationConfiguration", "resource_types": [ { @@ -27565,7 +29611,7 @@ }, { "access_level": "Write", - "description": "Deletes one or more remediation exceptions for specific resource keys for a specific AWS Config Rule.", + "description": "Grants permission to delete one or more remediation exceptions for specific resource keys for a specific AWS Config Rule", "privilege": "DeleteRemediationExceptions", "resource_types": [ { @@ -27577,7 +29623,7 @@ }, { "access_level": "Write", - "description": "Records the configuration state for a custom resource that has been deleted.", + "description": "Grants permission to record the configuration state for a custom resource that has been deleted", "privilege": "DeleteResourceConfig", "resource_types": [ { 
@@ -27589,7 +29635,7 @@ }, { "access_level": "Write", - "description": "Deletes the retention configuration", + "description": "Grants permission to delete the retention configuration", "privilege": "DeleteRetentionConfiguration", "resource_types": [ { @@ -27599,9 +29645,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the stored query for an AWS account in an AWS Region", + "privilege": "DeleteStoredQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StoredQuery*" + } + ] + }, { "access_level": "Read", - "description": "Schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel", + "description": "Grants permission to schedule delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel", "privilege": "DeliverConfigSnapshot", "resource_types": [ { @@ -27613,7 +29671,7 @@ }, { "access_level": "List", - "description": "Returns a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules", + "description": "Grants permission to return a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules", "privilege": "DescribeAggregateComplianceByConfigRules", "resource_types": [ { @@ -27625,7 +29683,7 @@ }, { "access_level": "List", - "description": "Returns a list of authorizations granted to various aggregator accounts and regions", + "description": "Grants permission to return a list of authorizations granted to various aggregator accounts and regions", "privilege": "DescribeAggregationAuthorizations", "resource_types": [ { 
@@ -27637,7 +29695,7 @@ }, { "access_level": "List", - "description": "Indicates whether the specified AWS Config rules are compliant", + "description": "Grants permission to indicate whether the specified AWS Config rules are compliant", "privilege": "DescribeComplianceByConfigRule", "resource_types": [ { @@ -27649,7 +29707,7 @@ }, { "access_level": "List", - "description": "Indicates whether the specified AWS resources are compliant", + "description": "Grants permission to indicate whether the specified AWS resources are compliant", "privilege": "DescribeComplianceByResource", "resource_types": [ { @@ -27661,7 +29719,7 @@ }, { "access_level": "List", - "description": "Returns status information for each of your AWS managed Config rules", + "description": "Grants permission to return status information for each of your AWS managed Config rules", "privilege": "DescribeConfigRuleEvaluationStatus", "resource_types": [ { @@ -27673,7 +29731,7 @@ }, { "access_level": "List", - "description": "Returns details about your AWS Config rules", + "description": "Grants permission to return details about your AWS Config rules", "privilege": "DescribeConfigRules", "resource_types": [ { @@ -27685,7 +29743,7 @@ }, { "access_level": "List", - "description": "Returns status information for sources within an aggregator", + "description": "Grants permission to return status information for sources within an aggregator", "privilege": "DescribeConfigurationAggregatorSourcesStatus", "resource_types": [ { @@ -27697,7 +29755,7 @@ }, { "access_level": "List", - "description": "Returns the details of one or more configuration aggregators", + "description": "Grants permission to return the details of one or more configuration aggregators", "privilege": "DescribeConfigurationAggregators", "resource_types": [ { 
@@ -27709,7 +29767,7 @@ }, { "access_level": "List", - "description": "Returns the current status of the specified configuration recorder", + "description": "Grants permission to return the current status of the specified configuration recorder", "privilege": "DescribeConfigurationRecorderStatus", "resource_types": [ { @@ -27721,7 +29779,7 @@ }, { "access_level": "List", - "description": "Returns the name of one or more specified configuration recorders", + "description": "Grants permission to return the names of one or more specified configuration recorders", "privilege": "DescribeConfigurationRecorders", "resource_types": [ { @@ -27733,7 +29791,7 @@ }, { "access_level": "Read", - "description": "Returns compliance information for each rule in that conformance pack.", + "description": "Grants permission to return compliance information for each rule in that conformance pack", "privilege": "DescribeConformancePackCompliance", "resource_types": [ { @@ -27745,7 +29803,7 @@ }, { "access_level": "Read", - "description": "Provides one or more conformance packs deployment status.", + "description": "Grants permission to provide one or more conformance packs deployment status", "privilege": "DescribeConformancePackStatus", "resource_types": [ { @@ -27757,7 +29815,7 @@ }, { "access_level": "Read", - "description": "Returns a list of one or more conformance packs.", + "description": "Grants permission to return a list of one or more conformance packs", "privilege": "DescribeConformancePacks", "resource_types": [ { @@ -27769,7 +29827,7 @@ }, { "access_level": "List", - "description": "Returns the current status of the specified delivery channel", + "description": "Grants permission to return the current status of the specified delivery channel", "privilege": "DescribeDeliveryChannelStatus", "resource_types": [ { 
@@ -27781,7 +29839,7 @@ }, { "access_level": "List", - "description": "Returns details about the specified delivery channel", + "description": "Grants permission to return details about the specified delivery channel", "privilege": "DescribeDeliveryChannels", "resource_types": [ { @@ -27793,7 +29851,7 @@ }, { "access_level": "Read", - "description": "Provides organization config rule deployment status for an organization.", + "description": "Grants permission to provide organization config rule deployment status for an organization", "privilege": "DescribeOrganizationConfigRuleStatuses", "resource_types": [ { @@ -27805,7 +29863,7 @@ }, { "access_level": "Read", - "description": "Returns a list of organization config rules.", + "description": "Grants permission to return a list of organization config rules", "privilege": "DescribeOrganizationConfigRules", "resource_types": [ { @@ -27817,7 +29875,7 @@ }, { "access_level": "Read", - "description": "Provides organization conformance pack deployment status for an organization.", + "description": "Grants permission to provide organization conformance pack deployment status for an organization", "privilege": "DescribeOrganizationConformancePackStatuses", "resource_types": [ { @@ -27829,7 +29887,7 @@ }, { "access_level": "Read", - "description": "Returns a list of organization conformance packs.", + "description": "Grants permission to return a list of organization conformance packs", "privilege": "DescribeOrganizationConformancePacks", "resource_types": [ { @@ -27841,7 +29899,7 @@ }, { "access_level": "List", - "description": "Returns a list of all pending aggregation requests", + "description": "Grants permission to return a list of all pending aggregation requests", "privilege": "DescribePendingAggregationRequests", "resource_types": [ { 
@@ -27853,7 +29911,7 @@ }, { "access_level": "List", - "description": "Returns the details of one or more remediation configurations", + "description": "Grants permission to return the details of one or more remediation configurations", "privilege": "DescribeRemediationConfigurations", "resource_types": [ { @@ -27865,7 +29923,7 @@ }, { "access_level": "List", - "description": "Returns the details of one or more remediation exceptions.", + "description": "Grants permission to return the details of one or more remediation exceptions", "privilege": "DescribeRemediationExceptions", "resource_types": [ { @@ -27877,7 +29935,7 @@ }, { "access_level": "List", - "description": "Provides a detailed view of a Remediation Execution for a set of resources including state, timestamps and any error messages for steps that have failed", + "description": "Grants permission to provide a detailed view of a Remediation Execution for a set of resources including state, timestamps and any error messages for steps that have failed", "privilege": "DescribeRemediationExecutionStatus", "resource_types": [ { @@ -27889,7 +29947,7 @@ }, { "access_level": "List", - "description": "Returns the details of one or more retention configurations", + "description": "Grants permission to return the details of one or more retention configurations", "privilege": "DescribeRetentionConfigurations", "resource_types": [ { @@ -27901,7 +29959,7 @@ }, { "access_level": "Read", - "description": "Returns the evaluation results for the specified AWS Config rule for a specific resource in a rule", + "description": "Grants permission to return the evaluation results for the specified AWS Config rule for a specific resource in a rule", "privilege": "GetAggregateComplianceDetailsByConfigRule", "resource_types": [ { 
@@ -27913,7 +29971,7 @@ }, { "access_level": "Read", - "description": "Returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator", + "description": "Grants permission to return the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator", "privilege": "GetAggregateConfigRuleComplianceSummary", "resource_types": [ { @@ -27925,7 +29983,7 @@ }, { "access_level": "Read", - "description": "Returns the resource counts across accounts and regions that are present in your AWS Config aggregator", + "description": "Grants permission to return the resource counts across accounts and regions that are present in your AWS Config aggregator", "privilege": "GetAggregateDiscoveredResourceCounts", "resource_types": [ { @@ -27937,7 +29995,7 @@ }, { "access_level": "Read", - "description": "Returns configuration item that is aggregated for your specific resource in a specific source account and region", + "description": "Grants permission to return configuration item that is aggregated for your specific resource in a specific source account and region", "privilege": "GetAggregateResourceConfig", "resource_types": [ { @@ -27949,7 +30007,7 @@ }, { "access_level": "Read", - "description": "Returns the evaluation results for the specified AWS Config rule", + "description": "Grants permission to return the evaluation results for the specified AWS Config rule", "privilege": "GetComplianceDetailsByConfigRule", "resource_types": [ { @@ -27961,7 +30019,7 @@ }, { "access_level": "Read", - "description": "Returns the evaluation results for the specified AWS resource", + "description": "Grants permission to return the evaluation results for the specified AWS resource", "privilege": "GetComplianceDetailsByResource", "resource_types": [ { 
@@ -27973,7 +30031,7 @@ }, { "access_level": "Read", - "description": "Returns the number of AWS Config rules that are compliant and noncompliant, up to a maximum of 25 for each", + "description": "Grants permission to return the number of AWS Config rules that are compliant and noncompliant, up to a maximum of 25 for each", "privilege": "GetComplianceSummaryByConfigRule", "resource_types": [ { @@ -27985,7 +30043,7 @@ }, { "access_level": "Read", - "description": "Returns the number of resources that are compliant and the number that are noncompliant", + "description": "Grants permission to return the number of resources that are compliant and the number that are noncompliant", "privilege": "GetComplianceSummaryByResourceType", "resource_types": [ { @@ -27997,7 +30055,7 @@ }, { "access_level": "Read", - "description": "Returns compliance details of a conformance pack for all AWS resources that are monitered by conformance pack.", + "description": "Grants permission to return compliance details of a conformance pack for all AWS resources that are monitered by conformance pack", "privilege": "GetConformancePackComplianceDetails", "resource_types": [ { @@ -28009,7 +30067,7 @@ }, { "access_level": "Read", - "description": "Provides compliance summary for one or more conformance packs.", + "description": "Grants permission to provide compliance summary for one or more conformance packs", "privilege": "GetConformancePackComplianceSummary", "resource_types": [ { @@ -28021,7 +30079,7 @@ }, { "access_level": "Read", - "description": "Returns the resource types, the number of each resource type, and the total number of resources that AWS Config is recording in this region for your AWS account", + "description": "Grants permission to return the resource types, the number of each resource type, and the total number of resources that AWS Config is recording in this region for your AWS account", "privilege": "GetDiscoveredResourceCounts", "resource_types": [ { 
@@ -28033,7 +30091,7 @@ }, { "access_level": "Read", - "description": "Returns detailed status for each member account within an organization for a given organization config rule.", + "description": "Grants permission to return detailed status for each member account within an organization for a given organization config rule", "privilege": "GetOrganizationConfigRuleDetailedStatus", "resource_types": [ { @@ -28045,7 +30103,7 @@ }, { "access_level": "Read", - "description": "Returns detailed status for each member account within an organization for a given organization conformance pack.", + "description": "Grants permission to return detailed status for each member account within an organization for a given organization conformance pack", "privilege": "GetOrganizationConformancePackDetailedStatus", "resource_types": [ { @@ -28057,7 +30115,7 @@ }, { "access_level": "Read", - "description": "Returns a list of configuration items for the specified resource", + "description": "Grants permission to return a list of configuration items for the specified resource", "privilege": "GetResourceConfigHistory", "resource_types": [ { @@ -28067,9 +30125,21 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return the details of a specific stored query", + "privilege": "GetStoredQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StoredQuery*" + } + ] + }, { "access_level": "List", - "description": "Accepts a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions", + "description": "Grants permission to accept a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions", "privilege": "ListAggregateDiscoveredResources", "resource_types": [ { 
@@ -28081,7 +30151,7 @@ }, { "access_level": "List", - "description": "Accepts a resource type and returns a list of resource identifiers for the resources of that type", + "description": "Grants permission to accept a resource type and returns a list of resource identifiers for the resources of that type", "privilege": "ListDiscoveredResources", "resource_types": [ { @@ -28093,7 +30163,19 @@ }, { "access_level": "List", - "description": "List the tags for AWS Config resource", + "description": "Grants permission to list the stored queries for an AWS account in an AWS Region", + "privilege": "ListStoredQueries", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StoredQuery*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the tags for AWS Config resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -28115,7 +30197,7 @@ }, { "access_level": "Write", - "description": "Authorizes the aggregator account and region to collect data from the source account and region", + "description": "Grants permission to authorize the aggregator account and region to collect data from the source account and region", "privilege": "PutAggregationAuthorization", "resource_types": [ { @@ -28135,7 +30217,7 @@ }, { "access_level": "Write", - "description": "Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations", + "description": "Grants permission to add or update an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations", "privilege": "PutConfigRule", "resource_types": [ { 
@@ -28155,7 +30237,7 @@ }, { "access_level": "Write", - "description": "Creates and updates the configuration aggregator with the selected source accounts and regions", + "description": "Grants permission to create and update the configuration aggregator with the selected source accounts and regions", "privilege": "PutConfigurationAggregator", "resource_types": [ { @@ -28175,7 +30257,7 @@ }, { "access_level": "Write", - "description": "Creates a new configuration recorder to record the selected resource configurations", + "description": "Grants permission to create a new configuration recorder to record the selected resource configurations", "privilege": "PutConfigurationRecorder", "resource_types": [ { @@ -28187,7 +30269,7 @@ }, { "access_level": "Write", - "description": "Creates or updates a conformance pack.", + "description": "Grants permission to create or update a conformance pack", "privilege": "PutConformancePack", "resource_types": [ { @@ -28199,7 +30281,7 @@ }, { "access_level": "Write", - "description": "Creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic", + "description": "Grants permission to create a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic", "privilege": "PutDeliveryChannel", "resource_types": [ { @@ -28211,7 +30293,7 @@ }, { "access_level": "Write", - "description": "Used by an AWS Lambda function to deliver evaluation results to AWS Config", + "description": "Grants permission to be used by an AWS Lambda function to deliver evaluation results to AWS Config", "privilege": "PutEvaluations", "resource_types": [ { 
@@ -28223,7 +30305,19 @@ }, { "access_level": "Write", - "description": "Adds or updates organization config rule for your entire organization evaluating whether your AWS resources comply with your desired configurations.", + "description": "Grants permission to deliver evaluation result to AWS Config", + "privilege": "PutExternalEvaluation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add or update organization config rule for your entire organization evaluating whether your AWS resources comply with your desired configurations", "privilege": "PutOrganizationConfigRule", "resource_types": [ { @@ -28235,7 +30329,7 @@ }, { "access_level": "Write", - "description": "Adds or updates organization conformance pack for your entire organization evaluating whether your AWS resources comply with your desired configurations.", + "description": "Grants permission to add or update organization conformance pack for your entire organization evaluating whether your AWS resources comply with your desired configurations", "privilege": "PutOrganizationConformancePack", "resource_types": [ { @@ -28247,7 +30341,7 @@ }, { "access_level": "Write", - "description": "Adds or updates the remediation configuration with a specific AWS Config rule with the selected target or action", + "description": "Grants permission to add or update the remediation configuration with a specific AWS Config rule with the selected target or action", "privilege": "PutRemediationConfigurations", "resource_types": [ { @@ -28259,7 +30353,7 @@ }, { "access_level": "Write", - "description": "Adds or updates remediation exceptions for specific resources for a specific AWS Config rule.", + "description": "Grants permission to add or update remediation exceptions for specific resources for a specific AWS Config rule", "privilege": "PutRemediationExceptions", "resource_types": [ { 
@@ -28271,7 +30365,7 @@ }, { "access_level": "Write", - "description": "Records the configuration state for the resource provided in the request.", + "description": "Grants permission to record the configuration state for the resource provided in the request", "privilege": "PutResourceConfig", "resource_types": [ { @@ -28283,7 +30377,7 @@ }, { "access_level": "Write", - "description": "Creates and updates the retention configuration with details about retention period (number of days) that AWS Config stores your historical information", + "description": "Grants permission to create and update the retention configuration with details about retention period (number of days) that AWS Config stores your historical information", "privilege": "PutRetentionConfiguration", "resource_types": [ { @@ -28293,9 +30387,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to save a new query or updates an existing saved query", + "privilege": "PutStoredQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "StoredQuery*" + } + ] + }, { "access_level": "Read", - "description": "Accepts a structured query language (SQL) SELECT command and an aggregator to query configuration state of AWS resources across multiple accounts and regions, performs the corresponding search, and returns resource configurations matching the properties.", + "description": "Grants permission to accept a structured query language (SQL) SELECT command and an aggregator to query configuration state of AWS resources across multiple accounts and regions, performs the corresponding search, and returns resource configurations matching the properties", "privilege": "SelectAggregateResourceConfig", "resource_types": [ { 
@@ -28307,7 +30413,7 @@ }, { "access_level": "Read", - "description": "Accepts a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties", + "description": "Grants permission to accept a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties", "privilege": "SelectResourceConfig", "resource_types": [ { @@ -28319,7 +30425,7 @@ }, { "access_level": "Write", - "description": "Evaluates your resources against the specified Config rules", + "description": "Grants permission to evaluate your resources against the specified Config rules", "privilege": "StartConfigRulesEvaluation", "resource_types": [ { @@ -28331,7 +30437,7 @@ }, { "access_level": "Write", - "description": "Starts recording configurations of the AWS resources you have selected to record in your AWS account", + "description": "Grants permission to start recording configurations of the AWS resources you have selected to record in your AWS account", "privilege": "StartConfigurationRecorder", "resource_types": [ { @@ -28343,7 +30449,7 @@ }, { "access_level": "Write", - "description": "Runs an on-demand remediation for the specified AWS Config rules against the last known remediation configuration", + "description": "Grants permission to run an on-demand remediation for the specified AWS Config rules against the last known remediation configuration", "privilege": "StartRemediationExecution", "resource_types": [ { @@ -28355,7 +30461,7 @@ }, { "access_level": "Write", - "description": "Stops recording configurations of the AWS resources you have selected to record in your AWS account", + "description": "Grants permission to stop recording configurations of the AWS resources you have selected to record in your AWS account", "privilege": "StopConfigurationRecorder", "resource_types": [ { 
@@ -28367,7 +30473,7 @@ }, { "access_level": "Tagging", - "description": "Associates the specified tags to a resource with the specified resourceArn", + "description": "Grants permission to associate the specified tags to a resource with the specified resourceArn", "privilege": "TagResource", "resource_types": [ { @@ -28402,7 +30508,7 @@ }, { "access_level": "Tagging", - "description": "Deletes specified tags from a resource", + "description": "Grants permission to delete specified tags from a resource", "privilege": "UntagResource", "resource_types": [ { @@ -28478,6 +30584,11 @@ "arn": "arn:${Partition}:config:${Region}:${Account}:remediation-configuration/${RemediationConfigurationId}", "condition_keys": [], "resource": "RemediationConfiguration" + }, + { + "arn": "arn:${Partition}:config:${Region}:${Account}:stored-query/${StoredQueryName}/${StoredQueryId}", + "condition_keys": [], + "resource": "StoredQuery" } ], "service_name": "AWS Config" @@ -28504,6 +30615,11 @@ "description": "Filters access by the attribute type of the Amazon Connect instance.", "type": "String" }, + { + "condition": "connect:InstanceId", + "description": "Filters access by restricting federation into specified connect instances .", + "type": "String" + }, { "condition": "connect:StorageResourceType", "description": "Filters access by restricting the storage resource type of the Amazon Connect instance storage configuration.", 
@@ -28654,24 +30770,48 @@ "ds:CreateAlias", "ds:CreateDirectory", "ds:CreateIdentityPoolDirectory", + "ds:DeleteDirectory", "ds:DescribeDirectories", "ds:UnauthorizeApplication", - "firehose:DescribeDeliveryStream", - "firehose:ListDeliveryStreams", "iam:AttachRolePolicy", "iam:CreateServiceLinkedRole", - "iam:PutRolePolicy", - "kinesis:DescribeStream", - "kinesis:ListStreams", - "kms:CreateGrant", - "kms:DescribeKey", - "kms:ListAliases", - "kms:RetireGrant", - "logs:CreateLogGroup", - "s3:CreateBucket", - "s3:GetBucketLocation", - "s3:ListAllMyBuckets" + "iam:PutRolePolicy" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a quick connect in an Amazon Connect instance.", + "privilege": "CreateQuickConnect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" ], + "dependent_actions": [], "resource_type": "" } ] @@ -28764,6 +30904,25 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permissions to delete a quick connect in an Amazon Connect instance.", + "privilege": "DeleteQuickConnect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permissions to delete a user in an Amazon Connect instance.", 
@@ -28822,14 +30981,7 @@ { "condition_keys": [], "dependent_actions": [ - "ds:DescribeDirectories", - "firehose:DescribeDeliveryStream", - "firehose:ListDeliveryStreams", - "kinesis:DescribeStream", - "kinesis:ListStreams", - "kms:DescribeKey", - "kms:ListAliases", - "s3:ListAllMyBuckets" + "ds:DescribeDirectories" ], "resource_type": "instance*" } @@ -28873,6 +31025,25 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permissions to describe a quick connect in an Amazon Connect instance.", + "privilege": "DescribeQuickConnect", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permissions to describe a routing profile in an Amazon Connect instance.", @@ -28935,18 +31106,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permissions to delete an Amazon Connect instance. When you remove an instance, the link to an existing AWS directory is also removed.", - "privilege": "DestroyInstance", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "instance*" - } - ] - }, { "access_level": "Write", "description": "Grants permissions to disassociate approved origin for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", @@ -29072,6 +31231,13 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "instance*" + }, + { + "condition_keys": [ + "connect:InstanceId" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -29237,6 +31403,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permissions to list quick connect resources in an Amazon Connect instance.", + "privilege": "ListQuickConnects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "instance*" + } + ] + }, { "access_level": "Read", "description": "Grants permissions to list queue resources in a routing profile in an Amazon Connect instance.", @@ -29302,6 +31480,11 @@ "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect" + }, { "condition_keys": [], "dependent_actions": [], @@ -29345,30 +31528,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permissions to modify configuration settings for an existing Amazon Connect instance. The associated required actions grant permission to modify the settings for the instance.", - "privilege": "ModifyInstance", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [ - "firehose:DescribeDeliveryStream", - "firehose:ListDeliveryStreams", - "kinesis:DescribeStream", - "kinesis:ListStreams", - "kms:CreateGrant", - "kms:DescribeKey", - "kms:ListAliases", - "kms:RetireGrant", - "s3:CreateBucket", - "s3:GetBucketLocation", - "s3:ListAllMyBuckets" - ], - "resource_type": "instance*" - } - ] - }, { "access_level": "Write", "description": "Grants permissions to resume recording for the specified contact.", @@ -29475,6 +31634,11 @@ "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect" + }, { "condition_keys": [], "dependent_actions": [], @@ -29506,6 +31670,11 @@ "dependent_actions": [], "resource_type": "contact-flow" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -29631,6 +31800,59 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permissions to update the configuration of a quick connect in an Amazon Connect instance.", + "privilege": "UpdateQuickConnectConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "contact-flow" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "queue" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "user" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update a quick connect name and description in an Amazon Connect instance.", + "privilege": "UpdateQuickConnectName", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "quick-connect*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permissions to update the concurrency in a routing profile in an Amazon Connect instance.", @@ -29887,6 +32109,13 @@ "condition_keys": [], "resource": "queue" }, + { + "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/transfer-destination/${QuickConnectId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "quick-connect" + }, { "arn": "arn:${Partition}:connect:${Region}:${Account}:instance/${InstanceId}/contact-flow/${ContactFlowId}", "condition_keys": [ @@ -30736,7 +32965,7 @@ ] }, { - "access_level": "Write", + "access_level": "Read", "description": "Grants permissions to get information about a job.", "privilege": "GetJob", "resource_types": [ 
@@ -38462,6 +40691,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to describe the status of Kinesis streaming and related details for a given table", + "privilege": "DescribeKinesisStreamingDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Read", "description": "Returns the current provisioned-capacity limits for your AWS account in a region, both for the region as a whole and for any one DynamoDB table that you create there", @@ -38546,6 +40787,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to stop replication from the DynamoDB table to the Kinesis data stream", + "privilege": "DisableKinesisStreamingDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start table data replication to the specified Kinesis data stream at a timestamp chosen during the enable workflow", + "privilege": "EnableKinesisStreamingDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, { "access_level": "Write", "description": "Initiates an Export of a DynamoDB table to S3", @@ -39563,12 +41828,17 @@ }, { "condition": "ec2:VolumeSize", - "description": "Filters access by the size of the volume, in GiB.", + "description": "Filters access by the size of the volume, in GiB", + "type": "Numeric" + }, + { + "condition": "ec2:VolumeThroughput", + "description": "Filters access by the throughput of the volume, in MiBps", "type": "Numeric" }, { "condition": "ec2:VolumeType", - "description": "Filters access by the type of volume (gp2, io1, io2, st1, sc1, or standard)", + "description": "Filters access by the type of volume (gp2, gp3, io1, io2, st1, sc1, or standard)", "type": "String" }, { 
@@ -39600,9 +41870,53 @@ "privilege": "AcceptReservedInstancesExchangeQuote", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Region", + "ec2:ReservedInstancesOfferingType", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "reserved-instances" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to accept a request to associate subnets with a transit gateway multicast domain", + "privilege": "AcceptTransitGatewayMulticastDomainAssociations", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-multicast-domain" } ] }, @@ -39650,6 +41964,16 @@ "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], + "resource_type": "vpc-endpoint*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" + ], + "dependent_actions": [], "resource_type": "vpc-endpoint-service*" } ] @@ -39700,9 +42024,13 @@ "privilege": "AllocateAddress", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "ipv4pool-ec2" } ] }, 
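Review bot: The `AcceptReservedInstancesExchangeQuote` entry loses its wildcard-only row (`"resource_type": ""`, no condition keys) and gains an optional `reserved-instances` row with seven condition keys. The same replacement recurs in the hunks that follow for `AllocateAddress`, `AssignIpv6Addresses`, `AssignPrivateIpAddresses` and `AssociateAddress`. For a policy linter this presumably widens what passes without a finding: statements that scope these actions to an ARN, or condition them on keys such as `ec2:Tenancy`, would now be treated as valid. If this file is regenerated from the AWS documentation, I would spot-check a few of these actions against the service authorization reference before release. A `Deny` statement whose `StringEquals` condition uses a key the action never populates does not apply, so wrong data here turns a lint-clean guardrail into a no-op.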
@@ -39712,7 +42040,18 @@ "privilege": "AllocateHosts", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], "dependent_actions": [], "resource_type": "dedicated-host*" } @@ -39727,7 +42066,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -39736,7 +42081,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group*" @@ -39745,7 +42091,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "vpc*" @@ -39758,9 +42105,18 @@ "privilege": "AssignIpv6Addresses", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "network-interface*" } ] }, 
@@ -39770,9 +42126,18 @@ "privilege": "AssignPrivateIpAddresses", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "network-interface*" } ] }, @@ -39782,9 +42147,43 @@ "privilege": "AssociateAddress", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "elastic-ip" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" } ] }, @@ -39797,7 +42196,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -39805,8 +42210,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" 
@@ -39819,9 +42226,14 @@ "privilege": "AssociateDhcpOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" } ] }, @@ -39873,9 +42285,43 @@ "privilege": "AssociateRouteTable", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "internet-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway" } ] }, @@ -39885,9 +42331,15 @@ "privilege": "AssociateSubnetCidrBlock", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "subnet*" } ] }, @@ -39899,8 +42351,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" 
@@ -39956,9 +42410,23 @@ "privilege": "AssociateVpcCidrBlock", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv6pool-ec2" } ] }, @@ -40011,9 +42479,23 @@ "privilege": "AttachInternetGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "internet-gateway*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "vpc*" } ] }, @@ -40023,9 +42505,34 @@ "privilege": "AttachNetworkInterface", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface*" } ] }, @@ -40060,6 +42567,7 @@ "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], 
@@ -40073,9 +42581,23 @@ "privilege": "AttachVpnGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway*" } ] }, @@ -40088,7 +42610,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -40135,9 +42663,20 @@ "privilege": "BundleInstance", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, @@ -40187,9 +42726,22 @@ "privilege": "CancelExportTask", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "export-image-task" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "export-instance-task" } ] }, 
@@ -40199,9 +42751,22 @@ "privilege": "CancelImportTask", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "import-image-task" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "import-snapshot-task" } ] }, @@ -40223,9 +42788,13 @@ "privilege": "CancelSpotFleetRequests", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "spot-fleet-request*" } ] }, @@ -40235,9 +42804,13 @@ "privilege": "CancelSpotInstanceRequests", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "spot-instances-request*" } ] }, @@ -40247,9 +42820,20 @@ "privilege": "ConfirmProductInstance", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, @@ -40284,9 +42868,15 @@ "resource_types": [ { "condition_keys": [ - "aws:TagKeys", + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", - "ec2:Region" + "aws:TagKeys", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" 
@@ -40300,9 +42890,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "capacity-reservation*" @@ -40316,12 +42908,28 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "carrier-gateway*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "vpc*" } ] }, @@ -40332,12 +42940,44 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "vpc" } ] }, 
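Review bot: The first hunk on this line adds `aws:ResourceTag/${TagKey}` and `ec2:ResourceTag/${TagKey}` to the `capacity-reservation*` row, which previously listed only `aws:RequestTag/${TagKey}`, `aws:TagKeys` and `ec2:Region`. That earlier set suggests a create action, though the privilege name is outside the hunk. The `dhcp-options*` and `egress-only-internet-gateway*` hunks that follow make the same addition. A resource being created has no tags yet, so a policy that guards creation with a resource-tag condition would now pass lint while the intended control rests on `aws:RequestTag/${TagKey}`. I would confirm these keys against the source table, and consider having the linter warn when a resource-tag key is the only condition on a row whose resource the action creates.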
@@ -40350,7 +42990,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -40358,8 +43004,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" @@ -40409,9 +43057,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "dhcp-options*" @@ -40425,12 +43075,26 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "egress-only-internet-gateway*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "vpc*" } ] }, 
@@ -40441,12 +43105,107 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fleet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", + 
"ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" } ] }, @@ -40457,9 +43216,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [ "iam:PassRole" @@ -40469,11 +43230,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", - "ec2:Vpc" + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], "resource_type": "network-interface" @@ -40481,6 +43246,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -40492,6 +43259,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -40508,9 +43277,13 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "fpga-image*" @@ -40523,9 +43296,20 @@ "privilege": "CreateImage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, 
@@ -40536,12 +43320,32 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "export-instance-task*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" } ] }, @@ -40552,9 +43356,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "internet-gateway*" @@ -40568,9 +43374,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "key-pair*" 
@@ -40584,12 +43392,135 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "launch-template*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "capacity-reservation" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], + "dependent_actions": [], + "resource_type": "dedicated-host" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:PlacementGroupStrategy", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "placement-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + 
"aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" } ] }, 
@@ -40606,6 +43537,109 @@ ], "dependent_actions": [], "resource_type": "launch-template*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "capacity-reservation" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], + "dependent_actions": [], + "resource_type": "dedicated-host" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupStrategy", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "placement-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", 
+ "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" } ] }, @@ -40642,6 +43676,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -40650,9 +43686,12 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "local-gateway-route-table-vpc-association*" @@ -40660,6 +43699,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -40676,9 +43717,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "prefix-list*" @@ -40692,12 +43735,38 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "elastic-ip*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "natgateway*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet*" } ] }, 
@@ -40708,12 +43777,27 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-acl*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "vpc*" } ] }, @@ -40721,11 +43805,28 @@ "access_level": "Write", "description": "Grants permission to create a numbered entry (a rule) in a network ACL", "privilege": "CreateNetworkAclEntry", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "network-acl*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a path to analyze for reachability", + "privilege": "CreateNetworkInsightsPath", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "" + "resource_type": "network-insights-path*" } ] }, 
@@ -40736,12 +43837,44 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" } ] }, @@ -40753,14 +43886,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:AuthorizedUser", + "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:Permission", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc", - "ec2:AuthorizedService" + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -40774,9 +43906,12 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:PlacementGroupStrategy", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "placement-group*" @@ -40789,9 +43924,17 @@ "privilege": "CreateReservedInstancesListing", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Region", + "ec2:ReservedInstancesOfferingType", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "reserved-instances*" } ] }, 
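Review bot: The `@@ -40753,14 +43886,13 @@` hunk removes `"ec2:AuthorizedUser",` and `"ec2:Permission",` from the `network-interface*` condition-key list, and nothing visible on the new side puts them back for this entry. These keys let a policy restrict who a network-interface permission is granted to and which permission type is granted. If the linter validates condition keys against this list, policies carrying those restrictions would presumably start being reported as using keys that do not apply. The privilege this entry belongs to is named outside the hunk, so confirm against the upstream action reference that the keys were really withdrawn. If they were not, keep both lines alongside the new `"ec2:AssociatePublicIpAddress"` entry.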
@@ -40809,6 +43952,121 @@ ], "dependent_actions": [], "resource_type": "route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "carrier-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "egress-only-internet-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "internet-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "local-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "natgateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "prefix-list" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway" + }, + { + 
"condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AccepterVpc", + "ec2:Region", + "ec2:RequesterVpc", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpc-peering-connection" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway" } ] }, @@ -40818,9 +44076,16 @@ "privilege": "CreateRouteTable", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" } ] }, @@ -40831,12 +44096,27 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "vpc" } ] }, @@ -40847,10 +44127,15 @@ "resource_types": [ { "condition_keys": [ - "aws:TagKeys", + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Owner", "ec2:ParentVolume", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" @@ -40858,11 +44143,16 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", "ec2:Encrypted", + "ec2:ParentSnapshot", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], 
@@ -40878,6 +44168,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -40893,10 +44185,15 @@ }, { "condition_keys": [ - "aws:TagKeys", + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Owner", "ec2:ParentVolume", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" @@ -40904,11 +44201,16 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", "ec2:Encrypted", + "ec2:ParentSnapshot", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], @@ -40935,12 +44237,28 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "vpc*" } ] }, @@ -40952,8 +44270,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
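Review bot: The `@@ -40952,8 +44270,6 @@` hunk deletes `"aws:RequestTag/${TagKey}",` and `"aws:TagKeys",` from a resource type's condition keys, and the same two-line removal repeats through the following hunks up to `@@ -41341,19 +44801,43 @@` for the rest of what looks like one long resource list. The privilege name is outside these hunks, but if this is a tagging action, those are the keys a policy uses to limit which tag keys and values may be applied. Check that the new definition still lists both keys somewhere for this privilege, for example on a resource-independent entry, and add a regression test that a statement conditioned on `aws:TagKeys` for this action lints cleanly. Otherwise the linter may flag tag-restriction conditions as invalid and nudge authors toward removing them.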
@@ -40963,24 +44279,44 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "customer-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], "dependent_actions": [], "resource_type": "dedicated-host" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -40988,25 +44324,63 @@ "resource_type": "dhcp-options" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "egress-only-internet-gateway" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:ElasticGpuType" + ], + "dependent_actions": [], + "resource_type": "elastic-gpu" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "elastic-ip" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "export-image-task" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "export-instance-task" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "fleet" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Owner", "ec2:Public", "ec2:Region", @@ -41018,8 +44392,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "host-reservation" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:ImageType", "ec2:Owner", "ec2:Public", 
@@ -41033,8 +44414,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "import-image-task" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "import-snapshot-task" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", @@ -41051,8 +44448,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -41060,45 +44455,108 @@ "resource_type": "internet-gateway" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv4pool-ec2" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv6pool-ec2" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "local-gateway" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "local-gateway-route-table" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "local-gateway-route-table-virtual-interface-group-association" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], "resource_type": "local-gateway-route-table-vpc-association" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "local-gateway-virtual-interface" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], 
"resource_type": "local-gateway-virtual-interface-group" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "natgateway" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -41109,8 +44567,7 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AuthorizedService", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -41124,8 +44581,25 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:PlacementGroupStrategy", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "placement-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "prefix-list" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:AvailabilityZone", "ec2:InstanceType", "ec2:Region", @@ -41139,8 +44613,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -41151,8 +44623,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -41163,8 +44633,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", 
@@ -41178,19 +44646,24 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "spot-instance-request" + "resource_type": "spot-fleet-request" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "spot-instances-request" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Region", "ec2:ResourceTag/${TagKey}", @@ -41202,8 +44675,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41213,8 +44684,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41224,8 +44693,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41235,8 +44702,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41246,8 +44711,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41257,8 +44720,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-connect-peer" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41268,8 +44738,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -41279,8 +44747,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", @@ -41288,6 +44754,7 @@ "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], @@ -41296,8 +44763,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" @@ -41308,8 +44773,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41319,10 +44782,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service" @@ -41330,8 +44792,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -41341,19 +44801,43 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AccepterVpc", "ec2:Region", + "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], + "resource_type": "vpc-peering-connection" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", + "ec2:RoutingType" + ], + "dependent_actions": [], "resource_type": "vpn-connection" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41376,9 +44860,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-filter*" @@ -41416,8 +44902,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -41425,6 +44918,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -41433,9 +44928,11 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-session*" @@ -41443,6 +44940,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41458,9 +44957,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "traffic-mirror-target*" @@ -41468,8 +44969,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], "resource_type": "network-interface" 
@@ -41483,15 +44991,49 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway*" } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a Connect attachment from a specified transit gateway attachment", + "privilege": "CreateTransitGatewayConnect", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a Connect peer between a transit gateway and an appliance", + "privilege": "CreateTransitGatewayConnectPeer", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a multicast domain for a transit gateway", @@ -41500,6 +45042,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41508,9 +45052,11 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-multicast-domain*" @@ -41525,6 +45071,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -41533,9 +45081,11 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" @@ -41609,6 +45159,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41617,9 +45169,11 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" @@ -41634,6 +45188,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -41642,9 +45198,11 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "transit-gateway-attachment*" @@ -41652,8 +45210,11 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "vpc*" @@ -41661,8 +45222,12 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" 
@@ -41676,18 +45241,36 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", "ec2:ParentSnapshot", "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" } ] }, @@ -41698,12 +45281,26 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv6pool-ec2" } ] }, @@ -41715,8 +45312,11 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], "dependent_actions": [ "route53:AssociateVPCWithHostedZone" @@ -41725,11 +45325,11 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:VpceServiceName", - "ec2:VpceServiceOwner" + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-endpoint*" 
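Review bot: The last hunk on this line (`@@ -41725,11 +45325,11 @@`) removes `"ec2:VpceServiceName"` and `"ec2:VpceServiceOwner"` from the `vpc-endpoint*` entry while the surrounding hunks only add keys, so this looks like an accidental loss rather than an intended change. If the upstream IAM reference still documents those keys for this privilege, a policy that restricts endpoint creation by service name or owner is no longer described by the definition, and any check that reads the per-resource `condition_keys` list could misreport it; whether the linter consumes the list per resource is not visible here. I would confirm against the source this file appears to be regenerated from and, if the keys are still valid, keep `"ec2:VpceServiceName",` and `"ec2:VpceServiceOwner"` in the list next to the new tag keys. The enclosing privilege object starts and ends outside the hunk, so which privilege this is can only be inferred from the neighbouring hunks.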
@@ -41737,8 +45337,11 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "route-table" @@ -41746,8 +45349,11 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group" @@ -41755,8 +45361,12 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" @@ -41769,9 +45379,23 @@ "privilege": "CreateVpcEndpointConnectionNotification", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc-endpoint" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" + ], + "dependent_actions": [], + "resource_type": "vpc-endpoint-service" } ] }, @@ -41782,9 +45406,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [], @@ -41800,6 +45426,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Tenancy" 
@@ -41809,9 +45437,13 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:AccepterVpc", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", - "ec2:RequesterVpc" + "ec2:RequesterVpc", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "vpc-peering-connection*" @@ -41825,7 +45457,22 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "customer-gateway*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", "ec2:GatewayType", @@ -41846,6 +45493,28 @@ ], "dependent_actions": [], "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway" } ] }, 
@@ -41855,9 +45524,30 @@ "privilege": "CreateVpnConnectionRoute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", + "ec2:RoutingType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpn-connection*" } ] }, @@ -41867,9 +45557,15 @@ "privilege": "CreateVpnGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpn-gateway*" } ] }, @@ -41880,9 +45576,11 @@ "resource_types": [ { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "aws:ResourceTag/${TagKey}" + "ec2:Vpc", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "carrier-gateway*" @@ -41898,7 +45596,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" 
@@ -41914,7 +45618,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -41922,8 +45632,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" @@ -41968,9 +45680,13 @@ "privilege": "DeleteEgressOnlyInternetGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "egress-only-internet-gateway*" } ] }, @@ -41980,9 +45696,13 @@ "privilege": "DeleteFleets", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" } ] }, @@ -42008,9 +45728,15 @@ "privilege": "DeleteFpgaImage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "fpga-image*" } ] }, @@ -42036,9 +45762,13 @@ "privilege": "DeleteKeyPair", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "key-pair" } ] }, 
@@ -42054,7 +45784,7 @@ "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "launch-template*" + "resource_type": "launch-template" } ] }, @@ -42070,7 +45800,7 @@ "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "launch-template*" + "resource_type": "launch-template" } ] }, @@ -42099,7 +45829,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "local-gateway-route-table-vpc-association*" @@ -42128,9 +45859,13 @@ "privilege": "DeleteNatGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "natgateway*" } ] }, 
@@ -42168,15 +45903,58 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a network insights analysis", + "privilege": "DeleteNetworkInsightsAnalysis", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "network-insights-analysis*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a network insights path", + "privilege": "DeleteNetworkInsightsPath", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "network-insights-path*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a detached network interface", "privilege": "DeleteNetworkInterface", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "network-interface*" } ] }, @@ -42204,6 +45982,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the queued purchases for the specified Reserved Instances", + "privilege": "DeleteQueuedReservedInstances", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Region", + "ec2:ReservedInstancesOfferingType", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "reserved-instances*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a route from a route table", 
@@ -42218,6 +46016,15 @@ ], "dependent_actions": [], "resource_type": "route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "prefix-list" } ] }, @@ -42293,9 +46100,15 @@ "privilege": "DeleteSubnet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "subnet*" } ] }, @@ -42307,8 +46120,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -42318,24 +46129,44 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "customer-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], "dependent_actions": [], "resource_type": "dedicated-host" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -42343,25 +46174,65 @@ "resource_type": "dhcp-options" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "egress-only-internet-gateway" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:ElasticGpuType" + ], + "dependent_actions": [], + "resource_type": "elastic-gpu" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "elastic-ip" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "export-image-task" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "export-instance-task" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "fleet" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:Owner", + "ec2:Public", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -42371,30 +46242,62 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], + "resource_type": "host-reservation" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], "resource_type": "image" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], + "resource_type": "import-image-task" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "import-snapshot-task" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], "resource_type": "instance" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -42402,47 +46305,111 @@ "resource_type": "internet-gateway" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv4pool-ec2" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv6pool-ec2" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "local-gateway" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "local-gateway-route-table" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "local-gateway-route-table-virtual-interface-group-association" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], "resource_type": "local-gateway-route-table-vpc-association" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "local-gateway-virtual-interface" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], 
"resource_type": "local-gateway-virtual-interface-group" }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "natgateway" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "network-acl" @@ -42450,10 +46417,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], "resource_type": "network-interface" 
@@ -42461,32 +46431,51 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:PlacementGroupStrategy", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "reserved-instances" + "resource_type": "placement-group" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], + "resource_type": "prefix-list" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Region", + "ec2:ReservedInstancesOfferingType", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "reserved-instances" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], "resource_type": "route-table" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group" @@ -42494,10 +46483,12 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:Owner", + "ec2:ParentVolume", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot" 
@@ -42505,30 +46496,62 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "spot-instance-request" + "resource_type": "spot-fleet-request" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], + "resource_type": "spot-instances-request" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], "resource_type": "subnet" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "traffic-mirror-filter" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "traffic-mirror-session" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "traffic-mirror-target" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -42538,8 +46561,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -42549,8 +46570,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-connect-peer" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -42560,8 +46588,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -42571,10 +46597,15 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:ParentSnapshot", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VolumeIops", + "ec2:VolumeSize", + "ec2:VolumeThroughput", + "ec2:VolumeType" ], "dependent_actions": [], "resource_type": "volume" @@ -42582,10 +46613,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "vpc" @@ -42593,8 +46623,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -42604,10 +46632,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service" @@ -42615,8 +46642,6 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], 
@@ -42626,19 +46651,43 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", + "ec2:AccepterVpc", "ec2:Region", + "ec2:RequesterVpc", "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], + "resource_type": "vpc-peering-connection" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", + "ec2:RoutingType" + ], + "dependent_actions": [], "resource_type": "vpn-connection" }, { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "aws:RequestTag/${TagKey}", - "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], @@ -42668,15 +46717,6 @@ "description": "Grants permission to delete a traffic mirror filter rule", "privilege": "DeleteTrafficMirrorFilterRule", "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "dependent_actions": [], - "resource_type": "traffic-mirror-filter*" - }, { "condition_keys": [ "ec2:Region" 
@@ -42734,6 +46774,38 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a transit gateway connect attachment", + "privilege": "DeleteTransitGatewayConnect", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a transit gateway connect peer", + "privilege": "DeleteTransitGatewayConnectPeer", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-connect-peer*" + } + ] + }, { "access_level": "Write", "description": "Grants permissions to delete a transit gateway multicast domain", @@ -42854,6 +46926,7 @@ "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], @@ -42867,9 +46940,14 @@ "privilege": "DeleteVpc", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" } ] }, @@ -42879,9 +46957,23 @@ "privilege": "DeleteVpcEndpointConnectionNotifications", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc-endpoint*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" + ], + "dependent_actions": [], + "resource_type": "vpc-endpoint-service*" } ] }, 
@@ -42894,7 +46986,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" @@ -42941,9 +47034,30 @@ "privilege": "DeleteVpnConnection", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", + "ec2:RoutingType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpn-connection*" } ] }, @@ -42953,9 +47067,30 @@ "privilege": "DeleteVpnConnectionRoute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", + "ec2:RoutingType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpn-connection*" } ] }, 
@@ -42965,9 +47100,13 @@ "privilege": "DeleteVpnGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpn-gateway*" } ] }, @@ -42989,9 +47128,17 @@ "privilege": "DeregisterImage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" } ] }, @@ -43015,11 +47162,16 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], - "resource_type": "network-interface*" + "resource_type": "network-interface" }, { "condition_keys": [ @@ -43028,7 +47180,7 @@ "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "transit-gateway-multicast-domain*" + "resource_type": "transit-gateway-multicast-domain" } ] }, @@ -43040,11 +47192,16 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], - "resource_type": "network-interface*" + "resource_type": "network-interface" }, { "condition_keys": [ @@ -43053,7 +47210,7 @@ "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], - "resource_type": "transit-gateway-multicast-domain*" + "resource_type": "transit-gateway-multicast-domain" } ] }, 
@@ -43621,6 +47778,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe one or more IPv6 address pools", + "privilege": "DescribeIpv6Pools", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe one or more key pairs", @@ -43777,6 +47946,30 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe one or more network insights analyses", + "privilege": "DescribeNetworkInsightsAnalyses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe one or more network insights paths", + "privilege": "DescribeNetworkInsightsPaths", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe a network interface attribute", @@ -44161,6 +48354,30 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe one or more transit gateway connect peers", + "privilege": "DescribeTransitGatewayConnectPeers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe one or more transit gateway connect attachments", + "privilege": "DescribeTransitGatewayConnects", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe one or more transit gateway multicast domains", 
@@ -44464,28 +48681,30 @@ "privilege": "DetachInternetGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to detach a network interface from an instance", - "privilege": "DetachNetworkInterface", - "resource_types": [ + "resource_type": "internet-gateway*" + }, { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" } ] }, { "access_level": "Write", - "description": "Grants permission to detach an EBS volume from an instance", - "privilege": "DetachVolume", + "description": "Grants permission to detach a network interface from an instance", + "privilege": "DetachNetworkInterface", "resource_types": [ { "condition_keys": [ @@ -44503,6 +48722,27 @@ "dependent_actions": [], "resource_type": "instance*" }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to detach an EBS volume from an instance", + "privilege": "DetachVolume", + "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", 
@@ -44513,10 +48753,27 @@ "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], "resource_type": "volume*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" } ] }, @@ -44526,9 +48783,23 @@ "privilege": "DetachVpnGateway", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway*" } ] }, @@ -44555,11 +48826,9 @@ "ec2:Owner", "ec2:ParentVolume", "ec2:Region", - "ec2:AvailabilityZone", + "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", - "ec2:Encrypted", - "ec2:VolumeSize", - "ec2:ResourceTag/${TagKey}" + "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" @@ -44597,9 +48866,23 @@ "privilege": "DisableVgwRoutePropagation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway*" } ] }, 
@@ -44626,9 +48909,14 @@ "privilege": "DisableVpcClassicLinkDnsSupport", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc" } ] }, @@ -44638,9 +48926,43 @@ "privilege": "DisassociateAddress", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "elastic-ip" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" } ] }, @@ -44653,7 +48975,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" 
@@ -44706,9 +49034,25 @@ "privilege": "DisassociateRouteTable", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "route-table" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" } ] }, @@ -44718,9 +49062,15 @@ "privilege": "DisassociateSubnetCidrBlock", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "subnet*" } ] }, @@ -44732,8 +49082,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet*" @@ -44818,11 +49170,9 @@ "ec2:Owner", "ec2:ParentVolume", "ec2:Region", - "ec2:AvailabilityZone", + "ec2:ResourceTag/${TagKey}", "ec2:SnapshotTime", - "ec2:Encrypted", - "ec2:VolumeSize", - "ec2:ResourceTag/${TagKey}" + "ec2:VolumeSize" ], "dependent_actions": [], "resource_type": "snapshot*" @@ -44860,9 +49210,23 @@ "privilege": "EnableVgwRoutePropagation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway*" } ] }, 
@@ -44872,9 +49236,20 @@ "privilege": "EnableVolumeIO", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:ParentSnapshot", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VolumeIops", + "ec2:VolumeSize", + "ec2:VolumeThroughput", + "ec2:VolumeType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "volume*" } ] }, @@ -44901,9 +49276,14 @@ "privilege": "EnableVpcClassicLinkDnsSupport", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc" } ] }, @@ -44913,9 +49293,19 @@ "privilege": "ExportClientVpnClientCertificateRevocationList", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "client-vpn-endpoint*" } ] }, @@ -44925,9 +49315,19 @@ "privilege": "ExportClientVpnClientConfiguration", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "client-vpn-endpoint*" } ] }, 
@@ -44937,9 +49337,19 @@ "privilege": "ExportImage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" } ] }, @@ -44949,9 +49359,13 @@ "privilege": "ExportTransitGatewayRoutes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "transit-gateway-route-table*" } ] }, @@ -44967,15 +49381,35 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get information about the IPv6 CIDR block associations for a specified IPv6 address pool", + "privilege": "GetAssociatedIpv6PoolCidrs", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "ipv6pool-ec2*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get usage information about a Capacity Reservation", "privilege": "GetCapacityReservationUsage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "capacity-reservation*" } ] }, 
@@ -44997,9 +49431,20 @@ "privilege": "GetConsoleOutput", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, @@ -45062,15 +49507,40 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the resource groups to which a Capacity Reservation has been added", + "privilege": "GetGroupsForCapacityReservation", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "capacity-reservation*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to preview a reservation purchase with configurations that match those of a Dedicated Host", "privilege": "GetHostReservationPurchasePreview", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "dedicated-host*" } ] }, @@ -45080,9 +49550,20 @@ "privilege": "GetLaunchTemplateData", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, 
@@ -45092,9 +49573,13 @@ "privilege": "GetManagedPrefixListAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "prefix-list*" } ] }, @@ -45104,9 +49589,13 @@ "privilege": "GetManagedPrefixListEntries", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "prefix-list*" } ] }, @@ -45116,9 +49605,20 @@ "privilege": "GetPasswordData", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, @@ -45128,9 +49628,17 @@ "privilege": "GetReservedInstancesExchangeQuote", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Region", + "ec2:ReservedInstancesOfferingType", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "reserved-instances" } ] }, @@ -45140,9 +49648,13 @@ "privilege": "GetTransitGatewayAttachmentPropagations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "transit-gateway-attachment*" } ] }, 
@@ -45152,9 +49664,13 @@ "privilege": "GetTransitGatewayMulticastDomainAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "transit-gateway-multicast-domain" } ] }, @@ -45164,9 +49680,13 @@ "privilege": "GetTransitGatewayPrefixListReferences", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "transit-gateway-route-table*" } ] }, @@ -45176,9 +49696,13 @@ "privilege": "GetTransitGatewayRouteTableAssociations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "transit-gateway-route-table*" } ] }, @@ -45188,9 +49712,13 @@ "privilege": "GetTransitGatewayRouteTablePropagations", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "transit-gateway-route-table*" } ] }, @@ -45203,7 +49731,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" 
@@ -45216,9 +49750,19 @@ "privilege": "ImportImage", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "snapshot" } ] }, @@ -45228,9 +49772,25 @@ "privilege": "ImportInstance", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" } ] }, @@ -45252,9 +49812,19 @@ "privilege": "ImportSnapshot", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "snapshot" } ] }, @@ -45270,6 +49840,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to modify the opt-in status of the Local Zone and Wavelength Zone group for your account", + "privilege": "ModifyAvailabilityZoneGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to modify a Capacity Reservation's capacity and the conditions under which it is to be released", 
@@ -45296,10 +49878,35 @@ "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:Attribute/${AttributeName}" + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "vpc" } ] }, 
@@ -45333,9 +49940,92 @@ "privilege": "ModifyFleet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "fleet*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], + "dependent_actions": [], + "resource_type": "image" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "launch-template" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" } ] }, 
@@ -45345,9 +50035,15 @@ "privilege": "ModifyFpgaImageAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "fpga-image*" } ] }, @@ -45357,9 +50053,18 @@ "privilege": "ModifyHosts", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "dedicated-host*" } ] }, @@ -45393,9 +50098,17 @@ "privilege": "ModifyImageAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" } ] }, 
@@ -45405,9 +50118,46 @@ "privilege": "ModifyInstanceAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:ParentSnapshot", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VolumeIops", + "ec2:VolumeSize", + "ec2:VolumeThroughput", + "ec2:VolumeType" + ], + "dependent_actions": [], + "resource_type": "volume" } ] }, @@ -45417,9 +50167,29 @@ "privilege": "ModifyInstanceCapacityReservationAttributes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "capacity-reservation" } ] }, 
@@ -45429,7 +50199,18 @@ "privilege": "ModifyInstanceCreditSpecification", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], "resource_type": "instance*" } @@ -45442,7 +50223,16 @@ "resource_types": [ { "condition_keys": [ - "ec2:Region" + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" @@ -45455,9 +50245,20 @@ "privilege": "ModifyInstanceMetadataOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, 
@@ -45467,9 +50268,44 @@ "privilege": "ModifyInstancePlacement", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], + "dependent_actions": [], + "resource_type": "dedicated-host" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupStrategy", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "placement-group" } ] }, @@ -45511,9 +50347,44 @@ "privilege": "ModifyNetworkInterfaceAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "network-interface*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" } ] }, 
@@ -45523,9 +50394,17 @@ "privilege": "ModifyReservedInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Region", + "ec2:ReservedInstancesOfferingType", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "reserved-instances*" } ] }, @@ -45555,9 +50434,13 @@ "privilege": "ModifySpotFleetRequest", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "spot-fleet-request*" } ] }, @@ -45567,9 +50450,15 @@ "privilege": "ModifySubnetAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "subnet*" } ] }, @@ -45659,6 +50548,15 @@ ], "dependent_actions": [], "resource_type": "transit-gateway*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-route-table" } ] }, @@ -45684,6 +50582,15 @@ ], "dependent_actions": [], "resource_type": "transit-gateway-route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment" } ] }, @@ -45704,8 +50611,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" 
@@ -45718,9 +50627,20 @@ "privilege": "ModifyVolume", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:ParentSnapshot", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VolumeIops", + "ec2:VolumeSize", + "ec2:VolumeThroughput", + "ec2:VolumeType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "volume*" } ] }, @@ -45730,9 +50650,20 @@ "privilege": "ModifyVolumeAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Encrypted", + "ec2:ParentSnapshot", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VolumeIops", + "ec2:VolumeSize", + "ec2:VolumeThroughput", + "ec2:VolumeType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "volume*" } ] }, @@ -45742,9 +50673,14 @@ "privilege": "ModifyVpcAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" } ] }, @@ -45766,7 +50702,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "route-table" @@ -45775,7 +50712,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "security-group" @@ -45783,8 +50721,10 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" ], "dependent_actions": [], "resource_type": "subnet" 
@@ -45797,9 +50737,23 @@ "privilege": "ModifyVpcEndpointConnectionNotification", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc-endpoint*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" + ], + "dependent_actions": [], + "resource_type": "vpc-endpoint-service*" } ] }, @@ -45812,8 +50766,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:VpceServicePrivateDnsName", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" @@ -45829,7 +50783,8 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" ], "dependent_actions": [], "resource_type": "vpc-endpoint-service*" @@ -45842,9 +50797,15 @@ "privilege": "ModifyVpcPeeringConnectionOptions", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AccepterVpc", + "ec2:Region", + "ec2:RequesterVpc", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc-peering-connection*" } ] }, @@ -45854,9 +50815,14 @@ "privilege": "ModifyVpcTenancy", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpc*" } ] }, 
@@ -45870,7 +50836,83 @@ "aws:ResourceTag/${TagKey}", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:GatewayType" + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", + "ec2:RoutingType" + ], + "dependent_actions": [], + "resource_type": "vpn-connection*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "customer-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to modify the connection options for your Site-to-Site VPN connection", + "privilege": "ModifyVpnConnectionOptions", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", 
+ "ec2:RoutingType" ], "dependent_actions": [], "resource_type": "vpn-connection*" @@ -45883,9 +50925,30 @@ "privilege": "ModifyVpnTunnelCertificate", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", + "ec2:RoutingType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "vpn-connection*" } ] }, @@ -45901,6 +50964,7 @@ "ec2:ResourceTag/${TagKey}", "ec2:AuthenticationType", "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", "ec2:IKEVersions", "ec2:InsideTunnelCidr", "ec2:Phase1DHGroupNumbers", @@ -45927,9 +50991,20 @@ "privilege": "MonitorInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, @@ -45963,9 +51038,20 @@ "privilege": "PurchaseHostReservation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "dedicated-host*" } ] }, 
@@ -46048,8 +51134,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -46073,8 +51164,13 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], "resource_type": "network-interface*" @@ -46090,6 +51186,44 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to reject requests to associate cross-account subnets with a transit gateway multicast domain", + "privilege": "RejectTransitGatewayMulticastDomainAssociations", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-attachment" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "transit-gateway-multicast-domain" + } + ] + }, { "access_level": "Write", "description": "Grants permission to reject a transit gateway peering attachment request", 
@@ -46134,6 +51268,16 @@ "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], + "resource_type": "vpc-endpoint*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" + ], + "dependent_actions": [], "resource_type": "vpc-endpoint-service*" } ] @@ -46162,9 +51306,13 @@ "privilege": "ReleaseAddress", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "elastic-ip" } ] }, @@ -46174,9 +51322,18 @@ "privilege": "ReleaseHosts", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AutoPlacement", + "ec2:AvailabilityZone", + "ec2:InstanceType", + "ec2:Quantity", + "ec2:HostRecovery" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "dedicated-host*" } ] }, @@ -46211,9 +51368,14 @@ "privilege": "ReplaceNetworkAclAssociation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "network-acl*" } ] }, @@ -46223,9 +51385,14 @@ "privilege": "ReplaceNetworkAclEntry", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "network-acl*" } ] }, 
@@ -46243,6 +51410,123 @@ ], "dependent_actions": [], "resource_type": "route-table*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "carrier-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "egress-only-internet-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "internet-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "local-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "natgateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "prefix-list" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + 
"resource_type": "transit-gateway" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AccepterVpc", + "ec2:Region", + "ec2:RequesterVpc", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpc-peering-connection" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "vpn-gateway" } ] }, @@ -46252,9 +51536,14 @@ "privilege": "ReplaceRouteTableAssociation", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "route-table*" } ] }, @@ -46289,9 +51578,20 @@ "privilege": "ReportInstanceStatus", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, @@ -46301,9 +51601,14 @@ "privilege": "RequestSpotFleet", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "security-group" } ] }, 
@@ -46313,9 +51618,55 @@ "privilege": "RequestSpotInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "image" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" } ] }, @@ -46337,9 +51688,15 @@ "privilege": "ResetFpgaImageAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "fpga-image*" } ] }, @@ -46349,9 +51706,17 @@ "privilege": "ResetImageAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" } ] }, 
@@ -46361,9 +51726,20 @@ "privilege": "ResetInstanceAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "instance*" } ] }, @@ -46373,9 +51749,18 @@ "privilege": "ResetNetworkInterfaceAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "network-interface*" } ] }, @@ -46385,9 +51770,17 @@ "privilege": "ResetSnapshotAttribute", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "snapshot*" } ] }, @@ -46428,7 +51821,13 @@ "condition_keys": [ "aws:ResourceTag/${TagKey}", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" ], "dependent_actions": [], "resource_type": "client-vpn-endpoint*" @@ -46477,9 +51876,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:ImageType", - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", "ec2:Owner", "ec2:Public", "ec2:Region", 
@@ -46491,33 +51890,31 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:EbsOptimized", "ec2:InstanceProfile", "ec2:InstanceType", - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", "ec2:PlacementGroup", "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:RootDeviceType", - "ec2:Tenancy", - "ec2:MetadataHttpEndpoint", - "ec2:MetadataHttpTokens", - "ec2:MetadataHttpPutResponseHopLimit" + "ec2:Tenancy" ], "dependent_actions": [], "resource_type": "instance*" }, { "condition_keys": [ - "aws:ResourceTag/", + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", "ec2:Region", - "ec2:ResourceTag/", + "ec2:ResourceTag/${TagKey}", "ec2:Subnet", "ec2:Vpc", "ec2:AssociatePublicIpAddress" @@ -46528,8 +51925,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -46540,9 +51937,9 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:AvailabilityZone", - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", "ec2:Region", "ec2:ResourceTag/${TagKey}", "ec2:Vpc" @@ -46552,16 +51949,17 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", "aws:RequestTag/${TagKey}", "aws:TagKeys", "ec2:AvailabilityZone", "ec2:Encrypted", - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", "ec2:ParentSnapshot", "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "dependent_actions": [], 
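Review bot: The `instance*` entry in the first hunk here loses `ec2:MetadataHttpEndpoint`, `ec2:MetadataHttpTokens` and `ec2:MetadataHttpPutResponseHopLimit`, and it and the surrounding hunks (the image, network-interface, security-group, subnet, volume, key-pair, launch-template, placement-group and snapshot entries) also drop `ec2:IsLaunchTemplateResource` and `ec2:LaunchTemplate`. The privilege name is outside the hunk, presumably `RunInstances` given the resource types and the `RunScheduledInstances` entry that follows. These are the keys guardrail policies use to require IMDSv2 or launch-template-only launches. If the linter validates condition keys against this table, such policies would start being reported as using an unknown key, which pushes authors toward deleting the condition. I would keep the removed keys in the affected lists, e.g. `"ec2:MetadataHttpTokens",` under `instance*`, or confirm against the upstream source that they were really withdrawn before releasing.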
@@ -46580,6 +51978,11 @@ }, { "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", "ec2:ElasticGpuType" ], "dependent_actions": [], @@ -46592,28 +51995,34 @@ }, { "condition_keys": [ - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", - "ec2:Region" + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "key-pair" }, { "condition_keys": [ - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", - "ec2:Region" + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "launch-template" }, { "condition_keys": [ - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", + "aws:ResourceTag/${TagKey}", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:PlacementGroupStrategy", - "ec2:Region" + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "dependent_actions": [], "resource_type": "placement-group" @@ -46621,8 +52030,8 @@ { "condition_keys": [ "aws:ResourceTag/${TagKey}", - "ec2:IsLaunchTemplateResource", - "ec2:LaunchTemplate", + "aws:RequestTag/${TagKey}", + "aws:TagKeys", "ec2:Owner", "ec2:ParentVolume", "ec2:Region", 
@@ -46641,9 +52050,84 @@ "privilege": "RunScheduledInstances", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:ImageType", + "ec2:Owner", + "ec2:Public", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "image*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "key-pair" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" + ], + "dependent_actions": [], + "resource_type": "network-interface" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:PlacementGroupStrategy", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "placement-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "security-group" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Owner", + "ec2:ParentVolume", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:SnapshotTime", + "ec2:VolumeSize" + ], + "dependent_actions": [], + "resource_type": "snapshot" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "subnet" } ] }, 
@@ -46653,9 +52137,13 @@ "privilege": "SearchLocalGatewayRoutes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "local-gateway-route-table*" } ] }, @@ -46665,9 +52153,13 @@ "privilege": "SearchTransitGatewayMulticastGroups", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "transit-gateway-multicast-domain" } ] }, @@ -46677,9 +52169,13 @@ "privilege": "SearchTransitGatewayRoutes", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "dependent_actions": [], - "resource_type": "" + "resource_type": "transit-gateway-route-table*" } ] }, 
@@ -46708,86 +52204,201 @@ }, { "access_level": "Write", - "description": "Grants permission to start a stopped instance", - "privilege": "StartInstances", + "description": "Grants permission to start a stopped instance", + "privilege": "StartInstances", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start analyzing a specified path", + "privilege": "StartNetworkInsightsAnalysis", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:Vpc" + ], + "dependent_actions": [], + "resource_type": "network-insights-path*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start the private DNS verification process for a VPC endpoint service", + "privilege": "StartVpcEndpointServicePrivateDnsVerification", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:VpceServicePrivateDnsName" + ], + "dependent_actions": [], + "resource_type": "vpc-endpoint-service*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to stop an Amazon EBS-backed instance", + "privilege": "StopInstances", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" + } + ] + }, + { + "access_level": "Write", + "description": 
"Grants permission to terminate active Client VPN endpoint connections", + "privilege": "TerminateClientVpnConnections", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:ServerCertificateArn", + "ec2:ClientRootCertificateChainArn", + "ec2:DirectoryArn", + "ec2:SamlProviderArn", + "ec2:CloudwatchLogGroupArn", + "ec2:CloudwatchLogStreamArn" + ], + "dependent_actions": [], + "resource_type": "client-vpn-endpoint*" + }, + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:AuthenticationType", + "ec2:DPDTimeoutSeconds", + "ec2:GatewayType", + "ec2:IKEVersions", + "ec2:InsideTunnelCidr", + "ec2:Phase1DHGroupNumbers", + "ec2:Phase2DHGroupNumbers", + "ec2:Phase1EncryptionAlgorithms", + "ec2:Phase2EncryptionAlgorithms", + "ec2:Phase1IntegrityAlgorithms", + "ec2:Phase2IntegrityAlgorithms", + "ec2:Phase1LifetimeSeconds", + "ec2:Phase2LifetimeSeconds", + "ec2:PresharedKeys", + "ec2:RekeyFuzzPercentage", + "ec2:RekeyMarginTimeSeconds", + "ec2:RoutingType" + ], + "dependent_actions": [], + "resource_type": "vpn-connection" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to shut down one or more instances", + "privilege": "TerminateInstances", + "resource_types": [ + { + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "ec2:AvailabilityZone", + "ec2:EbsOptimized", + "ec2:InstanceProfile", + "ec2:InstanceType", + "ec2:PlacementGroup", + "ec2:Region", + "ec2:ResourceTag/${TagKey}", + "ec2:RootDeviceType", + "ec2:Tenancy" + ], + "dependent_actions": [], + "resource_type": "instance*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to unassign one or more IPv6 addresses from a network interface", + "privilege": "UnassignIpv6Addresses", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:EbsOptimized", 
- "ec2:InstanceProfile", - "ec2:InstanceType", - "ec2:PlacementGroup", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:RootDeviceType", - "ec2:Tenancy" - ], - "dependent_actions": [], - "resource_type": "instance*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to start the private DNS verification process for a VPC endpoint service", - "privilege": "StartVpcEndpointServicePrivateDnsVerification", - "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], - "resource_type": "vpc-endpoint-service*" + "resource_type": "network-interface*" } ] }, { "access_level": "Write", - "description": "Grants permission to stop an Amazon EBS-backed instance", - "privilege": "StopInstances", + "description": "Grants permission to unassign one or more secondary private IP addresses from a network interface", + "privilege": "UnassignPrivateIpAddresses", "resource_types": [ { "condition_keys": [ "aws:ResourceTag/${TagKey}", + "ec2:AuthorizedService", "ec2:AvailabilityZone", - "ec2:EbsOptimized", - "ec2:InstanceProfile", - "ec2:InstanceType", - "ec2:PlacementGroup", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:RootDeviceType", - "ec2:Tenancy" - ], - "dependent_actions": [], - "resource_type": "instance*" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to terminate active Client VPN endpoint connections", - "privilege": "TerminateClientVpnConnections", - "resource_types": [ - { - "condition_keys": [ - "aws:ResourceTag/${TagKey}", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:Subnet", + "ec2:Vpc", + "ec2:AssociatePublicIpAddress" ], "dependent_actions": [], - "resource_type": "client-vpn-endpoint*" + "resource_type": "network-interface*" } ] }, { "access_level": "Write", - "description": "Grants permission to shut down one or more instances", - 
"privilege": "TerminateInstances", + "description": "Grants permission to disable detailed monitoring for a running instance", + "privilege": "UnmonitorInstances", "resource_types": [ { "condition_keys": [ @@ -46807,42 +52418,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to unassign one or more IPv6 addresses from a network interface", - "privilege": "UnassignIpv6Addresses", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to unassign one or more secondary private IP addresses from a network interface", - "privilege": "UnassignPrivateIpAddresses", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, - { - "access_level": "Write", - "description": "Grants permission to disable detailed monitoring for a running instance", - "privilege": "UnmonitorInstances", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Write", "description": "Grants permission to update descriptions for one or more outbound rules in a VPC security group", @@ -46891,6 +52466,17 @@ } ], "resources": [ + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "elastic-ip" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:capacity-reservation/${CapacityReservationId}", "condition_keys": [ @@ -46909,7 +52495,9 @@ "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy", + "ec2:Vpc" ], "resource": "carrier-gateway" }, 
@@ -46938,14 +52526,16 @@ { "arn": "arn:${Partition}:ec2:${Region}:${Account}:customer-gateway/${CustomerGatewayId}", "condition_keys": [ + "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", + "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "resource": "customer-gateway" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:dedicated-host/${HostId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:dedicated-host/${DedicatedHostId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", @@ -46955,6 +52545,7 @@ "ec2:HostRecovery", "ec2:InstanceType", "ec2:Quantity", + "ec2:Region", "ec2:ResourceTag/${TagKey}" ], "resource": "dedicated-host" @@ -46984,7 +52575,12 @@ { "arn": "arn:${Partition}:ec2:${Region}:${Account}:elastic-gpu/${ElasticGpuId}", "condition_keys": [ - "ec2:ElasticGpuType" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:ElasticGpuType", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], "resource": "elastic-gpu" }, @@ -46993,6 +52589,17 @@ "condition_keys": [], "resource": "elastic-inference" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:export-image-task/${ExportImageTaskId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "export-image-task" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:export-instance-task/${ExportTaskId}", "condition_keys": [ @@ -47028,6 +52635,17 @@ ], "resource": "fpga-image" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:host-reservation/${HostReservationId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "host-reservation" + }, { "arn": "arn:${Partition}:ec2:${Region}::image/${ImageId}", "condition_keys": [ 
@@ -47043,6 +52661,28 @@ ], "resource": "image" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:import-image-task/${ImportImageTaskId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "import-image-task" + }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:import-snapshot-task/${ImportSnapshotTaskId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "import-snapshot-task" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}", "condition_keys": [ @@ -47073,7 +52713,7 @@ "resource": "internet-gateway" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:ipv4pool-ec2/${Ipv4PoolEc2Id}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", @@ -47081,10 +52721,10 @@ "ec2:Region", "ec2:ResourceTag/${TagKey}" ], - "resource": "key-pair" + "resource": "ipv4pool-ec2" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:ipv6pool-ec2/${Ipv6PoolEc2Id}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", @@ -47092,10 +52732,10 @@ "ec2:Region", "ec2:ResourceTag/${TagKey}" ], - "resource": "launch-template" + "resource": "ipv6pool-ec2" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway/${LocalGatewayId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:key-pair/${KeyPairName}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", 
@@ -47103,10 +52743,10 @@ "ec2:Region", "ec2:ResourceTag/${TagKey}" ], - "resource": "local-gateway" + "resource": "key-pair" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table/${LocalGatewayRouteTableId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:launch-template/${LaunchTemplateId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", @@ -47114,7 +52754,18 @@ "ec2:Region", "ec2:ResourceTag/${TagKey}" ], - "resource": "local-gateway-route-table" + "resource": "launch-template" + }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway/${LocalGatewayId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "local-gateway" }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table-virtual-interface-group-association/${LocalGatewayRouteTableVirtualInterfaceGroupAssociationId}", @@ -47134,12 +52785,13 @@ "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], "resource": "local-gateway-route-table-vpc-association" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface/${LocalGatewayVirtualInterfaceId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-route-table/${LocalGatewayRoutetableId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", @@ -47147,7 +52799,7 @@ "ec2:Region", "ec2:ResourceTag/${TagKey}" ], - "resource": "local-gateway-virtual-interface" + "resource": "local-gateway-route-table" }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface-group/${LocalGatewayVirtualInterfaceGroupId}", 
@@ -47160,6 +52812,17 @@ ], "resource": "local-gateway-virtual-interface-group" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:local-gateway-virtual-interface/${LocalGatewayVirtualInterfaceId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "local-gateway-virtual-interface" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:natgateway/${NatGatewayId}", "condition_keys": [ @@ -47183,6 +52846,28 @@ ], "resource": "network-acl" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-analysis/${NetworkInsightsAnalysisId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "network-insights-analysis" + }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-insights-path/${NetworkInsightsPathId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "network-insights-path" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:network-interface/${NetworkInterfaceId}", "condition_keys": [ @@ -47281,6 +52966,17 @@ ], "resource": "snapshot" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:spot-fleet-request/${SpotFleetRequestId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "spot-fleet-request" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:spot-instances-request/${SpotInstanceRequestId}", "condition_keys": [ @@ -47290,7 +52986,7 @@ "ec2:Region", "ec2:ResourceTag/${TagKey}" ], - "resource": "spot-instance-request" + "resource": "spot-instances-request" }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:subnet/${SubnetId}", 
@@ -47305,6 +53001,24 @@ ], "resource": "subnet" }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId}", + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], + "resource": "traffic-mirror-filter" + }, + { + "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId}", + "condition_keys": [ + "ec2:Region" + ], + "resource": "traffic-mirror-filter-rule" + }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-session/${TrafficMirrorSessionId}", "condition_keys": [ @@ -47328,7 +53042,7 @@ "resource": "traffic-mirror-target" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter/${TrafficMirrorFilterId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", @@ -47336,17 +53050,21 @@ "ec2:Region", "ec2:ResourceTag/${TagKey}" ], - "resource": "traffic-mirror-filter" + "resource": "transit-gateway-attachment" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:traffic-mirror-filter-rule/${TrafficMirrorFilterRuleId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-connect-peer/${TransitGatewayConnectPeerId}", "condition_keys": [ - "ec2:Region" + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" ], - "resource": "traffic-mirror-filter-rule" + "resource": "transit-gateway-connect-peer" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-attachment/${TransitGatewayAttachmentId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", 
@@ -47354,7 +53072,7 @@ "ec2:Region", "ec2:ResourceTag/${TagKey}" ], - "resource": "transit-gateway-attachment" + "resource": "transit-gateway" }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway-multicast-domain/${TransitGatewayMulticastDomainId}", @@ -47378,17 +53096,6 @@ ], "resource": "transit-gateway-route-table" }, - { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:transit-gateway/${TransitGatewayId}", - "condition_keys": [ - "aws:RequestTag/${TagKey}", - "aws:ResourceTag/${TagKey}", - "aws:TagKeys", - "ec2:Region", - "ec2:ResourceTag/${TagKey}" - ], - "resource": "transit-gateway" - }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:volume/${VolumeId}", "condition_keys": [ 
@@ -47402,62 +53109,63 @@ "ec2:ResourceTag/${TagKey}", "ec2:VolumeIops", "ec2:VolumeSize", + "ec2:VolumeThroughput", "ec2:VolumeType" ], "resource": "volume" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint/${VpcEndpointId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:Tenancy" + "ec2:ResourceTag/${TagKey}" ], - "resource": "vpc" + "resource": "vpc-endpoint" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint/${VpceId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service/${VpcEndpointServiceId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:Region", "ec2:ResourceTag/${TagKey}", - "ec2:VpceServiceName", - "ec2:VpceServiceOwner" + "ec2:VpceServicePrivateDnsName" ], - "resource": "vpc-endpoint" + "resource": "vpc-endpoint-service" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-endpoint-service/${VpceServiceId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-flow-log/${VpcFlowLogId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}", - "ec2:VpceServicePrivateDnsName" + "ec2:ResourceTag/${TagKey}" ], - "resource": "vpc-endpoint-service" + "resource": "vpc-flow-log" }, { - "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-flow-log/${VpcFlowLogId}", + "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc/${VpcId}", "condition_keys": [ "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys", "ec2:Region", - "ec2:ResourceTag/${TagKey}" + "ec2:ResourceTag/${TagKey}", + "ec2:Tenancy" ], - "resource": "vpc-flow-log" + "resource": "vpc" }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpc-peering-connection/${VpcPeeringConnectionId}", "condition_keys": [ + 
"aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", + "aws:TagKeys", "ec2:AccepterVpc", "ec2:Region", "ec2:RequesterVpc", @@ -47495,7 +53203,13 @@ }, { "arn": "arn:${Partition}:ec2:${Region}:${Account}:vpn-gateway/${VpnGatewayId}", - "condition_keys": [], + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:ResourceTag/${TagKey}", + "aws:TagKeys", + "ec2:Region", + "ec2:ResourceTag/${TagKey}" + ], "resource": "vpn-gateway" } ], @@ -51918,27 +57632,32 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the allowed set of values for each of the tags", + "description": "Filters access by a tag key and value pair that is allowed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by a tag key and value pair of a resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of mandatory tags in the request", + "description": "Filters access by a list of tag keys that are allowed in the request", "type": "String" }, { "condition": "elasticfilesystem:AccessPointArn", - "description": "The ARN of the access point used to mount the file system", + "description": "Filters access by the ARN of the access point used to mount the file system", "type": "String" }, + { + "condition": "elasticfilesystem:AccessedViaMountTarget", + "description": "Filters access by whether the file system is accessed via mount targets", + "type": "Bool" + }, { "condition": "elasticfilesystem:Encrypted", - "description": "Control encryption behavior for new EFS file systems", + "description": "Filters access by whether users can create only encrypted or unencrypted file systems", "type": "Bool" } ], 
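Review bot: The reordered `vpc-endpoint` resource entry in the `-47402,62 +53109,63` hunk no longer lists `ec2:VpceServiceName` and `ec2:VpceServiceOwner`; only the three `aws:` tag keys, `ec2:Region` and `ec2:ResourceTag/${TagKey}` remain. Policies that restrict which endpoint service a VPC endpoint may connect to depend on those two keys. If the linter checks conditions against a resource's `condition_keys` (not visible here), such statements could start being reported as mismatched after this update. Confirm the keys are still attached to the relevant privileges elsewhere in the file, and otherwise keep `"ec2:VpceServiceName",` and `"ec2:VpceServiceOwner"` on this entry.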
@@ -51946,7 +57665,7 @@ "privileges": [ { "access_level": "Write", - "description": "Starts a backup job for an existing file system.", + "description": "Grants permission to start a backup job for an existing file system", "privilege": "Backup", "resource_types": [ { @@ -51958,7 +57677,7 @@ }, { "access_level": "Read", - "description": "Permission for allowing read-access to a file system.", + "description": "Grants permission to allow an NFS client read-access to a file system", "privilege": "ClientMount", "resource_types": [ { @@ -51968,7 +57687,8 @@ }, { "condition_keys": [ - "elasticfilesystem:AccessPointArn" + "elasticfilesystem:AccessPointArn", + "elasticfilesystem:AccessedViaMountTarget" ], "dependent_actions": [], "resource_type": "" @@ -51977,7 +57697,7 @@ }, { "access_level": "Write", - "description": "Permission for allowing root-access to a file system.", + "description": "Grants permission to allow an NFS client root-access to a file system", "privilege": "ClientRootAccess", "resource_types": [ { @@ -51987,7 +57707,8 @@ }, { "condition_keys": [ - "elasticfilesystem:AccessPointArn" + "elasticfilesystem:AccessPointArn", + "elasticfilesystem:AccessedViaMountTarget" ], "dependent_actions": [], "resource_type": "" @@ -51996,7 +57717,7 @@ }, { "access_level": "Write", - "description": "Permission for allowing write-access to a file system.", + "description": "Grants permission to allow an NFS client write-access to a file system", "privilege": "ClientWrite", "resource_types": [ { @@ -52006,7 +57727,8 @@ }, { "condition_keys": [ - "elasticfilesystem:AccessPointArn" + "elasticfilesystem:AccessPointArn", + "elasticfilesystem:AccessedViaMountTarget" ], "dependent_actions": [], "resource_type": "" 
@@ -52015,7 +57737,7 @@ }, { "access_level": "Write", - "description": "Creates an access point for the specified file system.", + "description": "Grants permission to create an access point for the specified file system", "privilege": "CreateAccessPoint", "resource_types": [ { @@ -52026,8 +57748,8 @@ ] }, { - "access_level": "Tagging", - "description": "Creates a new, empty file system.", + "access_level": "Write", + "description": "Grants permission to create a new, empty file system", "privilege": "CreateFileSystem", "resource_types": [ { @@ -52043,7 +57765,7 @@ }, { "access_level": "Write", - "description": "Creates a mount target for a file system.", + "description": "Grants permission to create a mount target for a file system", "privilege": "CreateMountTarget", "resource_types": [ { @@ -52055,7 +57777,7 @@ }, { "access_level": "Tagging", - "description": "Creates or overwrites tags associated with a file system.", + "description": "Grants permission to create or overwrite tags associated with a file system; deprecated, see TagResource", "privilege": "CreateTags", "resource_types": [ { @@ -52075,7 +57797,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified access point.", + "description": "Grants permission to delete the specified access point", "privilege": "DeleteAccessPoint", "resource_types": [ { @@ -52087,7 +57809,7 @@ }, { "access_level": "Write", - "description": "Deletes a file system, permanently severing access to its contents.", + "description": "Grants permission to delete a file system, permanently severing access to its contents", "privilege": "DeleteFileSystem", "resource_types": [ { @@ -52099,7 +57821,7 @@ }, { "access_level": "Write", - "description": "Clears the resource-level policy for a given file system.", + "description": "Grants permission to delete the resource-level policy for a file system", "privilege": "DeleteFileSystemPolicy", "resource_types": [ { 
@@ -52111,7 +57833,7 @@ }, { "access_level": "Write", - "description": "Deletes the specified mount target.", + "description": "Grants permission to delete the specified mount target", "privilege": "DeleteMountTarget", "resource_types": [ { @@ -52123,7 +57845,7 @@ }, { "access_level": "Tagging", - "description": "Deletes the specified tags from a file system.", + "description": "Grants permission to delete the specified tags from a file system; deprecated, see UntagResource", "privilege": "DeleteTags", "resource_types": [ { @@ -52142,7 +57864,7 @@ }, { "access_level": "List", - "description": "Returns the descriptions of Amazon EFS access points.", + "description": "Grants permission to view the descriptions of Amazon EFS access points", "privilege": "DescribeAccessPoints", "resource_types": [ { @@ -52159,7 +57881,7 @@ }, { "access_level": "Read", - "description": "Returns the current BackupPolicy object for the specified Amazon EFS file system.", + "description": "Grants permission to view the BackupPolicy object for an Amazon EFS file system", "privilege": "DescribeBackupPolicy", "resource_types": [ { @@ -52171,7 +57893,7 @@ }, { "access_level": "Read", - "description": "Returns the current resource-level policy for a given file system.", + "description": "Grants permission to view the resource-level policy for an Amazon EFS file system", "privilege": "DescribeFileSystemPolicy", "resource_types": [ { 
@@ -52183,7 +57905,7 @@ }, { "access_level": "List", - "description": "Returns the description of a specific Amazon EFS file system if either the file system CreationToken or the FileSystemId is provided; otherwise, returns descriptions of all file systems owned by the caller's AWS account in the AWS region of the endpoint that you're calling.", + "description": "Grants permission to view the description of an Amazon EFS file system specified by file system CreationToken or FileSystemId; or to view the description of all file systems owned by the caller's AWS account in the AWS region of the endpoint that is being called", "privilege": "DescribeFileSystems", "resource_types": [ { @@ -52195,7 +57917,7 @@ }, { "access_level": "Read", - "description": "Returns the current LifecycleConfiguration object for the specified Amazon EFS file system.", + "description": "Grants permission to view the LifecycleConfiguration object for an Amazon EFS file system", "privilege": "DescribeLifecycleConfiguration", "resource_types": [ { @@ -52207,7 +57929,7 @@ }, { "access_level": "Read", - "description": "Returns the security groups currently in effect for a mount target.", + "description": "Grants permission to view the security groups in effect for a mount target", "privilege": "DescribeMountTargetSecurityGroups", "resource_types": [ { @@ -52219,7 +57941,7 @@ }, { "access_level": "Read", - "description": "Returns the descriptions of all the current mount targets, or a specific mount target, for a file system.", + "description": "Grants permission to view the descriptions of all mount targets, or a specific mount target, for a file system", "privilege": "DescribeMountTargets", "resource_types": [ { @@ -52236,7 +57958,7 @@ }, { "access_level": "Read", - "description": "Returns the tags associated with a file system.", + "description": "Grants permission to view the tags associated with a file system", "privilege": "DescribeTags", "resource_types": [ { 
@@ -52248,7 +57970,7 @@ }, { "access_level": "Read", - "description": "Returns the tags associated with the specified Amazon EFS resource.", + "description": "Grants permission to view the tags associated with the specified Amazon EFS resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -52265,7 +57987,7 @@ }, { "access_level": "Write", - "description": "Modifies the set of security groups in effect for a mount target.", + "description": "Grants permission to modify the set of security groups in effect for a mount target", "privilege": "ModifyMountTargetSecurityGroups", "resource_types": [ { @@ -52277,7 +57999,7 @@ }, { "access_level": "Write", - "description": "Enables automatic backups with AWS Backup by creating a new BackupPolicy object.", + "description": "Grants permission to enable or disable automatic backups with AWS Backup by creating a new BackupPolicy object", "privilege": "PutBackupPolicy", "resource_types": [ { @@ -52289,7 +58011,7 @@ }, { "access_level": "Write", - "description": "Apply a resource-level policy granting and/or restricting actions from given actors for the specified file system.", + "description": "Grants permission to apply a resource-level policy that defines the actions allowed or denied from given actors for the specified file system", "privilege": "PutFileSystemPolicy", "resource_types": [ { @@ -52301,7 +58023,7 @@ }, { "access_level": "Write", - "description": "Enables lifecycle management by creating a new LifecycleConfiguration object.", + "description": "Grants permission to enable lifecycle management by creating a new LifecycleConfiguration object", "privilege": "PutLifecycleConfiguration", "resource_types": [ { @@ -52313,7 +58035,7 @@ }, { "access_level": "Write", - "description": "Starts a restore job for an existing file system.", + "description": "Grants permission to start a restore job for a backup of a file system", "privilege": "Restore", "resource_types": [ { 
@@ -52325,7 +58047,7 @@ }, { "access_level": "Tagging", - "description": "Creates or overwrites tags associated with the specified Amazon EFS resource.", + "description": "Grants permission to create or overwrite tags associated with the specified Amazon EFS resource", "privilege": "TagResource", "resource_types": [ { @@ -52342,7 +58064,7 @@ }, { "access_level": "Tagging", - "description": "Deletes the specified tags from a specified Amazon EFS resource.", + "description": "Grants permission to delete the specified tags from an Amazon EFS resource", "privilege": "UntagResource", "resource_types": [ { @@ -52359,7 +58081,7 @@ }, { "access_level": "Write", - "description": "Updates the throughput mode or the amount of provisioned throughput of an existing file system.", + "description": "Grants permission to update the throughput mode or the amount of provisioned throughput of an existing file system", "privilege": "UpdateFileSystem", "resource_types": [ { @@ -54345,7 +60067,19 @@ "privileges": [ { "access_level": "List", - "description": "Download the Software files for AWS Elemental Appliances and Software Purchases", + "description": "Grants permission to complete the process of uploading a Software file for AWS Elemental Appliances and Software Purchases", + "privilege": "CompleteFileUpload", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to download the Software files for AWS Elemental Appliances and Software Purchases", "privilege": "DownloadSoftware", "resource_types": [ { @@ -54357,7 +60091,7 @@ }, { "access_level": "List", - "description": "Generate Software Licenses for AWS Elemental Appliances and Software Purchases", + "description": "Grants permission to generate Software Licenses for AWS Elemental Appliances and Software Purchases", "privilege": "GenerateLicenses", "resource_types": [ { 
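Review bot: The `CompleteFileUpload` privilege added in the `-54345,7 +60067,19` hunk is recorded with `"access_level": "List"`, although its description is about completing the upload of a Software file; the `StartFileUpload` entry added in a later hunk carries the same level. Anything that uses `access_level` to separate enumeration from state-changing actions would treat both as list-only. The neighbouring `DownloadSoftware` and `GenerateLicenses` context entries show the same level, so the value is presumably inherited from wherever this data comes from. It is worth checking it there, and if it is wrong, carrying `"access_level": "Write",` for both entries, with the correction made where the data is produced so a later refresh does not undo it.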
@@ -54369,7 +60103,7 @@ }, { "access_level": "Read", - "description": "Describe an activation", + "description": "Grants permission to describe an activation", "privilege": "GetActivation", "resource_types": [ { @@ -54381,7 +60115,7 @@ }, { "access_level": "Read", - "description": "This action lists tags for an AWS Elemental Activations resource", + "description": "Grants permission to list tags for an AWS Elemental Activations resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -54391,9 +60125,21 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to start the process of uploading a Software file for AWS Elemental Appliances and Software Purchases", + "privilege": "StartFileUpload", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", - "description": "This action adds a tag for an AWS Elemental Activations resource", + "description": "Grants permission to add a tag for an AWS Elemental Activations resource", "privilege": "TagResource", "resource_types": [ { @@ -54413,7 +60159,7 @@ }, { "access_level": "Tagging", - "description": "This action removes a tag from an AWS Elemental Activations resource", + "description": "Grants permission to remove a tag from an AWS Elemental Activations resource", "privilege": "UntagResource", "resource_types": [ { 
@@ -54657,6 +60403,235 @@ "resources": [], "service_name": "Elemental Support Content" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + }, + { + "condition": "emr-containers:ExecutionRoleArn", + "description": "Filters actions based on whether the execution role arn is provided with the action", + "type": "String" + } + ], + "prefix": "emr-containers", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to cancel a job run", + "privilege": "CancelJobRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobRun*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a virtual cluster", + "privilege": "CreateVirtualCluster", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a virtual cluster", + "privilege": "DeleteVirtualCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a job run", + "privilege": "DescribeJobRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobRun*" + }, + { + "condition_keys": [], + "dependent_actions": 
[], + "resource_type": "virtualCluster*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a virtual cluster", + "privilege": "DescribeVirtualCluster", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list job runs associated with a virtual cluster", + "privilege": "ListJobRuns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list tags for the specified resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobRun" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list virtual clusters", + "privilege": "ListVirtualClusters", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a job run", + "privilege": "StartJobRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "emr-containers:ExecutionRoleArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag the specified resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobRun" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster" + }, + { + "condition_keys": [ + 
"aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag the specified resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "jobRun" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "virtualCluster" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${virtualClusterId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "virtualCluster" + }, + { + "arn": "arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${virtualClusterId}/jobruns/${jobRunId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "emr-containers:ExecutionRoleArn" + ], + "resource": "jobRun" + } + ], + "service_name": "Amazon EMR on EKS (EMR Containers)" + }, { "conditions": [], "prefix": "es", @@ -56097,7 +62072,7 @@ "privileges": [ { "access_level": "Write", - "description": "Sets the AWS Firewall Manager administrator account and enables the service in all organization accounts", + "description": "Grants permission to set the AWS Firewall Manager administrator account and enables the service in all organization accounts", "privilege": "AssociateAdminAccount", "resource_types": [ { @@ -56109,7 +62084,7 @@ }, { "access_level": "Write", - "description": "Grants permission to permanently deletes an AWS Firewall Manager applications list.", + "description": "Grants permission to permanently deletes an AWS Firewall Manager applications list", "privilege": "DeleteAppsList", "resource_types": [ { 
@@ -56121,7 +62096,7 @@ }, { "access_level": "Write", - "description": "Deletes an AWS Firewall Manager association with the IAM role and the Amazon Simple Notification Service (SNS) topic that is used to notify the FM administrator about major FM events and errors across the organization.", + "description": "Grants permission to delete an AWS Firewall Manager association with the IAM role and the Amazon Simple Notification Service (SNS) topic that is used to notify the FM administrator about major FM events and errors across the organization", "privilege": "DeleteNotificationChannel", "resource_types": [ { @@ -56133,7 +62108,7 @@ }, { "access_level": "Write", - "description": "Permanently deletes an AWS Firewall Manager policy.", + "description": "Grants permission to permanently delete an AWS Firewall Manager policy", "privilege": "DeletePolicy", "resource_types": [ { @@ -56152,7 +62127,7 @@ }, { "access_level": "Write", - "description": "Grants permission to permanently deletes an AWS Firewall Manager protocols list.", + "description": "Grants permission to permanently deletes an AWS Firewall Manager protocols list", "privilege": "DeleteProtocolsList", "resource_types": [ { @@ -56164,7 +62139,7 @@ }, { "access_level": "Write", - "description": "Disassociates the account that has been set as the AWS Firewall Manager administrator account and and disables the service in all organization accounts", + "description": "Grants permission to disassociate the account that has been set as the AWS Firewall Manager administrator account and and disables the service in all organization accounts", "privilege": "DisassociateAdminAccount", "resource_types": [ { 
@@ -56176,7 +62151,7 @@ }, { "access_level": "Read", - "description": "Returns the AWS Organizations master account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator.", + "description": "Grants permission to retrieve the AWS Organizations master account that is associated with AWS Firewall Manager as the AWS Firewall Manager administrator", "privilege": "GetAdminAccount", "resource_types": [ { @@ -56188,7 +62163,7 @@ }, { "access_level": "Read", - "description": "Grants permission to return information about the specified AWS Firewall Manager applications list.", + "description": "Grants permission to return information about the specified AWS Firewall Manager applications list", "privilege": "GetAppsList", "resource_types": [ { @@ -56200,7 +62175,7 @@ }, { "access_level": "Read", - "description": "Returns detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy.", + "description": "Grants permission to retrieve detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy", "privilege": "GetComplianceDetail", "resource_types": [ { @@ -56212,7 +62187,7 @@ }, { "access_level": "Read", - "description": "Returns information about the Amazon Simple Notification Service (SNS) topic that is used to record AWS Firewall Manager SNS logs.", + "description": "Grants permission to retrieve information about the Amazon Simple Notification Service (SNS) topic that is used to record AWS Firewall Manager SNS logs", "privilege": "GetNotificationChannel", "resource_types": [ { 
@@ -56224,7 +62199,7 @@ }, { "access_level": "Read", - "description": "Returns information about the specified AWS Firewall Manager policy.", + "description": "Grants permission to retrieve information about the specified AWS Firewall Manager policy", "privilege": "GetPolicy", "resource_types": [ { @@ -56236,7 +62211,7 @@ }, { "access_level": "Read", - "description": "Returns policy-level attack summary information in the event of a potential DDoS attack.", + "description": "Grants permission to retrieve policy-level attack summary information in the event of a potential DDoS attack", "privilege": "GetProtectionStatus", "resource_types": [ { @@ -56248,7 +62223,7 @@ }, { "access_level": "Read", - "description": "Grants permission to return information about the specified AWS Firewall Manager protocols list.", + "description": "Grants permission to return information about the specified AWS Firewall Manager protocols list", "privilege": "GetProtocolsList", "resource_types": [ { @@ -56258,9 +62233,21 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve violations for a resource based on the specified AWS Firewall Manager policy and AWS account", + "privilege": "GetViolationDetails", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "policy*" + } + ] + }, { "access_level": "List", - "description": "Grants permission to return an array of AppsListDataSummary objects.", + "description": "Grants permission to return an array of AppsListDataSummary objects", "privilege": "ListAppsLists", "resource_types": [ { 
@@ -56272,7 +62259,7 @@ }, { "access_level": "List", - "description": "Returns an array of PolicyComplianceStatus objects in the response. Use PolicyComplianceStatus to get a summary of which member accounts are protected by the specified policy.", + "description": "Grants permission to retrieve an array of PolicyComplianceStatus objects in the response. Use PolicyComplianceStatus to get a summary of which member accounts are protected by the specified policy", "privilege": "ListComplianceStatus", "resource_types": [ { @@ -56284,7 +62271,7 @@ }, { "access_level": "List", - "description": "Returns an array of member account ids if the caller is FMS admin account.", + "description": "Grants permission to retrieve an array of member account ids if the caller is FMS admin account", "privilege": "ListMemberAccounts", "resource_types": [ { @@ -56296,7 +62283,7 @@ }, { "access_level": "List", - "description": "Returns an array of PolicySummary objects in the response.", + "description": "Grants permission to retrieve an array of PolicySummary objects in the response", "privilege": "ListPolicies", "resource_types": [ { @@ -56308,7 +62295,7 @@ }, { "access_level": "List", - "description": "Grants permission to return an array of ProtocolsListDataSummary objects.", + "description": "Grants permission to return an array of ProtocolsListDataSummary objects", "privilege": "ListProtocolsLists", "resource_types": [ { @@ -56320,7 +62307,7 @@ }, { "access_level": "Read", - "description": "Lists the Tags for a given resource.", + "description": "Grants permission to list Tags for a given resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -56332,7 +62319,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create an AWS Firewall Manager applications list.", + "description": "Grants permission to create an AWS Firewall Manager applications list", "privilege": "PutAppsList", "resource_types": [ { 
@@ -56352,7 +62339,7 @@ }, { "access_level": "Write", - "description": "Designates the IAM role and Amazon Simple Notification Service (SNS) topic that AWS Firewall Manager (FM) could use to notify the FM administrator about major FM events and errors across the organization.", + "description": "Grants permission to designate the IAM role and Amazon Simple Notification Service (SNS) topic that AWS Firewall Manager (FM) could use to notify the FM administrator about major FM events and errors across the organization", "privilege": "PutNotificationChannel", "resource_types": [ { @@ -56364,7 +62351,7 @@ }, { "access_level": "Write", - "description": "Creates an AWS Firewall Manager policy.", + "description": "Grants permission to create an AWS Firewall Manager policy", "privilege": "PutPolicy", "resource_types": [ { @@ -56384,7 +62371,7 @@ }, { "access_level": "Write", - "description": "Grants permission to creates an AWS Firewall Manager protocols list.", + "description": "Grants permission to creates an AWS Firewall Manager protocols list", "privilege": "PutProtocolsList", "resource_types": [ { @@ -56404,7 +62391,7 @@ }, { "access_level": "Tagging", - "description": "Adds a Tag to a given resource.", + "description": "Grants permission to add a Tag to a given resource", "privilege": "TagResource", "resource_types": [ { @@ -56424,7 +62411,7 @@ }, { "access_level": "Tagging", - "description": "Removes a Tag from a given resource.", + "description": "Grants permission to remove a Tag from a given resource", "privilege": "UntagResource", "resource_types": [ { 
@@ -59909,6 +65896,491 @@ ], "service_name": "Amazon GameLift" }, + { + "conditions": [], + "prefix": "geo", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an association between a geofence-collection and a tracker resource", + "privilege": "AssociateTrackerConsumer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a batch of geofences from a geofence collection", + "privilege": "BatchDeleteGeofence", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to evaluate device positions against the position of geofences in a given geofence collection", + "privilege": "BatchEvaluateGeofences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to send a batch request to retrieve device positions", + "privilege": "BatchGetDevicePosition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send a batch request for adding geofences into a given geofence collection", + "privilege": "BatchPutGeofence", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to upload a position update for one or more devices to a tracker resource", + "privilege": "BatchUpdateDevicePosition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": 
"Write", + "description": "Grants permission to create a geofence-collection", + "privilege": "CreateGeofenceCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a map resource", + "privilege": "CreateMap", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a place index resource", + "privilege": "CreatePlaceIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "place-index*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a tracker resource", + "privilege": "CreateTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to deletes a geofence-collection", + "privilege": "DeleteGeofenceCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a map resource", + "privilege": "DeleteMap", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a place index resource", + "privilege": "DeletePlaceIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "place-index*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a tracker resource", + "privilege": "DeleteTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "tracker*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a geofence collection details", + "privilege": "DescribeGeofenceCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a map resource details", + "privilege": "DescribeMap", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a a place-index resource details", + "privilege": "DescribePlaceIndex", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "place-index*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a tracker resource details", + "privilege": "DescribeTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove the association between a tracker resource and a geofence-collection", + "privilege": "DisassociateTrackerConsumer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the latest device position", + "privilege": "GetDevicePosition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": "Read", + "description": "Grant permission to retrieve the device position history", + "privilege": "GetDevicePositionHistory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": "Read", + 
"description": "Grants permission to retrieve the geofence details from a geofence-collection.", + "privilege": "GetGeofence", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the glyph file for a map resource", + "privilege": "GetMapGlyphs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the sprite file for a map resource", + "privilege": "GetMapSprites", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the map style descriptor from a map resource", + "privilege": "GetMapStyleDescriptor", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the map tile from the map resource", + "privilege": "GetMapTile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieves the map TileJSON details from a given map resource", + "privilege": "GetMapTileJson", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "map*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to lists geofence-collections", + "privilege": "ListGeofenceCollections", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list geofences stored in a given geofence collection", + "privilege": 
"ListGeofences", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list map resources", + "privilege": "ListMaps", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of place index resources", + "privilege": "ListPlaceIndexes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve a list of geofence collections currently associated to the given tracker resource", + "privilege": "ListTrackerConsumers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to return a list of tracker resources", + "privilege": "ListTrackers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add a new geofence or update an existing geofence to a given geofence-collection", + "privilege": "PutGeofence", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to reverse geocodes a given coordinate", + "privilege": "SearchPlaceIndexForPosition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "place-index*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to geocode free-form text, such as an address, name, city or region", + "privilege": "SearchPlaceIndexForText", + "resource_types": [ + 
{ + "condition_keys": [], + "dependent_actions": [], + "resource_type": "place-index*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the description of a geofence collection", + "privilege": "UpdateGeofenceCollection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "geofence-collection*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the description of a tracker resource", + "privilege": "UpdateTracker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "tracker*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:geo:${Region}:${Account}:geofence-collection/${GeofenceCollectionName}", + "condition_keys": [], + "resource": "geofence-collection" + }, + { + "arn": "arn:${Partition}:geo:${Region}:${Account}:map/${MapName}", + "condition_keys": [], + "resource": "map" + }, + { + "arn": "arn:${Partition}:geo:${Region}:${Account}:place-index/${IndexName}", + "condition_keys": [], + "resource": "place-index" + }, + { + "arn": "arn:${Partition}:geo:${Region}:${Account}:tracker/${TrackerName}", + "condition_keys": [], + "resource": "tracker" + } + ], + "service_name": "Amazon Location" + }, { "conditions": [ { 
@@ -60366,7 +66838,19 @@ "privileges": [ { "access_level": "Write", - "description": "Advertises an IPv4 address range that is provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", + "description": "Grants permission to add a virtual private cloud (VPC) subnet endpoint to a custom routing accelerator endpoint group.", + "privilege": "AddCustomRoutingEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpointgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to advertises an IPv4 address range that is provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", "privilege": "AdvertiseByoipCidr", "resource_types": [ { @@ -60378,7 +66862,19 @@ }, { "access_level": "Write", - "description": "Create an accelerator.", + "description": "Grants permission to allows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet.", + "privilege": "AllowCustomRoutingTraffic", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpointgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a standard accelerator.", "privilege": "CreateAccelerator", "resource_types": [ { 
@@ -60393,7 +66889,46 @@ }, { "access_level": "Write", - "description": "Add an endpoint group.", + "description": "Grants permission to create a Custom Routing accelerator", + "privilege": "CreateCustomRoutingAccelerator", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an endpoint group for the specified listener for a custom routing accelerator.", + "privilege": "CreateCustomRoutingEndpointGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "listener*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a listener to process inbound connections from clients to a custom routing accelerator.", + "privilege": "CreateCustomRoutingListener", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add an endpoint group to a standard accelerator listener.", "privilege": "CreateEndpointGroup", "resource_types": [ { @@ -60405,7 +66940,7 @@ }, { "access_level": "Write", - "description": "Add a listener.", + "description": "Grants permission to add a listener to a standard accelerator.", "privilege": "CreateListener", "resource_types": [ { @@ -60417,7 +66952,7 @@ }, { "access_level": "Write", - "description": "Delete the accelerator.", + "description": "Grants permission to delete a standard accelerator.", "privilege": "DeleteAccelerator", "resource_types": [ { 
@@ -60429,7 +66964,43 @@ }, { "access_level": "Write", - "description": "Delete the endpoint group.", + "description": "Grants permission to delete a custom routing accelerator.", + "privilege": "DeleteCustomRoutingAccelerator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an endpoint group from a listener for a custom routing accelerator.", + "privilege": "DeleteCustomRoutingEndpointGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpointgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a listener for a custom routing accelerator.", + "privilege": "DeleteCustomRoutingListener", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "listener*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an endpoint group associated with a standard accelerator listener.", "privilege": "DeleteEndpointGroup", "resource_types": [ { @@ -60441,7 +67012,7 @@ }, { "access_level": "Write", - "description": "Delete the listener.", + "description": "Grants permission to delete a listener from a standard accelerator.", "privilege": "DeleteListener", "resource_types": [ { 
@@ -60453,7 +67024,19 @@ }, { "access_level": "Write", - "description": "Releases the specified address range that you provisioned for use with your accelerator through bring your own IP addresses (BYOIP) and deletes the corresponding address pool.", + "description": "Grants permission to disallows custom routing of user traffic to a private destination IP:PORT in a specific VPC subnet.", + "privilege": "DenyCustomRoutingTraffic", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpointgroup*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to releases the specified address range that you provisioned for use with your accelerator through bring your own IP addresses (BYOIP).", "privilege": "DeprovisionByoipCidr", "resource_types": [ { @@ -60465,7 +67048,7 @@ }, { "access_level": "Read", - "description": "Describe the accelerator.", + "description": "Grants permissions to describe a standard accelerator.", "privilege": "DescribeAccelerator", "resource_types": [ { @@ -60477,7 +67060,7 @@ }, { "access_level": "Read", - "description": "Describe the accelerator Attributes.", + "description": "Grants permission to describe a standard accelerator attributes.", "privilege": "DescribeAcceleratorAttributes", "resource_types": [ { 
@@ -60489,7 +67072,55 @@ }, { "access_level": "Read", - "description": "Describe the endpoint group.", + "description": "Grants permission to describe a custom routing accelerator.", + "privilege": "DescribeCustomRoutingAccelerator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe the attributes of a custom routing accelerator.", + "privilege": "DescribeCustomRoutingAcceleratorAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an endpoint group for a custom routing accelerator.", + "privilege": "DescribeCustomRoutingEndpointGroup", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpointgroup*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a listener for a custom routing accelerator.", + "privilege": "DescribeCustomRoutingListener", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "listener*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe a standard accelerator endpoint group.", "privilege": "DescribeEndpointGroup", "resource_types": [ { @@ -60501,7 +67132,7 @@ }, { "access_level": "Read", - "description": "Describe the listener.", + "description": "Grants permission to describe a standard accelerator listener.", "privilege": "DescribeListener", "resource_types": [ { @@ -60513,7 +67144,7 @@ }, { "access_level": "List", - "description": "List the accelerators.", + "description": "Grants permission to list all standard accelerators.", "privilege": "ListAccelerators", "resource_types": [ { 
@@ -60525,7 +67156,7 @@ }, { "access_level": "List", - "description": "List the byoip cidrs.", + "description": "Grants permission to list the BYOIP cidrs.", "privilege": "ListByoipCidrs", "resource_types": [ { 
@@ -60537,7 +67168,67 @@ }, { "access_level": "List", - "description": "List the endpoint groups.", + "description": "Grants permission to list the custom routing accelerators for an AWS account.", + "privilege": "ListCustomRoutingAccelerators", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the endpoint groups that are associated with a listener for a custom routing accelerator.", + "privilege": "ListCustomRoutingEndpointGroups", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "listener*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the listeners for a custom routing accelerator.", + "privilege": "ListCustomRoutingListeners", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the port mappings for a custom routing accelerator.", + "privilege": "ListCustomRoutingPortMappings", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the port mappings for a specific endpoint IP address (a destination address) in a subnet", + "privilege": "ListCustomRoutingPortMappingsByDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all endpoint groups associated with a standard accelerator listener.", "privilege": "ListEndpointGroups", "resource_types": [ { 
@@ -60549,7 +67240,7 @@ }, { "access_level": "List", - "description": "List the listeners.", + "description": "Grants permission to list all listeners associated with a standard accelerator.", "privilege": "ListListeners", "resource_types": [ { @@ -60561,7 +67252,7 @@ }, { "access_level": "Read", - "description": "List tags for a globalaccelerator resource.", + "description": "Grants permission to list tags for a globalaccelerator resource.", "privilege": "ListTagsForResource", "resource_types": [ { @@ -60573,7 +67264,7 @@ }, { "access_level": "Write", - "description": "Provisions an address range for use with your accelerator through bring your own IP addresses (BYOIP) and creates a corresponding address pool.", + "description": "Grants permission to provisions an address range for use with your accelerator through bring your own IP addresses (BYOIP).", "privilege": "ProvisionByoipCidr", "resource_types": [ { @@ -60583,9 +67274,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to remove virtual private cloud (VPC) subnet endpoints from a custom routing accelerator endpoint group.", + "privilege": "RemoveCustomRoutingEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "endpointgroup*" + } + ] + }, { "access_level": "Tagging", - "description": "Add tags to globalaccelerator resource.", + "description": "Grants permission to add tags to a globalaccelerator resource.", "privilege": "TagResource", "resource_types": [ { @@ -60605,7 +67308,7 @@ }, { "access_level": "Tagging", - "description": "Remove tags from globalaccelerator resource.", + "description": "Grants permission to remove tags from a globalaccelerator resource.", "privilege": "UntagResource", "resource_types": [ { 
@@ -60624,7 +67327,7 @@ }, { "access_level": "Write", - "description": "Update the accelerator.", + "description": "Grants permission to update a standard accelerator.", "privilege": "UpdateAccelerator", "resource_types": [ { @@ -60636,7 +67339,7 @@ }, { "access_level": "Write", - "description": "Update the accelerator attributes.", + "description": "Grants permission to update a standard accelerator attributes.", "privilege": "UpdateAcceleratorAttributes", "resource_types": [ { @@ -60648,7 +67351,43 @@ }, { "access_level": "Write", - "description": "Update the endpoint group.", + "description": "Grants permission to update a custom routing accelerator.", + "privilege": "UpdateCustomRoutingAccelerator", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update the attributes for a custom routing accelerator.", + "privilege": "UpdateCustomRoutingAcceleratorAttributes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "accelerator*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a listener for a custom routing accelerator.", + "privilege": "UpdateCustomRoutingListener", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "listener*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an endpoint group on a standard accelerator listener.", "privilege": "UpdateEndpointGroup", "resource_types": [ { @@ -60660,7 +67399,7 @@ }, { "access_level": "Write", - "description": "Update the listener.", + "description": "Grants permission to update a listener on a standard accelerator.", "privilege": "UpdateListener", "resource_types": [ { 
@@ -60672,7 +67411,7 @@ }, { "access_level": "Write", - "description": "Stops advertising an IPv4 address range that is provisioned as an address pool.", + "description": "Grants permission to stops advertising a BYOIP IPv4 address.", "privilege": "WithdrawByoipCidr", "resource_types": [ { @@ -61786,7 +68525,7 @@ ] }, { - "access_level": "Write", + "access_level": "Read", "description": "Grants permission to create a mapping", "privilege": "GetMapping", "resource_types": [ @@ -61865,6 +68604,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve resource policies", + "privilege": "GetResourcePolicies", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "catalog*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to retrieve a resource policy", 
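Review bot: In the `GetMapping` entry (hunk `@@ -61786,7 +68525,7 @@`), the access level becomes `Read` while the unchanged description on the next line still says "Grants permission to create a mapping", so the two fields now disagree about whether the action mutates anything. A linter or auditor that filters on `access_level` will stop treating this action as write-capable once this lands, so the reclassification should be confirmed against the service's authorization reference and not taken on trust. If `Read` is confirmed, the description should agree with it, for example `"description": "Grants permission to retrieve a mapping",`. If this file is regenerated from upstream documentation (not visible here), the correction belongs in the generator or an override step so the next refresh does not undo it. The enclosing privileges array starts and ends outside the hunk.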
@@ -63029,6 +69780,422 @@ ], "service_name": "AWS Glue" }, + { + "conditions": [ + { + "condition": "aws:CurrentTime", + "description": "Filters access by checking date/time conditions for the current date and time", + "type": "Date" + }, + { + "condition": "aws:EpochTime", + "description": "Filters access by checking date/time conditions for the current date and time in epoch or Unix time", + "type": "Date" + }, + { + "condition": "aws:MultiFactorAuthAge", + "description": "Filters access by checking how long ago (in seconds) the security credentials validated by multi-factor authentication (MFA) in the request were issued using MFA", + "type": "Numeric" + }, + { + "condition": "aws:MultiFactorAuthPresent", + "description": "Filters access by checking whether multi-factor authentication (MFA) was used to validate the temporary security credentials that made the current request", + "type": "Boolean" + }, + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters create requests based on the allowed set of values for each of the mandatory tags", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tag value associated with the resource", + "type": "String" + }, + { + "condition": "aws:SecureTransport", + "description": "Filters access by checking whether the request was sent using SSL", + "type": "Boolean" + }, + { + "condition": "aws:TagKeys", + "description": "Filters create requests based on the presence of mandatory tags in the request", + "type": "String" + }, + { + "condition": "aws:UserAgent", + "description": "Filters access by the requester's client application", + "type": "String" + } + ], + "prefix": "greengrass", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to cancel a deployment", + "privilege": "CancelDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:CancelJob", + "iot:DeleteThingShadow", + 
"iot:DescribeJob", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow", + "iot:UpdateJob", + "iot:UpdateThingShadow" + ], + "resource_type": "deployment*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a component", + "privilege": "CreateComponentVersion", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a deployment", + "privilege": "CreateDeployment", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "iot:CancelJob", + "iot:CreateJob", + "iot:DeleteThingShadow", + "iot:DescribeJob", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow", + "iot:UpdateJob", + "iot:UpdateThingShadow" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a component", + "privilege": "DeleteComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "componentVersion*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a AWS IoT Greengrass core device, which is an AWS IoT thing. This operation removes the core device from the list of core devices. 
This operation doesn't delete the AWS IoT thing", + "privilege": "DeleteCoreDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeJobExecution" + ], + "resource_type": "coreDevice*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve metadata for a version of a component", + "privilege": "DescribeComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "componentVersion*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the recipe for a version of a component", + "privilege": "GetComponent", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "componentVersion*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieves metadata for a AWS IoT Greengrass core device", + "privilege": "GetCoreDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "coreDevice*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a deployment", + "privilege": "GetDeployment", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeJob", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow" + ], + "resource_type": "deployment*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a paginated list of all versions for a component", + "privilege": "ListComponentVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a paginated list of component summaries", + "privilege": "ListComponents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": 
"List", + "description": "Grants permission to retrieve a paginated list of AWS IoT Greengrass core devices", + "privilege": "ListCoreDevices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieves a paginated list of deployments", + "privilege": "ListDeployments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeJob", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieves a paginated list of deployment jobs that AWS IoT Greengrass sends to AWS IoT Greengrass core devices", + "privilege": "ListEffectiveDeployments", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeJob", + "iot:DescribeJobExecution", + "iot:DescribeThing", + "iot:DescribeThingGroup", + "iot:GetThingShadow" + ], + "resource_type": "coreDevice*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve a paginated list of the components that a AWS IoT Greengrass core device runs", + "privilege": "ListInstalledComponents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "coreDevice*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "componentVersion" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "coreDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deployment" + }, + { + "condition_keys": [ + 
"aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "componentVersion" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "coreDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deployment" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "component" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "componentVersion" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "coreDevice" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "deployment" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:components:${ComponentName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "component" + }, + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:components:${ComponentName}:versions:${ComponentVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "componentVersion" + }, + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:coreDevices:${CoreDeviceThingName}", + "condition_keys": [ + 
"aws:ResourceTag/${TagKey}" + ], + "resource": "coreDevice" + }, + { + "arn": "arn:${Partition}:greengrass:${Region}:${Account}:deployments:${DeploymentId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "deployment" + } + ], + "service_name": "AWS IoT Greengrass V2" + }, { "conditions": [ { @@ -66090,7 +73257,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Read", "description": "Returns the status of enabling or disabling the Organizational View feature", "privilege": "DescribeHealthServiceStatusForOrganization", "resource_types": [ @@ -68478,6 +75645,28 @@ } ] }, + { + "access_level": "Write", + "description": "Create a new Container Recipe", + "privilege": "CreateContainerRecipe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "imagebuilder:GetComponent" + ], + "resource_type": "containerRecipe*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Create a new distribution configuration", @@ -68601,6 +75790,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a container recipe", + "privilege": "DeleteContainerRecipe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "containerRecipe*" + } + ] + }, { "access_level": "Write", "description": "Delete a distribution configuration", @@ -68674,7 +75875,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Read", "description": "View the resource policy associated with a component", "privilege": "GetComponentPolicy", "resource_types": [ 
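Review bot: In the new `greengrass` service block, `ListTagsForResource` (access level `List`) and `UntagResource` both carry a `resource_type: ""` entry with `aws:RequestTag/${TagKey}` and `aws:TagKeys`. This is the same entry as `TagResource` and looks copied from it. A list call carries no request tags, and the `iotdeviceadvisor` block in this same commit gives `UntagResource` only `aws:TagKeys`. With the data as written, a linter built on this file would accept a statement that conditions these actions on `aws:RequestTag`, and for a `Deny` statement such a condition would presumably never match. I would confirm both entries against the service's authorization reference and, if they are wrong, drop the extra entry from `ListTagsForResource` and reduce the `UntagResource` one to `"condition_keys": ["aws:TagKeys"]`.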
@@ -68685,6 +75886,30 @@ } ] }, + { + "access_level": "Read", + "description": "View details about a container recipe", + "privilege": "GetContainerRecipe", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "containerRecipe*" + } + ] + }, + { + "access_level": "Read", + "description": "View the resource policy associated with a container recipe", + "privilege": "GetContainerRecipePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "containerRecipe*" + } + ] + }, { "access_level": "Read", "description": "View details about a distribution configuration", @@ -68729,7 +75954,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Read", "description": "View the resource policy associated with an image", "privilege": "GetImagePolicy", "resource_types": [ @@ -68753,7 +75978,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Read", "description": "View the resource policy associated with an image recipe", "privilege": "GetImageRecipePolicy", "resource_types": [ @@ -68800,6 +76025,18 @@ } ] }, + { + "access_level": "List", + "description": "List the container recipes owned by or shared with your account", + "privilege": "ListContainerRecipes", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "List the distribution configurations in your account", @@ -68940,6 +76177,18 @@ } ] }, + { + "access_level": "Permissions management", + "description": "Set the resource policy associated with a container recipe", + "privilege": "PutContainerRecipePolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "containerRecipe*" + } + ] + }, { "access_level": "Permissions management", "description": "Set the resource policy associated with an image", 
@@ -68988,6 +76237,11 @@ "dependent_actions": [], "resource_type": "component" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "containerRecipe" + }, { "condition_keys": [], "dependent_actions": [], @@ -69034,6 +76288,11 @@ "dependent_actions": [], "resource_type": "component" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "containerRecipe" + }, { "condition_keys": [], "dependent_actions": [], @@ -69160,6 +76419,13 @@ ], "resource": "imageRecipe" }, + { + "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:container-recipe/${ContainerRecipeName}/${ContainerRecipeVersion}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "containerRecipe" + }, { "arn": "arn:${Partition}:imagebuilder:${Region}:${Account}:image-pipeline/${ImagePipelineName}", "condition_keys": [ @@ -70058,6 +77324,31 @@ } ] }, + { + "access_level": "Tagging", + "description": "Creates a fleet metric", + "privilege": "CreateFleetMetric", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleetmetric*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Creates a job.", @@ -70486,6 +77777,18 @@ } ] }, + { + "access_level": "Tagging", + "description": "Deletes the specified fleet metric", + "privilege": "DeleteFleetMetric", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleetmetric*" + } + ] + }, { "access_level": "Write", "description": "Deletes a job and its related job executions.", 
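Review bot: `CreateFleetMetric` and `DeleteFleetMetric` are added with `"access_level": "Tagging"`, although they create and delete a resource. The sibling `UpdateFleetMetric`, added later in this commit, is `Write`. Checks that select actions by access level would miss these two, for example when flagging resource-modifying permissions or when treating `Tagging` as low risk. I would set both to `"access_level": "Write"`. If the value comes from upstream documentation, the fix belongs in an override at generation time so the next refresh does not reintroduce it.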
@@ -70904,6 +78207,18 @@ } ] }, + { + "access_level": "Read", + "description": "Gets information about the specified fleet metric.", + "privilege": "DescribeFleetMetric", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleetmetric*" + } + ] + }, { "access_level": "Read", "description": "Gets information about the specified index.", @@ -71176,6 +78491,18 @@ } ] }, + { + "access_level": "Read", + "description": "Get buckets aggregation for IoT fleet index", + "privilege": "GetBucketsAggregation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" + } + ] + }, { "access_level": "Read", "description": "Get cardinality for IoT fleet index", @@ -71529,6 +78856,18 @@ } ] }, + { + "access_level": "List", + "description": "Lists the fleet metrics in your account.", + "privilege": "ListFleetMetrics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Lists all indices for fleet index", @@ -71804,6 +79143,11 @@ "dependent_actions": [], "resource_type": "dynamicthinggroup" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleetmetric" + }, { "condition_keys": [], "dependent_actions": [], @@ -72380,6 +79724,11 @@ "dependent_actions": [], "resource_type": "dynamicthinggroup" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleetmetric" + }, { "condition_keys": [], "dependent_actions": [], @@ -72521,6 +79870,11 @@ "dependent_actions": [], "resource_type": "dynamicthinggroup" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleetmetric" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -72710,6 +80064,23 @@ } ] }, + { + "access_level": "Write", + "description": "Updates a fleet metric", + "privilege": "UpdateFleetMetric", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "fleetmetric*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" + } + ] + }, { "access_level": "Write", "description": "Updates fleet indexing configuration", @@ -72900,6 +80271,13 @@ "condition_keys": [], "resource": "index" }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:fleetmetric/${FleetMetricName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "fleetmetric" + }, { "arn": "arn:${Partition}:iot:${Region}:${Account}:job/${JobId}", "condition_keys": [ 
@@ -74075,17 +81453,253 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "A tag key that is present in the request that the user makes to IoT Events.", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "The tag key by which a tag value is attached to an IoT Events resource.", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "The list of all the tag key names associated with the IoT Events resource in the request.", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + } + ], + "prefix": "iotdeviceadvisor", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create a suite definition", + "privilege": "CreateSuiteDefinition", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a suite definition", + "privilege": "DeleteSuiteDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a suite definition", + "privilege": "GetSuiteDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get a suite run", + "privilege": "GetSuiteRun", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suiterun*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the qualification report for a 
suite run", + "privilege": "GetSuiteRunReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suiterun*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list suite definitions", + "privilege": "ListSuiteDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list suite runs", + "privilege": "ListSuiteRuns", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list the tags (metadata) assigned to a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suiterun" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the test cases provided by IoT Device Advisor", + "privilege": "ListTestCases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to start a suite run", + "privilege": "StartSuiteRun", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to add to or modify the tags of the given resource. 
Tags are metadata which can be used to manage a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suiterun" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove the given tags (metadata) from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suiterun" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a suite definition", + "privilege": "UpdateSuiteDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "suitedefinition*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suitedefinition/${suiteDefinitionId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "suitedefinition" + }, + { + "arn": "arn:${Partition}:iotdeviceadvisor:${Region}:${Account}:suiterun/${suiteDefinitionId}/${suiteRunId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "suiterun" + } + ], + "service_name": "AWS IoT Core Device Advisor" + }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to the resource", + "type": "String" + }, + { + "condition": 
"aws:TagKeys", + "description": "Filters actions by the tag keys in the request", + "type": "String" + }, + { + "condition": "iotevents:keyValue", + "description": "Filters access by the instanceId (key-value) of the message", "type": "String" } ], @@ -74093,7 +81707,43 @@ "privileges": [ { "access_level": "Write", - "description": "Sends a set of messages to the AWS IoT Events system.", + "description": "Grants permission to send one or more acknowledge action requests to AWS IoT Events", + "privilege": "BatchAcknowledgeAlarm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disable one or more alarm instances", + "privilege": "BatchDisableAlarm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to enable one or more alarm instances", + "privilege": "BatchEnableAlarm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to send a set of messages to the AWS IoT Events system", "privilege": "BatchPutMessage", "resource_types": [ { 
@@ -74105,7 +81755,31 @@ }, { "access_level": "Write", - "description": "Update an detector within the AWS IoT Events system.", + "description": "Grants permission to reset one or more alarm instances", + "privilege": "BatchResetAlarm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to change one or more alarm instances to the snooze mode", + "privilege": "BatchSnoozeAlarm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "input*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a detector instance within the AWS IoT Events system", "privilege": "BatchUpdateDetector", "resource_types": [ { @@ -74117,7 +81791,27 @@ }, { "access_level": "Write", - "description": "Creates a detector model.", + "description": "Grants permission to create an alarm model to monitor an AWS IoT Events input attribute or an AWS IoT SiteWise asset property", + "privilege": "CreateAlarmModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a detector model to monitor an AWS IoT Events input attribute", "privilege": "CreateDetectorModel", "resource_types": [ { @@ -74137,7 +81831,7 @@ }, { "access_level": "Write", - "description": "Creates an input.", + "description": "Grants permission to create an Input in IotEvents", "privilege": "CreateInput", "resource_types": [ { 
@@ -74157,7 +81851,19 @@ }, { "access_level": "Write", - "description": "Deletes a detector model.", + "description": "Grants permission to delete an alarm model", + "privilege": "DeleteAlarmModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a detector model", "privilege": "DeleteDetectorModel", "resource_types": [ { @@ -74169,7 +81875,7 @@ }, { "access_level": "Write", - "description": "Deletes an input.", + "description": "Grants permission to delete an input", "privilege": "DeleteInput", "resource_types": [ { @@ -74181,7 +81887,31 @@ }, { "access_level": "Read", - "description": "Returns information about the specified detector (instance).", + "description": "Grants permission to retrieve information about an alarm instance", + "privilege": "DescribeAlarm", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve information about an alarm model", + "privilege": "DescribeAlarmModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retriev information about a detector instance", "privilege": "DescribeDetector", "resource_types": [ { @@ -74193,7 +81923,7 @@ }, { "access_level": "Read", - "description": "Describes a detector model.", + "description": "Grants permission to retrieve information about a detector model", "privilege": "DescribeDetectorModel", "resource_types": [ { @@ -74205,7 +81935,7 @@ }, { "access_level": "Read", - "description": "Describes an input.", + "description": "Grants permission to retrieve an information about Input", "privilege": "DescribeInput", "resource_types": [ { 
@@ -74217,7 +81947,7 @@ }, { "access_level": "Read", - "description": "Retrieves the current settings of the AWS IoT Events logging options.", + "description": "Grants permission to retrieve the current settings of the AWS IoT Events logging options", "privilege": "DescribeLoggingOptions", "resource_types": [ { @@ -74229,7 +81959,43 @@ }, { "access_level": "List", - "description": "Lists all the versions of a detector model. Only the metadata associated with each detector model version is returned.", + "description": "Grants permission to list all the versions of an alarm model", + "privilege": "ListAlarmModelVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the alarm models that you created", + "privilege": "ListAlarmModels", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to retrieve information about all alarm instances per alarmModel", + "privilege": "ListAlarms", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all the versions of a detector model", "privilege": "ListDetectorModelVersions", "resource_types": [ { @@ -74241,7 +82007,7 @@ }, { "access_level": "List", - "description": "Lists the detector models you have created. Only the metadata associated with each detector model is returned.", + "description": "Grants permission to list the detector models that you created", "privilege": "ListDetectorModels", "resource_types": [ { 
@@ -74253,7 +82019,7 @@ }, { "access_level": "List", - "description": "Lists detectors (the instances of a detector model).", + "description": "Grants permission to retrieve information about all detector instances per detectormodel", "privilege": "ListDetectors", "resource_types": [ { @@ -74265,7 +82031,7 @@ }, { "access_level": "List", - "description": "Lists the inputs you have created.", + "description": "Grants permission to lists the inputs you have created", "privilege": "ListInputs", "resource_types": [ { @@ -74277,7 +82043,7 @@ }, { "access_level": "Read", - "description": "Lists the tags (metadata) which you have assigned to the resource.", + "description": "Grants permission to list the tags (metadata) which you have assigned to the resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -74294,7 +82060,7 @@ }, { "access_level": "Write", - "description": "Sets or updates the AWS IoT Events logging options.", + "description": "Grants permission to set or update the AWS IoT Events logging options", "privilege": "PutLoggingOptions", "resource_types": [ { @@ -74306,7 +82072,7 @@ }, { "access_level": "Tagging", - "description": "Adds to or modifies the tags of the given resource. Tags are metadata which can be used to manage a resource.", + "description": "Grants permission to adds to or modifies the tags of the given resource.Tags are metadata which can be used to manage a resource", "privilege": "TagResource", "resource_types": [ { @@ -74331,7 +82097,7 @@ }, { "access_level": "Tagging", - "description": "Removes the given tags (metadata) from the resource.", + "description": "Grants permission to remove the given tags (metadata) from the resource", "privilege": "UntagResource", "resource_types": [ { 
@@ -74355,7 +82121,19 @@ }, { "access_level": "Write", - "description": "Updates a detector model.", + "description": "Grants permission to update an alarm model", + "privilege": "UpdateAlarmModel", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "alarmModel*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a detector model", "privilege": "UpdateDetectorModel", "resource_types": [ { @@ -74367,7 +82145,7 @@ }, { "access_level": "Write", - "description": "Updates an input.", + "description": "Grants permission to update an input", "privilege": "UpdateInput", "resource_types": [ { @@ -74379,7 +82157,7 @@ }, { "access_level": "Write", - "description": "Updates input routing.", + "description": "Grants permission to update input routing", "privilege": "UpdateInputRouting", "resource_types": [ { @@ -74398,6 +82176,13 @@ ], "resource": "detectorModel" }, + { + "arn": "arn:${Partition}:iotevents:${Region}:${Account}:alarmModel/${AlarmModelName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "alarmModel" + }, { "arn": "arn:${Partition}:iotevents:${Region}:${Account}:input/${inputName}", "condition_keys": [ 
@@ -74408,6 +82193,242 @@ ], "service_name": "AWS IoT Events" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters access by the tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access by the tags attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions by the tag keys in the request", + "type": "String" + } + ], + "prefix": "iotfleethub", + "privileges": [ + { + "access_level": "Write", + "description": "Grants permission to create an application", + "privilege": "CreateApplication", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [ + "sso:CreateManagedApplicationInstance", + "sso:DescribeRegisteredRegions" + ], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create an dashboard", + "privilege": "CreateDashboard", + "resource_types": [ + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an application", + "privilege": "DeleteApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "sso:DeleteManagedApplicationInstance" + ], + "resource_type": "application*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete an dashboard", + "privilege": "DeleteDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an application", + "privilege": "DescribeApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application*" 
+ } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to describe an dashboard", + "privilege": "DescribeDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all applications", + "privilege": "ListApplications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all dashboards", + "privilege": "ListDashboards", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to list all tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to untag a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + 
"access_level": "Write", + "description": "Grants permission to update an application", + "privilege": "UpdateApplication", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "application*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update an dashboard", + "privilege": "UpdateDashboard", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "dashboard*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iotfleethub::${Account}:application/${ApplicationId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "application" + }, + { + "arn": "arn:${Partition}:iotfleethub::${Account}:dashboard/${DashboardId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "dashboard" + } + ], + "service_name": "Fleet Hub for AWS IoT Device Management" + }, { "conditions": [ { @@ -74440,6 +82461,11 @@ "description": "Filters access by the ID of an AWS Single Sign-On group", "type": "String" }, + { + "condition": "iotsitewise:iam", + "description": "Filters access by the ID of an AWS IAM identity", + "type": "String" + }, { "condition": "iotsitewise:portal", "description": "Filters access by the ID of a portal", @@ -74512,7 +82538,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Write", "description": "Grants permission to create an access policy for a portal or a project", "privilege": "CreateAccessPolicy", "resource_types": [ @@ -74645,7 +82671,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Write", "description": "Grants permission to delete an access policy", "privilege": "DeleteAccessPolicy", "resource_types": [ @@ -74731,7 +82757,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Read", "description": "Grants permission to describe an access policy", "privilege": "DescribeAccessPolicy", "resource_types": [ 
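Review bot: The `CreateAccessPolicy` entry in the `@@ -74512,7 +82538,7 @@` hunk is reclassified from `"access_level": "Permissions management",` to `"access_level": "Write",` even though its description still says it creates an access policy for a portal or a project, so anything that selects actions by access level would no longer treat it as permission-changing. The same reclassification hits `DeleteAccessPolicy` (now Write) and `DescribeAccessPolicy` (now Read) in the next two hunks, and `ListAccessPolicies` (now List) and `UpdateAccessPolicy` (now Write) further down. If this only mirrors a refreshed upstream definition, I would either keep `"access_level": "Permissions management",` on the three mutating actions or call the category change out in the release notes, so policy reviewers know these actions moved. Each of these privilege objects continues past the end of its hunk, so the resource types they apply to are not visible here.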
@@ -74899,7 +82925,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "List", "description": "Grants permission to list all access policies for an identity or a resource", "privilege": "ListAccessPolicies", "resource_types": [ @@ -74927,6 +82953,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the asset relationship graph for an asset", + "privilege": "ListAssetRelationships", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "asset*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all assets", @@ -75172,7 +83210,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Write", "description": "Grants permission to update an access policy", "privilege": "UpdateAccessPolicy", "resource_types": [ 
@@ -75819,6 +83857,821 @@ ], "service_name": "AWS IoT Things Graph" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "A tag key that is present in the request that the user makes to IoT Wireless.", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "The tag key component of a tag attached to an IoT Wireless resource.", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "The list of all the tag key names associated with the resource in the request.", + "type": "String" + } + ], + "prefix": "iotwireless", + "privileges": [ + { + "access_level": "Write", + "description": "Link partner accounts with Aws account.", + "privilege": "AssociateAwsAccountWithPartnerAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Associate the wireless device with AWS IoT thing for a given wirelessDeviceId.", + "privilege": "AssociateWirelessDeviceWithThing", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeThing" + ], + "resource_type": "WirelessDevice*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" + } + ] + }, + { + "access_level": "Write", + "description": "Associate a WirelessGateway with the IoT Core Identity certificate.", + "privilege": "AssociateWirelessGatewayWithCertificate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cert*" + } + ] + }, + { + "access_level": "Write", + "description": "Associate the wireless gateway with AWS IoT thing for a given wirelessGatewayId.", + "privilege": "AssociateWirelessGatewayWithThing", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeThing" + ], + 
"resource_type": "WirelessGateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a Destination resource.", + "privilege": "CreateDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Destination*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a DeviceProfile resource.", + "privilege": "CreateDeviceProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DeviceProfile*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a ServiceProfile resource.", + "privilege": "CreateServiceProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ServiceProfile*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a WirelessDevice resource with given Destination.", + "privilege": "CreateWirelessDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Destination*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a WirelessGateway resource.", + "privilege": "CreateWirelessGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + 
"resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Create a task for a given WirelessGateway.", + "privilege": "CreateWirelessGatewayTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Create a WirelessGateway task definition.", + "privilege": "CreateWirelessGatewayTaskDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a Destination.", + "privilege": "DeleteDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Destination*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a DeviceProfile.", + "privilege": "DeleteDeviceProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DeviceProfile*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a ServiceProfile.", + "privilege": "DeleteServiceProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ServiceProfile*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a WirelessDevice.", + "privilege": "DeleteWirelessDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a WirelessGateway.", + "privilege": "DeleteWirelessGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete task for a given WirelessGateway.", + "privilege": "DeleteWirelessGatewayTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"WirelessGateway*" + } + ] + }, + { + "access_level": "Write", + "description": "Delete a WirelessGateway task definition.", + "privilege": "DeleteWirelessGatewayTaskDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Disassociate an AWS account from a partner account.", + "privilege": "DisassociateAwsAccountFromPartnerAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Disassociate a wireless device from a AWS IoT thing.", + "privilege": "DisassociateWirelessDeviceFromThing", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeThing" + ], + "resource_type": "WirelessDevice*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" + } + ] + }, + { + "access_level": "Write", + "description": "Disassociate a WirelessGateway from a IoT Core Identity certificate.", + "privilege": "DisassociateWirelessGatewayFromCertificate", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "cert*" + } + ] + }, + { + "access_level": "Write", + "description": "Disassociate a WirelessGateway from a IoT Core thing.", + "privilege": "DisassociateWirelessGatewayFromThing", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iot:DescribeThing" + ], + "resource_type": "WirelessGateway*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thing*" + } + ] + }, + { + "access_level": "Read", + "description": "Get the Destination", + "privilege": "GetDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Destination*" + } + ] + }, + { + 
"access_level": "Read", + "description": "Get the DeviceProfile", + "privilege": "GetDeviceProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DeviceProfile*" + } + ] + }, + { + "access_level": "Read", + "description": "Get the associated PartnerAccount", + "privilege": "GetPartnerAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Retrieve the customer account specific endpoint for CUPS protocol connection or LoRaWAN Network Server (LNS) protocol connection, and optionally server trust certificate in PEM format.", + "privilege": "GetServiceEndpoint", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Get the ServiceProfile", + "privilege": "GetServiceProfile", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ServiceProfile*" + } + ] + }, + { + "access_level": "Read", + "description": "Get the WirelessDevice", + "privilege": "GetWirelessDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" + } + ] + }, + { + "access_level": "Read", + "description": "Get statistics info for a given WirelessDevice", + "privilege": "GetWirelessDeviceStatistics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" + } + ] + }, + { + "access_level": "Read", + "description": "Get the WirelessGateway", + "privilege": "GetWirelessGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Get the IoT Core Identity certificate id associated with the WirelessGateway.", + "privilege": "GetWirelessGatewayCertificate", 
+ "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Get Current firmware version and other information for the WirelessGateway", + "privilege": "GetWirelessGatewayFirmwareInformation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Get statistics info for a given WirelessGateway", + "privilege": "GetWirelessGatewayStatistics", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Get the task for a given WirelessGateway", + "privilege": "GetWirelessGatewayTask", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + } + ] + }, + { + "access_level": "Read", + "description": "Describe the given WirelessGateway task definition.", + "privilege": "GetWirelessGatewayTaskDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List information of available Destinations based on the AWS account.", + "privilege": "ListDestinations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List information of available DeviceProfiles based on the AWS account.", + "privilege": "ListDeviceProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Lists the available partner accounts.", + "privilege": "ListPartnerAccounts", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } 
+ ] + }, + { + "access_level": "List", + "description": "List information of available ServiceProfiles based on the AWS account.", + "privilege": "ListServiceProfiles", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Lists all tags for a given resource.", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Destination" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DeviceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ServiceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" + } + ] + }, + { + "access_level": "List", + "description": "List information of available WirelessDevices based on the AWS account.", + "privilege": "ListWirelessDevices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List information of available WirelessGateway task definitions based on the AWS account.", + "privilege": "ListWirelessGatewayTaskDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "List information of available WirelessGateways based on the AWS account.", + "privilege": "ListWirelessGateways", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Send the decrypted application data frame to the target device", + "privilege": "SendDataToWirelessDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" + } + ] + }, + { + "access_level": "Tagging", + 
"description": "Tag a given resource.", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Destination" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DeviceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ServiceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Simulate a provisioned device to send an uplink data with payload of 'Hello'", + "privilege": "TestWirelessDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" + } + ] + }, + { + "access_level": "Tagging", + "description": "Remove the given tags from the resource.", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Destination" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "DeviceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "ServiceProfile" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Update a Destination resource.", + "privilege": "UpdateDestination", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Destination*" + } + ] + }, + { + "access_level": "Write", + "description": "Update a partner account.", + "privilege": "UpdatePartnerAccount", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" 
+ } + ] + }, + { + "access_level": "Write", + "description": "Update a WirelessDevice resource.", + "privilege": "UpdateWirelessDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessDevice*" + } + ] + }, + { + "access_level": "Write", + "description": "Update a WirelessGateway resource.", + "privilege": "UpdateWirelessGateway", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "WirelessGateway*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessDevice/${WirelessDeviceId}", + "condition_keys": [], + "resource": "WirelessDevice" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:WirelessGateway/${WirelessGatewayId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "WirelessGateway" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:DeviceProfile/${DeviceProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "DeviceProfile" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:ServiceProfile/${ServiceProfileId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "ServiceProfile" + }, + { + "arn": "arn:${Partition}:iotwireless:${Region}:${Account}:Destination/${DestinationName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "Destination" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:thing/${ThingName}", + "condition_keys": [], + "resource": "thing" + }, + { + "arn": "arn:${Partition}:iot:${Region}:${Account}:cert/${Certificate}", + "condition_keys": [], + "resource": "cert" + } + ], + "service_name": "AWS IoT Core for LoRaWAN" + }, { "conditions": [], "prefix": "iq", 
@@ -76265,17 +85118,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters access based on the allowed set of values for each of the tags", + "description": "Filters actions based on the presence of tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters access based on tag-value associated with a MSK resource", + "description": "Filters actions based on tag key-value pairs attached to the MSK resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters access based on the presence of mandatory tag keys in the request", + "description": "Filters actions based on the presence of tag keys in the request", "type": "String" } ], @@ -76283,7 +85136,7 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to associate one or more Scram Secrets with an Amazon MSK cluster.", + "description": "Grants permission to associate one or more Scram Secrets with an Amazon MSK cluster", "privilege": "BatchAssociateScramSecret", "resource_types": [ { @@ -76298,7 +85151,7 @@ }, { "access_level": "Write", - "description": "Grants permission to disassociate one or more Scram Secrets from an Amazon MSK cluster.", + "description": "Grants permission to disassociate one or more Scram Secrets from an Amazon MSK cluster", "privilege": "BatchDisassociateScramSecret", "resource_types": [ { @@ -76312,7 +85165,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a cluster", + "description": "Grants permission to create an MSK cluster", "privilege": "CreateCluster", "resource_types": [ { @@ -76336,7 +85189,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a configuration.", + "description": "Grants permission to create an MSK configuration", "privilege": "CreateConfiguration", "resource_types": [ { 
@@ -76348,7 +85201,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a cluster.", + "description": "Grants permission to delete an MSK cluster", "privilege": "DeleteCluster", "resource_types": [ { @@ -76360,7 +85213,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete the specified MSK configuration.", + "description": "Grants permission to delete the specified MSK configuration", "privilege": "DeleteConfiguration", "resource_types": [ { @@ -76372,7 +85225,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a cluster.", + "description": "Grants permission to describe an MSK cluster", "privilege": "DescribeCluster", "resource_types": [ { @@ -76384,7 +85237,7 @@ }, { "access_level": "Read", - "description": "Returns a description of the cluster operation specified by the ARN.", + "description": "Grants permission to describe the cluster operation that is specified by the given ARN", "privilege": "DescribeClusterOperation", "resource_types": [ { @@ -76396,7 +85249,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a configuration.", + "description": "Grants permission to describe an MSK configuration", "privilege": "DescribeConfiguration", "resource_types": [ { @@ -76408,7 +85261,7 @@ }, { "access_level": "Read", - "description": "Grants permission to describe a configuration revision.", + "description": "Grants permission to describe an MSK configuration revision", "privilege": "DescribeConfigurationRevision", "resource_types": [ { @@ -76420,7 +85273,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get connection details for the broker nodes in a cluster.", + "description": "Grants permission to get connection details for the brokers in an MSK cluster", "privilege": "GetBootstrapBrokers", "resource_types": [ { 
@@ -76432,7 +85285,7 @@ }, { "access_level": "List", - "description": "Returns a list of the Apache Kafka versions to which you can update this cluster.", + "description": "Grants permission to get a list of the Apache Kafka versions to which you can update an MSK cluster", "privilege": "GetCompatibleKafkaVersions", "resource_types": [ { @@ -76444,7 +85297,7 @@ }, { "access_level": "List", - "description": "Returns a list of all the operations that have been performed on the specified MSK cluster.", + "description": "Returns a list of all the operations that have been performed on the specified MSK cluster", "privilege": "ListClusterOperations", "resource_types": [ { @@ -76456,7 +85309,7 @@ }, { "access_level": "List", - "description": "Grants permission to return a list of all clusters in the current account.", + "description": "Grants permission to list all MSK clusters in this account", "privilege": "ListClusters", "resource_types": [ { @@ -76468,7 +85321,19 @@ }, { "access_level": "List", - "description": "Grants permission to return a list of all configurations in the current account.", + "description": "Grants permission to list all revisions for an MSK configuration in this account", + "privilege": "ListConfigurationRevisions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list all MSK configurations in this account", "privilege": "ListConfigurations", "resource_types": [ { 
@@ -76480,7 +85345,19 @@ }, { "access_level": "List", - "description": "Grants permission to return a list of nodes in a cluster.", + "description": "Grants permission to list all Apache Kafka versions supported by Amazon MSK", + "privilege": "ListKafkaVersions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list brokers in an MSK cluster", "privilege": "ListNodes", "resource_types": [ { @@ -76492,7 +85369,7 @@ }, { "access_level": "List", - "description": "Grants permission to return a list of the Scram Secrets associated with an Amazon MSK cluster.", + "description": "Grants permission to list the Scram Secrets associated with an Amazon MSK cluster", "privilege": "ListScramSecrets", "resource_types": [ { @@ -76504,7 +85381,7 @@ }, { "access_level": "List", - "description": "Grants permission to list tags of a MSK resource.", + "description": "Grants permission to list tags of an MSK resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -76514,9 +85391,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to reboot broker", + "privilege": "RebootBroker", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Tagging", - "description": "Grants permission to tag a MSK resource.", + "description": "Grants permission to tag an MSK resource", "privilege": "TagResource", "resource_types": [ { @@ -76536,7 +85425,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to remove tags from a MSK resource.", + "description": "Grants permission to remove tags from an MSK resource", "privilege": "UntagResource", "resource_types": [ { 
@@ -76555,7 +85444,7 @@ }, { "access_level": "Write", - "description": "Updates the number of broker nodes of the cluster.", + "description": "Updates the number of brokers of the MSK cluster", "privilege": "UpdateBrokerCount", "resource_types": [ { @@ -76567,7 +85456,7 @@ }, { "access_level": "Write", - "description": "Updates the storage size of the broker nodes of the cluster", + "description": "Updates the storage size of the brokers of the MSK cluster", "privilege": "UpdateBrokerStorage", "resource_types": [ { @@ -76579,7 +85468,7 @@ }, { "access_level": "Write", - "description": "Update Kafka configuration running on a cluster.", + "description": "Grants permission to update the configuration of the MSK cluster", "privilege": "UpdateClusterConfiguration", "resource_types": [ { @@ -76591,7 +85480,7 @@ }, { "access_level": "Write", - "description": "Updates the cluster to the specified Apache Kafka version.", + "description": "Grants permission to update the MSK cluster to the specified Apache Kafka version", "privilege": "UpdateClusterKafkaVersion", "resource_types": [ { @@ -76603,7 +85492,7 @@ }, { "access_level": "Write", - "description": "Grants permission to create a new revision of the configuration.", + "description": "Grants permission to create a new revision of the MSK configuration", "privilege": "UpdateConfiguration", "resource_types": [ { @@ -76615,7 +85504,7 @@ }, { "access_level": "Write", - "description": "Updates the monitoring settings for the cluster.", + "description": "Grants permission to update the monitoring settings for the MSK cluster", "privilege": "UpdateMonitoring", "resource_types": [ { 
@@ -76641,17 +85530,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters create requests based on the allowed set of values for each of the mandatory tags.", + "description": "Filters create requests based on the allowed set of values for each of the mandatory tags", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on the tag value associated with the resource.", + "description": "Filters actions based on the tag value associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters create requests based on the presence of mandatory tags in the request.", + "description": "Filters create requests based on the presence of mandatory tags in the request", "type": "String" } ], @@ -76659,7 +85548,7 @@ "privileges": [ { "access_level": "Write", - "description": "Batch Delete document", + "description": "Grant permission to batch delete document", "privilege": "BatchDeleteDocument", "resource_types": [ { @@ -76671,7 +85560,7 @@ }, { "access_level": "Write", - "description": "Batch put document", + "description": "Grant permission to batch put document", "privilege": "BatchPutDocument", "resource_types": [ { @@ -76683,7 +85572,7 @@ }, { "access_level": "Write", - "description": "Create a data source", + "description": "Grant permission to create a data source", "privilege": "CreateDataSource", "resource_types": [ { @@ -76703,7 +85592,7 @@ }, { "access_level": "Write", - "description": "Create an Faq", + "description": "Grant permission to create an Faq", "privilege": "CreateFaq", "resource_types": [ { @@ -76723,7 +85612,7 @@ }, { "access_level": "Write", - "description": "Create an Index", + "description": "Grant permission to create an Index", "privilege": "CreateIndex", "resource_types": [ { 
@@ -76738,7 +85627,27 @@ }, { "access_level": "Write", - "description": "Delete a data source", + "description": "Grant permission to create a Thesaurus", + "privilege": "CreateThesaurus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grant permission to delete a data source", "privilege": "DeleteDataSource", "resource_types": [ { @@ -76755,7 +85664,7 @@ }, { "access_level": "Write", - "description": "Delete an Faq", + "description": "Grant permission to delete an Faq", "privilege": "DeleteFaq", "resource_types": [ { @@ -76772,7 +85681,7 @@ }, { "access_level": "Write", - "description": "Delete an Index", + "description": "Grant permission to delete an Index", "privilege": "DeleteIndex", "resource_types": [ { @@ -76782,9 +85691,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grant permission to delete a Thesaurus", + "privilege": "DeleteThesaurus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus*" + } + ] + }, { "access_level": "Read", - "description": "Describe a data source", + "description": "Grant permission to describe a data source", "privilege": "DescribeDataSource", "resource_types": [ { @@ -76801,7 +85727,7 @@ }, { "access_level": "Read", - "description": "Describe an Faq", + "description": "Grant permission to describe an Faq", "privilege": "DescribeFaq", "resource_types": [ { @@ -76818,7 +85744,7 @@ }, { "access_level": "Read", - "description": "Describe an Index", + "description": "Grant permission to describe an Index", "privilege": "DescribeIndex", "resource_types": [ { 
@@ -76828,9 +85754,26 @@ } ] }, + { + "access_level": "Read", + "description": "Grant permission to describe a Thesaurus", + "privilege": "DescribeThesaurus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus*" + } + ] + }, { "access_level": "List", - "description": "Get Data Source sync job history", + "description": "Grant permission to get Data Source sync job history", "privilege": "ListDataSourceSyncJobs", "resource_types": [ { @@ -76847,7 +85790,7 @@ }, { "access_level": "List", - "description": "List the data sources", + "description": "Grant permission to list the data sources", "privilege": "ListDataSources", "resource_types": [ { @@ -76859,7 +85802,7 @@ }, { "access_level": "List", - "description": "List the Faqs", + "description": "Grant permission to list the Faqs", "privilege": "ListFaqs", "resource_types": [ { @@ -76871,7 +85814,7 @@ }, { "access_level": "List", - "description": "List the indexes", + "description": "Grant permission to list the indexes", "privilege": "ListIndices", "resource_types": [ { @@ -76883,7 +85826,7 @@ }, { "access_level": "List", - "description": "Lists tags for a resource", + "description": "Grant permission to list tags for a resource", "privilege": "ListTagsForResource", "resource_types": [ { 
@@ -76900,12 +85843,29 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "index" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus" + } + ] + }, + { + "access_level": "List", + "description": "Grant permission to list the Thesauri", + "privilege": "ListThesauri", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" } ] }, { "access_level": "Read", - "description": "Query documents and Faqs", + "description": "Grant permission to query documents and faqs", "privilege": "Query", "resource_types": [ { @@ -76917,7 +85877,7 @@ }, { "access_level": "Write", - "description": "Start Data Source sync job", + "description": "Grant permission to start Data Source sync job", "privilege": "StartDataSourceSyncJob", "resource_types": [ { @@ -76934,7 +85894,7 @@ }, { "access_level": "Write", - "description": "Stop Data Source sync job", + "description": "Grant permission to stop Data Source sync job", "privilege": "StopDataSourceSyncJob", "resource_types": [ { @@ -76951,7 +85911,7 @@ }, { "access_level": "Write", - "description": "Send feedback about a query results", + "description": "Grant permission to send feedback about a query results", "privilege": "SubmitFeedback", "resource_types": [ { @@ -76963,7 +85923,7 @@ }, { "access_level": "Tagging", - "description": "Tags a resource with given key value pairs", + "description": "Grant permission to tag a resource with given key value pairs", "privilege": "TagResource", "resource_types": [ { @@ -76981,6 +85941,11 @@ "dependent_actions": [], "resource_type": "index" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus" + }, { "condition_keys": [ "aws:RequestTag/${TagKey}", 
@@ -76993,7 +85958,7 @@ }, { "access_level": "Tagging", - "description": "Removes the tag with the given key from a resource", + "description": "Grant permission to remove the tag with the given key from a resource", "privilege": "UntagResource", "resource_types": [ { @@ -77011,6 +85976,11 @@ "dependent_actions": [], "resource_type": "index" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus" + }, { "condition_keys": [ "aws:TagKeys" @@ -77022,7 +85992,7 @@ }, { "access_level": "Write", - "description": "Update a data source", + "description": "Grant permission to update a data source", "privilege": "UpdateDataSource", "resource_types": [ { @@ -77039,7 +86009,7 @@ }, { "access_level": "Write", - "description": "Update an Index", + "description": "Grant permission to update an Index", "privilege": "UpdateIndex", "resource_types": [ { @@ -77048,6 +86018,23 @@ "resource_type": "index*" } ] + }, + { + "access_level": "Write", + "description": "Grant permission to update a thesaurus", + "privilege": "UpdateThesaurus", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "index*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "thesaurus*" + } + ] } ], "resources": [ @@ -77071,6 +86058,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "faq" + }, + { + "arn": "arn:${Partition}:kendra:${Region}:${Account}:index/${IndexId}/thesaurus/${ThesaurusId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "thesaurus" } ], "service_name": "Amazon Kendra" 
@@ -78543,109 +87537,124 @@ }, { "conditions": [ + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters access to the specified AWS KMS operations based on tags assigned to the customer master key", + "type": "String" + }, { "condition": "kms:BypassPolicyLockoutSafetyCheck", - "description": "Controls access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request.", + "description": "Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request", "type": "Bool" }, { "condition": "kms:CallerAccount", - "description": "Controls access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement.", + "description": "Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement", "type": "String" }, { "condition": "kms:CustomerMasterKeySpec", - "description": "Controls access to an API operation based on the CustomerMasterKeySpec property of the CMK that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource.", + "description": "Filters access to an API operation based on the CustomerMasterKeySpec property of the CMK that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource", "type": "String" }, { "condition": "kms:CustomerMasterKeyUsage", - "description": "Controls access to an API operation based on the KeyUsage property of the CMK created by or used in the operation. 
Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource.", + "description": "Filters access to an API operation based on the KeyUsage property of the CMK created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource", "type": "String" }, { "condition": "kms:DataKeyPairSpec", - "description": "Controls access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the DataKeyPairSpec parameter in the request.", + "description": "Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the DataKeyPairSpec parameter in the request", "type": "String" }, { "condition": "kms:EncryptionAlgorithm", - "description": "Controls access to encryption operations based on the value of the encryption algorithm in the request.", + "description": "Filters access to encryption operations based on the value of the encryption algorithm in the request", "type": "String" }, { "condition": "kms:EncryptionContextKeys", - "description": "Controls access based on the presence of specified keys in the encryption context. The encryption context is an optional element in a cryptographic operation.", + "description": "Filters access based on the presence of specified keys in the encryption context. 
The encryption context is an optional element in a cryptographic operation", "type": "String" }, { "condition": "kms:ExpirationModel", - "description": "Controls access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request.", + "description": "Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request", "type": "String" }, { "condition": "kms:GrantConstraintType", - "description": "Controls access to the CreateGrant operation based on the grant constraint in the request.", + "description": "Filters access to the CreateGrant operation based on the grant constraint in the request", "type": "String" }, { "condition": "kms:GrantIsForAWSResource", - "description": "Controls access to the CreateGrant operation when the request comes from a specified AWS service.", + "description": "Filters access to the CreateGrant operation when the request comes from a specified AWS service", "type": "Bool" }, { "condition": "kms:GrantOperations", - "description": "Controls access to the CreateGrant operation based on the operations in the grant.", + "description": "Filters access to the CreateGrant operation based on the operations in the grant", "type": "String" }, { "condition": "kms:GranteePrincipal", - "description": "Controls access to the CreateGrant operation based on the grantee principal in the grant.", + "description": "Filters access to the CreateGrant operation based on the grantee principal in the grant", "type": "String" }, { "condition": "kms:KeyOrigin", - "description": "Controls access to an API operation based on the Origin property of the CMK created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource.", + "description": "Filters access to an API operation based on the Origin property of the CMK created by or used in the operation. 
Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a CMK resource", "type": "String" }, { "condition": "kms:MessageType", - "description": "Controls access to the Sign and Verify operations based on the value of the MessageType parameter in the request.", + "description": "Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request", "type": "String" }, { "condition": "kms:ReEncryptOnSameKey", - "description": "Controls access to the ReEncrypt operation when it uses the same customer master key that was used for the Encrypt operation.", + "description": "Filters access to the ReEncrypt operation when it uses the same customer master key that was used for the Encrypt operation", "type": "Bool" }, + { + "condition": "kms:RequestAlias", + "description": "Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request", + "type": "String" + }, + { + "condition": "kms:ResourceAliases", + "description": "Filters access to specified AWS KMS operations based on aliases associated with the customer master key", + "type": "String" + }, { "condition": "kms:RetiringPrincipal", - "description": "Controls access to the CreateGrant operation based on the retiring principal in the grant.", + "description": "Filters access to the CreateGrant operation based on the retiring principal in the grant", "type": "String" }, { "condition": "kms:SigningAlgorithm", - "description": "Controls access to the Sign and Verify operations based on the signing algorithm in the request.", + "description": "Filters access to the Sign and Verify operations based on the signing algorithm in the request", "type": "String" }, { "condition": "kms:ValidTo", - "description": "Controls access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. 
You can use this condition key to allow users to import key material only when it expires by the specified date.", + "description": "Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date", "type": "Numeric" }, { "condition": "kms:ViaService", - "description": "Controls access when a request made on the principal's behalf comes from a specified AWS service.", + "description": "Filters access when a request made on the principal's behalf comes from a specified AWS service", "type": "String" }, { "condition": "kms:WrappingAlgorithm", - "description": "Controls access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request.", + "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request", "type": "String" }, { "condition": "kms:WrappingKeySpec", - "description": "Controls access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request.", + "description": "Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request", "type": "String" } ], @@ -78653,7 +87662,7 @@ "privileges": [ { "access_level": "Write", - "description": "Controls permission to cancel the scheduled deletion of a customer master key.", + "description": "Controls permission to cancel the scheduled deletion of a customer master key", "privilege": "CancelKeyDeletion", "resource_types": [ { 
@@ -78673,7 +87682,7 @@ }, { "access_level": "Write", - "description": "Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster.", + "description": "Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster", "privilege": "ConnectCustomKeyStore", "resource_types": [ { @@ -78685,7 +87694,7 @@ }, { "access_level": "Write", - "description": "Controls permission to create an alias for a customer master key (CMK). Aliases are optional friendly names that you can associate with customer master keys.", + "description": "Controls permission to create an alias for a customer master key (CMK). Aliases are optional friendly names that you can associate with customer master keys", "privilege": "CreateAlias", "resource_types": [ { @@ -78710,7 +87719,7 @@ }, { "access_level": "Write", - "description": "Controls permission to create a custom key store that is associated with an AWS CloudHSM cluster that you own and manage.", + "description": "Controls permission to create a custom key store that is associated with an AWS CloudHSM cluster that you own and manage", "privilege": "CreateCustomKeyStore", "resource_types": [ { @@ -78724,7 +87733,7 @@ }, { "access_level": "Permissions management", - "description": "Controls permission to add a grant to a customer master key. You can use grants to add permissions without changing the key policy or IAM policy.", + "description": "Controls permission to add a grant to a customer master key. You can use grants to add permissions without changing the key policy or IAM policy", "privilege": "CreateGrant", "resource_types": [ { 
@@ -78746,7 +87755,7 @@ }, { "access_level": "Write", - "description": "Controls permission to create a customer master key that can be used to protect data keys and other sensitive information.", + "description": "Controls permission to create a customer master key that can be used to protect data keys and other sensitive information", "privilege": "CreateKey", "resource_types": [ { @@ -78763,7 +87772,7 @@ }, { "access_level": "Write", - "description": "Controls permission to decrypt ciphertext that was encrypted under a customer master key.", + "description": "Controls permission to decrypt ciphertext that was encrypted under a customer master key", "privilege": "Decrypt", "resource_types": [ { @@ -78785,7 +87794,7 @@ }, { "access_level": "Write", - "description": "Controls permission to delete an alias. Aliases are optional friendly names that you can associate with customer master keys.", + "description": "Controls permission to delete an alias. Aliases are optional friendly names that you can associate with customer master keys", "privilege": "DeleteAlias", "resource_types": [ { @@ -78810,7 +87819,7 @@ }, { "access_level": "Write", - "description": "Controls permission to delete a custom key store.", + "description": "Controls permission to delete a custom key store", "privilege": "DeleteCustomKeyStore", "resource_types": [ { @@ -78822,7 +87831,7 @@ }, { "access_level": "Write", - "description": "Controls permission to delete cryptographic material that you imported into a customer master key. This action makes the key unusable.", + "description": "Controls permission to delete cryptographic material that you imported into a customer master key. This action makes the key unusable", "privilege": "DeleteImportedKeyMaterial", "resource_types": [ { 
@@ -78842,7 +87851,7 @@ }, { "access_level": "Read", - "description": "Controls permission to view detailed information about custom key stores in the account and region.", + "description": "Controls permission to view detailed information about custom key stores in the account and region", "privilege": "DescribeCustomKeyStores", "resource_types": [ { @@ -78854,7 +87863,7 @@ }, { "access_level": "Read", - "description": "Controls permission to view detailed information about a customer master key.", + "description": "Controls permission to view detailed information about a customer master key", "privilege": "DescribeKey", "resource_types": [ { @@ -78874,7 +87883,7 @@ }, { "access_level": "Write", - "description": "Controls permission to disable a customer master key, which prevents it from being used in cryptographic operations.", + "description": "Controls permission to disable a customer master key, which prevents it from being used in cryptographic operations", "privilege": "DisableKey", "resource_types": [ { @@ -78894,7 +87903,7 @@ }, { "access_level": "Write", - "description": "Controls permission to disable automatic rotation of a customer managed customer master key.", + "description": "Controls permission to disable automatic rotation of a customer managed customer master key", "privilege": "DisableKeyRotation", "resource_types": [ { @@ -78914,7 +87923,7 @@ }, { "access_level": "Write", - "description": "Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster.", + "description": "Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster", "privilege": "DisconnectCustomKeyStore", "resource_types": [ { 
@@ -78926,7 +87935,7 @@ }, { "access_level": "Write", - "description": "Controls permission to change the state of a customer master key (CMK) to enabled. This allows the CMK to be used in cryptographic operations.", + "description": "Controls permission to change the state of a customer master key (CMK) to enabled. This allows the CMK to be used in cryptographic operations", "privilege": "EnableKey", "resource_types": [ { @@ -78946,7 +87955,7 @@ }, { "access_level": "Write", - "description": "Controls permission to enable automatic rotation of the cryptographic material in a customer master key.", + "description": "Controls permission to enable automatic rotation of the cryptographic material in a customer master key", "privilege": "EnableKeyRotation", "resource_types": [ { @@ -78966,7 +87975,7 @@ }, { "access_level": "Write", - "description": "Controls permission to use the specified customer master key to encrypt data and data keys.", + "description": "Controls permission to use the specified customer master key to encrypt data and data keys", "privilege": "Encrypt", "resource_types": [ { @@ -78988,7 +87997,7 @@ }, { "access_level": "Write", - "description": "Controls permission to use the customer master key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS.", + "description": "Controls permission to use the customer master key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS", "privilege": "GenerateDataKey", "resource_types": [ { @@ -79010,7 +88019,7 @@ }, { "access_level": "Write", - "description": "Controls permission to use the customer master key to generate data key pairs.", + "description": "Controls permission to use the customer master key to generate data key pairs", "privilege": "GenerateDataKeyPair", "resource_types": [ { 
@@ -79033,7 +88042,7 @@ }, { "access_level": "Write", - "description": "Controls permission to use the customer master key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy.", + "description": "Controls permission to use the customer master key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy", "privilege": "GenerateDataKeyPairWithoutPlaintext", "resource_types": [ { @@ -79056,7 +88065,7 @@ }, { "access_level": "Write", - "description": "Controls permission to use the customer master key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key.", + "description": "Controls permission to use the customer master key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key", "privilege": "GenerateDataKeyWithoutPlaintext", "resource_types": [ { @@ -79078,7 +88087,7 @@ }, { "access_level": "Write", - "description": "Controls permission to get a cryptographically secure random byte string from AWS KMS.", + "description": "Controls permission to get a cryptographically secure random byte string from AWS KMS", "privilege": "GenerateRandom", "resource_types": [ { @@ -79090,7 +88099,7 @@ }, { "access_level": "Read", - "description": "Controls permission to view the key policy for the specified customer master key.", + "description": "Controls permission to view the key policy for the specified customer master key", "privilege": "GetKeyPolicy", "resource_types": [ { 
@@ -79110,7 +88119,7 @@ }, { "access_level": "Read", - "description": "Controls permission to determine whether automatic key rotation is enabled on the customer master key.", + "description": "Controls permission to determine whether automatic key rotation is enabled on the customer master key", "privilege": "GetKeyRotationStatus", "resource_types": [ { @@ -79130,7 +88139,7 @@ }, { "access_level": "Read", - "description": "Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token.", + "description": "Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token", "privilege": "GetParametersForImport", "resource_types": [ { @@ -79152,7 +88161,7 @@ }, { "access_level": "Read", - "description": "Controls permission to download the public key of an asymmetric customer master key.", + "description": "Controls permission to download the public key of an asymmetric customer master key", "privilege": "GetPublicKey", "resource_types": [ { @@ -79172,7 +88181,7 @@ }, { "access_level": "Write", - "description": "Controls permission to import cryptographic material into a customer master key.", + "description": "Controls permission to import cryptographic material into a customer master key", "privilege": "ImportKeyMaterial", "resource_types": [ { @@ -79194,7 +88203,7 @@ }, { "access_level": "List", - "description": "Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with customer master keys.", + "description": "Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with customer master keys", "privilege": "ListAliases", "resource_types": [ { 
@@ -79206,7 +88215,7 @@ }, { "access_level": "List", - "description": "Controls permission to view all grants for a customer master key.", + "description": "Controls permission to view all grants for a customer master key", "privilege": "ListGrants", "resource_types": [ { @@ -79227,7 +88236,7 @@ }, { "access_level": "List", - "description": "Controls permission to view the names of key policies for a customer master key.", + "description": "Controls permission to view the names of key policies for a customer master key", "privilege": "ListKeyPolicies", "resource_types": [ { @@ -79247,7 +88256,7 @@ }, { "access_level": "List", - "description": "Controls permission to view the key ID and Amazon Resource Name (ARN) of all customer master keys in the account.", + "description": "Controls permission to view the key ID and Amazon Resource Name (ARN) of all customer master keys in the account", "privilege": "ListKeys", "resource_types": [ { @@ -79258,8 +88267,8 @@ ] }, { - "access_level": "Read", - "description": "Controls permission to view all tags that are attached to a customer master key.", + "access_level": "List", + "description": "Controls permission to view all tags that are attached to a customer master key", "privilege": "ListResourceTags", "resource_types": [ { @@ -79279,7 +88288,7 @@ }, { "access_level": "List", - "description": "Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants.", + "description": "Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants", "privilege": "ListRetirableGrants", "resource_types": [ { 
@@ -79291,7 +88300,7 @@ }, { "access_level": "Permissions management", - "description": "Controls permission to replace the key policy for the specified customer master key.", + "description": "Controls permission to replace the key policy for the specified customer master key", "privilege": "PutKeyPolicy", "resource_types": [ { @@ -79312,7 +88321,7 @@ }, { "access_level": "Write", - "description": "Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS.", + "description": "Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", "privilege": "ReEncryptFrom", "resource_types": [ { @@ -79335,7 +88344,7 @@ }, { "access_level": "Write", - "description": "Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS.", + "description": "Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS", "privilege": "ReEncryptTo", "resource_types": [ { @@ -79358,7 +88367,7 @@ }, { "access_level": "Permissions management", - "description": "Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform.", + "description": "Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform", "privilege": "RetireGrant", "resource_types": [ { @@ -79370,7 +88379,7 @@ }, { "access_level": "Permissions management", - "description": "Controls permission to revoke a grant, which denies permission for all operations that depend on the grant.", + "description": "Controls permission to revoke a grant, which denies permission for all operations that depend on the grant", "privilege": "RevokeGrant", "resource_types": [ { 
@@ -79391,7 +88400,7 @@ }, { "access_level": "Write", - "description": "Controls permission to schedule deletion of a customer master key.", + "description": "Controls permission to schedule deletion of a customer master key", "privilege": "ScheduleKeyDeletion", "resource_types": [ { @@ -79411,7 +88420,7 @@ }, { "access_level": "Write", - "description": "Controls permission to produce a digital signature for a message.", + "description": "Controls permission to produce a digital signature for a message", "privilege": "Sign", "resource_types": [ { @@ -79433,7 +88442,7 @@ }, { "access_level": "Tagging", - "description": "Controls permission to create or update tags that are attached to a customer master key.", + "description": "Controls permission to create or update tags that are attached to a customer master key", "privilege": "TagResource", "resource_types": [ { @@ -79453,7 +88462,7 @@ }, { "access_level": "Tagging", - "description": "Controls permission to delete tags that are attached to a customer master key.", + "description": "Controls permission to delete tags that are attached to a customer master key", "privilege": "UntagResource", "resource_types": [ { @@ -79473,7 +88482,7 @@ }, { "access_level": "Write", - "description": "Controls permission to associate an alias with a different customer master key. An alias is an optional friendly name that you can associate with a customer master key.", + "description": "Controls permission to associate an alias with a different customer master key. An alias is an optional friendly name that you can associate with a customer master key", "privilege": "UpdateAlias", "resource_types": [ { @@ -79498,7 +88507,7 @@ }, { "access_level": "Write", - "description": "Controls permission to change the properties of a custom key store.", + "description": "Controls permission to change the properties of a custom key store", "privilege": "UpdateCustomKeyStore", "resource_types": [ { 
@@ -79510,7 +88519,7 @@ }, { "access_level": "Write", - "description": "Controls permission to delete or change the description of a customer master key.", + "description": "Controls permission to delete or change the description of a customer master key", "privilege": "UpdateKeyDescription", "resource_types": [ { @@ -79530,7 +88539,7 @@ }, { "access_level": "Write", - "description": "Controls permission to use the specified customer master key to verify digital signatures.", + "description": "Controls permission to use the specified customer master key to verify digital signatures", "privilege": "Verify", "resource_types": [ { @@ -81799,7 +90808,7 @@ { "access_level": "List", "description": "Grants permission to list received licenses", - "privilege": "ListReceivedLicensess", + "privilege": "ListReceivedLicenses", "resource_types": [ { "condition_keys": [], @@ -84099,13 +93108,13 @@ "privileges": [ { "access_level": "Write", - "description": "Grants permission to associates a dataset manifest with a project", + "description": "Grants permission to create a dataset manifest", "privilege": "CreateDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, @@ -84117,7 +93126,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "model*" } ] }, @@ -84135,13 +93144,13 @@ }, { "access_level": "Write", - "description": "Grants permission to delete a dataset associated with a project", + "description": "Grants permission to delete a dataset", "privilege": "DeleteDataset", "resource_types": [ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, @@ -84154,11 +93163,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "model*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" } ] }, 
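Review bot: Starting at the `@@ -84099,13 +93108,13 @@` hunk and continuing through the hunks on the next line, `CreateDataset`, `DeleteDataset` and several neighbouring privileges change `"resource_type": "project*"` to `""` or drop their `project*` entry, so the data no longer records a required project resource for them. Presumably any consumer that compares a statement's `Resource` with these entries will now treat the actions as not scopable to a project, which changes what a least-privilege check reports for policies that name a project ARN. I would confirm the new values against the service's authorization reference and, if the commit description does not already say so, add a sentence that resource-level scoping was removed for these dataset and model actions. Most of the affected privilege names fall outside the hunk context, so they cannot all be listed from here.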
@@ -84182,7 +93186,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, @@ -84195,11 +93199,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "model*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" } ] }, @@ -84223,12 +93222,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, @@ -84241,11 +93235,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "model*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" } ] }, @@ -84257,7 +93246,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, @@ -84269,7 +93258,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, @@ -84293,12 +93282,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, @@ -84311,11 +93295,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "model*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" } ] }, @@ -84327,12 +93306,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "model*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] }, @@ -84345,11 +93319,6 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "model*" - }, - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "project*" } ] }, @@ -84361,7 +93330,7 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "project*" + "resource_type": "" } ] } 
@@ -84951,18 +93920,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to archive one or more findings", - "privilege": "ArchiveFindings", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Read", "description": "Grants permission to retrieve information about one or more custom data identifiers", @@ -85478,7 +94435,7 @@ { "access_level": "List", "description": "Grants permission to retrieve the tags for an Amazon Macie resource or member account", - "privilege": "ListTagsForResources", + "privilege": "ListTagsForResource", "resource_types": [ { "condition_keys": [], @@ -85526,18 +94483,6 @@ } ] }, - { - "access_level": "Write", - "description": "Grants permission to reactivate (unarchive) one or more findings", - "privilege": "UnarchiveFindings", - "resource_types": [ - { - "condition_keys": [], - "dependent_actions": [], - "resource_type": "" - } - ] - }, { "access_level": "Tagging", "description": "Grants permission to remove tags from an Amazon Macie resource or member account", 
@@ -85631,32 +94576,32 @@ ], "resources": [ { - "arn": "arn:${Partition}:macie2::${Account}:classification-job/${ResourceId}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:classification-job/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "ClassificationJob" }, { - "arn": "arn:${Partition}:macie2::${Account}:custom-data-identifier/${ResourceId}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:custom-data-identifier/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], "resource": "CustomDataIdentifier" }, { - "arn": "arn:${Partition}:macie2::${Account}:member/${ResourceId}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:findings-filter/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "Member" + "resource": "FindingsFilter" }, { - "arn": "arn:${Partition}:macie2::${Account}:findings-filter/${ResourceId}", + "arn": "arn:${Partition}:macie2:${Region}:${Account}:member/${ResourceId}", "condition_keys": [ "aws:ResourceTag/${TagKey}" ], - "resource": "FindingsFilter" + "resource": "Member" } ], "service_name": "Amazon Macie" @@ -85697,7 +94642,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "member*" + "resource_type": "member" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network" } ] }, @@ -85829,7 +94779,12 @@ { "condition_keys": [], "dependent_actions": [], - "resource_type": "member*" + "resource_type": "member" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "network" } ] }, 
@@ -85939,6 +94894,38 @@ ], "service_name": "Amazon Managed Blockchain" }, + { + "conditions": [], + "prefix": "marketplacecommerceanalytics", + "privileges": [ + { + "access_level": "Write", + "description": "Request a data set to be published to your Amazon S3 bucket.", + "privilege": "GenerateDataSet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Request a support data set to be published to your Amazon S3 bucket.", + "privilege": "StartSupportDataExport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + } + ], + "resources": [], + "service_name": "AWS Marketplace Commerce Analytics Service" + }, { "conditions": [], "prefix": "mechanicalturk", @@ -87056,17 +96043,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "The tag for a MediaLive request.", + "description": "The tag for a MediaLive request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "The tag for a MediaLive resource.", + "description": "The tag for a MediaLive resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "The tag keys for a MediaLive resource or request.", + "description": "The tag keys for a MediaLive resource or request", "type": "String" } ], @@ -87086,7 +96073,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete channels, inputs, input security groups, and multiplexes.", + "description": "Grants permission to delete channels, inputs, input security groups, and multiplexes", "privilege": "BatchDelete", "resource_types": [ { @@ -87113,7 +96100,7 @@ }, { "access_level": "Write", - "description": "Grants permission to start channels and multiplexes.", + "description": "Grants permission to start channels and multiplexes", "privilege": "BatchStart", "resource_types": [ { 
@@ -87130,7 +96117,7 @@ }, { "access_level": "Write", - "description": "Grants permission to stop channels and multiplexes.", + "description": "Grants permission to stop channels and multiplexes", "privilege": "BatchStop", "resource_types": [ { @@ -87147,7 +96134,7 @@ }, { "access_level": "Write", - "description": "Grants permission to add and remove actions from a channel's schedule.", + "description": "Grants permission to add and remove actions from a channel's schedule", "privilege": "BatchUpdateSchedule", "resource_types": [ { @@ -87273,7 +96260,7 @@ }, { "access_level": "Tagging", - "description": "Grants permission to create tags for channels, inputs, input security groups, multiplexes, and reservations.", + "description": "Grants permission to create tags for channels, inputs, input security groups, multiplexes, and reservations", "privilege": "CreateTags", "resource_types": [ { @@ -87383,9 +96370,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete all schedule actions for a channel", + "privilege": "DeleteSchedule", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "channel*" + } + ] + }, { "access_level": "Tagging", - "description": "Grants permission to delete tags from channels, inputs, input security groups, multiplexes, and reservations.", + "description": "Grants permission to delete tags from channels, inputs, input security groups, multiplexes, and reservations", "privilege": "DeleteTags", "resource_types": [ { @@ -87532,7 +96531,7 @@ }, { "access_level": "Read", - "description": "Grants permission to view a list of actions scheduled on a channel.", + "description": "Grants permission to view a list of actions scheduled on a channel", "privilege": "DescribeSchedule", "resource_types": [ { 
@@ -87652,7 +96651,7 @@ }, { "access_level": "List", - "description": "Grants permission to list tags for channels, inputs, input security groups, multiplexes, and reservations.", + "description": "Grants permission to list tags for channels, inputs, input security groups, multiplexes, and reservations", "privilege": "ListTagsForResource", "resource_types": [ { @@ -89357,7 +98356,7 @@ ] }, { - "access_level": "Write", + "access_level": "Read", "description": "Generate project parameters required for code generation", "privilege": "GenerateProjectParameters", "resource_types": [ @@ -91168,6 +100167,7 @@ "sso-directory:DescribeUsers", "sso:AssociateProfile", "sso:GetManagedApplicationInstance", + "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles" ], @@ -91220,6 +100220,7 @@ "sso-directory:DescribeUsers", "sso:DisassociateProfile", "sso:GetManagedApplicationInstance", + "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles" ], @@ -92915,17 +101916,17 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters actions based on the tags that are passed in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters actions based on the tags associated with the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters actions based on the tag keys that are passed in the request", "type": "String" }, { 
@@ -92937,6 +101938,11 @@ "condition": "networkmanager:tgwArn", "description": "Controls which transit gateways can be registered or deregistered", "type": "String" + }, + { + "condition": "networkmanager:tgwConnectPeerArn", + "description": "Controls which connect peers can be associated or disassociated", + "type": "String" } ], "prefix": "networkmanager", @@ -92992,6 +101998,55 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to associate a transit gateway connect peer to a device", + "privilege": "AssociateTransitGatewayConnectPeer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "link" + }, + { + "condition_keys": [ + "networkmanager:tgwConnectPeerArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new connection", + "privilege": "CreateConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a new device", @@ -93074,6 +102129,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a connection", + "privilege": "DeleteConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a device", 
@@ -93209,6 +102281,42 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a transit gateway connect peer from a device", + "privilege": "DisassociateTransitGatewayConnectPeer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [ + "networkmanager:tgwConnectPeerArn" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to describe connections", + "privilege": "GetConnections", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe customer gateway associations", @@ -93294,6 +102402,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to describe transit gateway connect peer associations", + "privilege": "GetTransitGatewayConnectPeerAssociations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + } + ] + }, { "access_level": "List", "description": "Grants permission to describe transit gateway registrations", @@ -93311,6 +102431,11 @@ "description": "Grants permission to lists tag for a Network Manager resource", "privilege": "ListTagsForResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, { "condition_keys": [], "dependent_actions": [], @@ -93364,6 +102489,11 @@ "description": "Grants permission to tag a Network Manager resource", "privilege": "TagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -93400,6 +102530,11 @@ "description": "Grants permission to untag a Network Manager resource", "privilege": "UntagResource", "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection" + }, { "condition_keys": [], "dependent_actions": [], @@ -93429,6 +102564,23 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a connection", + "privilege": "UpdateConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "connection*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "global-network*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a device", @@ -93521,6 +102673,13 @@ "aws:ResourceTag/${TagKey}" ], "resource": "device" + }, + { + "arn": "arn:${Partition}:networkmanager::${Account}:connection/${GlobalNetworkId}/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "connection" } ], "service_name": "Network Manager" @@ -95600,7 +104759,7 @@ }, { "access_level": "Write", - "description": "Grants permission to delete an outpost", + "description": "Grants permission to delete an Outpost", "privilege": "DeleteOutpost", "resource_types": [ { 
@@ -95669,6 +104828,42 @@ "resource_type": "" } ] + }, + { + "access_level": "List", + "description": "Grants permission to list tags for a resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to add tags to a resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to remove tags from a resource", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [], @@ -98616,32 +107811,32 @@ "conditions": [ { "condition": "aws:RequestTag/${TagKey}", - "description": "Filters actions based on the presence of tag key-value pairs in the request", + "description": "Filters access by tag key-value pairs in the request", "type": "String" }, { "condition": "aws:ResourceTag/${TagKey}", - "description": "Filters actions based on tag key-value pairs attached to the resource", + "description": "Filters access by tag key-value pairs attached to the resource", "type": "String" }, { "condition": "aws:TagKeys", - "description": "Filters actions based on the presence of tag keys in the request", + "description": "Filters access by tag keys", "type": "String" }, { "condition": "quicksight:IamArn", - "description": "IAM user ARN or role ARN.", + "description": "Filters access by IAM user or role ARN", "type": "String" }, { "condition": "quicksight:SessionName", - "description": "The session name.", + "description": "Filters access by session name", "type": "String" }, { "condition": "quicksight:UserName", - "description": "The user name.", + "description": "Filters access by user name", "type": "String" } ], 
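Review bot: The new `TagResource` and `UntagResource` entries in the `@@ -95669,6 +104828,42 @@` hunk are classified as `"access_level": "Write"`, while the tag actions elsewhere in this diff (the KMS `TagResource`/`UntagResource` entries and MediaLive `CreateTags`/`DeleteTags`) use `"Tagging"`. Anything that selects tag-mutating permissions by access level would miss these two, which matters wherever tags feed `aws:ResourceTag` conditions. If the value deliberately mirrors the upstream reference, keep it and say so in the commit description; otherwise use `"access_level": "Tagging",` for both entries.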
@@ -98684,7 +107879,7 @@ }, { "access_level": "Write", - "description": "CreateAdmin enables the user to provision Amazon QuickSight administrators, authors, and readers.", + "description": "Grants permission to provision Amazon QuickSight administrators, authors, and readers", "privilege": "CreateAdmin", "resource_types": [ { @@ -98696,7 +107891,7 @@ }, { "access_level": "Write", - "description": "Creates an analysis from a template", + "description": "Grants permission to create an analysis from a template", "privilege": "CreateAnalysis", "resource_types": [ { @@ -98728,7 +107923,7 @@ }, { "access_level": "Write", - "description": "Creates a dashboard from a template", + "description": "Grants permission to create a QuickSight Dashboard", "privilege": "CreateDashboard", "resource_types": [ { @@ -98753,7 +107948,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "quicksight:PassDataSource" + ], "resource_type": "datasource*" }, { @@ -98783,7 +107980,7 @@ }, { "access_level": "Write", - "description": "Create a QuickSight group.", + "description": "Grants permission to create a QuickSight group", "privilege": "CreateGroup", "resource_types": [ { @@ -98795,7 +107992,7 @@ }, { "access_level": "Write", - "description": "Add a QuickSight user to a QuickSight group.", + "description": "Grants permission to add a QuickSight user to a QuickSight group", "privilege": "CreateGroupMembership", "resource_types": [ { @@ -98809,7 +108006,7 @@ }, { "access_level": "Write", - "description": "Creates an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight.", + "description": "Grants permission to create an assignment with one specified IAM Policy ARN that will be assigned to specified groups or users of QuickSight", "privilege": "CreateIAMPolicyAssignment", "resource_types": [ { 
@@ -98853,7 +108050,7 @@ }, { "access_level": "Write", - "description": "CreateReader enables the user to provision Amazon QuickSight readers.", + "description": "Grants permission to provision Amazon QuickSight readers", "privilege": "CreateReader", "resource_types": [ { @@ -98865,7 +108062,7 @@ }, { "access_level": "Write", - "description": "Creates a template from an existing QuickSight analysis or template", + "description": "Grants permission to create a template", "privilege": "CreateTemplate", "resource_types": [ { @@ -98885,7 +108082,7 @@ }, { "access_level": "Write", - "description": "Creates a template alias for a template", + "description": "Grants permission to create a template alias", "privilege": "CreateTemplateAlias", "resource_types": [ { @@ -98897,7 +108094,7 @@ }, { "access_level": "Write", - "description": "Creates a QuickSight theme", + "description": "Grant permission to create a theme", "privilege": "CreateTheme", "resource_types": [ { @@ -98917,7 +108114,7 @@ }, { "access_level": "Write", - "description": "Creates a theme alias for a theme", + "description": "Grants permission to create an alias for a theme version", "privilege": "CreateThemeAlias", "resource_types": [ { @@ -98929,7 +108126,7 @@ }, { "access_level": "Write", - "description": "CreateUser enables the user to provision Amazon QuickSight authors and readers.", + "description": "Grants permission to provision Amazon QuickSight authors and readers", "privilege": "CreateUser", "resource_types": [ { @@ -98939,6 +108136,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a VPC connection", + "privilege": "CreateVPCConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete an account customization for QuickSight account or namespace", 
@@ -98953,7 +108162,7 @@ }, { "access_level": "Write", - "description": "Deletes an analysis", + "description": "Grants permissions to delete an analysis", "privilege": "DeleteAnalysis", "resource_types": [ { @@ -98965,7 +108174,19 @@ }, { "access_level": "Write", - "description": "Deletes a dashboard", + "description": "Grants permission to delete a custom permissions resource", + "privilege": "DeleteCustomPermissions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a QuickSight Dashboard", "privilege": "DeleteDashboard", "resource_types": [ { @@ -99017,7 +108238,7 @@ }, { "access_level": "Write", - "description": "Remove a user group from QuickSight.", + "description": "Grants permission to remove a user group from QuickSight", "privilege": "DeleteGroup", "resource_types": [ { @@ -99029,7 +108250,7 @@ }, { "access_level": "Write", - "description": "Remove a user from a group so that he/she is no longer a member of the group.", + "description": "Grants permission to remove a user from a group so that he/she is no longer a member of the group", "privilege": "DeleteGroupMembership", "resource_types": [ { @@ -99043,7 +108264,7 @@ }, { "access_level": "Write", - "description": "Update an existing assignment.", + "description": "Grants permission to update an existing assignment", "privilege": "DeleteIAMPolicyAssignment", "resource_types": [ { @@ -99067,7 +108288,7 @@ }, { "access_level": "Write", - "description": "Deletes a template", + "description": "Grants permission to delete a template", "privilege": "DeleteTemplate", "resource_types": [ { @@ -99079,7 +108300,7 @@ }, { "access_level": "Write", - "description": "Deletes the item that the specified template alias points to", + "description": "Grants permission to delete a template alias", "privilege": "DeleteTemplateAlias", "resource_types": [ { 
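Review bot: The `DeleteIAMPolicyAssignment` entry in the `@@ -99043,7 +108264,7 @@` hunk keeps a description that contradicts the action, `"Grants permission to update an existing assignment"`. Someone who reads the description to judge this Write permission would understate what it allows; it should read `"description": "Grants permission to delete an existing assignment",`. The same rewrite leaves smaller wording slips: `Grants permissions to delete an analysis` on this line, `Grant permission to create a theme` in the `CreateTheme` hunk, and `Grants permission to deletes a user` in the `DeleteUserByPrincipalId` hunk.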
@@ -99091,7 +108312,7 @@ }, { "access_level": "Write", - "description": "Deletes a theme", + "description": "Grants permission to delete a theme", "privilege": "DeleteTheme", "resource_types": [ { @@ -99103,7 +108324,7 @@ }, { "access_level": "Write", - "description": "Deletes the item that the specified theme alias points to", + "description": "Grants permission to delete the alias of a theme", "privilege": "DeleteThemeAlias", "resource_types": [ { @@ -99115,7 +108336,7 @@ }, { "access_level": "Write", - "description": "Delete the QuickSight user that is associated with the identity of the IAM user/role making the call. The IAM user is not deleted as a result of this call.", + "description": "Grants permission to delete a QuickSight user, given the user name", "privilege": "DeleteUser", "resource_types": [ { @@ -99127,7 +108348,7 @@ }, { "access_level": "Write", - "description": "Deletes a user identified by its principal ID.", + "description": "Grants permission to deletes a user identified by its principal ID", "privilege": "DeleteUserByPrincipalId", "resource_types": [ { @@ -99137,6 +108358,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete a VPC connection", + "privilege": "DeleteVPCConnection", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe an account customization for QuickSight account or namespace", @@ -99163,7 +108396,7 @@ }, { "access_level": "Read", - "description": "Provides a summary for an analysis", + "description": "Grants permission to describe an analysis", "privilege": "DescribeAnalysis", "resource_types": [ { 
@@ -99175,7 +108408,7 @@ }, { "access_level": "Read", - "description": "Describes read and write permissions for an analysis", + "description": "Grants permission to describe permissions for an analysis", "privilege": "DescribeAnalysisPermissions", "resource_types": [ { @@ -99199,7 +108432,7 @@ }, { "access_level": "Read", - "description": "Provides a summary for a dashboard", + "description": "Grants permission to describe a QuickSight Dashboard", "privilege": "DescribeDashboard", "resource_types": [ { @@ -99211,7 +108444,7 @@ }, { "access_level": "Read", - "description": "Describes read and write permissions for a dashboard", + "description": "Grants permission to describe permissions for a QuickSight Dashboard", "privilege": "DescribeDashboardPermissions", "resource_types": [ { @@ -99303,7 +108536,7 @@ }, { "access_level": "Read", - "description": "Return a QuickSight group\u2019s description and ARN.", + "description": "Grants permission to describe a QuickSight group", "privilege": "DescribeGroup", "resource_types": [ { @@ -99315,7 +108548,7 @@ }, { "access_level": "Read", - "description": "Describe an existing assignment.", + "description": "Grants permission to describe an existing assignment", "privilege": "DescribeIAMPolicyAssignment", "resource_types": [ { @@ -99359,7 +108592,7 @@ }, { "access_level": "Read", - "description": "Describes a template's metadata", + "description": "Grants permission to describe a template", "privilege": "DescribeTemplate", "resource_types": [ { @@ -99371,7 +108604,7 @@ }, { "access_level": "Read", - "description": "Describes the template alias for a template", + "description": "Grants permission to describe a template alias", "privilege": "DescribeTemplateAlias", "resource_types": [ { 
@@ -99383,7 +108616,7 @@ }, { "access_level": "Read", - "description": "Describes read and write permissions on a template", + "description": "Grants permission to describe permissions for a template", "privilege": "DescribeTemplatePermissions", "resource_types": [ { @@ -99395,7 +108628,7 @@ }, { "access_level": "Read", - "description": "Describes a theme's metadata", + "description": "Grants permission to describe a theme", "privilege": "DescribeTheme", "resource_types": [ { @@ -99407,7 +108640,7 @@ }, { "access_level": "Read", - "description": "Describes the theme alias for a theme", + "description": "Grants permission to describe a theme alias", "privilege": "DescribeThemeAlias", "resource_types": [ { @@ -99419,7 +108652,7 @@ }, { "access_level": "Read", - "description": "Describes read and write permissions on a theme", + "description": "Grants permission to describe permissions for a theme", "privilege": "DescribeThemePermissions", "resource_types": [ { @@ -99431,7 +108664,7 @@ }, { "access_level": "Read", - "description": "Return information about a user, given the user name.", + "description": "Grants permission to describe a QuickSight user given the user name", "privilege": "DescribeUser", "resource_types": [ { @@ -99443,7 +108676,7 @@ }, { "access_level": "Read", - "description": "Return an auth code representing a QuickSight user.", + "description": "Grants permission to get an auth code representing a QuickSight user", "privilege": "GetAuthCode", "resource_types": [ { @@ -99455,7 +108688,7 @@ }, { "access_level": "Read", - "description": "Return a QuickSight dashboard embedding URL.", + "description": "Grants permission to get a URL used to embed a QuickSight Dashboard", "privilege": "GetDashboardEmbedUrl", "resource_types": [ { 
@@ -99467,7 +108700,7 @@ }, { "access_level": "Read", - "description": "GetGroupMapping is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight.", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to identify and display the Microsoft Active Directory (Microsoft Active Directory) directory groups that are mapped to roles in Amazon QuickSight", "privilege": "GetGroupMapping", "resource_types": [ { @@ -99479,7 +108712,7 @@ }, { "access_level": "Read", - "description": "Grants permission to get a URL to embed QuickSight console experience.", + "description": "Grants permission to get a URL to embed QuickSight console experience", "privilege": "GetSessionEmbedUrl", "resource_types": [ { @@ -99491,7 +108724,7 @@ }, { "access_level": "List", - "description": "Lists analyses in an AWS account", + "description": "Grants permission to list all analyses in an account", "privilege": "ListAnalyses", "resource_types": [ { @@ -99515,7 +108748,7 @@ }, { "access_level": "List", - "description": "Lists all the versions of the dashboards in the QuickSight subscription", + "description": "Grants permission to list all versions of a QuickSight Dashboard", "privilege": "ListDashboardVersions", "resource_types": [ { @@ -99527,7 +108760,7 @@ }, { "access_level": "List", - "description": "Lists dashboards in an AWS account", + "description": "Grants permission to list all Dashboards in a QuickSight Account", "privilege": "ListDashboards", "resource_types": [ { @@ -99569,7 +108802,7 @@ }, { "access_level": "List", - "description": "Return a list of member users in a group.", + "description": "Grants permission to list member users in a group", "privilege": "ListGroupMemberships", "resource_types": [ { 
@@ -99581,7 +108814,7 @@ }, { "access_level": "List", - "description": "Get a list of all user groups in QuickSight.", + "description": "Grants permission to list all user groups in QuickSight", "privilege": "ListGroups", "resource_types": [ { @@ -99593,7 +108826,7 @@ }, { "access_level": "List", - "description": "List all assignments in the current Amazon QuickSight account.", + "description": "Grants permission to list all assignments in the current Amazon QuickSight account", "privilege": "ListIAMPolicyAssignments", "resource_types": [ { @@ -99605,7 +108838,7 @@ }, { "access_level": "List", - "description": "List all assignments assigned to a user and the groups it belongs", + "description": "Grants permission to list all assignments assigned to a user and the groups it belongs", "privilege": "ListIAMPolicyAssignmentsForUser", "resource_types": [ { @@ -99644,7 +108877,7 @@ }, { "access_level": "List", - "description": "List tags of a QuickSight resource.", + "description": "Grants permission to list tags of a QuickSight resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -99671,7 +108904,7 @@ }, { "access_level": "List", - "description": "Lists all the aliases of a template", + "description": "Grants permission to list all aliases for a template", "privilege": "ListTemplateAliases", "resource_types": [ { @@ -99683,7 +108916,7 @@ }, { "access_level": "List", - "description": "Lists all the versions of the templates in the current Amazon QuickSight account", + "description": "Grants permission to list all versions of a template", "privilege": "ListTemplateVersions", "resource_types": [ { @@ -99695,7 +108928,7 @@ }, { "access_level": "List", - "description": "Lists all the templates in the current Amazon QuickSight account", + "description": "Grants permission to list all templates in a QuickSight account", "privilege": "ListTemplates", "resource_types": [ { 
@@ -99707,7 +108940,7 @@ }, { "access_level": "List", - "description": "Lists all the aliases of a theme", + "description": "Grants permission to list all aliases of a theme", "privilege": "ListThemeAliases", "resource_types": [ { @@ -99719,7 +108952,7 @@ }, { "access_level": "List", - "description": "Lists all the versions of a theme", + "description": "Grants permission to list all versions of a theme", "privilege": "ListThemeVersions", "resource_types": [ { @@ -99731,7 +108964,7 @@ }, { "access_level": "List", - "description": "Lists all the themes in the current Amazon QuickSight account", + "description": "Grants permission to list all themes in an account", "privilege": "ListThemes", "resource_types": [ { @@ -99743,7 +108976,7 @@ }, { "access_level": "List", - "description": "Return a list of groups that a given user is a member of.", + "description": "Grants permission to list groups that a given user is a member of", "privilege": "ListUserGroups", "resource_types": [ { @@ -99755,7 +108988,7 @@ }, { "access_level": "List", - "description": "Return a list of all of the QuickSight users belonging to this account.", + "description": "Grants permission to list all of the QuickSight users belonging to this account", "privilege": "ListUsers", "resource_types": [ { @@ -99807,7 +109040,7 @@ }, { "access_level": "Write", - "description": "Create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request.", + "description": "Grants permission to create a QuickSight user, whose identity is associated with the IAM identity/role specified in the request", "privilege": "RegisterUser", "resource_types": [ { @@ -99822,7 +109055,7 @@ }, { "access_level": "Write", - "description": "Restores a deleted analysis", + "description": "Grants permission to restore a deleted analysis", "privilege": "RestoreAnalysis", "resource_types": [ { 
@@ -99834,7 +109067,7 @@ }, { "access_level": "List", - "description": "Searches for analyses that belong to the user specified in the filter", + "description": "Grants permission to search for a sub-set of analyses", "privilege": "SearchAnalyses", "resource_types": [ { @@ -99846,7 +109079,7 @@ }, { "access_level": "List", - "description": "Searches for dashboards that belong to a user", + "description": "Grants permission to search for a sub-set of QuickSight Dashboards", "privilege": "SearchDashboards", "resource_types": [ { @@ -99858,7 +109091,7 @@ }, { "access_level": "Write", - "description": "SearchDirectoryGroups is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight.", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", "privilege": "SearchDirectoryGroups", "resource_types": [ { @@ -99870,7 +109103,7 @@ }, { "access_level": "Write", - "description": "SearchDirectoryGroups is used only in Amazon QuickSight Enterprise edition accounts. It enables the user to use Amazon QuickSight to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight.", + "description": "Grants permission to use Amazon QuickSight, in Enterprise edition, to display your Microsoft Active Directory directory groups so that you can choose which ones to map to roles in Amazon QuickSight", "privilege": "SetGroupMapping", "resource_types": [ { 
@@ -99882,7 +109115,7 @@ }, { "access_level": "Write", - "description": "Subscribe enables the user to subscribe to Amazon QuickSight. Enabling this action also allows the user to upgrade the subscription to Enterprise edition.", + "description": "Grants permission to subscribe to Amazon QuickSight, and also to allow the user to upgrade the subscription to Enterprise edition", "privilege": "Subscribe", "resource_types": [ { @@ -99894,7 +109127,7 @@ }, { "access_level": "Tagging", - "description": "Add tags to a QuickSight resource", + "description": "Grants permission to add tags to a QuickSight resource", "privilege": "TagResource", "resource_types": [ { @@ -99929,7 +109162,7 @@ }, { "access_level": "Write", - "description": "Unsubscribe enables the user to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight.", + "description": "Grants permission to unsubscribe from Amazon QuickSight, which permanently deletes all users and their resources from Amazon QuickSight", "privilege": "Unsubscribe", "resource_types": [ { @@ -99941,7 +109174,7 @@ }, { "access_level": "Tagging", - "description": "Remove tags from a QuickSight resource.", + "description": "Grants permission to remove tags from a QuickSight resource", "privilege": "UntagResource", "resource_types": [ { @@ -99999,7 +109232,7 @@ }, { "access_level": "Write", - "description": "Updates an analysis in an AWS account", + "description": "Grants permission to update an analysis", "privilege": "UpdateAnalysis", "resource_types": [ { @@ -100011,7 +109244,7 @@ }, { "access_level": "Write", - "description": "Updates read and write permissions on an analysis", + "description": "Grants permission to update permissions for an analysis", "privilege": "UpdateAnalysisPermissions", "resource_types": [ { 
@@ -100035,7 +109268,7 @@ }, { "access_level": "Write", - "description": "Updates a dashboard in an AWS account", + "description": "Grants permission to update a QuickSight Dashboard", "privilege": "UpdateDashboard", "resource_types": [ { @@ -100047,7 +109280,7 @@ }, { "access_level": "Write", - "description": "Updates read and write permissions on a dashboard", + "description": "Grants permission to update permissions for a QuickSight Dashboard", "privilege": "UpdateDashboardPermissions", "resource_types": [ { @@ -100059,7 +109292,7 @@ }, { "access_level": "Write", - "description": "Updates the published version of a dashboard", + "description": "Grants permission to update a QuickSight Dashboard\u2019s Published Version", "privilege": "UpdateDashboardPublishedVersion", "resource_types": [ { @@ -100076,7 +109309,9 @@ "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "quicksight:PassDataSource" + ], "resource_type": "dataset*" }, { @@ -100156,7 +109391,7 @@ }, { "access_level": "Write", - "description": "Change group description.", + "description": "Grants permission to change group description", "privilege": "UpdateGroup", "resource_types": [ { @@ -100168,7 +109403,7 @@ }, { "access_level": "Write", - "description": "Update an existing assignment.", + "description": "Grants permission to update an existing assignment", "privilege": "UpdateIAMPolicyAssignment", "resource_types": [ { @@ -100180,7 +109415,7 @@ }, { "access_level": "Write", - "description": "Updates a template from an existing Amazon QuickSight analysis or another template", + "description": "Grants permission to update a template", "privilege": "UpdateTemplate", "resource_types": [ { @@ -100192,7 +109427,7 @@ }, { "access_level": "Write", - "description": "Updates the template alias of a template", + "description": "Grants permission to update a template alias", "privilege": "UpdateTemplateAlias", "resource_types": [ { 
@@ -100204,7 +109439,7 @@ }, { "access_level": "Write", - "description": "Updates the resource permissions for a template", + "description": "Grants permission to update permissions for a template", "privilege": "UpdateTemplatePermissions", "resource_types": [ { @@ -100216,7 +109451,7 @@ }, { "access_level": "Write", - "description": "Updates a theme", + "description": "Grants permission to update a theme", "privilege": "UpdateTheme", "resource_types": [ { @@ -100228,7 +109463,7 @@ }, { "access_level": "Write", - "description": "Updates the theme alias of a theme", + "description": "Grants permission to update the alias of a theme", "privilege": "UpdateThemeAlias", "resource_types": [ { @@ -100240,7 +109475,7 @@ }, { "access_level": "Write", - "description": "Updates the resource permissions for a theme", + "description": "Grants permission to update permissions for a theme", "privilege": "UpdateThemePermissions", "resource_types": [ { @@ -100252,7 +109487,7 @@ }, { "access_level": "Write", - "description": "Updates an Amazon QuickSight user.", + "description": "Grants permission to update an Amazon QuickSight user", "privilege": "UpdateUser", "resource_types": [ { @@ -103199,6 +112434,11 @@ }, { "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, { "condition": "aws:ResourceTag/${TagKey}", "description": "Filters actions based on the tags associated with the resource", @@ -103214,11 +112454,13 @@ "privileges": [ { "access_level": "Write", - "description": "Runs a batch SQL statement over an array of data.", + "description": "Grants permission to run a batch SQL statement over an array of data", "privilege": "BatchExecuteStatement", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } 
@@ -103226,11 +112468,13 @@ }, { "access_level": "Write", - "description": "Starts a SQL transaction.", + "description": "Grants permission to start a SQL transaction", "privilege": "BeginTransaction", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } @@ -103238,11 +112482,13 @@ }, { "access_level": "Write", - "description": "Ends a SQL transaction started with the BeginTransaction operation and commits the changes.", + "description": "Grants permission to end a SQL transaction started with the BeginTransaction operation and commits the changes", "privilege": "CommitTransaction", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [ "rds-data:BeginTransaction" ], @@ -103252,7 +112498,7 @@ }, { "access_level": "Write", - "description": "Runs one or more SQL statements. This operation is deprecated. Use the BatchExecuteStatement or ExecuteStatement operation.", + "description": "Grants permission to run one or more SQL statements. This operation is deprecated. Use the BatchExecuteStatement or ExecuteStatement operation", "privilege": "ExecuteSql", "resource_types": [ { @@ -103264,11 +112510,13 @@ }, { "access_level": "Write", - "description": "Runs a SQL statement against a database.", + "description": "Grants permission to run a SQL statement against a database", "privilege": "ExecuteStatement", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [], "resource_type": "" } 
@@ -103276,11 +112524,13 @@ }, { "access_level": "Write", - "description": "Performs a rollback of a transaction. Rolling back a transaction cancels its changes.", + "description": "Grants permission to perform a rollback of a transaction. Rolling back a transaction cancels its changes", "privilege": "RollbackTransaction", "resource_types": [ { - "condition_keys": [], + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], "dependent_actions": [ "rds-data:BeginTransaction" ], @@ -105885,7 +115135,7 @@ "privileges": [ { "access_level": "Write", - "description": "Creates a group with a specified name, description, and resource query.", + "description": "Grants permission to create a resource group with a specified name, description, and resource query", "privilege": "CreateGroup", "resource_types": [ { @@ -105900,7 +115150,7 @@ }, { "access_level": "Write", - "description": "Deletes a specified resource group", + "description": "Grants permission to delete a specified resource group", "privilege": "DeleteGroup", "resource_types": [ { @@ -105912,7 +115162,7 @@ }, { "access_level": "Read", - "description": "Gets information of a specified resource group", + "description": "Grants permission to get information of a specified resource group", "privilege": "GetGroup", "resource_types": [ { @@ -105924,7 +115174,19 @@ }, { "access_level": "Read", - "description": "Gets the query associated with a specified resource group", + "description": "Grants permission to get the service configuration associated with the specified resource group", + "privilege": "GetGroupConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the query associated with a specified resource group", "privilege": "GetGroupQuery", "resource_types": [ { 
@@ -105936,7 +115198,7 @@ }, { "access_level": "Read", - "description": "Gets the tags associated with a specified resource group", + "description": "Grants permission to get the tags associated with a specified resource group", "privilege": "GetTags", "resource_types": [ { @@ -105946,21 +115208,37 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to add the specified resources to the specified group", + "privilege": "GroupResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, { "access_level": "List", - "description": "Lists the resources that are member of a specified resource group", + "description": "Grants permission to list the resources that are members of a specified resource group", "privilege": "ListGroupResources", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "cloudformation:DescribeStacks", + "cloudformation:ListStackResources", + "tag:GetResources" + ], "resource_type": "group*" } ] }, { "access_level": "List", - "description": "Lists all resource groups", + "description": "Grants permission to list all resource groups in your account", "privilege": "ListGroups", "resource_types": [ { 
@@ -105970,21 +115248,37 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to add a resource-based policy for the specified group", + "privilege": "PutGroupPolicy", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, { "access_level": "List", - "description": "Returns a list of AWS resource identifiers matching the given query", + "description": "Grants permission to search for AWS resources matching the given query", "privilege": "SearchResources", "resource_types": [ { "condition_keys": [], - "dependent_actions": [], + "dependent_actions": [ + "cloudformation:DescribeStacks", + "cloudformation:ListStackResources", + "tag:GetResources" + ], "resource_type": "" } ] }, { "access_level": "Tagging", - "description": "Tags a specified resource group", + "description": "Grants permission to tag a specified resource group", "privilege": "Tag", "resource_types": [ { @@ -106002,9 +115296,21 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to remove the specified resources from the specified group", + "privilege": "UngroupResources", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "group*" + } + ] + }, { "access_level": "Tagging", - "description": "Removes tags associated with a specified resource group", + "description": "Grants permission to remove tags associated with a specified resource group", "privilege": "Untag", "resource_types": [ { @@ -106023,7 +115329,7 @@ }, { "access_level": "Write", - "description": "Updates a specified resource group", + "description": "Grants permission to update a specified resource group", "privilege": "UpdateGroup", "resource_types": [ { 
@@ -106035,7 +115341,7 @@ }, { "access_level": "Write", - "description": "Updates the query associated with a specified resource group", + "description": "Grants permission to update the query associated with a specified resource group", "privilege": "UpdateGroupQuery", "resource_types": [ { @@ -108296,6 +117602,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to get the DNSSEC validation support status for DNS queries within the specified resource", + "privilege": "GetResolverDnssecConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-dnssec-config*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get information about a specified Resolver endpoint, such as whether it's an inbound or an outbound endpoint, and the IP addresses in your VPC that DNS queries are forwarded to on the way into or out of your VPC", @@ -108380,6 +117698,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the DNSSEC validation support status for DNS queries", + "privilege": "ListResolverDnssecConfigs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-dnssec-config*" + } + ] + }, { "access_level": "List", "description": "For a specified Resolver endpoint, grants permission to list the IP addresses that DNS queries pass through on the way to your network (outbound) or your VPCs (inbound)", 
@@ -108527,6 +117857,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the DNSSEC validation support status for DNS queries within the specified resource", + "privilege": "UpdateResolverDnssecConfig", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "resolver-dnssec-config*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update selected settings for an inbound or an outbound Resolver endpoint", @@ -108553,6 +117895,13 @@ } ], "resources": [ + { + "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-dnssec-config/${ResourceId}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "resolver-dnssec-config" + }, { "arn": "arn:${Partition}:route53resolver:${Region}:${Account}:resolver-query-log-config/${ResourceId}", "condition_keys": [ @@ -108654,6 +118003,16 @@ "description": "Filters access by the tag keys to be added to objects", "type": "String" }, + { + "condition": "s3:ResourceAccount", + "description": "Filters access by the resource owner AWS account ID", + "type": "String" + }, + { + "condition": "s3:TlsVersion", + "description": "Filters access by the TLS version used by the client", + "type": "Numeric" + }, { "condition": "s3:VersionId", "description": "Filters access by a specific object version", @@ -108803,8 +118162,10 @@ "s3:DataAccessPointAccount", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -108830,8 +118191,10 @@ "s3:RequestObjectTag/", "s3:RequestObjectTagKeys", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-acl", "s3:x-amz-content-sha256", "s3:x-amz-copy-source", 
@@ -108872,8 +118235,10 @@ "s3:AccessPointNetworkOrigin", "s3:authType", "s3:locationconstraint", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-acl", "s3:x-amz-content-sha256" ], @@ -108896,8 +118261,10 @@ "condition_keys": [ "s3:authType", "s3:locationconstraint", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-acl", "s3:x-amz-content-sha256", "s3:x-amz-grant-full-control", @@ -108919,8 +118286,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "s3:RequestJobPriority", "s3:RequestJobOperation", @@ -108950,8 +118319,10 @@ "s3:DataAccessPointAccount", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -108975,8 +118346,10 @@ "s3:DataAccessPointAccount", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -108997,8 +118370,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109019,8 +118394,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109041,8 +118418,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109063,8 +118442,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
@@ -109085,8 +118466,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "s3:ExistingJobPriority", "s3:ExistingJobOperation" @@ -109112,8 +118495,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109138,8 +118523,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109163,8 +118550,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:versionid", "s3:x-amz-content-sha256" ], @@ -109190,8 +118579,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:versionid", "s3:x-amz-content-sha256" ], @@ -109213,8 +118604,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109235,8 +118628,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109257,8 +118652,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109279,8 +118676,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
@@ -109299,8 +118698,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109324,8 +118725,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109349,8 +118752,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109366,8 +118771,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109388,8 +118795,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109410,8 +118819,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109432,8 +118843,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109466,8 +118879,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109488,8 +118903,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
@@ -109510,7 +118927,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", "s3:signatureversion" ], "dependent_actions": [], @@ -109531,8 +118951,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109553,8 +118975,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109575,8 +118999,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109597,8 +119023,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109619,8 +119047,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109641,8 +119071,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109663,8 +119095,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109685,8 +119119,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
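Review bot: The `condition_keys` list in the hunk at `-109510,7 +118927,10` ends up holding `"s3:signatureversion"` twice, because the added `"s3:signatureversion",` line sits above the unchanged `"s3:signatureversion"` context line that closes the list. Every other S3 hunk on this page adds only `"s3:ResourceAccount"` and `"s3:TlsVersion"`, so this looks like an artefact of how the file was produced rather than an intended entry. I would drop the added `"s3:signatureversion",` line, which leaves the list as valid JSON with each key once. If this file is generated, as it appears to be, de-duplicating `condition_keys` in the generator would stop consumers that compare or count keys from seeing repeats. The privilege entry this list belongs to starts outside the hunk.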
@@ -109707,8 +119143,34 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get an or list all Amazon S3 Intelligent Tiering configuration in a S3 Bucket", + "privilege": "GetIntelligentTieringConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109729,8 +119191,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109751,8 +119215,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109773,8 +119239,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109795,8 +119263,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109821,8 +119291,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
@@ -109847,8 +119319,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109872,8 +119346,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109897,8 +119373,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109923,8 +119401,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109945,8 +119425,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -109971,8 +119453,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:versionid", "s3:x-amz-content-sha256" ], @@ -109998,8 +119482,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:versionid", "s3:x-amz-content-sha256" ], @@ -110021,8 +119507,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
@@ -110047,8 +119535,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:versionid", "s3:x-amz-content-sha256" ], @@ -110070,8 +119560,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:versionid", "s3:x-amz-content-sha256" ], @@ -110093,8 +119585,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110115,8 +119609,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110137,8 +119633,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110159,8 +119657,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110176,8 +119676,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110193,8 +119695,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110221,8 +119725,10 @@ "s3:delimiter", "s3:max-keys", "s3:prefix", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
@@ -110246,8 +119752,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110274,8 +119782,10 @@ "s3:delimiter", "s3:max-keys", "s3:prefix", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110291,8 +119801,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110316,8 +119828,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110333,8 +119847,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110355,8 +119871,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110377,8 +119895,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110402,8 +119922,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110419,8 +119941,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
@@ -110441,8 +119965,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110463,8 +119989,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-acl", "s3:x-amz-content-sha256", "s3:x-amz-grant-full-control", @@ -110491,8 +120019,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110513,8 +120043,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110535,8 +120067,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110557,7 +120091,9 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", + "s3:TlsVersion", "s3:signatureversion" ], "dependent_actions": [], @@ -110578,8 +120114,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110600,8 +120138,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110622,8 +120162,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], 
@@ -110644,8 +120186,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110666,8 +120210,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110688,8 +120234,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110710,8 +120258,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110732,8 +120282,34 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", + "s3:signatureAge", + "s3:signatureversion", + "s3:TlsVersion", + "s3:x-amz-content-sha256" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create new or update or delete an existing Amazon S3 Intelligent Tiering configuration", + "privilege": "PutIntelligentTieringConfiguration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket*" + }, + { + "condition_keys": [ + "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110754,8 +120330,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110776,8 +120354,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "s3:ExistingJobPriority", "s3:ExistingJobOperation", 
@@ -110802,8 +120382,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110824,8 +120406,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -110851,8 +120435,10 @@ "s3:RequestObjectTag/", "s3:RequestObjectTagKeys", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-acl", "s3:x-amz-content-sha256", "s3:x-amz-copy-source", @@ -110893,8 +120479,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-acl", "s3:x-amz-content-sha256", "s3:x-amz-grant-full-control", @@ -110925,8 +120513,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "s3:object-lock-legal-hold" ], @@ -110951,8 +120541,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "s3:object-lock-mode", "s3:object-lock-retain-until-date", @@ -110982,8 +120574,10 @@ "s3:RequestObjectTag/", "s3:RequestObjectTagKeys", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -111008,8 +120602,10 @@ "s3:AccessPointNetworkOrigin", "s3:ExistingObjectTag/", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:versionid", "s3:x-amz-acl", "s3:x-amz-content-sha256", 
@@ -111044,8 +120640,10 @@ "s3:RequestObjectTag/", "s3:RequestObjectTagKeys", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:versionid", "s3:x-amz-content-sha256" ], @@ -111069,8 +120667,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -111086,8 +120686,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "aws:TagKeys", "aws:RequestTag/${TagKey}" @@ -111110,8 +120712,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "aws:TagKeys", "aws:RequestTag/${TagKey}" @@ -111134,8 +120738,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -111156,8 +120762,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "s3:x-amz-server-side-encryption", "s3:x-amz-server-side-encryption-aws-kms-key-id" @@ -111180,8 +120788,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -111205,8 +120815,10 @@ "s3:DataAccessPointArn", "s3:AccessPointNetworkOrigin", "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256" ], "dependent_actions": [], @@ -111227,8 +120839,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "s3:RequestJobPriority", "s3:ExistingJobPriority", 
@@ -111252,8 +120866,10 @@ { "condition_keys": [ "s3:authType", + "s3:ResourceAccount", "s3:signatureAge", "s3:signatureversion", + "s3:TlsVersion", "s3:x-amz-content-sha256", "s3:ExistingJobPriority", "s3:ExistingJobOperation", @@ -112167,6 +121783,21 @@ "description": "A tag key and value pair.", "type": "String" }, + { + "condition": "aws:SourceIp", + "description": "Filters access by the requestor's IP address", + "type": "String" + }, + { + "condition": "aws:SourceVpc", + "description": "Filters access by the requestor's VPC", + "type": "String" + }, + { + "condition": "aws:SourceVpce", + "description": "Filters access by the requestor's VPC endpoint", + "type": "String" + }, { "condition": "aws:TagKeys", "description": "The list of all the tag key names associated with the resource in the request.", @@ -112397,11 +122028,31 @@ "dependent_actions": [], "resource_type": "context" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-quality-job-definition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-fleet" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "domain" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "edge-packaging-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -112462,6 +122113,16 @@ "dependent_actions": [], "resource_type": "model" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-bias-job-definition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-explainability-job-definition" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -112472,6 +122133,11 @@ "dependent_actions": [], "resource_type": "model-package-group" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-quality-job-definition" + }, { "condition_keys": [], "dependent_actions": [], @@ -112752,6 +122418,58 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a data quality job definition.", + "privilege": "CreateDataQualityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "data-quality-job-definition*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a device fleet", + "privilege": "CreateDeviceFleet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "device-fleet*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a Domain for SageMaker Studio", 
@@ -112783,6 +122501,28 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an edge packaging job", + "privilege": "CreateEdgePackagingJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "edge-packaging-job*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Creates an endpoint using the endpoint configuration specified in the request.", 
@@ -113035,6 +122775,66 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create a model bias job definition.", + "privilege": "CreateModelBiasJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "model-bias-job-definition*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a model explainability job definition.", + "privilege": "CreateModelExplainabilityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "model-explainability-job-definition*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a ModelPackage.", 
@@ -113082,7 +122882,37 @@ }, { "access_level": "Write", - "description": "Creates a monitoring schedule.", + "description": "Grants permission to create a model quality job definition.", + "privilege": "CreateModelQualityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [ + "iam:PassRole" + ], + "resource_type": "model-quality-job-definition*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys", + "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", + "sagemaker:MaxRuntimeInSeconds", + "sagemaker:NetworkIsolation", + "sagemaker:OutputKmsKey", + "sagemaker:VolumeKmsKey", + "sagemaker:VpcSecurityGroupIds", + "sagemaker:VpcSubnets" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a monitoring schedule.", "privilege": "CreateMonitoringSchedule", "resource_types": [ { @@ -113097,6 +122927,7 @@ "aws:RequestTag/${TagKey}", "aws:TagKeys", "sagemaker:InstanceTypes", + "sagemaker:InterContainerTrafficEncryption", "sagemaker:MaxRuntimeInSeconds", "sagemaker:NetworkIsolation", "sagemaker:OutputKmsKey", @@ -113181,6 +123012,15 @@ "condition_keys": [], "dependent_actions": [], "resource_type": "user-profile*" + }, + { + "condition_keys": [ + "aws:SourceIp", + "aws:SourceVpc", + "aws:SourceVpce" + ], + "dependent_actions": [], + "resource_type": "" } ] }, 
@@ -113527,6 +123367,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the data quality job definition created using the CreateDataQualityJobDefinition API.", + "privilege": "DeleteDataQualityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-quality-job-definition*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a device fleet", + "privilege": "DeleteDeviceFleet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-fleet*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a Domain", @@ -113654,6 +123518,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete the model bias job definition created using the CreateModelBiasJobDefinition API.", + "privilege": "DeleteModelBiasJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-bias-job-definition*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete the model explainability job definition created using the CreateModelExplainabilityJobDefinition API.", + "privilege": "DeleteModelExplainabilityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-explainability-job-definition*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a ModelPackage.", 
@@ -113692,7 +123580,19 @@ }, { "access_level": "Write", - "description": "Deletes a monitoring schedule. Amazon SageMaker will no longer run the scheduled monitoring.", + "description": "Grants permission to delete the model quality job definition created using the CreateModelQualityJobDefinition API.", + "privilege": "DeleteModelQualityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-quality-job-definition*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to delete a monitoring schedule.", "privilege": "DeleteMonitoringSchedule", "resource_types": [ { @@ -113812,11 +123712,31 @@ "dependent_actions": [], "resource_type": "context" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-quality-job-definition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-fleet" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "domain" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "edge-packaging-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -113877,6 +123797,16 @@ "dependent_actions": [], "resource_type": "model" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-bias-job-definition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-explainability-job-definition" + }, { "condition_keys": [], "dependent_actions": [], @@ -113887,6 +123817,11 @@ "dependent_actions": [], "resource_type": "model-package-group" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-quality-job-definition" + }, { "condition_keys": [], "dependent_actions": [], 
@@ -114001,6 +123936,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to deregister a set of devices", + "privilege": "DeregisterDevices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get information about an action.", @@ -114109,6 +124056,42 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return information about a data quality job definition.", + "privilege": "DescribeDataQualityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-quality-job-definition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to access information about a device", + "privilege": "DescribeDevice", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to access information about a device fleet", + "privilege": "DescribeDeviceFleet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-fleet*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a Domain", @@ -114121,6 +124104,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to access information about an edge packaging job", + "privilege": "DescribeEdgePackagingJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "edge-packaging-job*" + } + ] + }, { "access_level": "Read", "description": "Returns the description of an endpoint.", 
@@ -114265,6 +124260,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to return information about a model bias job definition.", + "privilege": "DescribeModelBiasJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-bias-job-definition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a model explainability job definition.", + "privilege": "DescribeModelExplainabilityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-explainability-job-definition*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to describe a ModelPackage.", @@ -114291,7 +124310,19 @@ }, { "access_level": "Read", - "description": "Returns information about a monitoring schedule.", + "description": "Grants permission to return information about a model quality job definition.", + "privilege": "DescribeModelQualityJobDefinition", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-quality-job-definition*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to return information about a monitoring schedule.", "privilege": "DescribeMonitoringSchedule", "resource_types": [ { 
@@ -114527,6 +124558,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to access a summary of the devices in a device fleet", + "privilege": "GetDeviceFleetReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-fleet*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get device registration. After you deploy a model onto edge devices this api is used to get current device registration", + "privilege": "GetDeviceRegistration", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to get a ModelPackageGroup policy.", @@ -114726,6 +124781,42 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list data quality job definitions.", + "privilege": "ListDataQualityJobDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list device fleets", + "privilege": "ListDeviceFleets", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list devices.", + "privilege": "ListDevices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list the Domains in your account", @@ -114738,6 +124829,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list edge packaging jobs", + "privilege": "ListEdgePackagingJobs", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Lists endpoint configurations.", 
@@ -114882,6 +124985,30 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list model bias job definitions.", + "privilege": "ListModelBiasJobDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list model explainability job definitions.", + "privilege": "ListModelExplainabilityJobDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list ModelPackageGroups.", @@ -114906,6 +125033,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list model quality job definitions.", + "privilege": "ListModelQualityJobDefinitions", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Lists the models created with the CreateModel API.", @@ -114920,7 +125059,7 @@ }, { "access_level": "List", - "description": "Lists monitoring executions.", + "description": "Grants permission to list monitoring executions.", "privilege": "ListMonitoringExecutions", "resource_types": [ { @@ -114932,7 +125071,7 @@ }, { "access_level": "List", - "description": "Lists monitoring schedules.", + "description": "Grants permission to list monitoring schedules.", "privilege": "ListMonitoringSchedules", "resource_types": [ { 
@@ -115095,11 +125234,31 @@ "dependent_actions": [], "resource_type": "context" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "data-quality-job-definition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-fleet" + }, { "condition_keys": [], "dependent_actions": [], "resource_type": "domain" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "edge-packaging-job" + }, { "condition_keys": [], "dependent_actions": [], @@ -115160,6 +125319,16 @@ "dependent_actions": [], "resource_type": "model" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-bias-job-definition" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-explainability-job-definition" + }, { "condition_keys": [], "dependent_actions": [], @@ -115170,6 +125339,11 @@ "dependent_actions": [], "resource_type": "model-package-group" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "model-quality-job-definition" + }, { "condition_keys": [], "dependent_actions": [], @@ -115332,6 +125506,26 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to register a set of devices", + "privilege": "RegisterDevices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Read", "description": "Render a UI template used for a human annotation task.", 
@@ -115358,6 +125552,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to publish heartbeat data from devices. After you deploy a model onto edge devices this api is used to report device status", + "privilege": "SendHeartbeat", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, { "access_level": "Write", "description": "Starts a human loop.", @@ -115430,6 +125636,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to stop an edge packaging job", + "privilege": "StopEdgePackagingJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "edge-packaging-job*" + } + ] + }, { "access_level": "Write", "description": "Stops the specified human loop.", @@ -115598,6 +125816,30 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update a device fleet", + "privilege": "UpdateDeviceFleet", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device-fleet*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update a set of devices", + "privilege": "UpdateDevices", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "device*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a Domain", @@ -115705,7 +125947,8 @@ "sagemaker:OutputKmsKey", "sagemaker:VolumeKmsKey", "sagemaker:VpcSecurityGroupIds", - "sagemaker:VpcSubnets" + "sagemaker:VpcSubnets", + "sagemaker:InterContainerTrafficEncryption" ], "dependent_actions": [], "resource_type": "" 
@@ -115771,6 +126014,25 @@ } ] }, + { + "access_level": "Write", + "description": "Updates a training job.", + "privilege": "UpdateTrainingJob", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "training-job*" + }, + { + "condition_keys": [ + "sagemaker:InstanceTypes" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Updates a trial.", @@ -115845,6 +126107,30 @@ } ], "resources": [ + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}/device/${DeviceName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "device" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:device-fleet/${DeviceFleetName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "device-fleet" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:edge-packaging-job/${EdgePackagingJobName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "edge-packaging-job" + }, { "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:human-loop/${HumanLoopName}", "condition_keys": [], 
@@ -116065,6 +126351,38 @@ ], "resource": "monitoring-schedule" }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:data-quality-job-definition/${DataQualityJobDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "data-quality-job-definition" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-quality-job-definition/${ModelQualityJobDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "model-quality-job-definition" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-bias-job-definition/${ModelBiasJobDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "model-bias-job-definition" + }, + { + "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:model-explainability-job-definition/${ModelExplainabilityJobDefinitionName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}", + "sagemaker:ResourceTag/${TagKey}" + ], + "resource": "model-explainability-job-definition" + }, { "arn": "arn:${Partition}:sagemaker:${Region}:${Account}:experiment/${ExperimentName}", "condition_keys": [ @@ -119377,6 +129695,23 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to list the tags for a service catalog appregistry resource.", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AttributeGroup" + } + ] + }, { "access_level": "Write", "description": "Grants permission to provision a product with a specified provisioning artifact and launch parameters", 
@@ -119457,6 +129792,43 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to sync a resource with its current state in AppRegistry.", + "privilege": "SyncResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to tag a service catalog appregistry resource.", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AttributeGroup" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to terminate an existing provisioned product", @@ -119473,6 +129845,31 @@ } ] }, + { + "access_level": "Tagging", + "description": "Grants permission to remove a tag from a service catalog appregistry resource.", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "Application" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "AttributeGroup" + }, + { + "condition_keys": [ + "aws:TagKeys", + "aws:RequestTag/${TagKey}" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update the attributes of an existing application.", 
@@ -119665,22 +130062,22 @@ }, { "condition": "servicediscovery:NamespaceArn", - "description": "A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related namespace.", + "description": "Filters access by specifying the Amazon Resource Name (ARN) for the related namespace", "type": "String" }, { "condition": "servicediscovery:NamespaceName", - "description": "A filter that lets you get objects by specifying the name of the related namespace.", + "description": "Filters access by specifying the name of the related namespace", "type": "String" }, { "condition": "servicediscovery:ServiceArn", - "description": "A filter that lets you get objects by specifying the Amazon Resource Name (ARN) for the related service.", + "description": "Filters access by specifying the Amazon Resource Name (ARN) for the related service", "type": "String" }, { "condition": "servicediscovery:ServiceName", - "description": "A filter that lets you get objects by specifying the name of the related service.", + "description": "Filters access by specifying the name of the related service", "type": "String" } ], @@ -119688,7 +130085,7 @@ "privileges": [ { "access_level": "Write", - "description": "Creates an HTTP namespace.", + "description": "Grants permission to create an HTTP namespace", "privilege": "CreateHttpNamespace", "resource_types": [ { @@ -119703,7 +130100,7 @@ }, { "access_level": "Write", - "description": "Creates a private namespace based on DNS, which will be visible only inside a specified Amazon VPC.", + "description": "Grants permission to create a private namespace based on DNS, which will be visible only inside a specified Amazon VPC", "privilege": "CreatePrivateDnsNamespace", "resource_types": [ { 
@@ -119718,7 +130115,7 @@ }, { "access_level": "Write", - "description": "Creates a public namespace based on DNS, which will be visible on the internet.", + "description": "Grants permission to create a public namespace based on DNS, which will be visible on the internet", "privilege": "CreatePublicDnsNamespace", "resource_types": [ { @@ -119733,7 +130130,7 @@ }, { "access_level": "Write", - "description": "Creates a service.", + "description": "Grants permission to create a service", "privilege": "CreateService", "resource_types": [ { @@ -119754,7 +130151,7 @@ }, { "access_level": "Write", - "description": "Deletes a specified namespace.", + "description": "Grants permission to delete a specified namespace", "privilege": "DeleteNamespace", "resource_types": [ { @@ -119766,7 +130163,7 @@ }, { "access_level": "Write", - "description": "Deletes a specified service.", + "description": "Grants permission to delete a specified service", "privilege": "DeleteService", "resource_types": [ { @@ -119778,7 +130175,7 @@ }, { "access_level": "Write", - "description": "Deletes the records and the health check, if any, that Amazon Route 53 created for the specified instance.", + "description": "Grants permission to delete the records and the health check, if any, that Amazon Route 53 created for the specified instance", "privilege": "DeregisterInstance", "resource_types": [ { @@ -119797,7 +130194,7 @@ }, { "access_level": "Read", - "description": "Discovers registered instances for a specified namespace and service.", + "description": "Grants permission to discover registered instances for a specified namespace and service", "privilege": "DiscoverInstances", "resource_types": [ { @@ -119812,7 +130209,7 @@ }, { "access_level": "Read", - "description": "Gets information about a specified instance.", + "description": "Grants permission to get information about a specified instance", "privilege": "GetInstance", "resource_types": [ { 
@@ -119826,7 +130223,7 @@ }, { "access_level": "Read", - "description": "Gets the current health status (Healthy, Unhealthy, or Unknown) of one or more instances.", + "description": "Grants permission to get the current health status (Healthy, Unhealthy, or Unknown) of one or more instances", "privilege": "GetInstancesHealthStatus", "resource_types": [ { @@ -119840,7 +130237,7 @@ }, { "access_level": "Read", - "description": "Gets information about a namespace.", + "description": "Grants permission to get information about a namespace", "privilege": "GetNamespace", "resource_types": [ { @@ -119852,7 +130249,7 @@ }, { "access_level": "Read", - "description": "Gets information about a specific operation.", + "description": "Grants permission to get information about a specific operation", "privilege": "GetOperation", "resource_types": [ { @@ -119864,7 +130261,7 @@ }, { "access_level": "Read", - "description": "Gets the settings for a specified service.", + "description": "Grants permission to get the settings for a specified service", "privilege": "GetService", "resource_types": [ { @@ -119876,7 +130273,7 @@ }, { "access_level": "List", - "description": "Gets summary information about the instances that were registered with a specified service.", + "description": "Grants permission to get summary information about the instances that were registered with a specified service", "privilege": "ListInstances", "resource_types": [ { @@ -119890,7 +130287,7 @@ }, { "access_level": "List", - "description": "Gets information about the namespaces.", + "description": "Grants permission to get information about the namespaces", "privilege": "ListNamespaces", "resource_types": [ { @@ -119902,7 +130299,7 @@ }, { "access_level": "List", - "description": "Lists operations that match the criteria that you specify.", + "description": "Grants permission to list operations that match the criteria that you specify", "privilege": "ListOperations", "resource_types": [ { 
@@ -119914,7 +130311,7 @@ }, { "access_level": "List", - "description": "Gets settings for all the services that match specified filters.", + "description": "Grants permission to get settings for all the services that match specified filters", "privilege": "ListServices", "resource_types": [ { @@ -119926,7 +130323,7 @@ }, { "access_level": "List", - "description": "Lists tags for the specified resource.", + "description": "Grants permission to lists tags for the specified resource", "privilege": "ListTagsForResource", "resource_types": [ { @@ -119938,7 +130335,7 @@ }, { "access_level": "Write", - "description": "Registers an instance based on the settings in a specified service.", + "description": "Grants permission to register an instance based on the settings in a specified service", "privilege": "RegisterInstance", "resource_types": [ { @@ -119957,7 +130354,7 @@ }, { "access_level": "Tagging", - "description": "Adds one or more tags to the specified resource.", + "description": "Grants permission to add one or more tags to the specified resource", "privilege": "TagResource", "resource_types": [ { @@ -119972,7 +130369,7 @@ }, { "access_level": "Tagging", - "description": "Removes one or more tags from the specified resource.", + "description": "Grants permission to remove one or more tags from the specified resource", "privilege": "UntagResource", "resource_types": [ { @@ -119987,7 +130384,7 @@ }, { "access_level": "Write", - "description": "Updates the current health status for an instance that has a custom health check.", + "description": "Grants permission to update the current health status for an instance that has a custom health check", "privilege": "UpdateInstanceCustomHealthStatus", "resource_types": [ { 
@@ -120001,7 +130398,7 @@ }, { "access_level": "Write", - "description": "Updates the settings in a specified service.", + "description": "Grants permission to update the settings in a specified service", "privilege": "UpdateService", "resource_types": [ { @@ -120032,6 +130429,21 @@ }, { "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the tags that are passed in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on the tags associated with the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the tag keys that are passed in the request", + "type": "String" + }, { "condition": "servicequotas:service", "description": "Filters or restricts access to a specified AWS service", @@ -120208,6 +130620,18 @@ } ] }, + { + "access_level": "List", + "description": "Grants permission to view the existing tags on a SQ resource", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to define and add a quota to the service quota template", @@ -120245,6 +130669,30 @@ "resource_type": "" } ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to associate a set of tags with an existing SQ resource", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permission to remove a set of tags from a SQ resource, where tags to be removed match a set of customer-supplied tag keys", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] } ], "resources": [ 
@@ -122231,7 +132679,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Read", "description": "Grants permission to list the cross-account permissions associated with a Signing Profile", "privilege": "ListProfilePermissions", "resource_types": [ @@ -124333,6 +134781,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to create an OpsMetadata object for an AWS resource", + "privilege": "CreateOpsMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "Write", "description": "Grants permission to create a patch baseline", @@ -124442,6 +134902,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an OpsMetadata object", + "privilege": "DeleteOpsMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsmetadata*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to delete a specified SSM parameter", @@ -125184,6 +135656,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to retrieve an OpsMetadata object", + "privilege": "GetOpsMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsmetadata*" + } + ] + }, { "access_level": "Read", "description": "Grants permission to view summary information about OpsItems based on specified filters and aggregators", @@ -125385,6 +135869,18 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view metadata history about a specified SSM document", + "privilege": "ListDocumentMetadataHistory", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document*" + } + ] + }, { "access_level": "List", "description": "Grants permission to list all versions of a specified document", 
@@ -125438,6 +135934,30 @@ } ] }, + { + "access_level": "Read", + "description": "Grants permission to view details about OpsItemEvents", + "privilege": "ListOpsItemEvents", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to view a list of OpsMetadata objects", + "privilege": "ListOpsMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, { "access_level": "List", "description": "Grants permission to list resource-level summary count", @@ -125695,6 +136215,11 @@ "dependent_actions": [], "resource_type": "document*" }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "bucket" + }, { "condition_keys": [], "dependent_actions": [], @@ -125739,6 +136264,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to initiate the execution of an Automation Change Template document", + "privilege": "StartChangeRequestExecution", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "automation-definition*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to initiate a connection to a specified target for a Session Manager session", @@ -125860,6 +136397,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update the metadata of an SSM document", + "privilege": "UpdateDocumentMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "document*" + } + ] + }, { "access_level": "Write", "description": "Used by SSM Agent to update the status of the association that it is currently running (internal Systems Manager call)", 
@@ -125954,6 +136503,18 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to update an OpsMetadata object", + "privilege": "UpdateOpsMetadata", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "opsmetadata*" + } + ] + }, { "access_level": "Write", "description": "Grants permission to update a specified patch baseline", @@ -126014,6 +136575,11 @@ "condition_keys": [], "resource": "automation-definition" }, + { + "arn": "arn:${Partition}:s3:::${BucketName}", + "condition_keys": [], + "resource": "bucket" + }, { "arn": "arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName}", "condition_keys": [ @@ -126056,6 +136622,11 @@ "condition_keys": [], "resource": "opsitem" }, + { + "arn": "arn:${Partition}:ssm:${Region}:${Account}:opsmetadata/${ResourceId}", + "condition_keys": [], + "resource": "opsmetadata" + }, { "arn": "arn:${Partition}:ssm:${Region}:${Account}:parameter/${FullyQualifiedParameterName}", "condition_keys": [ 
@@ -131736,6 +142307,319 @@ ], "service_name": "AWS Timestream" }, + { + "conditions": [ + { + "condition": "aws:RequestTag/${TagKey}", + "description": "Filters actions based on the presence of tag key-value pairs in the request", + "type": "String" + }, + { + "condition": "aws:ResourceTag/${TagKey}", + "description": "Filters actions based on tag key-value pairs attached to the resource", + "type": "String" + }, + { + "condition": "aws:TagKeys", + "description": "Filters actions based on the presence of tag keys in the request", + "type": "String" + } + ], + "prefix": "timestream", + "privileges": [ + { + "access_level": "Write", + "description": "Grants Permission to cancel queries in your account", + "privilege": "CancelQuery", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create a database in your account.", + "privilege": "CreateDatabase", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to create a table in your account.", + "privilege": "CreateTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a database in your account.", + "privilege": "DeleteDatabase", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to delete a table in your account.", + 
"privilege": "DeleteTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permissions to describe a database in your account.", + "privilege": "DescribeDatabase", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to describe timestream endpoints.", + "privilege": "DescribeEndpoints", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants Permissions to describe a table in your account", + "privilege": "DescribeTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "List", + "description": "Grants Permission to list databases in your account", + "privilege": "ListDatabases", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants Permissions to list measures of a table in your account", + "privilege": "ListMeasures", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "List", + "description": "Grants Permission to list tables in your account", + "privilege": "ListTables", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permissions to list tags of a resource in your account.", + "privilege": "ListTagsForResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + 
"resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants Permission to issue 'select from table' queries", + "privilege": "Select", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants Permissions to issue 'select 1' queries", + "privilege": "SelectValues", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permissions to add tags to a resource.", + "privilege": "TagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "aws:RequestTag/${TagKey}", + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Tagging", + "description": "Grants permissions to remove a tag from a resource.", + "privilege": "UntagResource", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + }, + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + }, + { + "condition_keys": [ + "aws:TagKeys" + ], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update a database in your account.", + "privilege": "UpdateDatabase", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "database*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permissions to update a table in your account.", + "privilege": "UpdateTable", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + }, + { + "access_level": "Write", + 
"description": "Grants permissions to ingest data to a table in your account.", + "privilege": "WriteRecords", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "table*" + } + ] + } + ], + "resources": [ + { + "arn": "arn:${Partition}:timestream:${Region}:${Account}:database/${DatabaseName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "database" + }, + { + "arn": "arn:${Partition}:timestream:${Region}:${Account}:database/${DatabaseName}/table/${TableName}", + "condition_keys": [ + "aws:ResourceTag/${TagKey}" + ], + "resource": "table" + } + ], + "service_name": "Amazon Timestream" + }, { "conditions": [ { @@ -136024,7 +146908,31 @@ "privileges": [ { "access_level": "Write", - "description": "Creates a new workload.", + "description": "Grants permission to associate a lens to the specified workload", + "privilege": "AssociateLenses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new milestone for the specified workload", + "privilege": "CreateMilestone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to create a new workload", "privilege": "CreateWorkload", "resource_types": [ { @@ -136036,7 +146944,7 @@ }, { "access_level": "Write", - "description": "Shares a workload with another account.", + "description": "Grants permission to share a workload with another account", "privilege": "CreateWorkloadShare", "resource_types": [ { @@ -136048,7 +146956,7 @@ }, { "access_level": "Write", - "description": "Deletes an existing workload.", + "description": "Grants permission to delete an existing workload", "privilege": "DeleteWorkload", "resource_types": [ { 
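Review bot: The service entry added by the `@@ -131736,6 +142307,319 @@` hunk declares `"prefix": "timestream"` with `"service_name": "Amazon Timestream"`, directly after an entry whose closing context line reads `"service_name": "AWS Timestream"`. The earlier entry's prefix is outside the hunk, but if it is also `timestream`, the definition now holds two entries for one prefix. Any lookup that stops at the first match would then validate `timestream:*` statements against whichever entry comes first, so an action or resource type present in only one of them could be reported as unknown or accepted, depending on entry order. I would have the generator merge or drop duplicate prefixes, or add a load-time check that every `prefix` value is unique, so the linter's verdict does not depend on the order of the scraped data.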
@@ -136058,9 +146966,93 @@ } ] }, + { + "access_level": "Write", + "description": "Grants permission to delete an existing workload share", + "privilege": "DeleteWorkloadShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to disassociate a lens from the specified workload", + "privilege": "DisassociateLenses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the specified answer from the specified lens review", + "privilege": "GetAnswer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the specified lens review of the specified workload", + "privilege": "GetLensReview", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the report for the specified lens review", + "privilege": "GetLensReviewReport", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to get the difference between the specified lens version and latest available lens version", + "privilege": "GetLensVersionDifference", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "Read", + "description": "Grants permission to retrieve the specified milestone of the specified workload", + "privilege": "GetMilestone", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"workload*" + } + ] + }, { "access_level": "Read", - "description": "Retrieves the specified workload.", + "description": "Grants permission to retrieve the specified workload", "privilege": "GetWorkload", "resource_types": [ { 
@@ -136072,7 +147064,103 @@ }, { "access_level": "List", - "description": "Lists the workloads in this account.", + "description": "Grants permission to list the answers from the specified lens review", + "privilege": "ListAnswers", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the improvements of the specified lens review", + "privilege": "ListLensReviewImprovements", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the lens reviews of the specified workload", + "privilege": "ListLensReviews", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the lenses available to this account", + "privilege": "ListLenses", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the milestones of the specified workload", + "privilege": "ListMilestones", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list notifications related to the account or specified resource", + "privilege": "ListNotifications", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the workload share invitations of the specified account or user", + "privilege": "ListShareInvitations", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": 
"" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the workload shares of the specified workload", + "privilege": "ListWorkloadShares", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "List", + "description": "Grants permission to list the workloads in this account", "privilege": "ListWorkloads", "resource_types": [ { 
@@ -136081,6 +147169,78 @@ "resource_type": "" } ] + }, + { + "access_level": "Write", + "description": "Grants permission to update properties of the specified answer", + "privilege": "UpdateAnswer", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update properties of the specified lens review", + "privilege": "UpdateLensReview", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update status of the specified workload share invitation", + "privilege": "UpdateShareInvitation", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update properties of the specified workload", + "privilege": "UpdateWorkload", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to update properties of the specified workload", + "privilege": "UpdateWorkloadShare", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] + }, + { + "access_level": "Write", + "description": "Grants permission to upgrade the specified lens review to use the latest version of the associated lens", + "privilege": "UpgradeLensReview", + "resource_types": [ + { + "condition_keys": [], + "dependent_actions": [], + "resource_type": "workload*" + } + ] } ], "resources": [ 
@@ -138973,7 +150133,7 @@ ] }, { - "access_level": "Permissions management", + "access_level": "Read", "description": "Grants permission to retrieve the current encryption configuration for X-Ray data", "privilege": "GetEncryptionConfig", "resource_types": [